US20140250493A1 - Firewall method and apparatus for industrial systems - Google Patents
- Publication number
- US20140250493A1 (application No. US 14/278,229)
- Authority
- US
- United States
- Prior art keywords
- packet
- protocol
- access
- protocol packet
- devices
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
- H04L63/0263—Rule management
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/163—In-band adaptation of TCP data exchange; In-band control procedures
- H04L69/166—IP fragmentation; TCP segmentation
Definitions
- the present invention generally relates to industrial control systems, and more particularly to systems and methods that provide secure and firewall restricted Web-based access to control devices and components residing on a non-IP network within an industrial environment.
- a typical computer network comprises a plurality of interconnected microprocessor-based devices with specialized (e.g., network) software and/or hardware that facilitates interaction between at least two devices on the network.
- Such interaction can provide for a fast, efficient and cost-effective means to monitor, control and/or exchange information amongst networked devices such as printers, plotters, workstations, copiers, etc.
- communication networks link computing devices (e.g., servers, workstations, etc.) and other devices (e.g., lights, sprinkler systems, printers, plotters, etc.).
- a network can be referred to as a Local Area Network (LAN) or a Wide Area Network (WAN), dependent on the network size.
- LAN Local Area Network
- WAN Wide Area Network
- a LAN is typically associated with a relatively small geographic area such as a department, a building or a group of buildings, and employed to connect local workstations, personal computers, printers, copiers, scanners, etc.
- a WAN typically is associated with networks that span larger geographical areas, and can include one or more smaller networks, such as one or more LANs.
- a WAN can be employed to couple computers and/or LANs that reside on opposite ends of a country and/or on opposite sides of the world. The most popular WAN today is the Internet.
- IP internet protocol
- In an IP network, a source device generates data packets that include information (e.g., data to be delivered to a destination device, requests for certain data from a destination device, etc.) to be transmitted to a destination device, a source identifier that identifies the source of the data packet and a destination address associated with the destination device.
- the source identifier and destination address fields in an IP packet are located in “framing” sections of the packet either before or after a data field.
- the framing fields of an IP packet will be referred to as IP packet frames.
- IP based networks include EtherNet/IP, EtherNet 10Base-T, 100Base-T (Fast EtherNet) and 1000Base-T (Gigabit EtherNet).
- although IP networks have proven extremely useful in many applications, IP networks have several shortcomings that render the networks impractical for time sensitive applications. For instance, because IP network routing paths vary, the time required to transmit IP messages to destination devices varies appreciably. Similarly, excessive traffic over an IP network slows IP transmission rates so that packet delivery time is dependent on unpredictable factors.
- servers that communicate via IP enforce timeout rules wherein, if a packet has been transmitted from a source but the transmission period exceeds some threshold time period (e.g., due to network traffic), the message is discarded and has to be subsequently resent.
- although IP networks are advantageous in applications where transmission time is not critical (e.g., a printing application, a request for information from a broker, sending an e-mail, etc.), IP networks have not been suitable in cases where information has to be transmitted almost instantaneously and at least within predictable time periods.
- Industrial control is one application where unpredictable routing delays have rendered IP networks impractical in the past.
- An exemplary industrial manufacturing line may include several machining stations (and associated devices and subassemblies—e.g., switches, sensors, motor starters, pushbuttons, I/O blocks, welders, robots, drives, bar code readers, etc.) along a transfer line, several programmable logic controllers (PLCs), one or more human-machine interfaces (HMIs) and a network that links the other components together where the PLCs are programmed to read inputs from stations and transfer line devices and provide outputs to the devices as a function of control programs stored in the PLCs.
- PLCs programmable logic controllers
- HMIs human-machine interfaces
- device and subassembly control at each station and between stations or between stations and the transfer line may have to be precisely synchronized in order for the line devices and assemblies to function properly and safely (e.g., a first robot arm could be damaged if the arm is driven into a line station prior to a second robot arm being removed from the station).
- because device and subassembly timing is important, unpredictable IP network delays and periodic failures cannot be tolerated.
- More recently, small groups of signal sensors and actuators have been tied to remote I/O concentrators where the concentrators have been networked to the controllers. In some cases, devices have been designed where network interfaces are embedded in the devices themselves. Exemplary devices of this type include DeviceNet and ControlNet devices that have been developed by Rockwell Automation. DeviceNet, ControlNet and other types of devices that include embedded network interfaces and are suitable for use in industrial environments will be referred to generally hereinafter as non-IP devices.
- industrial networking protocols have been developed for use with the non-IP devices where the industrial protocols use data packet formats that specify specific network paths from source devices to destination devices and therefore can transmit data in predictable time periods.
- One exemplary type of industrial protocol for use with DeviceNet and ControlNet devices is referred to as the control and information protocol or the common industrial protocol (CIP).
- CIP common industrial protocol
- Another exemplary non-IP protocol suitable for use with some types of industrial devices is referred to as Data Highway Plus.
- Other non-IP protocols are contemplated.
- a CIP data packet will specify the packet source, information to be delivered to a destination device, the destination device address and a specific path through the networked devices from the source to the destination device.
- for example, where three transmission path devices intervene between the source and the destination, the path specification includes the addresses of each of the three intervening transmission path devices and the order in which the devices are linked.
- in that example, the path data includes first, second and third transmission path device addresses and identifies the destination device address separately.
- the source routes the packet to the address of the first device in the path
- the first device identifies the second path device address in the packet and routes the packet to the second address.
- the second path device identifies the third path device address in the packet and routes the packet to the third device address and the third device identifies the destination device address and routes the packet to the destination device to complete delivery of the packet.
- the specified path method used in CIP communication, unlike IP, results in a deterministic communication protocol that is suited for use in industrial environments.
- non-IP devices like DeviceNet, ControlNet, etc. can be configured into a non-IP network that is less expensive than a typical IP network because the need for network switches is eliminated.
- DeviceNet, ControlNet and other similar network configurations have intrinsic safety features that are not provided by an IP network. For this reason, in many cases, it is most advantageous to configure hybrid networks including some IP network devices and some non-IP network devices specially designed for industrial applications (e.g., DeviceNet, ControlNet devices).
- an Ethernet routing mechanism that links IP network devices to non-IP devices (e.g., DeviceNet, ControlNet) makes it possible to remotely monitor and control the networked industrial devices.
- the possibility for remote monitoring and control advantageously allows more flexible system layouts to be configured and reduces overall system costs where Ethernet infrastructure already exists to support other facility needs.
- linking industrial devices via Ethernet routing mechanism components presents security problems. For instance, where a LAN operated by a brokerage firm and including a server is linked to the Internet to allow customers to access account information, an unscrupulous computer hacker may attempt to access the LAN via an Internet connection to obtain information about one of the firm's client's accounts. As another instance, a hacker may maliciously attempt to access a bank's software via the Internet to load a virus thereon that could scramble the bank's records and negatively affect the bank's business. As one other instance, a hacker may attempt to access a PLC and alter an industrial control program thereby causing damage to machine line components controlled by the PLC.
- In addition to unscrupulous persons doing unsavory things via networked interfaces, in many cases even well intentioned network users may be able to unintentionally cause problems if they access networked devices. For instance, in the case of a maintenance engineer at a manufacturing facility, while the engineer may be trained to maintain a first type of manufacturing line, the engineer may not be trained to maintain a second type of manufacturing line. While in a facility including the first line, the engineer may have to be proximate the first line to perform diagnostics procedures, check operating values, etc., wherein the proximity requirement and visual feedback ensures that the engineer is accessing first line devices, not second line devices. Where remote access is facilitated via a pure Ethernet or hybrid system, proximity and visual feedback cannot be relied upon and the end result could be that the engineer unknowingly accesses second line devices rather than first line devices.
- To ensure that unintended network access does not occur, information technology (IT) firewalls have been developed that, in effect, separate LANs and other sub-networks from the Internet and that operate as gatekeepers to keep unauthorized network users from accessing the sub-networks while still allowing access to authorized network users.
- a firewall generally intercepts attempts to access associated sub-networks and requires some type of proof of identity from a network user attempting to access the sub-networks prior to allowing access.
- proof of identity may require entry of a user name and password or may be transparent to a network user (i.e., information transmitted from the user's interface device may indicate identity which is automatically identified by the firewall).
- where proof of identity is not provided or is not accepted, the firewall restricts access and may perform some secondary security process such as creating a log, activating an alarm, etc.
- an IT firewall algorithm interrogates the IP packet frame information to determine if the packet should be passed through the firewall to a destination device identified in the IP packet frame. If, however, the destination device designated in the IP packet frame routes the packet further based on the non-IP routing information (e.g., addresses in an embedded CIP packet), the ultimate destination designated by the non-IP routing information is not protected.
- This “carry-through” routing is a concern whether the CIP packet is routed via Ethernet or some other native industrial network such as DeviceNet or ControlNet.
- firewalls are provided within a network wherein data packets received thereby are decapsulated so that at least an ultimate destination device or resource is identified. Access rules are applied to determine if the packet should be transmitted further to facilitate access or if a security function (e.g., discarding the packet, sending a reject message, activating an alarm, etc.) should be performed. In at least some cases all routing information is identified and analyzed and whenever any device in a routing path is not to be accessed for any reason, even if the ultimate destination device is accessible, a security function is performed.
- At least some embodiments of the invention include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of: specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol
- the step of specifying access control information includes, for each of at least a subset of destination resources, specifying source resources authorized to communicate with the destination resource.
- the step of identifying at least a subset of the characteristics of the first protocol packet includes identifying the source of the first protocol packet and the step of comparing the first protocol packet characteristics to the access control information associated with the destination resource includes comparing the source of the first protocol packet to the resources authorized to communicate with the destination resource.
- the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, halting transmission of the first protocol packet.
- the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, at least one of activating an alarm signal and providing a signal back to the source indicating that the packet has been halted.
- the step of specifying access control information includes specifying packet characteristics (PCs) that include characteristics identifiable directly from the first protocol packet.
- PCs packet characteristics
- the step of specifying access control information includes specifying non-packet characteristics (NPQs) that include characteristics other than those identifiable directly from the first protocol packet.
- NPQs non-packet characteristics
- the NPQs may include at least a subset of: a time associated with the first protocol packet transmission; the location of the source resource; where a person initiates the first protocol packet transmission, the identity of the initiating person; and, where a person initiates the first protocol packet transmission, characteristics of the initiating person.
- the step of specifying access control information further includes specifying times during which resources can communicate with other resources, the method further including the step of, when a first protocol packet that includes an embedded second protocol packet is received, identifying a time associated with the received packet, the step of comparing including comparing the packet associated time with the specified times.
- the first protocol is one of an Ethernet protocol and an IP protocol.
- the second protocol is one of a common industrial protocol (CIP) and a Data Highway Plus protocol.
- the method may further include the step of specifying at least first and second priorities for network transmissions, wherein the step of restricting transmission includes transmitting as a function of the specified priorities and the packet characteristics.
- the step of specifying access control information includes the step of specifying locations of source resources from which communications with associated resources are allowed, the method further including the step of identifying the location of a source resource that transmits a first protocol packet that includes an embedded second protocol packet and the step of comparing further including comparing the identified source resource location with the specified source resource location.
- each destination resource includes at least one of a programmable logic controller (PLC), a human-machine interface (HMI), a sensor, an actuator, a drive, and a remote input/output device.
- PLC programmable logic controller
- HMI human-machine interface
- the step of specifying access control information includes specifying characteristics of persons authorized to communicate with associated resources, the step of identifying at least a subset of the characteristics of the first protocol packet including identifying characteristics of a person that initiates a communication and the step of comparing including comparing the specified and identified characteristics.
- the embedded protocol packet specifies a path of resources to a final destination resource, the method further including identifying access control information associated with each of the path resources, comparing the first protocol packet characteristics to the access control information associated with each of the path resources and restricting transmission of the first protocol packet as a function of the results of the comparison to the access control information associated with the path resources.
- some inventive embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field: (i) intercepting the first protocol packet prior to the second protocol destination resource, (ii)
- the additional resource may be the first protocol packet destination resource.
- the second protocol packet may specify at least one path resource to the second protocol packet destination resource through which data is to be routed between the first and second protocol packet destination resources and the step of identifying at least one additional resource may include identifying the at least one path resource.
- some embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field, intercepting the first protocol packet prior to the second protocol destination resource, examining at least a sub
- the additional resource is the first protocol packet destination resource.
- the second protocol packet specifies at least one path resource to the second protocol packet destination resource through which data is to be routed between the first and second protocol packet destination resources and wherein the step of identifying at least one additional resource includes identifying the at least one path resource.
- some embodiments include a method for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying at least one object and at least one service related to the target device, the method comprising the steps of providing an access control database that correlates the source device with target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object, receiving at least one communication transmitted from the source to the target device, decapsulating the at least one communication to identify the target device and the related at least one object and at least one service, comparing the identified target device, at least one object and at least one service with the target device, object and service information in the database and selectively transmitting the at least one communication to the target device as a function of the comparison.
- the correlated object includes a combination of a class, an instance of a class, an attribute of a class and an attribute of an instance of a class.
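A worked example of the decapsulation and rule check described above: the "carry-through" routing that an IT firewall misses, the per-path-resource check, and the access control database keyed on source, target, object (class/instance/attribute) and service. This is added illustration code, not the patent's implementation. The byte layout, the addresses, the object identifiers, the service codes and the access control entries are all constructed for the example and do not follow the EtherNet/IP or CIP wire encoding.

```python
"""
Added example (not the patent's code): a dual-protocol firewall that decapsulates
an outer IP-style frame, extracts the embedded CIP-style packet and applies the
access control database to the outer destination, to every hop of the route path,
to the final device and to the object/service requested there.  Wire layout,
addresses, object identifiers and service codes are constructed, not real CIP.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# outer frame ("first protocol"):  src(4) | dst(4) | payload_len(2) | payload
# embedded packet ("second protocol"):
#   hop_count(1) | hop_addr(4) * hop_count | final_addr(4)
#   | class(2) | instance(2) | attribute(2) | service(1)
OUTER, OBJ = "!4s4sH", "!HHHB"
OUTER_LEN, OBJ_LEN = struct.calcsize(OUTER), struct.calcsize(OBJ)


def addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


@dataclass
class Embedded:
    path: List[bytes]   # intermediate path devices, in routing order
    final: bytes        # ultimate destination device
    cls: int
    instance: int
    attribute: int
    service: int


@dataclass
class Frame:
    src: bytes
    dst: bytes          # first-protocol destination (the gateway/bridge)
    embedded: Embedded


def build_frame(src, dst, path, final, cls, inst, attr, svc) -> bytes:
    body = bytes([len(path)]) + b"".join(path) + final
    body += struct.pack(OBJ, cls, inst, attr, svc)
    return struct.pack(OUTER, src, dst, len(body)) + body


def decapsulate(raw: bytes) -> Frame:
    """Parse the outer frame and the packet embedded in its data field."""
    src, dst, plen = struct.unpack(OUTER, raw[:OUTER_LEN])
    body = raw[OUTER_LEN:OUTER_LEN + plen]
    if len(body) != plen or not body:
        raise ValueError("truncated payload")      # never forward what cannot be parsed
    hops, off = body[0], 1 + 4 * body[0]
    if len(body) < off + 4 + OBJ_LEN:
        raise ValueError("malformed embedded packet")
    path = [body[1 + 4 * i:5 + 4 * i] for i in range(hops)]
    final = body[off:off + 4]
    cls, inst, attr, svc = struct.unpack(OBJ, body[off + 4:off + 4 + OBJ_LEN])
    return Frame(src, dst, Embedded(path, final, cls, inst, attr, svc))


@dataclass
class Rule:
    sources: Set[bytes]                   # PC: source addresses allowed to reach the resource
    hours: Tuple[int, int] = (0, 24)      # NPQ: allowed hour window [start, end)
    # object (class, instance, attribute) -> service codes the source may invoke on it
    services: Dict[Tuple[int, int, int], Set[int]] = field(default_factory=dict)


# Constructed access control database with hypothetical addresses and codes.
HMI, GATEWAY, BRIDGE, PLC, DRIVE = map(
    addr, ["10.0.1.5", "10.0.1.1", "10.0.2.1", "10.0.2.20", "10.0.2.21"])
GET, SET = 0x0E, 0x10
ACL: Dict[bytes, Rule] = {
    GATEWAY: Rule(sources={HMI}),
    BRIDGE: Rule(sources={HMI}, hours=(6, 22)),                # maintenance window only
    PLC: Rule(sources={HMI}, services={(0x01, 1, 7): {GET}}),  # read-only attribute
    # DRIVE has no rule on purpose: nothing may reach it through the gateway.
}


def it_firewall(frame: Frame) -> str:
    """A conventional IT firewall: looks only at the outer destination."""
    rule = ACL.get(frame.dst)
    return "allow" if rule and frame.src in rule.sources else "deny"


def industrial_firewall(frame: Frame, hour: int) -> Tuple[str, str]:
    """Check every resource the packet will touch; a deny names the failing one."""
    e = frame.embedded
    for res in [frame.dst, *e.path, e.final]:
        rule = ACL.get(res)
        if rule is None or frame.src not in rule.sources:
            return "deny", f"source not authorized for {res.hex()}"
        if not rule.hours[0] <= hour < rule.hours[1]:
            return "deny", f"outside allowed hours for {res.hex()}"
    allowed = ACL[e.final].services.get((e.cls, e.instance, e.attribute), set())
    if e.service not in allowed:
        return "deny", f"service 0x{e.service:02x} not allowed on object"
    return "allow", "path, final device and service authorized"


if __name__ == "__main__":
    # An HMI read of the PLC through the bridge is allowed; the same frame aimed
    # at DRIVE passes the IT firewall (outer dst is the gateway) but not ours.
    for final in (PLC, DRIVE):
        f = decapsulate(build_frame(HMI, GATEWAY, [BRIDGE], final, 0x01, 1, 7, GET))
        v, why = industrial_firewall(f, hour=10)
        print(f"{final.hex()}: IT={it_firewall(f)} industrial={v} ({why})")
```

On a deny the firewall would perform the security function the text lists (discard the packet, return a reject message, raise an alarm); the example returns the reason so that the log or alarm can name the path resource that failed, which is what an operator needs to tell a misrouted maintenance session from an attack. A frame whose embedded packet cannot be fully parsed is rejected rather than forwarded on the strength of its outer header alone.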
- some embodiments include a method for controlling communications between a source device and a target device, the method comprising the steps of providing an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose, providing a firewall between the source device and the target device, intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices, using the access control database to determine if the source device may access the target device and transmitting the connection open packet toward the target device when the source device may access the target device.
- some embodiments include a method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of providing a firewall linked to the system, transmitting an original communication packet from the source device that targets the target device, via the firewall intercepting the original communication packet, encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device, transmitting the spoof response packet to the source device and, via the source, accepting the spoof response packet as a legitimate response packet from the target device and
- the method further includes the steps of providing an access control database useable to identify unauthorized communications on the system and after intercepting the original communication packet and prior to encapsulating, using the access control database to identify that the communication packet is associated with an unauthorized communication.
- the step of encapsulating includes obtaining at least some information from the original communication packet and using the obtained information to instantiate at least a subset of the response packet.
- the original request packet includes a target-originator (T-O) ID and wherein the obtained information includes the T-O ID from the original request packet.
- T-O target-originator
- the obtained information includes information identifying the source device and information identifying the target device.
- the step of encapsulating further includes generating at least some bogus information to instantiate at least a subset of the response packet information and instantiating at least portions of the response packet with the bogus information.
- At least some embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources, for each first protocol packet transmitted on the network that includes additional embedded packets, (i) intercepting the first protocol packet prior to the first protocol destination resource, (ii) examining at least a
- the step of restricting transmission includes identifying at least a subset of characteristics of the first protocol packet, comparing the first protocol packet characteristics to the identified access control information and restricting transmission as a function of the comparison.
- the step of examining includes examining to identify each of the intermediate path resources and the final destination resource and wherein the step of identifying access control information further includes identifying access control information for each of the intermediate path resources and the final destination resource.
- each of the additional embedded protocol packets is of the second type.
- the step of identifying at least a subset of characteristics of the first protocol packet includes identifying at least a subset of the characteristics of each of the first and the embedded protocol packets.
- the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
- the at least one protocol packet generated by a first protocol packet source requires a response from at least one of the intermediate path resources and the final destination resource including specific identifying information and wherein the step of restricting includes, when a first protocol packet source is not authorized to communicate with the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source.
- At least some embodiments also include apparatus for performing the processes described above and hereafter.
- FIG. 1 is a schematic view of a system including firewalls according to at least some aspects of the present invention
- FIG. 2 is a schematic view of an exemplary dual protocol data packet including a non-IP data packet embedded or encapsulated within an IP type data packet;
- FIG. 3 is a schematic view of an exemplary simple access control database that may be used by the firewalls of FIG. 1 ;
- FIG. 4 is a flow chart illustrating an exemplary access control restricting method wherein access to control devices is limited as a function of which source is used to attempt the control;
- FIG. 5 is a flow chart illustrating one exemplary secondary function that may be substituted for a portion of the method of FIG. 4 ;
- FIG. 6 is similar to FIG. 5 , albeit illustrating a different secondary security function
- FIG. 7 is similar to FIG. 5 , albeit illustrating a third security function
- FIG. 8 is a schematic illustrating an exemplary HMI/user database that may be employed by the firewalls of FIG. 1 ;
- FIG. 9 is a flow chart similar to the flow chart of FIG. 4 , albeit illustrating a method wherein device access is restricted as a function of user identity;
- FIG. 10 is an access control database similar to the database of FIG. 3 , albeit illustrating a more complex embodiment wherein, in addition to user identity, other non-packet characteristics are included, priority information is included and specific application restrictions are included;
- FIG. 11 is yet another exemplary access control database including restrictions as a function of user type and a specification that identifies types corresponding to specific users;
- FIG. 12 is a flow chart illustrating a sub-method that may be substituted for a portion of the method of FIG. 9 to facilitate prioritization of data packets when they are passed by the firewalls of FIG. 1 ;
- FIG. 13 is a flow chart of a sub-process that may be substituted for a portion of the process of FIG. 9 wherein the firewalls of FIG. 1 analyze multiple data packets when necessary to identify intended application and restrict as a function of applications to be performed;
- FIG. 14 is a flow chart illustrating yet another method according to at least some aspects of the present invention wherein a security server of FIG. 1 learns access requirements and populates a portion of an access control database corresponding to a specific HMI user type;
- FIG. 15 is a screen shot or window that may be provided via an administrator's interface of FIG. 1 for manually specifying access control for a particular system user;
- FIG. 16 is similar to FIG. 15 , albeit illustrating a different access control configuring window;
- FIG. 17 is a flow chart illustrating a method whereby a systems administrator manually specifies access control information;
- FIG. 18 is a schematic view of an exemplary dual protocol data packet including a CIP data packet embedded or encapsulated within an IP type data packet where the data packet corresponds to an unconnected send type service;
- FIG. 19 is a schematic view of an exemplary object path/service field as illustrated in FIG. 18 including a plurality of subfields;
- FIG. 20 is a flow chart illustrating a subprocess that may be substituted for a portion of the method of FIG. 4 for processing an unconnected send packet;
- FIG. 21 is similar to FIG. 18 , albeit illustrating a packet for initiating an unconnected forward open request service
- FIG. 22 is a schematic diagram illustrating a forward open table that may be generated and maintained by one of the firewalls in FIG. 1 for keeping track of open connection paths between sources and target network devices;
- FIG. 23 is similar to FIG. 18 , albeit illustrating a packet associated with an unconnected forward open reply service
- FIG. 24 is similar to FIG. 18 , albeit illustrating a packet corresponding to a connected send service
- FIG. 25 is similar to FIG. 18 , albeit illustrating a packet associated with an unconnected forward close service
- FIG. 26 is a portion of a flow chart illustrating a method that may be performed by one of the firewalls in FIG. 1 to form and eliminate open connection paths;
- FIG. 27 is another portion of the flow chart illustrated in FIG. 26 ;
- FIG. 28 is an exemplary access control database that is similar to the database of FIG. 3 , albeit including additional information;
- FIG. 29 is a schematic illustrating an exemplary server including a communication stack that is linked to a decapsulating firewall
- FIG. 30 is similar to FIG. 18 , albeit illustrating a spoofed response packet
- FIG. 31 is a flow chart illustrating a method associated with a communication stack.
- FIG. 32 is a sub-process that may be substituted for a portion of the method of FIG. 20 for generating a spoofed response packet.
- a device can be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, a microprocessor, a processing unit and/or a computer, and hardware (e.g., a sensor or actuator) performing a process, etc.
- Referring now to FIG. 1 , the present invention will be described in the context of an exemplary system 10 including a security subsystem 25 , source devices collectively identified by numeral 27 , a series of decapsulating firewalls, three of which are identified by numerals 28 , 30 and 31 , and an industrial control configuration 21 including a plurality of industrial control devices such as programmable logic controller PLC 1 and automated devices including devices D 1 , D 2 , D 3 , etc.
- PLC 1 , devices D 1 , D 2 , etc. are arranged in a manufacturing facility or the like to perform some industrial process.
- the devices may be arranged to automatically assemble automobile seat components including cushions, springs, motors, rollers, support mechanisms, headrest extensions, covering material, etc.
- In addition to PLCs that control other devices, the devices may include sensors, actuators, data collecting processors and devices, input/output concentrators, etc.
- the configuration 21 devices are linked via a network as illustrated.
- automated device D 6 is linked to automated device D 1
- device D 1 is linked to device D 0 and device D 0 is linked to PLC 1 .
- device D 6 is linked to device D 5 and device D 5 is linked to device D 4 .
- more than one device can be linked to another device.
- each of devices D 2 , D 3 and D 6 are linked to different output ports of device D 1 .
- Each of the devices D 0 , D 1 , D 2 , etc. is assigned a specific network address and includes a processor capable of identifying network communications transmitted to the associated address.
- the device processors are programmed to examine received information packets to identify if the device is the final destination device or simply one device in a transmission path to some other destination device. Where the device is the final destination device, the processor uses packet data to perform some associated process. Where the device is not the final destination device, the processor transmits at least a portion of the received packet information to the next device in the transmission path.
- industrial control components may be of various network types, including, but not limited to, EtherNet, DeviceNet, ControlNet, etc.
- device D 4 communicates with device D 5 via ControlNet while device D 5 communicates with device D 6 via DeviceNet and device D 1 communicates with device D 2 via EtherNet.
- one device may be capable of communicating in several different protocols, depending on the next device to which a packet is to be routed.
- device D 1 communicates via a DeviceNet protocol with each of devices D 2 and D 6 but communicates via a ControlNet protocol with device D 3 .
- Non-IP protocols differ from IP protocols in the way in which the packets of information that carry the protocol are formed and in the way in which networked devices use the packet information to route to a final destination device.
- IPs typically specify a packet source and a destination device and rely on routers and switches to deliver information packets from a source to a destination device
- non-IPs specify a specific network path through a chain of devices for delivering information packets from a source to a destination device.
- a non-IP packet may specify a path 37 including device D 4 , device D 5 , device D 6 , and so on all the way through to device DN.
- When device D 4 receives the CIP packet, device D 4 recognizes that the packet should be transmitted to device D 5 and performs that transmission. Similarly, when device D 5 receives the packet, device D 5 determines that the packet should be transferred to device D 6 and performs that transmission. This process continues until the packet is received by device DN.
- A second exemplary path 35 through PLC 1 and devices D 0 , D 1 , D 6 , etc. to device DN is also illustrated.
- In FIG. 1 , communications that originate outside configuration 21 are IP communications and the network over which those communications travel is referred to as an IP network 26 , while communications that originate within configuration 21 are referred to as non-IP communications (e.g., CIP communications, Data Highway Plus, etc.) and the network over which they travel (not labeled) is referred to as a non-IP network.
- sources 27 include any type of component that may be used to attempt to access any of the industrial control components or devices included in control configuration 21 .
- the term “access” is used in a general sense to refer to the ability to monitor, control, configure and/or obtains information from a destination device.
- each source 27 , etc. may also be used to access other devices linked to IP network 26 via pure IP communications.
- Exemplary sources S 2 , SN may include data monitoring and archiving servers, maintenance servers that analyze data obtained from system components and devices, other IP or non-IP networks including other devices, servers that perform control and safety operations with respect to system components and devices, etc.
- the sources may include human-machine interfaces (HMIs) to enable information technology personnel, maintenance personnel, an administrative person, etc., to access system devices and components.
- illustrated sources S 1 and S 3 are laptop computers that run browser software to interact with laptop users to facilitate access to configuration 21 devices.
- Other exemplary HMIs may include an electronic notepad, a personal computer, a palm pilot, a hand-held computer, a personal digital assistant, a mainframe computer, a cell phone, a “dumb” terminal, a tablet PC, etc.
- laptop S 1 will be referred to as HMI S 1 and a person using HMI S 1 will be referred to as a “user” unless indicated otherwise.
- Similarly, laptop S 3 will be referred to as HMI S 3 .
- While sources S 2 , SN, etc. may access or attempt to access configuration 21 devices either automatically (e.g., to periodically collect and archive operating data) or when a user performs some activating process, to simplify this explanation, access restriction will be described in the context of HMI S 1 unless indicated otherwise.
- Similarly, while HMI S 1 could be used to attempt to access any of the configuration 21 devices, unless indicated otherwise, the present inventions will be described in the context of activity that causes HMI S 1 to attempt to access device DN via path 37 (e.g., through devices D 4 , D 5 , D 6 , etc.).
- HMI S 1 accesses control devices in configuration 21 by forming and transmitting IP data packets via IP based network 26 that include information necessary to deliver the packets to the destination devices.
- system 10 components between HMI S 1 and a destination device within configuration 21 communicate using both IP and non-IP
- the data packet generated by HMI S 1 to access an industrial control device must include information that facilitates both routing on IP network 26 to a device at the “edge” of the IP network and subsequent routing via the non-IP network between configuration 21 devices.
- Exemplary packet 32 is a typical IP packet and, to that end, includes a frame that specifies packet source and destination device and a data field within the frame.
- the IP packet frame includes a source IP field 34 and an IP destination address field 36 as well as an end packet field 48 .
- the IP packet data field is identified by numeral 49 in FIG. 2 and includes fields 38 , 40 , 42 , 44 and 46 as illustrated.
- source ID field 34 includes information that identifies the packet source. For example, referring again to FIG. 1 , where HMI S 1 generates a packet, the information in field 34 identifies HMI S 1 as the source of the packet. Similarly, where source S 2 generates a packet, field 34 identifies source S 2 as the source of the packet.
- IP destination address field 36 includes an address corresponding to a destination device for the IP packet where the destination device is at the edge of the IP network.
- IP destination devices can only be devices that are directly linked to the IP network and that are capable of receiving IP packets.
- an exemplary IP target device linked to network 26 may include device D 4 , device DN+1 or PLC 1 while devices D 1 , D 5 , etc., that are not directly linked to the IP network 26 are not capable of being IP target devices.
- IP data field 49 is where data for delivery to a destination address is typically located.
- a non-IP data packet is encapsulated in field 49 where the packet includes non-IP path device address fields 38 , 40 , 42 and 44 and a non-IP data field 46 .
- the non-IP address fields 38 , 40 , 42 and 44 specify a string of addresses corresponding to non-IP devices and specify a path for non-IP routing.
- Data field 46 includes information that is to be delivered to the control device associated with the address specified in the last non-IP address field (e.g., field 44 ) of packet 32 .
- an exemplary data packet 32 will be described in the context of a case where a user logs on to HMI S 1 and performs some activity that requires HMI S 1 to transmit data to device DN.
- device DN is a temperature sensor
- the HMI S 1 user may use HMI browser software to request the current temperature reading of sensor DN which causes HMI S 1 to transmit a temperature read request to device DN.
- an HMI S 1 processor generates an information packet like packet 32 in FIG. 2 that identifies HMI S 1 as the source in field 34 .
- the packet will include the address of automated device D 4 in the IP destination address field 36 and will include the addresses of devices D 5 and D 6 through DN in non-IP path address fields 38 , 40 , 42 and 44 .
- the data to be delivered to device DN to facilitate access (e.g., to facilitate a temperature read in the above example) is stored in field 46 .
- IP network 26 identifies the IP destination address in field 36 and delivers the packet to device D 4 .
- When device D 4 receives the packet, device D 4 decapsulates the packet to identify the address of the next device in the path leading to device DN (i.e., identifies the address specified in field 38 ). In addition, device D 4 determines the device type of device D 5 (e.g., a ControlNet device, a DeviceNet device, etc.). Once the address in field 38 has been identified, device D 4 recapsulates the data in fields 40 , 42 , 44 and 46 in a manner that is understandable by the next path device.
- device D 5 is a ControlNet device and therefore the protocol used to communicate from device D 4 to device D 5 is ControlNet and therefore the information in fields 40 , 42 , 44 , and 46 is recapsulated in a manner consistent with the ControlNet protocol.
- device D 4 transmits the recapsulated ControlNet packet to device D 5 .
- When device D 5 receives the packet, device D 5 decapsulates the packet to identify the address specified in field 40 and also determines what type of device is associated with the next path address. After identifying the address specified in field 40 and the device type, device D 5 recapsulates the information in fields 42 , 44 and 46 to form a packet having a form consistent with the protocol used to communicate from device D 5 to the device specified in field 40 (see again FIG. 2 ). As illustrated in FIG. 1 , the DeviceNet protocol is used to communicate from device D 5 to device D 6 . The recapsulated packet is transmitted to device D 6 . This process of decapsulating to identify the next non-IP device in a path and then recapsulating and transmitting the recapsulated packet to the next non-IP device in the path continues until the data is received at the destination device DN.
- each source 27 has to have access to information about configuration 21 from which appropriate required paths to destination devices can be determined.
- the configuration information may be downloaded to a source like HMI S 1 whenever the source is initially linked to network 26 .
- the HMI S 1 (or any other source for that matter) may be programmed to browse configuration 21 and discover all devices and linkages within configuration 21 .
- HMI S 1 may be programmed to identify each device within configuration 21 that is directly linked to network 26 and thereafter, via dual protocol packets, cause each identified device to identify other devices linked thereto.
- When a new device is added to configuration 21 , any one of the sources 27 may be programmed to identify the new device and update the configuration 21 information for that source or for any of the other sources 27 .
- one of the sources may be programmed to periodically poll network devices to identify changes in configuration 21 .
- It is contemplated that, while it may be advantageous to allow sources 27 to access some of the industrial control devices within a system 10 and perform various activities with respect thereto, in at least some cases, it will be necessary to restrict the access and activities of one or more of the sources 27 .
- For example, where HMI S 1 is only used by maintenance personnel trained to analyze data associated with devices D 4 , D 5 , D 6 through DN and to control those devices, it would be advantageous to restrict HMI S 1 users so that HMI S 1 cannot be used to access other system 10 devices (e.g., PLC 1 , devices D 1 , D 2 , etc.).
- firewalls 28 , 30 and 31 are provided within system 10 to isolate subsets of the non-IP devices from sources 27 .
- firewall 28 is provided to isolate PLC 1 as well as devices D 0 , D 1 , D 2 , D 3 and D 6 through DN from sources 27 .
- firewall 30 isolates devices D 4 , D 5 and D 6 through DN from sources 27 while firewall 31 isolates device DN+2 from sources 27 .
- firewall 30 may also be programmed to act as a redundant firewall to isolate PLC 1 and devices D 1 , D 2 and D 3 from sources 27 .
- firewalls 28 and 30 are linked directly to IP network 26 and are outside control configuration 21
- firewalls may be provided within the non-IP network or configuration 21 itself so that access to non-IP devices isolated thereby is restricted by the firewall while access to other non-IP devices outside the firewall is not restricted by the firewall.
- firewall 31 between non-IP devices DN+1 and DN+2 isolates and restricts access to device DN+2 and does not restrict access to device DN+1.
- IP network 26 is linked directly to firewall 31 to allow server 14 and firewall 31 to communicate.
- firewalls could be interspersed within the non-IP network to provide different levels of access restriction.
- another firewall could be positioned between devices D 5 and D 6 to further restrict access to devices D 6 through DN.
- security subsystem 25 includes a security/configuration server 14 that is linked to an HMI (e.g., a personal computer) 16 and a database 24 .
- database 24 is linked to IP network 26 .
- database 24 includes an access control (AC) database which, as the label implies, includes rules that establish which industrial control devices within configuration 21 can be accessed via each source 27 .
- Referring to FIG. 3 , an exemplary access control database 50 includes a source column 52 and a device access column 54 .
- Source column 52 lists each one of the sources 27 in FIG. 1 , and therefore, includes sources S 1 , S 2 and S 3 through SN.
- Device access column 54 lists a subset of the control devices for each one of the sources in column 52 where the list of devices indicates the devices that may be accessed by the associated source in column 52 .
- For source S 1 , access column 54 lists devices D 4 , D 5 , D 6 through DN.
- For source S 2 , access column 54 includes an entry “All DN” which indicates that source S 2 can access all control devices within configuration 21 .
- Referring now to FIG. 4 , an exemplary access restricting method 62 according to at least some aspects of the present invention is illustrated where non-IP network access is restricted as a function of source device as well as destination device.
- It is assumed that an access control database 50 that specifies source and device access authority is stored in database 24 and that decapsulating firewalls 28 , 30 and 31 have been provided.
- a user of HMI S 1 performs an activity that causes HMI S 1 to encapsulate and transmit a dual protocol data packet 32 including encapsulated destination address information where the ultimate destination device is device DN.
- the data packet assembled by HMI S 1 identifies source S 1 in field 34 and the addresses of devices D 4 , D 5 and D 6 through DN in fields 36 , 38 , 40 , 42 and 44 , respectively.
- Data to be delivered to device DN is stored in data field 46 .
- Prior to packet 32 being received at device D 4 , the packet is intercepted at firewall 30 .
- firewall 30 decapsulates the received packet and identifies the device addresses in each of fields 36 , 38 , 40 , 42 and 44 as well as the source S 1 specified in field 34 .
- firewall 30 accesses the access control database 50 .
- firewall 30 uses access control database 50 to determine if HMI S 1 has authority to access the designated destination device DN.
- At decision block 78 , where HMI S 1 has authority to access designated destination device DN, control passes to block 80 where firewall 30 transmits the data packet to the IP target address specified in field 36 .
- the IP target address designates device D 4 and therefore, at block 80 , the packet is transmitted to device D 4 .
- routing consistent with non-IP network procedures continues until the packet data is delivered to the designated destination device DN.
- Referring now to FIG. 5 , a secondary security function 56 that may be substituted for block 82 in FIG. 4 is illustrated.
- Where HMI S 1 does not have authority to access destination device DN at block 78 , control passes to block 56 where firewall 30 transmits a message to HMI S 1 indicating that HMI S 1 has no right to access destination device DN.
- control passes back to block 68 and the method described above with respect to FIG. 4 continues.
- Referring to FIG. 6 , another exemplary secondary security function 58 that may be substituted for block 82 in FIG. 4 is illustrated.
- control passes from block 78 to block 58 where firewall 30 generates a log or archive that reflects the communication attempt.
- the log is recorded in an audit/archive database which forms part of database 24 .
- An exemplary log may identify various types of information about the attempted access including the source used to attempt access, information identifying the data from the packet, information identifying the path specified by the packet, the time at which the attempted access occurred, where more than one attempt to access occurs, the number of attempts, etc.
- control again passes to block 68 in FIG. 4 where the process described above continues.
- Referring to FIG. 7 , one other secondary security function 60 that may be substituted for block 82 in FIG. 4 is illustrated.
- control passes to block 60 where firewall 30 generates a warning signal indicating an unauthorized access attempt.
- the warning may be transmitted directly to security/configuration server 14 so that security or other administrative type personnel can determine if any action should be taken in response to the unauthorized access attempt.
- two or more of the secondary security functions described above with respect to FIGS. 5 through 7 may be performed when unauthorized access is attempted. For instance, in at least some cases, it is contemplated that a firewall 30 will generate a log of unauthorized access attempt as well as generate a warning indicating an unauthorized access attempt. Similarly, in other cases, the firewall may transmit a message to a source indicating no right to access a destination device, generate a log and generate a warning. Other secondary security functions are contemplated.
- In the embodiments described above, a firewall identifies the final destination device specified by a non-IP packet and restricts transmission past the firewall as a function thereof.
- Alternatively, the firewall may be programmed to identify all devices corresponding to addresses in the transmission path specified by the non-IP packet and may restrict further transmission when the source is not authorized to access any one or more of those devices.
- For example, referring again to FIG. 1 , when firewall 30 receives a data packet from HMI S 1 that specifies a path through devices D 4 , D 5 and D 6 through DN, firewall 30 would identify each of devices D 4 , D 5 and D 6 through DN in the packet and would halt transmission past firewall 30 where HMI S 1 is not authorized to access device D 5 , regardless of whether HMI S 1 is authorized to access the final destination device DN.
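The interception steps of FIG. 4 through FIG. 7, together with the every-path-device variant just described, as an added example in Python. This is not code from the patent: the wire layout of the dual protocol packet, the edge and path device address tables, the source addresses and the access control rows are all assumptions made for the illustration, and real CIP / EtherNet-IP encapsulation is laid out differently.

```python
"""Decapsulating firewall for dual protocol packets: FIG. 2 layout, FIG. 3 rules, FIG. 4-7 logic.

Assumed wire layout (not the real CIP / EtherNet-IP encapsulation): a 4-byte IPv4 source
(field 34), a 4-byte IPv4 edge-device destination (field 36), a one-byte hop count, one
byte per non-IP path address (fields 38..44) and the remaining bytes as the non-IP data
field (field 46).
"""
import ipaddress
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!4s4sB")  # source, edge destination, number of path addresses

# Constructed tables; device labels loosely follow FIG. 1, the addresses are invented.
EDGE_DEVICES = {"10.0.1.4": "D4", "10.0.1.1": "PLC1"}            # directly on IP network 26
PATH_DEVICES = {0x01: "D1", 0x05: "D5", 0x06: "D6", 0x07: "D7"}   # reachable only via a non-IP path
ALL = "ALL"
ACCESS_CONTROL = {                     # FIG. 3 style: source -> devices it may access
    "10.0.0.11": {"D4", "D6", "D7"},   # HMI S1; D5 deliberately left out
    "10.0.0.12": ALL,                  # source S2, the "All DN" entry
}
SECONDARY = ("deny-message", "log", "warn")  # FIG. 5, FIG. 6 and FIG. 7 performed together


@dataclass(frozen=True)
class DualProtocolPacket:
    source: str             # field 34
    ip_destination: str     # field 36: the device at the edge of the IP network
    path: tuple             # fields 38..44 in transmission order
    data: bytes             # field 46: delivered to the last path device


@dataclass(frozen=True)
class Verdict:
    forward: bool           # True: block 80, transmit to the IP target address
    reason: str
    actions: tuple = ()     # secondary security functions performed when restricted


def encapsulate(source, ip_destination, path, data):
    """Build the packet an HMI would transmit; the inverse of decapsulate()."""
    header = HEADER.pack(ipaddress.IPv4Address(source).packed,
                         ipaddress.IPv4Address(ip_destination).packed, len(path))
    return header + bytes(path) + data


def decapsulate(raw):
    """Open the IP frame and the embedded path; refuse to route on a truncated packet."""
    if len(raw) < HEADER.size:
        raise ValueError("packet shorter than the IP header")
    src, dst, hops = HEADER.unpack_from(raw)
    body = raw[HEADER.size:]
    if len(body) < hops:
        raise ValueError("embedded path truncated")
    return DualProtocolPacket(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                              tuple(body[:hops]), bytes(body[hops:]))


def devices_in_path(pkt):
    """Every device the packet touches: edge device first, final destination last."""
    names = [EDGE_DEVICES.get(pkt.ip_destination, "unknown-ip:" + pkt.ip_destination)]
    names += [PATH_DEVICES.get(a, f"unknown-addr:{a:#04x}") for a in pkt.path]
    return names


def inspect(raw, *, check_every_hop):
    """Firewall 30: intercept, decapsulate, consult the AC database, then pass or restrict.

    check_every_hop=False is FIG. 4 (only the final destination is checked);
    True is the variant in which every intermediate path device must be authorized too.
    """
    try:
        pkt = decapsulate(raw)
    except ValueError as exc:
        return Verdict(False, "malformed: " + str(exc), ("log", "warn"))  # no trusted source to answer
    permitted = ACCESS_CONTROL.get(pkt.source)
    if permitted is None:
        return Verdict(False, "unknown source " + pkt.source, SECONDARY)
    devices = devices_in_path(pkt)
    checked = devices if check_every_hop else devices[-1:]
    denied = [] if permitted == ALL else [d for d in checked if d not in permitted]
    if denied:
        return Verdict(False, f"{pkt.source} not authorized for {', '.join(denied)}", SECONDARY)
    return Verdict(True, f"forward to {pkt.ip_destination} toward {devices[-1]}")


if __name__ == "__main__":
    # Constructed read request from HMI S1 through D4, D5, D6 to D7; the data field is arbitrary.
    read_request = encapsulate("10.0.0.11", "10.0.1.4", [0x05, 0x06, 0x07], b"read-temp")
    print(inspect(read_request, check_every_hop=False))
    print(inspect(read_request, check_every_hop=True))
```

Run as a script, the request from HMI S 1 is forwarded when only the final destination is checked and is halted at D 5 when every path device is checked. A truncated packet is rejected before any table lookup, so the firewall never forwards on a half-parsed path, and an unknown source is treated as unauthorized rather than falling through to the permit branch.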
- Where HMIs such as HMI S 1 are usable by system users to access industrial control devices, access may also be restricted as a function of user identity.
- a first user U 1 using HMI S 1 may be restricted to accessing only a first subset of the control devices including devices D 1 , D 2 , D 5 , D 6 , D 7 and so on
- a second user U 2 is restricted to accessing only a second subset of the devices including devices D 1 , D 2 , D 8 , D 90 , D 101 , D 129 , etc., despite the fact that each of users U 1 and U 2 uses the same HMI S 1 at different times.
- Referring again to FIG. 3 , in addition to listing sources S 1 , S 2 , etc., column 52 also lists separate user identifiers U 1 , U 2 , U 3 , etc. For each user identifier in column 52 , device access column 54 lists a subset of the control devices and components accessible by the specific user. For example, for the user associated with user identifier U 1 , accessible devices include devices D 1 , D 2 , D 5 , D 6 , etc., while accessible devices for the user associated with identifier U 2 include devices D 1 , D 2 , D 8 , D 90 , D 101 , etc.
- security/configuration server 14 may be programmed to identify a user's identity whenever a user initially attempts to communicate via network 26 and prior to any attempts to access control devices. To this end, server 14 may be programmed to provide a log on agent 22 via HMI S 1 which requires a user name and password, uses biometric (e.g., fingerprint scan, iris scan, voice recognition, etc.) techniques, etc., to positively identify a user.
- server 14 may be programmed to associate the user with the specific HMI used by the user during the user identifying process.
- server 14 associates HMI S 1 with the specific user's identity.
- the associated source and user data is stored in an HMI/user database that forms part of database 24 (see again FIG. 1 ).
- HMI/user database 120 includes an HMI column 122 and a current user column 124 .
- HMI column 122 lists each of the HMI sources currently being used with system 10 .
- Column 124 lists a current user of each of the HMIs in column 122 . For example, column 124 indicates that user U 1 is currently using HMI S 1 , that user U 101 is currently using HMI S 3 , and so on.
- When a packet is intercepted, firewall 30 can identify the source of the packet in field 34 and can then access HMI/user database 120 (see again FIG. 8 ) to identify the current user of the HMI. Thereafter, firewall 30 can consult access control database 50 to identify the subset of control devices and components that are accessible by the identified user and can restrict access to the devices when appropriate.
- server 14 interrogates a user via HMI S 1 to identify the user's identity.
- server 14 correlates and stores the user identity with the HMI identifier S 1 in the HMI/user database when the user logs onto IP network 26 successfully.
- firewall 30 intercepts the packet and at block 102 , firewall 30 decapsulates the received packet to identify the path and destination device information as well as the source of the data packet (i.e., which HMI transmitted the packet). In the present example, the firewall 30 identifies HMI S 1 as the source of the packet.
- firewall 30 accesses the stored HMI/user database and identifies the user currently associated with HMI S 1 . In the present example, firewall 30 identifies user U 1 at block 104 .
- firewall 30 accesses access control database 50 (see again FIG. 3 ).
- firewall 30 uses database 50 to determine if user U 1 has authority to access designated target DN.
- Where user U 1 does not have authority to access target DN, control passes to block 114 where a secondary security function is performed.
- the secondary security function may be any of the functions described above with respect to FIG. 5 , 6 or 7 , may be a subset of those functions or may be any other suitable security function.
- control passes back up to block 98 where the process described above is repeated.
- the user identifying subprocess may be performed by each of the decapsulating firewalls 28 , 30 , 31 , etc.
- firewall 30 may be programmed to identify the packet source in field 34 and perform an interrogation of the user currently employing the source prior to decapsulating the other portions of the data packet.
- the firewall may be programmed to store correlated HMI/user information in a HMI/user database 120 like the one illustrated in FIG. 8, where each HMI/user association (e.g., HMI S 1 with user U 1) is recorded.
- After a certain period of time (e.g., 30 minutes), an HMI/user association may be broken.
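The user-identifying subprocess above (blocks 102 through 114 of process 90), written out as an added example; this is not code from the patent. It models HMI/user database 120 with the 30-minute association timeout the page gives as an example, the simple access control database 50 from FIG. 3, and the secondary security function as a returned decision. The HMI and user names, device lists, login times and the dict-shaped packet are constructed sample values, and the `deny_list` switch covers the alternative embodiment described later on the page in which column 54 lists inaccessible rather than accessible devices.

```python
"""Decapsulating-firewall access check (process 90 of FIG. 9).

Added example, not code from the patent: models HMI/user database 120 with
an association timeout and the simple access control database 50. Users,
HMIs, devices and login times are constructed sample values.
"""
from datetime import datetime, timedelta


def sample_time(hour, minute=0):
    """Constructed clock value for the examples below (fixed sample date)."""
    return datetime(2024, 1, 1, hour, minute)


# Constructed HMI/user database 120: HMI id -> (user, time the user logged on).
HMI_USER_DB = {
    "S1": ("U1", sample_time(9, 0)),
    "S2": ("U2", sample_time(8, 0)),
}

# Constructed access control database 50: user -> devices listed in column 54.
ACCESS_DB = {
    "U1": {"D1", "D2", "D5", "D6"},
    "U2": {"D2"},
}

# Assumed association lifetime; the page gives 30 minutes as an example.
ASSOCIATION_TTL = timedelta(minutes=30)


def current_user(hmi, now):
    """Block 104: the user currently associated with the source HMI, or None
    when there is no association or the association has been broken."""
    entry = HMI_USER_DB.get(hmi)
    if entry is None:
        return None
    user, logged_on = entry
    if now - logged_on > ASSOCIATION_TTL:
        return None
    return user


def decapsulate(packet):
    """Block 102: read source HMI and destination device from a constructed
    dict-shaped packet (the page carries these in fields 34 and 36)."""
    return packet["source"], packet["destination"]


def check_packet(packet, now, deny_list=False):
    """Blocks 102-110. Returns ("forward", user) for block 112 or
    ("secondary_security", reason) for block 114.

    deny_list=True reads ACCESS_DB rows as devices the user may NOT access,
    the alternative embodiment in which column 54 lists inaccessible devices.
    """
    hmi, target = decapsulate(packet)
    user = current_user(hmi, now)
    if user is None:
        return ("secondary_security", "no current user for HMI " + hmi)
    listed = target in ACCESS_DB.get(user, set())
    allowed = (not listed) if deny_list else listed
    if not allowed:
        return ("secondary_security", "user %s may not access %s" % (user, target))
    return ("forward", user)
```

An unknown HMI, an expired association and a device missing from the user's list all land in the secondary security branch, so the check fails closed; only a fresh association plus an explicit listing forwards the packet.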
- access may be restricted in other ways as well.
- While it may be appropriate for HMI users inside a facility to access control devices, persons outside a manufacturing facility often should not be able to access control devices within the facility.
- For example, when HMI S 1 is used in an attempt to access configuration 21 devices from a location outside a facility associated with configuration 21, access should be restricted while, when HMI S 1 is within the facility, a lesser amount of restriction may be appropriate.
- To identify HMI location any of several different systems can be employed. For example, where HMI S 1 has to be physically linked via hardwire to network 26 , location can be determined by identifying the location of the linkage.
- HMI S 1 is equipped for wireless communication within a facility or outside the facility
- access points or the like can be used to generate data usable through a triangulation or other type procedure to identify the location of HMI S 1 .
- Methods for using wireless signals to identify HMI location are well known and therefore are not described herein in detail.
- Subsets of those non-packet characteristics can also be used in combination to restrict access.
- user U 1 may be restricted such that user U 1 can only access device D 2 between 10:00 A.M. and 11:00 A.M., but during that time, may be able to access device D 2 from any location while user U 2 is restricted such that user U 2 can access device D 2 between 9:00 A.M. and 4:00 P.M. but can only access device D 2 during that time period when an HMI used by user U 2 is within a first zone (i.e., zone 1) within the facility.
- access to certain devices could be restricted as a function of non-user and non-source non-packet characteristics such as time, source location, etc. For instance, when a source is located outside a facility associated with configuration 21 , irrespective of which source is used to attempt access or, in the case of an HMI, which user is using the HMI, access may be prohibited. Similarly, access may also be prohibited to certain devices during hours outside a normal business day irrespective of source or HMI user identity.
- Referring to FIG. 10, an exemplary relatively more detailed access control database 126 is illustrated which includes, among other columns, a user column 128, a device access column 130, a time column 132 and a location column 134.
- User column 128 lists the users U 1 , U 2 , etc. that are authorized to access system 10 for any purpose.
- Access column 130 lists a subset of configuration 21 devices for each one of the users in column 128 that are accessible by the user. For example, for user U 1 , column 130 lists devices D 1 , D 2 , D 5 , D 6 , etc.
- time column 132 specifies a period for each combination of a user and one of the devices or a subset of the devices listed in column 130 .
- column 132 lists a time period between 9:00 A.M. and 4:00 P.M. which means that user U 1 can access device D 1 during the period between 9:00 A.M. and 4:00 P.M.
- column 132 lists the time period between times 10:00 A.M. and 11:00 A.M. which indicates that user U 1 can access device D 2 during the one hour between 10:00 and 11:00 A.M.
- An “All” designation in column 132 indicates that an associated user in column 128 can access an associated device in column 130 at any time.
- location column 134 lists location restrictions for each user-device combination in columns 128 and 130. For example, for the combination including user U 1 and either of devices D 5 or D 6, location column 134 indicates that the devices D 5 and D 6 can only be accessed by user U 1 when an HMI used by user U 1 is located within a Zone 7 within a facility. An “All” designation in column 134 indicates that access can be had from any location in which an HMI is linkable to IP network 26.
- While database 126 is more complicated than the previously described access control database 50 illustrated in FIG. 3, it should be appreciated that operation of firewalls in a manner consistent with database 126 is similar to operation using simple database 50. To this end, referring again to FIGS. 1 and 9, process 90 in FIG. 9 performed by server 14 and the firewalls would be similar to the process described above except that at blocks 106 through 110, a firewall would use the additional non-packet information or characteristics in database 126 to determine whether or not the user has authority to access the designated target device or component. For instance, where firewall 30 identifies user U 1 at block 104 and the designated destination device is D 5, at block 108, firewall 30 determines that access by user U 1 to device D 5 can only occur between 9:00 A.M. and 4:00 P.M. and only when the HMI used by user U 1 is within Zone 7.
- Firewall 30 can identify the current time and compare it to the required period and can obtain HMI location information from a device tracking system (not illustrated) and compare that information to the boundaries that define Zone 7. Where the user's HMI is within Zone 7 and the current time is between 9:00 A.M. and 4:00 P.M., user U 1 is authorized to access device D 5 and control passes to block 112 . Where the HMI is not located in Zone 7 or the current time is not within the time period 9:00 A.M. to 4:00 P.M., control passes to block 114 where a secondary security function is performed.
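The decision at blocks 106 through 110 against database 126, as an added example rather than code from the patent. Rows hold the user, device, time and location columns (128, 130, 132, 134) with the sample values the page names; the zone of the HMI is assumed to arrive from the device tracking system the page mentions, and an unknown zone fails closed unless the row says "All". Support for a time period that crosses midnight is a generalisation the page does not show.

```python
"""Access decision against the more detailed access control database 126.

Added example, not code from the patent. Rows are (user, device, time window,
location) for columns 128, 130, 132 and 134; "All" means unrestricted. Rows
and zones are constructed sample values, and time windows that cross
midnight are a generalisation the page does not show.
"""
from datetime import time


def clock(hour, minute=0):
    """Constructed wall-clock value for the examples below."""
    return time(hour, minute)


# Constructed rows of database 126.
ACCESS_DB_126 = [
    ("U1", "D1", (clock(9), clock(16)), "All"),
    ("U1", "D2", (clock(10), clock(11)), "All"),
    ("U1", "D5", (clock(9), clock(16)), "Zone 7"),
    ("U1", "D6", (clock(9), clock(16)), "Zone 7"),
    ("U2", "D2", (clock(9), clock(16)), "Zone 1"),
]


def in_window(window, now):
    """Column 132 check: "All" or an inclusive (start, stop) period."""
    if window == "All":
        return True
    start, stop = window
    if start <= stop:
        return start <= now <= stop
    return now >= start or now <= stop   # period crossing midnight


def location_ok(required, hmi_zone):
    """Column 134 check. hmi_zone comes from a device tracking system; an
    unknown location (None) fails closed unless the row says "All"."""
    return required == "All" or (hmi_zone is not None and hmi_zone == required)


def decide(user, device, now, hmi_zone):
    """Blocks 106-110 against database 126: "block 112" forwards the packet,
    "block 114" runs the secondary security function."""
    for row_user, row_device, window, location in ACCESS_DB_126:
        if row_user == user and row_device == device:
            if in_window(window, now) and location_ok(location, hmi_zone):
                return "block 112"
            return "block 114"
    return "block 114"   # no row: the user has no authority for the device
```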
- One other way to restrict device and component access is to restrict the access as a function of employee type or training of a particular user type.
- For example, many facilities may employ maintenance engineers, commissioning engineers, industrial engineers, plant managers, line operators, operators of specific line types, etc. While each of these types of employees likely will require access to some control devices to perform their jobs, in most cases, the subsets of devices that need to be accessed by the different employees will be different.
- job titles that reflect user types may be assigned to each system 10 user and different access rights may be provided as a function of the user type. For instance, a maintenance engineer may be authorized to access a first subset of control devices while a line operator may be authorized to access a second subset of control devices.
- when a firewall 30 receives a packet and uses packet information to identify the user of the HMI (e.g., laptop S 1) used to transmit the packet, the firewall may further be programmed to identify the job title associated with the user and thereafter to identify the subset of devices and components accessible by the specific user.
- Referring to FIG. 11, database 140 includes a type-device access section 142 and a user type section 150.
- Section 142 includes a user type column 146 and an access column 148 .
- User type column 146 lists user types for each of the different types of employees that may require access to any control devices with configuration 21 .
- user types include a maintenance engineer, a commissioning engineer, a plant manager, a line 3 operator, etc.
- Access column 148 lists a subset of devices accessible by each one of the user types in column 146 . For example, devices D 4 , D 5 , D 6 , etc. are listed for the maintenance engineer designation in column 146 while devices D 1 , D 2 , D 8 , D 90 , etc. are listed for the commissioning engineer designation in column 146 .
- user type section 150 includes a user column 152 and a type column 144 .
- Each of the system 10 users authorized to access at least one control device is listed in column 152 .
- users U 1 and U 2 as well as other users are listed in column 152 .
- Type column 144 lists a user type for each one of the users in column 152 .
- the user type “maintenance engineer” has been assigned to each of users U 1 and U 2 in column 152 while type “commissioning engineer” has been assigned to user U 3 in column 152 .
- the firewall uses database 140 to determine whether or not the user has authority to access the designated destination device. To this end, the firewall first uses user characteristics section 150 of database 140 to determine the type of user (e.g., maintenance engineer, commissioning engineer, plant manager, etc.). Assuming that user U 1 caused the packet to be transmitted, the firewall uses section 150 to determine that user U 1 is a maintenance engineer. Next, after identifying the user type, the firewall uses database section 142 to identify devices that the user is authorized to access and restricts as a function of the device list in column 148 .
- Referring again to FIG. 10, in at least some embodiments access control database 126 also includes a priority column 136 which lists different priorities for each one of the user and device combinations in columns 128 and 130.
- a priority P 3 is listed in column 136 for the combination including user U 1 and device D 1 while a priority P 1 is provided in column 136 for the combination including user U 1 and device D 5 in columns 128 and 130 , respectively, where priority P 1 is a higher priority than priority P 3 .
- non-IP network communications all have assigned priority values so that when a firewall (e.g., see 30 in FIG. 1) transmits a packet, the priority assigned to the packet by the firewall can be compared to the priorities of non-IP network packets and the packet can be routed accordingly.
- Referring to FIG. 12, an exemplary sub-process 250 that may be substituted for block 112 in FIG. 9 is illustrated.
- control passes from block 110 to block 252 where firewall 20 accesses the priority data in database 126 (see again FIG. 10).
- the firewall uses the priority data in column 136 to identify the priority of a packet having the non-packet characteristics associated therewith listed in columns 128 , 130 , 132 and 134 .
- the firewall transmits the packet to the destination device or component in a manner consistent with the priority data.
- device access may be limited or restricted on an application by application basis.
- an applications column 135 is provided within database 126 where applications column 135 lists separate applications for each one of the user and device combinations in columns 128 and 130, respectively.
- column 135 lists applications A 1 , A 3 and A 4 meaning that only applications A 1 , A 3 and A 4 can be affected by user U 1 on device D 1 .
- applications A 2 and applications A 5, A 6 and so on cannot be performed by user U 1 on device D 1.
- the firewalls will be programmed to accumulate information packets intercepted thereby until intended applications associated with the accumulated packets can be identified from the packet information. For instance, in one simple case, a firewall may have to accumulate 100 information packets in order to identify a specific type of application to be affected by the accumulated packets. Here, the firewall would store the packet information until sufficient information is available to identify the intended application. Once the intended application is identified, the firewall accesses database 126 and determines whether or not the intended application is authorized (e.g., whether or not the application appears in the listing in column 135 corresponding to the user and device combination in columns 128 and 130 , respectively).
- Referring to FIG. 13, a sub-method 270 that may be substituted for blocks 102, 104, 106, 108 and 110 in FIG. 9 is illustrated.
- control passes to block 272 in FIG. 13 .
- the firewall decapsulates the received data packet to access target information, packet data and the packet source (e.g., to identify the HMI that transmitted the packet).
- the firewall accesses the stored HMI/user database and identifies the HMI user.
- the firewall accesses the access control database 126 (see again FIG. 10 ).
- the firewall uses the packet data to attempt to identify the intended application to be performed on the target device.
- control passes to block 282 where the packet information is stored.
- the firewall receives the next data packet and control passes back up to block 272 where the decapsulating and analysis process is repeated as described above.
- the firewall uses the access control database 126 to determine if the user has authority to access the designated destination device and to affect the intended application.
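Sub-method 270 (accumulate packets at block 282 until the intended application can be identified, then check the applications column 135 and apply the priority column 136) as an added example; it is not code from the patent. The application classifier is a constructed stand-in that recognises an application once three accumulated packets carry the same marker, standing in for whatever analysis of packet data a real firewall would perform; the database slice and packets are constructed sample values.

```python
"""Sub-method 270: buffer packets until the intended application is known,
then authorize it against column 135 and tag it with the column 136 priority.

Added example, not code from the patent. The classifier, the database slice
and the packet shape are constructed stand-ins.
"""
from collections import defaultdict

# Constructed slice of database 126: (user, device) -> (allowed apps, priority)
APP_DB = {
    ("U1", "D1"): ({"A1", "A3", "A4"}, "P3"),
    ("U1", "D5"): ({"A2"}, "P1"),
}

PACKETS_TO_IDENTIFY = 3   # assumption; the page's simple case needs 100


def identify_application(packets):
    """Stand-in classifier (assumption): an application is identified once
    PACKETS_TO_IDENTIFY accumulated packets carry the same 'app' marker."""
    markers = [p["data"]["app"] for p in packets if "app" in p["data"]]
    if len(markers) >= PACKETS_TO_IDENTIFY and len(set(markers)) == 1:
        return markers[0]
    return None


class ApplicationFilter:
    def __init__(self):
        # Block 282: stored packet information keyed by (user, device).
        self.pending = defaultdict(list)

    def handle(self, user, device, packet):
        """Returns ("stored", count) while accumulating (blocks 280-282),
        ("forward", priority, stored_packets) once an authorized application
        is identified, or ("secondary_security", app) when column 135 does
        not list the application for this user/device combination."""
        key = (user, device)
        self.pending[key].append(packet)
        app = identify_application(self.pending[key])
        if app is None:
            return ("stored", len(self.pending[key]))
        stored = self.pending.pop(key)
        allowed, priority = APP_DB.get(key, (set(), None))
        if app not in allowed:
            return ("secondary_security", app)
        return ("forward", priority, stored)
```

Packets are released only as a batch once the application is known, so a stream whose application can never be identified is never forwarded; a production implementation would also bound the buffer per source to avoid holding packets indefinitely.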
- security server 14 may be useable in a learn mode or during a learning process to monitor use of an HMI by a particular user type to identify expected control device access for that user type so that the security server 14 can establish access control rules for populating an access control database.
- prior to a learning procedure for a specific user type no restrictions have been specified in an access control database for restricting user access to the industrial control devices in configuration 21 .
- an HMI user of the type associated with the specific process performs various tasks required to perform his job.
- the user's HMI forms and transmits data packets on IP network 26 that designate destination devices within configuration 21 .
- when one of the firewalls 28, 30, 31, etc. receives a data packet from the HMI, the firewall passes the packet on to the destination device without restriction.
- Security server 14 is programmed to monitor communications between the HMI and the configuration 21 devices and store records of device access.
- the firewalls 28 , 30 , 31 , etc. may cooperate to transmit copies of information packets from HMIs currently being tracked by server 14 to server 14 so that server 14 can store records of device access.
- the server 14 may also identify and store other non-packet characteristics such as the times at which the access occurs, the locations of the HMI when access occurs, the frequency of access, etc.
- server 14 may also be programmed to identify the nature of the access performed by an HMI during a learning process.
- server 14 may be programmed to determine whether or not the access was associated with a monitoring activity, a value setting or control activity, a data exchange or some other type of activity. After a learning process has been completed, server 14 can use the stored access information to populate a portion of an access control database like database 50 in FIG. 3 in a simple case or, to populate a more complex control database like database 126 in FIG. 10 or database 140 in FIG. 11 .
- a system administrator uses HMI 16 to place security server 14 in a learning mode so that server 14 can identify access typically required of a specific user type.
- the administrator uses HMI 16 to specify a specific user type and to specify an HMI to be tracked.
- the administrator may indicate that the current learning procedure will be used to identify access activity required by a maintenance engineer and may specify HMI S 1 as the HMI to be tracked during the learning process.
- server 14 tracks device access by HMI S 1 .
- server 14 stores HMI S 1 access information.
- server 14 monitors for some indication that the learning process should be ended (e.g., a learn process complete signal from HMI 16 ).
- control loops back up to block 236 where the process including blocks 236 , 238 and 240 is repeated.
- server 14 updates the access control database.
- the changes to the access control database may result in supplementing a type/device access section 142 of an access control database as illustrated in FIG. 11 where device access indicates devices accessed via HMI S 1 during the learning process.
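The learning process just described (blocks 236 through 240 and the database update that follows), as an added example rather than code from the patent. A chosen HMI is tracked for a chosen user type, copied packets are recorded without being restricted, and on the learn-complete signal the recorded devices populate a type/device access section like section 142 together with the non-packet characteristics the page lists (times, locations, frequency, activity kind). The packets, the "HH:MM" time strings and the mapping from a packet's service to an activity kind are constructed assumptions.

```python
"""Learning mode of security server 14 (blocks 236-240 on the page).

Added example, not code from the patent: while a chosen HMI is tracked for
a chosen user type, every packet copied to the server is recorded
unrestricted; at the end the records populate a type/device access section
like section 142 and a summary of non-packet characteristics. Packets, the
activity classifier and the time strings are constructed.
"""
from collections import Counter


def classify_activity(packet):
    """Assumed mapping from a packet's service to the activity kinds the page
    names (monitoring, value setting/control, data exchange, other)."""
    service = packet.get("service", "")
    if service == "read":
        return "monitoring"
    if service == "write":
        return "value setting/control"
    if service == "exchange":
        return "data exchange"
    return "other"


class LearningServer:
    def __init__(self):
        self.tracking = None           # (user type, HMI) while learning
        self.records = []              # stored HMI access information
        self.type_device_access = {}   # section 142: user type -> devices

    def start_learning(self, user_type, hmi):
        """Administrator names the user type and the HMI to track."""
        self.tracking = (user_type, hmi)
        self.records = []

    def observe(self, packet):
        """Block 238: store a record for packets from the tracked HMI. Returns
        True when a record was stored. The packet itself is never blocked."""
        if self.tracking is None or packet["source"] != self.tracking[1]:
            return False
        self.records.append({
            "device": packet["destination"],
            "time": packet["time"],          # "HH:MM" sample strings
            "zone": packet.get("zone"),
            "activity": classify_activity(packet),
        })
        return True

    def finish_learning(self):
        """Learn-complete signal: update the access control database and
        return the learned non-packet characteristics."""
        user_type, _ = self.tracking
        self.tracking = None
        devices = {r["device"] for r in self.records}
        self.type_device_access.setdefault(user_type, set()).update(devices)
        times = sorted(r["time"] for r in self.records)
        return {
            "user_type": user_type,
            "devices": devices,
            "first_access": times[0] if times else None,
            "last_access": times[-1] if times else None,
            "zones": {r["zone"] for r in self.records if r["zone"]},
            "activity_counts": Counter(r["activity"] for r in self.records),
            "access_count": len(self.records),
        }
```

The returned summary is what an administrator would review in the hybrid mode described further down the page before the learned rows are trusted: a learning run that recorded access to a device the user type should never touch is visible here rather than silently becoming policy.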
- HMI 16 may also be used by a system administrator to manually specify access control information.
- server 14 may be provided with a full specification related to the industrial control devices that form configuration 21 so that information related to configuration 21 can be provided via HMI 16 allowing the administrator to manually select devices or subsets of the devices to be accessible by specific system users, specific sources (e.g., specific laptops, specific servers and databases, etc.), and, where contemplated, to specify other non-packet characteristics to affect access restriction.
- the configuration 21 information presented via HMI 16 may take any of several different forms including, but not limited to, a hierarchical list of control devices, a graphic view of the control devices such as a tree, an iconic graphical view, etc.
- Referring to FIG. 15, window 180 includes instructions 182 to guide an administrator to provide information required to provide access control information.
- window 180 includes a sub-window 184 in which a configuration graphic consistent with configuration 21 in FIG. 1 is presented where each control device within configuration 21 is separately presented and linking relationships therebetween are also shown.
- a mouse controllable selection icon 194 is provided that can be moved within sub-window 184 to point to different control devices therein.
- a selection activity (e.g., a double click on a controlling mouse) while icon 194 points to a control device selects that device, which is then highlighted. In FIG. 15, each of devices D 4 and D 5 is shown as being highlighted via cross-hatches therethrough.
- a double arrow icon 181 is provided adjacent a user indicator field 195 which, in FIG. 15 , indicates user U 1 .
- icon 181 may be used to scroll through different known system users for which access control information has already been placed in the access control database so that the administrator can easily switch from one user to the next during a specifying procedure. Where access control information has already been stored for one of the users, when the administrator scrolls to that user's identity via icon 181 , in at least some cases, it is contemplated that a graphic of configuration 21 for the specific user would automatically be provided within sub-window 184 and would indicate, via highlighting, devices controllable by a particular user.
- window 180 also includes an enter icon 186 .
- After device icons to be accessible by a specific user have been selected via sub-window 184, when enter icon 186 is selected, in at least some cases, a simple access control database like database 50 in FIG. 3 is supplemented for the specific user.
- Where additional non-packet characteristics are to be used to restrict device access, other specifying tools may be provided via interface 16.
- For example, when icon 186 is selected in FIG. 15, another HMI window like window 200 in FIG. 16 may be provided.
- additional instructions 202 are provided for a system administrator to guide the administrator in specifying other important non-packet characteristics for restricting access.
- the instructions indicate that for the devices D 4 and D 5 that were selected via sub-window 184 in FIG. 15 , the administrator should indicate access times and specify required locations for the specific user to access.
- for each of devices D 4 and D 5, a separate non-packet characteristics specifying window 217 and 221, respectively, is provided.
- windows 217 and 221 are similar and therefore, in the interest of simplifying this explanation, only aspects of window 217 corresponding to device D 4 will be described here.
- start and stop time fields 219 and 218 are provided that can be used by the administrator to specify start and stop times at the beginning and end of a period during which the particular user should be able to access device D 4 , respectively.
- two headed arrow icons are provided in each of the time fields 219 and 218, only one of which (icon 215) is labeled. The two headed arrow icons may be selected via mouse controlled cursor 208 to change the corresponding start or stop time.
- window 217 also includes a location restriction sub-window 223 that can be used to specify locations in which the particular user should be able to access device D 4 .
- a list of possible location restricting spaces is provided including an “All” designation, a Zone 1 designation, a Zone 2 designation, etc.
- Cursor 208 can be used to select one of the location restriction designations.
- a selection box 225 is provided around the selected location restriction designation. For example, in FIG. 16 , box 225 is provided around the All designation indicating that, as currently set, the user should be able to access device D 4 from all locations.
- a double headed arrow icon 227 is provided within window 223 to allow the administrator to scroll through location restriction designations where more than the four illustrated designations are possible.
- window 200 also includes an enter icon 204 and a double headed arrow icon 206 near a lower edge thereof.
- Double headed arrow icon 206 can be used to scroll through different device windows like windows 217 and 221 when more than two devices are selected via sub-window 184 in FIG. 15 .
- server 14 compiles the information specified via windows 180 and 200 and supplements an access control database similar to the database illustrated in FIG. 10 .
- a method or process 160 for manually configuring an access control database using an administrator's HMI is illustrated.
- a control configuration specification (e.g., a graphical specification or a directory view type specification) is provided via an administrator's interface 16.
- device selection tools and non-packet characteristics setting tools where necessary, like tools illustrated in FIG. 15 or 16 or tools akin thereto, are provided via HMI 16 .
- the access restriction information is provided to server 14 which, at block 174 , updates the access control database.
- a hybrid system may be provided wherein, during a learning process, the server 14 performs a process similar to the process described above. Thereafter, an administrator may use interface tools like those described above with respect to FIGS. 15 and 16 to analyze the access control information that resulted from the learning process and to modify that access information. To this end, for example, referring again to FIG. 15 , after a learning process for user U 1 , the administrator may access a screen shot like the one illustrated in FIG. 15 for user U 1 where all accessed devices are shown as highlighted.
- the administrator may either move on to a screen like that shown in FIG. 16 to see the non-packet characteristics that resulted from the learning process or may manually select other devices via sub-window 184 to be accessible or deselect highlighted devices in sub-window 184 that should not be accessible.
- while access control information is described above as indicating devices that can be accessed and non-packet characteristics that correspond to access rights, in other embodiments the access control information may instead identify devices that cannot be accessed or non-packet characteristics that correspond to inaccessible conditions.
- the device access list in column 54 may list devices D 3 , D 8 , D 9 , etc., that are not accessible by user U 1 and in that case the firewalls would only allow access to devices that are not listed in column 54 .
- while firewalls 28, 30 and 31 are illustrated as being separate devices or components within the overall system 10, it should be appreciated that each one of the firewalls may take any of several different forms.
- firewall 28 may be embedded within PLC 1 , may be its own standalone device or may run on a remote server.
- while firewalls 28 and 30 are shown as being located between sources 27 and the devices within network 21, firewalls may be linked to the other components described in any of several ways and the devices and sources may be programmed to communicate accordingly. For instance, in at least some applications firewalls 28 and 30 may be programmed to physically intercept any communications transmitted to destination devices within network 21 even if those communications do not specify one of the firewalls as a path device. Thus, for example, where source S 1 is used to transmit a packet identifying the address of PLC 1 as the IP destination (see field 36 in FIG. 2), firewall 28 may be programmed to monitor network 26 for all communications specifying PLC 1 as an IP address and to then intercept those communications to be scrutinized as described above.
- firewalls may be employed and referenced as network devices that separate network 21 from sources 27 .
- firewalls 28 and 30 may be placed within the overall network so that the firewalls physically separate network 21 from sources 27 .
- when a source is used to access/control one of the devices within network 21, the source may be programmed to route a data packet to one of the firewalls as if the firewall was one of the devices within network 21.
- a packet may specify the address of firewall 28 in IP destination address field 36 and the Non-IP path address fields 38 , 40 , etc., may then specify the network devices PLC 1 , D 0 , D 1 , etc. In this case the data packets are not intercepted by the firewalls but are directed specifically to the firewalls as part of the network 21 .
- one example of a second or embedded protocol that may be embedded in an IP packet is the CIP protocol.
- In addition to specifying a routing or communication path for packets, the CIP protocol also enables specification of specific activities that should be performed by a target network device. To this end, the CIP protocol enables specification of a specific “object” associated with a target network device that is associated with a packet as well as a service to be performed at, by or related to the object. With respect to the “object” concept, this concept contemplates a hierarchical organization of device functions and features including, in at least some cases, a class level, an instance level and an attributes level. For instance, an exemplary class may include a general class of devices such as proximity sensors. An instance of a proximity sensor, as the label implies, is a single occurrence of a proximity sensor.
- a single network device may include three instances of the proximity sensor class (i.e., the device includes three separate proximity sensors).
- Instance attributes are functional or operational characteristics associated with either a class or an instance of a class.
- a proximity sensor may be able to be operated in either one of two different ways. First, a proximity sensor may be able to precisely sense proximity of a part at a station along a transfer line and generate a variable signal to indicate a precise distance between the sensor and the part. Second, the proximity sensor may be able to operate in a binary fashion to indicate either presence or absence of a part at a transfer line station.
- the mode of sensor operation (i.e., binary or precise) may be an attribute of the proximity sensor class, while an attribute of an instance may be the value (i.e., 1 or 0) of the sensor at a specific time.
- a service to be performed on the proximity sensor class may be to change the mode of operation from binary to precise using a write command.
- a service that may be performed on an instance of a proximity sensor that is operating in the binary mode may be to read the sensor value.
- a firewall 30 may be programmed to examine an intended routing path through the network 21 devices, the target device, the target object (i.e., class-attribute, class-instance-attribute, etc.) at a target device and perhaps the service to be performed at, by or to the target object.
- The process wherein a firewall examines target objects and services is referred to hereinafter as “object filtering”.
- An exemplary database 562 that may be maintained within database 24 for supporting object filtering is illustrated.
- Exemplary database 562 includes a source column 552 , a device column 554 , a class column 556 , an instance column 558 , an attribute column 560 and a service column 564 .
- Source column 552 lists each of the sources that may, for any purpose, access devices within non-IP network 21 .
- exemplary sources in column 552 include sources S 1, S 2.
- Device column 554 includes a separate list of non-IP network devices corresponding to each of the sources in column 552 .
- column 554 includes devices D 1 and D 2 corresponding to source S 1 in column 552.
- the devices associated with a source in column 552 include any non-IP network devices that the corresponding source can access for any reason.
- class, instance and attribute columns 556 , 558 and 560 are used to specify different device objects corresponding to each of the devices in column 554 .
- the combination including class C 1 and attribute A 1 specifies a specific attribute of a specific class associated with device D 1 .
- the combination including class C 1, instance I 1 and attribute A 4 specifies a different object associated with device D 1.
- Other class, instance and attribute combinations are contemplated and a small subset thereof are illustrated in columns 556 , 558 and 560 . As shown, more than one attribute may be associated with a class or instance and more than one instance may be associated with a single class.
- Service column 564 specifies one or more services or functions that are associated with each of the attributes in column 560 .
- a first service Ser 1 is associated with attribute A 1 in column 560 .
- two services Ser 1 and Ser 2 are associated with attribute A 2 in column 560 .
- a service Ser 22 corresponds to an object including class C 1, instance I 1 and attribute A 4 related to device D 1 and source S 1 in columns 554 and 552, respectively, which means that source S 1 is authorized to initiate service Ser 22 for device D 1 and the related object corresponding to the combination of class C 1, instance I 1 and attribute A 4.
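Object filtering against a database like database 562, as an added example that is not code from the patent. Each row keys a source, a target device and an object (class, instance, attribute, with no instance for a class-level attribute) to the services that source may initiate; a packet is forwarded only when the exact source, object and service are listed. The rows reuse the labels the page names (S 1, D 1, C 1, I 1, A 1, A 2, A 4, Ser 1, Ser 2, Ser 22) written without spaces, the fourth row and the dict-shaped packet are constructed, and treating the last address of the non-IP path as the target device is an assumption.

```python
"""Object filtering against a database like database 562.

Added example, not code from the patent. Each row keys a source, target
device and object (class, instance, attribute; instance None for a
class-level attribute) to the services that source may initiate. Rows use
the sample labels the page names plus one constructed addition.
"""

OBJECT_DB = {
    ("S1", "D1", "C1", None, "A1"): {"Ser1"},
    ("S1", "D1", "C1", None, "A2"): {"Ser1", "Ser2"},
    ("S1", "D1", "C1", "I1", "A4"): {"Ser22"},
    ("S1", "D2", "C2", "I1", "A1"): {"Ser1"},   # constructed row
}


def object_filter(source, device, cls, instance, attribute, service):
    """True only when this exact source/object/service is listed; anything
    absent from the database fails closed."""
    key = (source, device, cls, instance, attribute)
    return service in OBJECT_DB.get(key, set())


def filter_packet(packet):
    """Decapsulated, dict-shaped send packet: the target is assumed to be the
    last address of the non-IP path; object and service come from the target
    object path/service field. Returns ("forward", target) or
    ("secondary_security", reason)."""
    path = packet.get("path") or []
    if not path:
        return ("secondary_security", "empty non-IP path")
    target = path[-1]
    if object_filter(packet["source"], target, packet["class"],
                     packet.get("instance"), packet["attribute"],
                     packet["service"]):
        return ("forward", target)
    return ("secondary_security",
            "%s may not perform %s on %s" % (packet["source"],
                                            packet["service"], target))
```

Because the key includes the instance, a source authorized for a class-level attribute (instance `None`) gets no implicit right over the same attribute on a particular instance, and vice versa; each object the page distinguishes is authorized separately.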
- a persistent communication path can be established between the source and the network device so that overhead required to perform communications can be reduced appreciably (i.e., the path does not have to be re-indicated with each transmitted packet).
- several communications are required in at least some embodiments including an initial source communication indicating that a persistent connection path should be formed and specifying a communication path through the non-IP network to a destination or target device.
- an initial network device communication back to the source is required in some embodiments.
- the initial source communication also includes a target-to-originator (T-O) connection ID (T-O ID) that is to be used by the target device when the target sends packets back to the source (i.e., the originator).
- the initial network device communication also includes an originator-to-target (O-T) connection ID (O-T ID) that is to be used by the source (i.e., the originator) when the source sends second and subsequent packets to the target network device.
- the target device only accepts packets from the source that include the O-T ID. Establishment of a connection path will be described in greater detail below.
- the initial source packet for establishing a persistent connection path with a network device will be referred to as an “unconnected forward open request” because the packet commences the opening of a connection path and is initially unconnected (i.e., the path initially is not connected).
- the initial network packet will be referred to hereinafter as an “unconnected forward open reply” because the packet is a reply to the open request.
- Packets transmitted after a connection path is established will be referred to hereinafter as “connected send” packets or communications.
- a packet to eliminate a persistent connection path will be referred to hereinafter as an “unconnected forward close request”.
- exemplary dual protocol data packet 300 including a CIP data packet embedded or encapsulated within an IP data packet is illustrated.
- Exemplary packet 300 corresponds to a typical unconnected send packet.
- packet 300 is shown in its simplified form and it should be appreciated that a typical packet may include other fields populated with various types of information useful or required for transmitting the packet 300 from a source to a target network device.
- Exemplary packet 300 is a typical IP packet and, to that end, includes a frame that specifies packet source and destination device as well as a data field within the frame.
- Packet 300 includes a source ID field 302 and an IP destination address field 303 .
- the IP packet data field is identified by numeral 324 and includes fields 304 , 306 , etc.
- IP data field 324 is where data for delivery to an IP destination address is typically located.
- a non-IP data packet is encapsulated in field 324 where the packet includes non-IP path device address fields 312 , 314 , 316 and 318 as well as a general service type field 304 , a connection manager field 306 and a target object path/service field 308 .
- the non-IP address fields 312 , 314 , 316 and 318 specify a string of addresses corresponding to non-IP devices and specify a path for non-IP routing to the target network device.
- general service type field 304 specifies a general type of service associated with packet 300 .
- exemplary general service types include an unconnected send, a connected send, an unconnected forward open request, an unconnected forward open reply, an unconnected forward close request, etc.
- the service type associated with packet 300 is an unconnected send meaning that the packet 300 is to be transmitted to a target network device without establishing or opening a persistent connection path.
- Connection manager field 306 is used to indicate that the packet 300 should be internally routed within the IP destination device to a connection manager object within the device.
- each of the non-IP network 21 devices includes a connection manager object which is typically a software program that is provided to manage communication paths for the device.
- the connection manager object is capable of identifying a general service type specified in field 304 and examining the address fields (e.g., 312 , 314 , etc.) to identify the next device within the non-IP routing path to which at least a subset of the packet 300 information should be transmitted.
- object path/service field 308 specifies a specific object associated with the target device and a service to be performed at, by or on the object.
- the object path and service field 308 may specify a specific proximity sensor instance associated with a target device and that the value of the sensor should be read (i.e., the service is to read a value).
- an exemplary object path/service field 308 is illustrated that includes an object field 334 and a service field 336 .
- Object field 334 includes a class subfield 338 , an instance subfield 340 and an attribute subfield 342 .
- FIG. 20 an exemplary submethod 350 that may be substituted for a portion of the method 62 illustrated in FIG. 4 is shown where the submethod corresponds to a firewall process that may be performed when an unconnected send data packet is intercepted where the packet includes an embedded CIP subpacket.
- control passes to block 352 .
- firewall 30 decapsulates the received packet and identifies the packet source, the target device, an object specified in object path/service field 308 and the service specified in field 308 .
- firewall 30 accesses the stored AC database (see again FIG. 28 ).
- firewall 30 uses the database to determine if the source has authority to access the target device for any purpose. This step may comprise simply checking the list in column 554 of the database 562 to see if the target device is correlated with the source device in column 552 .
- control passes down to block 366 where a secondary security function is performed.
- the secondary security function may take any of several different forms including the forms described above with respect to FIGS. 4 through 7 .
- packet information is transmitted to the first device in the non-IP routing path specified by the unconnected send packet (see address in field 312 in FIG. 18 ). Transmission continues through the non-IP path until a subset of the data is received by the target device. The target device uses the subset of packet information to perform the service at, on or by the object specified in field 308 .
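The FIG. 20 submethod above (decapsulate the intercepted unconnected send, identify source, target, object and service, then consult the AC database) is shown below as an added example. This is not code from the patent or from any Rockwell product; it uses the real CIP Message Router and Unconnected_Send byte layouts (service code, EPATH logical segments, embedded request, port-segment route path) for the "general service type", "connection manager", "object path/service" and "non-IP address" fields the text abstracts. The source name, the AC_DB rows, the sample packets and the `firewall_decision` function are constructed for this example; the caller is assumed to have already taken the source from the IP frame.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# CIP service codes and the Connection Manager class (CIP Volume 1); the
# patent's "general service type" field 304 abstracts these codes.
GET_ATTRIBUTE_SINGLE = 0x0E
SET_ATTRIBUTE_SINGLE = 0x10
UNCONNECTED_SEND = 0x52
CONNECTION_MANAGER_CLASS = 0x06


@dataclass
class CipRequest:
    service: int
    class_id: Optional[int] = None
    instance: Optional[int] = None
    attribute: Optional[int] = None
    route_path: List[Tuple[int, int]] = field(default_factory=list)  # (port, link)
    data: bytes = b""


def parse_logical_path(path: bytes) -> dict:
    """Decode class/instance/attribute logical segments of an EPATH (fields 338-342)."""
    names = {0x20: "class", 0x24: "instance", 0x30: "attribute"}
    out, i = {}, 0
    while i < len(path):
        seg = path[i]
        if (seg & 0xFC) not in names or (seg & 0x03) > 1:
            raise ValueError(f"unsupported segment 0x{seg:02x}")
        if (seg & 0x03) == 0:            # 8-bit value follows the segment byte
            value, i = path[i + 1], i + 2
        else:                            # pad byte, then 16-bit little-endian value
            value, i = int.from_bytes(path[i + 2:i + 4], "little"), i + 4
        out[names[seg & 0xFC]] = value
    return out


def parse_route_path(path: bytes) -> List[Tuple[int, int]]:
    """Decode port segments: low nibble is the port, then an 8-bit link address."""
    hops, i = [], 0
    while i < len(path):
        if path[i] & 0x10:               # extended (multi-byte) link address: not handled
            raise ValueError("extended port segment not supported")
        hops.append((path[i] & 0x0F, path[i + 1]))
        i += 2
    return hops


def parse_message_router_request(buf: bytes) -> CipRequest:
    """Service byte, path size in 16-bit words, EPATH, request data. An
    Unconnected_Send to the Connection Manager is unwrapped to its embedded
    request with the route path attached (fields 304/306/308/312.. of FIG. 18)."""
    service, path_len = buf[0], buf[1] * 2
    path = parse_logical_path(buf[2:2 + path_len])
    data = buf[2 + path_len:]
    req = CipRequest(service, path.get("class"), path.get("instance"),
                     path.get("attribute"), data=data)
    if service == UNCONNECTED_SEND and req.class_id == CONNECTION_MANAGER_CLASS:
        # tick/timeout (2 bytes), embedded size (UINT), embedded request, pad to
        # even length, route path size (words), reserved byte, route path
        size = int.from_bytes(data[2:4], "little")
        inner = parse_message_router_request(data[4:4 + size])
        off = 4 + size + (size & 1)
        inner.route_path = parse_route_path(data[off + 2:off + 2 + data[off] * 2])
        return inner
    return req


def build_unconnected_send(embedded: bytes, route_path: bytes,
                           tick: int = 0x07, timeout_ticks: int = 0xF9) -> bytes:
    """Wrap a Message Router request in an Unconnected_Send (inverse of the parser)."""
    pad = b"\x00" if len(embedded) % 2 else b""
    return (bytes([UNCONNECTED_SEND, 0x02, 0x20, CONNECTION_MANAGER_CLASS, 0x24, 0x01,
                   tick, timeout_ticks]) + len(embedded).to_bytes(2, "little")
            + embedded + pad + bytes([len(route_path) // 2, 0x00]) + route_path)


# Constructed AC database in the shape of FIG. 28: (source, target route,
# class, instance, attribute) -> services that source may invoke on the object.
AC_DB = {
    ("S1", ((1, 0),), 0x04, 0x65, 0x03): {GET_ATTRIBUTE_SINGLE},
    ("S1", ((1, 0),), 0x04, 0x65, 0x04): {GET_ATTRIBUTE_SINGLE, SET_ATTRIBUTE_SINGLE},
}


def firewall_decision(source: str, cip_payload: bytes) -> str:
    """'forward' or 'deny' for an intercepted unconnected send (FIG. 20 flow)."""
    try:
        req = parse_message_router_request(cip_payload)
    except (ValueError, IndexError):
        return "deny"                    # malformed CIP: fail closed, never forward
    target = tuple(req.route_path)
    if not any(k[0] == source and k[1] == target for k in AC_DB):
        return "deny"                    # no authority on this target for any purpose
    allowed = AC_DB.get((source, target, req.class_id, req.instance, req.attribute), ())
    return "forward" if req.service in allowed else "deny"


# Constructed sample traffic: port 1 (backplane) link 0; class 4, instance 0x65.
ROUTE_SLOT0 = bytes([0x01, 0x00])
READ_ATTR3 = bytes([GET_ATTRIBUTE_SINGLE, 0x03, 0x20, 0x04, 0x24, 0x65, 0x30, 0x03])
WRITE_ATTR3 = bytes([SET_ATTRIBUTE_SINGLE, 0x03, 0x20, 0x04, 0x24, 0x65, 0x30, 0x03, 0x2A, 0x00])
```

Two points a practitioner should note: the decision is taken on the embedded request, not on the outer Unconnected_Send service code, because the outer code is the same for every such packet; and any parse failure is treated as a denial, since a firewall that forwards what it cannot decode is a firewall an attacker can route around with a malformed segment.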
- FIG. 21 another exemplary dual protocol packet 370 including a CIP packet embedded within an IP packet is illustrated.
- Fields in packet 370 that are similar to fields in packet 300 described above with respect to FIG. 18 are labeled with identical numbers and, in the interest of simplifying this explanation, are not described here in detail. More specifically, fields 302 , 303 , 306 , 312 , 314 , 316 and 318 are akin to the identically numbered fields in FIG. 18 . In FIG. 12 , however, the information in fields 302 , 303 , 312 , 314 , 316 and 318 is generally the reverse of information in the similarly numbered fields in FIG.
- packet 370 includes a general service type field 374 and a T-O ID field 377 .
- Field 374 indicates an unconnected forward open request meaning that a persistent connection should be set up between the source and the target device to facilitate subsequent communications.
- T-O ID field 377 includes a target-to-originator connection ID that is generated by the source.
- firewall 30 may maintain a forward open table 402 for keeping track of open or established connection paths between sources and target network devices.
- exemplary table 402 includes a source IP column 390 , a destination IP column 392 , a route path column 394 , a T-O connection ID column 396 , an O-T connection ID column 398 and a connection serial number column 400 .
- FIG. 22 data corresponding to a single open connection path is illustrated and arranged in a single row.
- Source IP column 390 includes a source IP address for each open connection path. Exemplary source IP address in column 390 is XJ234789.
- Destination IP column 392 includes a destination IP address corresponding an IP destination device within network 21 for each address in column 390 .
- Route path column 394 indicates a route path for each connection path specified in table 402 . In the illustrated example, the route path includes devices D 4 , D 5 , D 6 , etc.
- column 396 is used to store a T-O connection ID for each of the route paths specified in column 394 .
- an exemplary connection ID is T-O 1920 .
- Column 398 is used to store an O-T connection ID corresponding to each of the route paths in column 394 .
- exemplary connection ID in column 398 is O-T 0349 .
- a separate connection serial number is provided for each of the route paths in column 394 .
- firewall 30 decapsulates the packet and determines whether or not the source specified by the packet has authority to access the target network device specified by the packet for any reason. Where the source has authority to access the target network device for any reason, firewall 30 populates a new connection path row in table 402 with information taken directly from the packet 370 , including the entries for columns 390 , 392 , 394 and 396 . When firewall 30 populates a new connection path row, firewall 30 also generates a connection serial number and places the serial number in column 400 , correlated with the new connection path row. Thus, at this point, all of the new connection path row information in table 402 is specified except for an entry in column 398 . When a source has no authority to access the target network device for any purpose, the firewall does not create a new connection path row in table 402 and may perform some type of secondary security function.
- firewall 30 transmits a packet 370 along with the connection serial number via the designated non-IP route path to the target network device.
- This subpacket is not illustrated.
- each of the route devices decapsulates the received packet, identifies the device from which the packet was received, the next device along the route path to which to transmit a subpacket and the connection serial number, stores identification of the previous device and next device along with the connection serial number in a table akin to forward open table 402 for subsequent routing and then transmits a subpacket to the next device along the prescribed path until the target receives a subpacket.
- an exemplary unconnected forward open reply packet 410 is illustrated that includes a general service type field 414 , a T-O ID field 416 , an O-T ID field 418 , a connection serial number field 419 and a non-IP address field 412 (this field 412 may be optional).
- Field 414 specifies the general service type (i.e., an unconnected forward open reply in the present case).
- Field 416 includes the T-O ID which is required by the target device to communicate with the source (i.e., the source will not accept communications from the target device without the T-O ID).
- Field 418 includes an O-T ID which is generated by the target network device and which is required in any communications from the source for the target device to receive the communications.
- Field 419 includes the connection path serial number associated with the line of communication.
- Field 412 indicates the non-IP address of the device in the non-IP connection path that precedes the target device.
- a non-IP connection path includes devices D 4 , D 5 , D 6 . . . DN- 1 and DN and device DN is the target device
- the address specified in field 412 corresponds to device DN- 1 .
- device DN- 1 uses the connection serial number in field 419 to identify the preceding connection path device DN- 2 via a lookup table stored by device DN- 1 and transmits a packet to that device. This process is repeated until device D 4 receives a reply packet and uses information therefrom to generate an IP framed packet to be transmitted to the source.
- the IP framed packet includes, among other things, the T-O ID, the O-T ID and the connection serial number corresponding to the connection path.
- when firewall 30 intercepts the unconnected forward open reply packet, firewall 30 identifies the O-T ID and the connection serial number and inserts the ID in column 398 in the row associated with the connection serial number.
- after the source receives the unconnected forward open reply, the source begins communicating along the established connection path with the target network device without having to completely specify the non-IP routing path, and hence communication overhead is reduced appreciably. Instead, the source need only specify the connection serial number, which is then used by the non-IP path network devices to route to next devices along the path until a packet is received by the target device.
- Packet 420 which may be transmitted by a source to a target network device after a connection path has been established is illustrated.
- Packet 420 includes source and IP destination address information in fields 302 and 303 .
- a connected send type is indicated in general service type field 424 .
- the O-T ID is specified in field 426 and the connection serial number is specified in field 427 .
- a target object path/service field 428 is populated with an object path and a service to be performed on the object indicated by the object path as described above.
- when a connected send packet 420 is intercepted by firewall 30 , firewall 30 decapsulates the packet, identifies the source, the target network device and the object and service and uses that information to determine whether or not a subpacket should be transmitted on to the target network device.
- a source may be programmed to transmit an unconnected forward close type packet 430 .
- Packet 430 includes source and IP destination information in fields 302 and 303 as well as a general service type field 434 and a connection serial number field 436 .
- firewall 30 decapsulates the packet, identifies the packet as a forward close type packet by examining the information in field 434 , identifies the connection path serial number in field 436 and then discontinues the connection path by deleting the row corresponding thereto in table 402 (see again FIG. 22 ).
- firewall 30 allows disconnect information to be transmitted along the connection path causing devices therealong to delete path related information from their memories.
- firewall 30 monitors packets that are targeting network 21 devices. Where a forward open request is not received at decision block 454 , control passes to block 483 in FIG. 27 . Where a connected send packet is not identified at block 483 (here it is assumed that a connection path has previously been specified and instantiated in a firewall forward open table), control passes to block 498 . If an unconnected forward close packet is not identified at block 498 , control passes back up to block 452 where monitoring of intercepted packets continues.
- firewall 30 decapsulates the intercepted packet to identify the source of the packet, the target network device, the non-IP path through network 21 and the T-O connection ID.
- firewall 30 accesses the stored AC database 562 (see FIG. 28 ).
- firewall 30 uses the AC database 562 to determine if the source has authority to connect to the target network device for any purpose.
- control passes to block 482 where a secondary security function akin to one of the functions described above is performed. After block 482 , control passes to block 483 in FIG. 27 .
- firewall 30 populates a portion of a new row of the forward open table 402 with information including the source IP address, the destination IP address, the route path and the T-O connection ID.
- firewall 30 transmits a packet via the non-IP path specified by the unconnected forward open request packet to the target network device that includes the connection serial number and the T-O ID.
- the target network device encapsulates an unconnected forward open reply (see FIG.
- Firewall 30 intercepts the reply packet and, at block 474 , decapsulates the unconnected forward open reply and identifies the O-T connection ID, which it uses at block 478 to complete the connection path row in forward open table 402 .
- the non-IP network device that separates other network 21 devices from the IP network (e.g., device D 4 in the present example) generates an IP protocol reply which is transmitted back to the source and that includes the O-T connection ID as well as the connection serial number corresponding to the newly opened connection path.
- control passes to block 483 in FIG. 27 . At this point, a new connection path has been established and is instantiated in table 402 .
- firewall 30 monitors intercepted dual protocol packets targeting network 21 devices for a connected send packet.
- control passes to block 486 .
- firewall 30 decapsulates a received packet to access the connection serial number and thereby identify the connection path associated with the connected send packet.
- firewall 30 accesses the forward open table 402 and identifies the route path associated with the connection serial number as well as the target network device.
- firewall 30 accesses the stored AC database 562 (see FIG. 28 ) and at block 492 firewall 30 determines if the intended function or service is allowed.
- firewall 30 deletes the connection path associated with the connection serial number in the forward close packet and control passes back up to block 452 in FIG. 26 where monitoring continues. After a connection path row has been deleted from table 402 , if additional communications are attempted using the connection serial number associated with the deleted row, firewall 30 does not allow the communications.
- a communication of this type is referred to hereinafter as an “unconnected send” because, as the label implies, a packet is sent in one direction and a connection is not set up between the source and device.
- when a firewall denies a request from a source (e.g., a server, a computer, a network device, etc.), the source can get "hung up" during a timeout period (e.g., 10 seconds) if a properly formatted response to the request is not received.
- many sources maintain single string communication stacks for communicating on a network. For instance, referring to FIG. 29 , a system 600 is illustrated where a server 590 performs five applications A 1 -A 5 and maintains a CIP stack 592 that lists requests 001 , 012 , etc. from the applications.
- a pointer 594 indicates a current request 001 in the stack that has most recently been transmitted 604 to a target device via network 26 . Consistent with FIG. 1 , firewall 30 intercepts the request 001 and determines if the request is to be halted or continued. In at least some applications, after a request is transmitted 604 , server 590 will wait for a response or the end of a timeout period before processing the next request in the stack 592 .
- timeout periods should be minimized to facilitate fast processing of all requests in the CIP stack 592 .
- the firewall 30 is programmed to generate and transmit 606 a spoofed message back to the requesting server/source where the spoofed message has a format that will be recognized as a response to the request.
- the requesting source receives the spoofed message and recognizes the message as a properly formatted response, the source processes the response and releases the CIP stack so that the next stack request (e.g., 012 in the present example) can be processed.
- an exemplary spoofed response packet 610 is illustrated that includes a source ID field 612 , an IP destination address field 614 , an “Invalid Access Request” message field 616 , a connection SN field 617 and a T-O ID field 618 .
- Source ID field 612 indicates the original target device from the original request packet and field 614 indicates the address of the original source.
- the source may be the server 590 or server stack 592 .
- Field 618 includes the target to originator ID (i.e., the T-O ID) from the original request.
- the information in fields 612 , 614 , and 618 is all information that is required by the source to accept the packet 610 as a response to the associated request packet.
- some of the information (e.g., source and target identifying information) in the response packet fields will be gleaned or obtained from the original request communication packet.
- other information such as the connection SN in field 617 will be “bogus” information fabricated by firewall 30 to trick the source into recognizing a communication as a response from the target device intended for the source. For instance, where a request corresponds to an unauthorized communication, clearly no connection path is to be formed and therefore no connection SN will be required. However, if a source requires a response packet that includes a serial number, a bogus or fake connection SN has to be generated and used to instantiate an appropriate field in a response packet.
- field 616 includes a message or some indication akin thereto that the request was invalid or has been denied.
- the field 616 indication is used by the receiving source to perform some other function (e.g., indicate an error to a system user, begin a process to generate another request packet, etc.).
- stack 592 receives a new request from one of the applications A 1 -A 5 associated therewith.
- stack 592 adds the request to the stack.
- server 590 accesses the next request in the stack (e.g., in a FIFO manner) and at block 628 , server 590 encapsulates and transmits a packet (see 370 in FIG. 21 ) corresponding to the next stack request to a corresponding target device via network 26 .
- stack 592 (or server 590 ) starts a timeout clock for the specific request.
- firewall 30 determines if the request should be halted or further processed. Where the request should be further processed, control passes back to block 364 in FIG. 20 .
- firewall 30 generates information required to encapsulate a spoofed response.
- the required information to be generated will include, in at least some applications, a connection serial number (SN) as well as a rejection message for instantiating fields 617 and 616 , respectively.
- the data generated at block 634 will depend on requirements set by the source (e.g., server 590 ) and the type of protocol, and therefore other types of spoofed information may be generated.
- a response packet is encapsulated and at block 638 the packet is transmitted to the originating source device.
- server 590 /stack 592 monitors network 26 for a response that includes properly formatted and required data (e.g., the correct source and destination, a SN, the appropriate T-O ID, etc.).
- a response that meets the format and content criteria of a proper response is not received, control passes to block 648 where server 590 monitors the timeout clock. When the timeout period has not expired, control loops back up to block 642 . When the time out period expires at block 648 , control passes back up to block 622 where the process described above is repeated.
- the receiving server/source may simply indicate to a system operator that an error has occurred. In other cases the error may prompt an associated application to generate a following request.
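The spoofed-response mechanism of FIGS. 29 through 31 (a single-string request stack that blocks until a response or a timeout, and a firewall that fabricates a correctly addressed denial so the stack is released at once) is modelled below as an added example. It is not code from the patent; the packet fields follow the description (fields 612, 614, 616, 617 and 618), but the dict layout, the status string, the `RequestStack` model, the round-trip delay `RTT` and the `drain` driver are constructed for this example.

```python
from collections import deque
import secrets
from typing import List, Optional

INVALID_ACCESS_REQUEST = "Invalid Access Request"   # assumed wording for field 616
RTT = 0.5   # assumed delay, in seconds, before any reply (real or spoofed) arrives


def spoof_denial(request: dict, serial: Optional[int] = None) -> dict:
    """Build the response the source expects: addresses swapped, T-O ID echoed,
    and a fabricated, nonzero connection serial number (no path was opened)."""
    return {
        "src": request["dst"],                       # field 612: the original target
        "dst": request["src"],                       # field 614: the original source
        "status": INVALID_ACCESS_REQUEST,            # field 616: denial indication
        "serial": serial or secrets.randbelow(0xFFFF) + 1,   # field 617: bogus SN
        "t_o_id": request["t_o_id"],                 # field 618: copied from the request
    }


class RequestStack:
    """FIG. 29 style single-string stack: one request in flight at a time."""

    def __init__(self, timeout: float):
        self.pending = deque()
        self.in_flight: Optional[dict] = None
        self.sent_at = 0.0
        self.clock = 0.0
        self.timeout = timeout
        self.errors: List[dict] = []        # requests that were denied or timed out

    def submit(self, req: dict) -> None:
        self.pending.append(req)

    def send_next(self) -> Optional[dict]:
        """Transmit the next request only when nothing is in flight (blocks 626/628)."""
        if self.in_flight is None and self.pending:
            self.in_flight = self.pending.popleft()
            self.sent_at = self.clock
        return self.in_flight

    def accepts(self, resp: dict) -> bool:
        """Format and content criteria of a proper response (block 642)."""
        r = self.in_flight
        return (r is not None and resp.get("src") == r["dst"] and resp.get("dst") == r["src"]
                and resp.get("t_o_id") == r["t_o_id"] and isinstance(resp.get("serial"), int))

    def on_response(self, resp: dict) -> bool:
        if not self.accepts(resp):
            return False                   # foreign or malformed reply: stack stays blocked
        if resp["status"] == INVALID_ACCESS_REQUEST:
            self.errors.append(self.in_flight)
        self.in_flight = None              # stack released, next request may go
        return True

    def advance(self, seconds: float) -> None:
        """Run the timeout clock (block 648); expire the in-flight request if needed."""
        self.clock += seconds
        if self.in_flight is not None and self.clock - self.sent_at >= self.timeout:
            self.errors.append(self.in_flight)
            self.in_flight = None


def drain(stack: RequestStack, permitted_targets, spoof: bool, step: float = 0.5) -> float:
    """Drive the stack until empty and return the elapsed clock. Requests whose
    target is not permitted are denied: silently (source waits out its timeout)
    or with a spoofed denial that releases the stack after one round trip."""
    while stack.pending or stack.in_flight is not None:
        req = stack.send_next()
        if req["target"] in permitted_targets:
            stack.advance(RTT)
            stack.on_response({"src": req["dst"], "dst": req["src"], "status": "OK",
                               "serial": 1, "t_o_id": req["t_o_id"]})
        elif spoof:
            stack.advance(RTT)
            stack.on_response(spoof_denial(req))
        else:
            stack.advance(step)
    return stack.clock
```

With a 10 second timeout and three queued requests of which the middle one is denied, `drain` finishes in 1.5 seconds when the firewall spoofs a denial and 11 seconds when it stays silent; in both cases the denied request ends up in `errors`, which is where the application-level handling of the denial (an operator message or a follow-up request) would hook in.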
- firewall functionality may be embedded within a non-IP network device (e.g., a PLC) that is dedicated to firewall activities or in a non-IP network device that performs other functions in addition to firewall activities.
- a persistent connection path is created between a source (e.g., S 1 ) and a non-IP network device (e.g., DN)
- communications/transmissions should generally be regular such that the period between consecutive transmissions is no longer than a maximum duration.
- a firewall may be programmed to close the connection path by deleting the path from the forward open table.
- forward open table 402 may, in addition to the columns described above, include a connection timeout column 600 and a timer column 602 .
- Timeout column 600 includes a separate timeout period (e.g., TOP 1 ) for each of the connection path serial numbers in column 400 .
- the timeout periods may be specified by source devices that initiate connection paths or may be generated by a firewall in at least some embodiments.
- the timeout periods may all be the same or may be connection path specific.
- Timer column 602 includes a timer value (e.g., TI 1 ) for each timeout period in column 600 .
- Each timer starts at a zero value when a forward open request is received and is reset to a zero value when a transmission along a related connection path is received by the firewall.
- a timer value exceeds an associated timeout period in column 600 , the firewall closes the associated communication path.
- a firewall may be programmed to spoof any application or component that generates a request for which a response is required.
- the formats and required data in the different responses may be different but the spoofing principle is the same.
- the firewall will simply be programmed to generate several different types of spoofed messages for return to request sources and will generate the appropriate message for each source.
- the first and second protocols are independent of protocol type (i.e., the first or framing protocol may be other than an Ethernet protocol and the embedded protocol may be any protocol employed in industrial settings).
- an Ethernet message may contain a CIP message with a first embedded destination which in turn may contain a CIP or other protocol message with yet another or second embedded destination, and so on.
- the firewall concept may cause a processor to evaluate one, all, or a subset of the embedded destinations and intended activities when an n-tier encapsulation occurs.
- a database may specify that a specific workstation or hand held device associated with a specific user can only be used to access and manipulate specific resources.
- a processor uses the access controlling information to determine if transmission should be restricted.
- where access control information is specified, the term should be viewed broadly unless otherwise indicated to include any data form that specifies access rules related to resources, regardless of whether the database rules are based on destination or source resources.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Method and apparatus for use with systems including networked resources where communication between resources is via dual packet protocols wherein a first protocol includes a frame that specifies a destination device/resource and a data field and the second protocol specifies a final destination device/resource and includes a data field, where the second packets are encapsulated in the first protocol packet frames, the method including specifying access control information for resources, for each first protocol packet transmitted on the network, intercepting the first protocol packet prior to the first protocol destination resource, examining a subset of the additional embedded packet information to identify one of the intermediate path resources and the final destination resource, identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and restricting transmission of the first protocol packet as a function of the identified access control information.
Description
- This application is a continuation of U.S. patent application Ser. No. 13/182,808, which was filed on Jul. 14, 2011 and entitled “FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS,” which is a continuation of U.S. Pat. No. 7,990,967, which was issued on Aug. 2, 2011 and entitled “FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS,” which claims priority to U.S. Provisional Patent Application No. 60/641,839, which was filed on Jan. 6, 2005 and entitled “FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS,” and U.S. Pat. No. 7,990,967 also claims priority to U.S. Provisional Patent Application No. 60/700,380, which was filed on Jul. 19, 2005 and also entitled “FIREWALL METHOD AND APPARATUS FOR INDUSTRIAL SYSTEMS,” all of which are incorporated herein by reference.
- Not applicable.
- The present invention generally relates to industrial control systems, and more particularly to systems and methods that provide secure and firewall restricted Web-based access to control devices and components residing on a non-IP network within an industrial environment.
- A typical computer network comprises a plurality of interconnected microprocessor-based devices with specialized (e.g., network) software and/or hardware that facilitates interaction between at least two devices on the network. Such interaction can provide for a fast, efficient and cost-effective means to monitor, control and/or exchange information amongst networked devices such as printers, plotters, workstations, copiers, etc.
- Communication networks that link computing devices (e.g., servers, workstations, etc.) and other devices (e.g., lights, sprinkler systems, printer, plotters, etc.) together are typically categorized and differentiated through characteristics such as size and user base, architecture, and topology. For example, a network can be referred to as a Local Area Network (LAN) or a Wide Area Network (WAN), dependent on the network size. A LAN is typically associated with a relatively small geographic area such as a department, a building or a group of buildings, and employed to connect local workstations, personal computers, printers, copiers, scanners, etc. while a WAN typically is associated with networks that span larger geographical areas, and can include one or more smaller networks, such as one or more LANs. For example, a WAN can be employed to couple computers and/or LANs that reside on opposite ends of a country and/or on opposite sides of the world. The most popular WAN today is the Internet.
- Various types of communication protocols have been developed to facilitate communication between remotely located network devices. For instance, one common type of network based protocol is referred to as an internet protocol (IP). In an IP network, a source device generates data packets that include information (e.g., data to be delivered to a destination device, requests for certain data from a destination device, etc.) to be transmitted to a destination device, a source identifier that identifies the source of the data packet and a destination address associated with the destination device. Here, the source identifier and destination address fields in an IP packet are located in "framing" sections of the packet either before or after a data field. Hereinafter, unless indicated otherwise, the framing fields of an IP packet will be referred to as IP packet frames. Once an IP data packet is transmitted, network routers and hubs that receive the packet analyze the packet frames to identify the destination address, attempt to identify the most efficient way to deliver the packet to the destination device and then retransmit the packet to another network device until the packet arrives at the destination device. Here, the destination device is programmed to receive the packet, decode the packet information and typically perform some process associated with the decoded information. For instance, a first packet may be routed to a printer to print a document, a second packet may be routed to a light switch to turn on a light, a third packet may be routed to a stock brokerage server to request information about a client's account, etc. Examples of IP based networks include EtherNet/IP, EtherNet 10Base-T, 100Base-T (Fast EtherNet) and 1000Base-T (Gigabit EtherNet).
- While IP networks have proven extremely useful in many applications, IP networks have several shortcomings that render the networks impractical for time sensitive applications. For instance, because IP network routing paths vary, the time required to transmit IP messages to destination devices varies appreciably. Similarly, excessive traffic over an IP network slows IP transmission rates so that packet delivery time is dependent on unpredictable factors. In addition, in at least some cases, servers that communicate via IP, enforce timeout rules wherein, if a packet has been transmitted from a source but the transmission period exceeds some threshold time period (e.g., due to network traffic), the message is discarded and has to be subsequently resent.
- Thus, while IP networks are advantageous in applications where transmission time is not critical (e.g., a printing application, a request for information from a broker, sending an e-mail, etc.), IP networks have not been suitable in cases where information has to be transmitted almost instantaneously and at least within predictable time periods. Industrial controls is one application where unpredictable routing delays have rendered IP networks impractical in the past.
- An exemplary industrial manufacturing line may include several machining stations (and associated devices and subassemblies—e.g., switches, sensors, motor starters, pushbuttons, I/O blocks, welders, robots, drives, bar code readers, etc.) along a transfer line, several programmable logic controllers (PLCs), one or more human-machine interfaces (HMIs) and a network that links the other components together where the PLCs are programmed to read inputs from stations and transfer line devices and provide outputs to the devices as a function of control programs stored in the PLCs. In many cases device and subassembly control at each station and between stations or between stations and the transfer line may have to be precisely synchronized in order for the line devices and assemblies to function properly and safely (e.g., a first robot arm could be damaged if the arm is driven into a line station prior to a second robot arm being removed from the station). Where device and subassembly timing is important, unpredictable IP network delays and periodic failures cannot be tolerated.
- Early industrial control systems employed discrete signal wires between sensors and controllers and between controllers and actuators to ensure fast and predictable response times where control was modified by direct connection to the controller.
- More recently, small groups of signal sensors and actuators have been tied to remote I/O concentrators where the concentrators have been networked to the controllers. In some cases, devices have been designed where network interfaces are embedded in the devices themselves. Exemplary devices of this type include DeviceNet and ControlNet devices that have been developed by Rockwell Automation. DeviceNet, ControlNet and other types of devices that include embedded network interfaces will be referred to generally hereinafter as non-IP devices.
- In addition to developing non-IP devices suitable for use in industrial environments, industrial networking protocols have been developed for use with the non-IP devices where the industrial protocols use data packet formats that specify specific network paths from source devices to destination devices and therefore can transmit data in predictable time periods. One exemplary type of industrial protocol for use with DeviceNet and ControlNet devices is referred to as the control and information protocol or the common industrial protocol (CIP). Another exemplary non-IP protocol suitable for use with some types of industrial devices is referred to as Data Highway Plus. Other non-IP protocols are contemplated. Where an Ethernet links an HMI to a destination ControlNet or DeviceNet device through three additional ControlNet or DeviceNet devices (hereinafter “transmission path devices”) arranged in a series, a CIP data packet will specify the packet source, information to be delivered to a destination device, the destination device address and a specific path through the networked devices from the source to the destination device.
- Here, the path specification includes the addresses of each of the three intervening transmission path devices and the order in which the devices are linked. For instance, in the present example that includes a three device path and a destination device, the path data includes first, second and third transmission path device addresses and identifies the destination device address separately. During transmission of the CIP packet, the source routes the packet to the address of the first device in the path, the first device identifies the second path device address in the packet and routes the packet to the second address. The second path device identifies the third path device address in the packet and routes the packet to the third device address and the third device identifies the destination device address and routes the packet to the destination device to complete delivery of the packet. The specified path method used in CIP communication, unlike IP, results in a deterministic communication protocol that is suited for use in industrial environments.
- Even more recently, for various reasons, industry members have adapted the specialized industrial network devices such as ControlNet and DeviceNet devices for use with open standards like Ethernet. For instance, in the case of CIP, CIP packets have been encapsulated within Ethernet or IP packet frames for routing via Ethernet. The result of this adaptation is that programming interfaces and sometimes controller to device interfaces are now communicating via Ethernet IP.
- One advantage of non-IP devices like DeviceNet, ControlNet, etc., is that the devices can be configured into a non-IP network that is less expensive than a typical IP network as the need for network switches is eliminated. In addition, DeviceNet, ControlNet and other similar network configurations have intrinsic safety features that are not provided by an IP network. For this reason, in many cases, it is most advantageous to configure hybrid networks including some IP network devices and some non-IP network devices specially designed for industrial applications (e.g., DeviceNet, ControlNet devices).
- While industrial control has historically been limited to confined and secure spaces such as within a manufacturing facility, in cases where pure Ethernet or hybrid networks (e.g., including a combination of IP and non-IP (e.g., DeviceNet, ControlNet) network devices) are used to route data between devices, the transparency of the Ethernet routing mechanism makes it possible to remotely monitor and control the networked industrial devices. The possibility for remote monitoring and control advantageously allows more flexible system layouts to be configured and reduces overall system costs where Ethernet infrastructure already exists to support other facility needs.
- Unfortunately, one problem with pure Ethernet and hybrid networks is that the transparency of the Ethernet routing mechanism components presents security problems. For instance, where a LAN operated by a brokerage firm and including a server is linked to the Internet to allow customers to access account information, an unscrupulous computer hacker may attempt to access the LAN via an Internet connection to obtain information about one of the firm's clients' accounts. As another instance, a hacker may maliciously attempt to access a bank's software via the Internet to load a virus thereon that could scramble the bank's records and negatively affect the bank's business. As one other instance, a hacker may attempt to access a PLC and alter an industrial control program, thereby causing damage to machine line components controlled by the PLC.
- In addition to unscrupulous persons doing unsavory things via networked interfaces, in many cases even well intentioned network users may be able to unintentionally cause problems if they access networked devices. For instance, in the case of a maintenance engineer at a manufacturing facility, while the engineer may be trained to maintain a first type of manufacturing line, the engineer may not be trained to maintain a second type of manufacturing line. While in a facility including the first line, the engineer may have to be proximate the first line to perform diagnostics procedures, check operating values, etc., wherein the proximity requirement and visual feedback ensures that the engineer is accessing first line devices, not second line devices. Where remote access is facilitated via a pure Ethernet or hybrid system, proximity and visual feedback cannot be relied upon and the end result could be that the engineer unknowingly accesses second line devices rather than first line devices.
- To ensure that unintended network access does not occur, information technology (IT) firewalls have been developed that, in effect, separate LANs and other sub-networks from the Internet and that operate as gatekeepers to keep unauthorized network users from accessing the sub-networks while still allowing access to authorized network users. To this end, a firewall generally intercepts attempts to access associated sub-networks and requires some type of proof of identity from a network user attempting to access the sub-networks prior to allowing access. Here, proof of identity may require entry of a user name and password or may be transparent to a network user (i.e., information transmitted from the user's interface device may indicate identity which is automatically identified by the firewall). Where a network user is not authorized to access a sub-network, the firewall restricts access and may perform some secondary security process such as creating a log, activating an alarm, etc.
- While conventional IT firewalls work well in the context of pure IP communication, where a non-IP industrial protocol (e.g., CIP) is embedded within an IP or Ethernet frame, the embedded non-IP protocol could be used to perform unauthorized activities despite a properly functioning IT firewall. Here, when an IP or Ethernet packet including an embedded non-IP packet is received by a firewall, an IT firewall algorithm interrogates the IP packet frame information to determine if the packet should be passed through the firewall to a destination device identified in the IP packet frame. If, however, the destination device designated in the IP packet frame routes the packet further based on the non-IP routing information (e.g., addresses in an embedded CIP packet), the ultimate destination designated by the non-IP routing information is not protected. This “carry-through” routing is a concern whether the CIP packet is routed via Ethernet or some other native industrial network such as DeviceNet or ControlNet.
- Thus, it would be advantageous to have a method and apparatus that allows devices linked to an IP network to access industrial and other devices linked to a non-IP network only when the accessing device or person using the accessing device has authority to access the destination device.
- The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is intended to neither identify key or critical elements of the invention nor delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
- It has been recognized that network security problems can occur when additional routing information is encapsulated or embedded in the data field of an IP data packet that specifies a destination device or resource that is different than the destination device or resource specified in the IP packet frame. Specifically, where it is desired to restrict access to certain devices within a control configuration, embedded routing information has enabled packets to be passed through conventional IT firewalls, enabling access to restricted devices.
- According to at least some inventive aspects, firewalls are provided within a network wherein data packets received thereby are decapsulated so that at least an ultimate destination device or resource is identified. Access rules are applied to determine if the packet should be transmitted further to facilitate access or if a security function (e.g., discarding the packet, sending a reject message, activating an alarm, etc.) should be performed. In at least some cases all routing information is identified and analyzed and, whenever any device in a routing path is not to be accessed for any reason, even if the ultimate destination device is accessible, the security function is performed.
- Consistent with the above, at least some embodiments of the invention include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet transmitting and receiving resources being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of: specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field: (i) intercepting the first protocol packet prior to the first protocol destination resource; (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource; (iii) identifying the access control information associated with the second protocol destination resource, (iv) identifying at least a subset of characteristics of the first protocol packet, (v) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and (vi) restricting transmission of the first protocol packet as a function of the comparison results.
- In at least some cases the step of specifying access control information includes, for each of at least a subset of destination resources, specifying source resources authorized to communicate with the destination resource. In some cases the step of identifying at least a subset of the characteristics of the first protocol packet includes identifying the source of the first protocol packet and the step of comparing the first protocol packet characteristics to the access control information associated with the destination resource includes comparing the source of the first protocol packet to the resources authorized to communicate with the destination resource. In some embodiments the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, halting transmission of the first protocol packet. In still other embodiments the step of restricting includes, when the first protocol packet source is not authorized to access the second protocol destination resource, at least one of activating an alarm signal and providing a signal back to the source indicating that the packet has been halted.
- In some cases, the step of specifying access control information includes specifying packet characteristics (PCs) that include characteristics identifiable directly from the first protocol packet.
- In some cases the step of specifying access control information includes specifying non-packet characteristics (NPQs) that include characteristics other than those identifiable directly from the first protocol packet. Here, the NPQs may include at least a subset of a time associated with the first protocol packet transmission, the location of the source resource, where a person initiates the first protocol packet transmission, the identity of the initiating person and, where a person initiates the first protocol packet transmission, characteristics of the initiating person.
- In some embodiments the step of specifying access control information further includes specifying times during which resources can communicate with other resources, the method further including the step of, when a first protocol packet that includes an embedded second protocol packet is received, identifying a time associated with the received packet, the step of comparing including comparing the packet associated time with the specified times.
- In some cases the first protocol is one of an Ethernet protocol and an IP protocol. In some cases the second protocol is one of a common industrial protocol (CIP) and a Data Highway Plus protocol. In some cases the method further includes the step of specifying at least first and second priorities for network transmissions, wherein the step of restricting transmission includes transmitting as a function of the specified priorities and the packet characteristics.
- In some additional embodiments the step of specifying access control information includes the step of specifying locations of source resources from which communications with associated resources are allowed, the method further including the step of identifying the location of a source resource that transmits a first protocol packet that includes an embedded second protocol packet and the step of comparing further including comparing the identified source resource location with the specified source resource location.
- In some cases each destination resource includes at least one of a programmable logic controller (PLC), a human-machine interface (HMI), a sensor, an actuator, a drive, and a remote input/output device. In some cases the step of specifying access control information includes specifying characteristics of persons authorized to communicate with associated resources, the step of identifying at least a subset of the characteristics of the first protocol packet including identifying characteristics of a person that initiates a communication and the step of comparing including comparing the specified and identified characteristics.
- In some embodiments the embedded protocol packet specifies a path of resources to a final destination resource, the method further including identifying access control information associated with each of the path resources, comparing the first protocol packet characteristics to the access control information associated with each of the path resources and restricting transmission of the first protocol packet as a function of the results of the comparison to the access control information associated with the path resources.
- In addition, some inventive embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field: (i) intercepting the first protocol packet prior to the second protocol destination resource, (ii) examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource, (iii) examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource, (iv) identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource, (v) identifying at least a subset of characteristics of the first protocol packet, (vi) comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource and (vii) restricting transmission of the first protocol packet as a function of the comparison results. Here, the additional resource may be the first protocol packet destination resource. In the alternative, the second protocol packet may specify at least one path resource to the second protocol packet destination resource through which data is to be routed between the first and second protocol packet destination resources and the step of identifying at least one additional resource may include identifying the at least one path resource.
- In addition, some embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier and a second protocol data field, wherein at least some communication between resources includes first protocol packets including second protocol packets embedded in the first protocol data fields, packet senders and intended recipients being source and destination resources, respectively, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources where the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource, for each first protocol packet transmitted on the network that includes a second protocol packet embedded in the first protocol data field, intercepting the first protocol packet prior to the second protocol destination resource, examining at least a subset of the embedded second protocol packet information to identify the second protocol destination resource, examining the first protocol packet information to identify at least one additional resource in addition to the second protocol destination resource, identifying the access control information associated with the second protocol destination resource and the access control information associated with the additional resource, identifying at least a subset of characteristics of the first protocol packet, comparing the first protocol packet characteristics to the access control information associated with the second protocol destination resource and comparing the first protocol packet characteristics to the access control information associated with the additional resource and restricting transmission of the first protocol packet as a function of the comparison results.
- In at least some cases the additional resource is the first protocol packet destination resource. In at least some cases the second protocol packet specifies at least one path resource to the second protocol packet destination resource through which data is to be routed between the first and second protocol packet destination resources and wherein the step of identifying at least one additional resource includes identifying the at least one path resource.
- Moreover, some embodiments include a method for controlling communications between a source device linked to an IP network and a target device linked to a non-IP network wherein the target device includes at least one object, each communication specifying at least one object and at least one service related to the target device, the method comprising the steps of providing an access control database that correlates the source device with target devices, objects and services where the correlated target devices include devices that the source can access and the correlated services include services that the source can initiate at the correlated object, receiving at least one communication transmitted from the source to the target device, decapsulating the communications to identify the target device and the related at least one object and at least one service, comparing the identified target device, at least one object and at least one service with the target device, object and service information in the database and selectively transmitting the at least one communication to the target device as a function of the comparison.
- In at least some cases the correlated object includes a combination of a class, an instance of a class, an attribute of a class and an attribute of an instance of a class.
- Furthermore, some embodiments include a method for controlling communications between a source device and a target device, the method comprising the steps of providing an access control database that correlates the source device with target devices where the correlated target devices include devices that the source can access for at least one purpose, providing a firewall between the source device and the target device, intercepting a connection open packet transmitted by the source device to the target device that is intended to open a connection path between the source and the target devices, using the access control database to determine if the source device may access the target device and transmitting the connection open packet toward the target device when the source device may access the target device.
- In addition, some embodiments include a method for minimizing processing delays when unauthorized communications occur on a system that includes a source device, a target device and a communication stack, the source device sequentially generating and transmitting communication packets for each of the stack communications and, after a packet is transmitted, waiting for a response packet for at least a subset of the communications prior to transmitting another communication packet associated with another of the stack communications, the method comprising the steps of providing a firewall linked to the system, transmitting an original communication packet from the source device that targets the target device, via the firewall intercepting the original communication packet, encapsulating a spoof response packet that simulates a response from the target device and that is of a form that will be accepted by the source device as a legitimate response from the target device, transmitting the spoof response packet to the source device and, via the source, accepting the spoof response packet as a legitimate response packet from the target device and moving on to process the next communication in the stack.
- In some cases the method further includes the steps of providing an access control database useable to identify unauthorized communications on the system and after intercepting the original communication packet and prior to encapsulating, using the access control database to identify that the communication packet is associated with an unauthorized communication.
- In some cases the step of encapsulating includes obtaining at least some information from the original communication packet and using the obtained information to instantiate at least a subset of the response packet. In some cases the original request packet includes a target-originator (T-O) ID and the obtained information includes the T-O ID from the original request packet.
- In some cases the obtained information includes information identifying the source device and information identifying the target device. In some cases the step of encapsulating further includes generating at least some bogus information to instantiate at least a subset of the response packet information and instantiating at least portions of the response packet with the bogus information.
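The following is an added Python model (not code from the patent or its assignee) of the two mechanisms summarized above: the decapsulating firewall that checks access rules for the outer destination, every path resource, the final destination and the requested object class and service, and the spoofed response returned for a refused request so the originator's communication stack moves on without waiting for a timeout. The byte layouts, address values, service codes and status byte are constructed for illustration and are not the real EtherNet/IP or CIP encodings.

```python
"""Toy model of the two-protocol firewall summarized in this patent.

The byte layouts are constructed for illustration and are NOT the real
EtherNet/IP or CIP encodings; the point is the decision logic, which consults
access rules for every resource the embedded packet names instead of only the
outer header, plus the spoofed reply returned when a request is refused.
"""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

SVC_GET, SVC_SET = 0x0E, 0x10      # constructed service codes
STATUS_REJECTED = 0xFF             # constructed status byte in the spoofed reply


@dataclass(frozen=True)
class EmbeddedPacket:
    path: Tuple[int, ...]          # intermediate path resources, in transit order
    final_dst: int                 # ultimate (second-protocol) destination resource
    obj: Tuple[int, int, int]      # (class, instance, attribute)
    service: int
    to_id: int                     # target-originator ID a reply must echo


@dataclass(frozen=True)
class Frame:
    src: int
    dst: int                       # first-protocol (outer) destination resource
    inner: EmbeddedPacket


def decapsulate(raw: bytes) -> Frame:
    """Parse the outer header, then the packet embedded in its data field."""
    src, dst, npath = struct.unpack_from(">HHB", raw, 0)
    path = struct.unpack_from(">%dH" % npath, raw, 5)
    final_dst, cls, inst, attr, svc, to_id = struct.unpack_from(">HBBBBI", raw, 5 + 2 * npath)
    return Frame(src, dst, EmbeddedPacket(path, final_dst, (cls, inst, attr), svc, to_id))


def encapsulate(frame: Frame) -> bytes:
    """Inverse of decapsulate; used here to build the constructed samples."""
    p = frame.inner
    return (struct.pack(">HHB", frame.src, frame.dst, len(p.path))
            + struct.pack(">%dH" % len(p.path), *p.path)
            + struct.pack(">HBBBBI", p.final_dst, *p.obj, p.service, p.to_id))


# Access control database: source -> {resource -> allowed (class, service) pairs}.
# A resource listed with an empty set may be traversed as a path hop but offers
# the source no services of its own.
ACL = Dict[int, Dict[int, FrozenSet[Tuple[int, int]]]]


def inspect(acl: ACL, frame: Frame) -> Tuple[str, str]:
    """Return ("ALLOW", "") or ("DENY", reason) for one intercepted frame."""
    rules = acl.get(frame.src)
    if rules is None:
        return "DENY", "unknown source %#06x" % frame.src
    # The outer destination and every path hop must each be reachable by this
    # source; otherwise the packet could be carried through an allowed device.
    for hop in (frame.dst,) + frame.inner.path:
        if hop not in rules:
            return "DENY", "source %#06x may not reach path resource %#06x" % (frame.src, hop)
    allowed = rules.get(frame.inner.final_dst)
    if allowed is None:
        return "DENY", "source %#06x may not reach destination %#06x" % (frame.src, frame.inner.final_dst)
    cls, service = frame.inner.obj[0], frame.inner.service
    if (cls, service) not in allowed:
        return "DENY", "service %#04x on class %#04x not permitted at %#06x" % (service, cls, frame.inner.final_dst)
    return "ALLOW", ""


def spoof_response(frame: Frame) -> bytes:
    """Reply the firewall sends for a refused request so the originator's stack
    accepts it as the target's answer and moves on. Only the addressing and the
    T-O ID are taken from the request; the data field is bogus filler."""
    return (struct.pack(">HHIB", frame.inner.final_dst, frame.src, frame.inner.to_id, STATUS_REJECTED)
            + b"\x00" * 4)


def handle(acl: ACL, raw: bytes) -> Tuple[str, bytes]:
    """Firewall entry point: forward the original frame or answer it locally."""
    frame = decapsulate(raw)
    verdict, _reason = inspect(acl, frame)
    return (verdict, raw) if verdict == "ALLOW" else (verdict, spoof_response(frame))


# Constructed sample network: HMI 0x0101 reaches PLC 0x0202 (outer destination),
# may route through bridge 0x0303 to drive 0x0404, and must never reach PLC 0x0505.
SAMPLE_ACL: ACL = {
    0x0101: {0x0202: frozenset({(0x01, SVC_GET)}),
             0x0303: frozenset(),
             0x0404: frozenset({(0x01, SVC_GET), (0x02, SVC_GET)})},
}
OK_FRAME = encapsulate(Frame(0x0101, 0x0202,
    EmbeddedPacket((0x0303,), 0x0404, (0x01, 1, 1), SVC_GET, 0xABCD0001)))
CARRY_THROUGH = encapsulate(Frame(0x0101, 0x0202,     # outer destination is allowed...
    EmbeddedPacket((0x0303,), 0x0505, (0x01, 1, 1), SVC_GET, 0xABCD0002)))  # ...the final one is not
WRONG_SERVICE = encapsulate(Frame(0x0101, 0x0202,
    EmbeddedPacket((0x0303,), 0x0404, (0x01, 1, 1), SVC_SET, 0xABCD0003)))
```

A conventional IT firewall keyed on the outer header alone would pass all three sample frames, since each is addressed to the permitted PLC 0x0202; only the carry-through and wrong-service frames are refused here, and each refusal is answered with a reply that echoes the request's T-O ID.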
- At least some embodiments include a method for use with a system including networked resources where communication between resources is via at least first and second different protocols wherein the first protocol includes a first protocol packet including a source identifier, a first protocol destination identifier that indicates a first protocol destination resource and a first protocol data field, the second protocol including a second protocol packet including at least one second protocol destination identifier that indicates a second protocol destination resource and a second protocol data field, wherein at least some communication between resources includes first protocol packets including additional packets embedded in the first protocol data fields, one of the additional embedded packets specifying a final destination resource and each of the other additional embedded packets specifying an intermediate path resource, at least one of the additional embedded packets being a second protocol packet, the method for controlling communication between resources and comprising the steps of specifying access control information for at least a subset of the resources, for each first protocol packet transmitted on the network that includes additional embedded packets, (i) intercepting the first protocol packet prior to the first protocol destination resource, (ii) examining at least a subset of the additional embedded packet information to identify at least one of the intermediate path resources and the final destination resource, (iii) identifying the access control information associated with the identified at least one of the intermediate path resources and the final destination resource and (iv) restricting transmission of the first protocol packet as a function of the identified access control information.
- Here, in some cases the step of restricting transmission includes identifying at least a subset of characteristics of the first protocol packet, comparing the first protocol packet characteristics to the identified access control information and restricting transmission as a function of the comparison. In some cases the step of examining includes examining to identify each of the intermediate path resources and the final destination resource and wherein the step of identifying access control information further includes identifying access control information for each of the intermediate path resources and the final destination resource.
- In some cases each of the additional embedded protocol packets is of the second type. In some embodiments the step of identifying at least a subset of characteristics of the first protocol packet includes identifying at least a subset of the characteristics of each of the first and the embedded protocol packets. In some cases the access control information includes at least one of characteristics of first protocol packets that are authorized to be transmitted to an associated resource and characteristics of first protocol packets that are unauthorized to be transmitted to an associated resource.
- In some embodiments the at least one protocol packet generated by a first protocol packet source requires a response from at least one of the intermediate path resources and the final destination resource including specific identifying information and wherein the step of restricting includes, when a first protocol packet source is not authorized to communicate with the second protocol destination resource, encapsulating the specific identifying information in a response packet and transmitting the response packet to the first protocol packet source.
- At least some embodiments also include apparatus for performing the processes described above and hereafter.
- The following description and annexed drawings set forth in detail certain illustrative aspects of the present invention. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
- The invention will hereafter be described with reference to the accompanying drawings, wherein like reference numerals denote like elements, and:
- FIG. 1 is a schematic view of a system including firewalls according to at least some aspects of the present invention;
- FIG. 2 is a schematic view of an exemplary dual protocol data packet including a non-IP data packet embedded or encapsulated within an IP type data packet;
- FIG. 3 is a schematic view of an exemplary simple access control database that may be used by the firewalls of FIG. 1;
- FIG. 4 is a flow chart illustrating an exemplary access control restricting method wherein access to control devices is limited as a function of which source is used to attempt the control;
- FIG. 5 is a flow chart illustrating one exemplary secondary function that may be substituted for a portion of the method of FIG. 4;
- FIG. 6 is similar to FIG. 5, albeit illustrating a different secondary security function;
- FIG. 7 is similar to FIG. 5, albeit illustrating a third security function;
- FIG. 8 is a schematic illustrating an exemplary HMI/user database that may be employed by the firewalls of FIG. 1;
- FIG. 9 is a flow chart similar to the flow chart of FIG. 4, albeit illustrating a method wherein device access is restricted as a function of user identity;
- FIG. 10 is an access control database similar to the database of FIG. 3, albeit illustrating a more complex embodiment wherein, in addition to user identity, other non-packet characteristics are included, priority information is included and specific application restrictions are included;
- FIG. 11 is yet another exemplary access control database including restrictions as a function of user type and a specification that identifies types corresponding to specific users;
- FIG. 12 is a flow chart illustrating a sub-method that may be substituted for a portion of the method of FIG. 9 to facilitate prioritization of data packets when they are passed by the firewalls of FIG. 1;
- FIG. 13 is a flow chart of a sub-process that may be substituted for a portion of the process of FIG. 9 wherein the firewalls of FIG. 1 analyze multiple data packets when necessary to identify the intended application and restrict as a function of the applications to be performed;
- FIG. 14 is a flow chart illustrating yet another method according to at least some aspects of the present invention wherein a security server of FIG. 1 learns access requirements and populates a portion of an access control database corresponding to a specific HMI user type;
- FIG. 15 is a screen shot or window that may be provided via an administrator's interface of FIG. 1 for manually specifying access control for a particular system user;
- FIG. 16 is similar to FIG. 15, albeit illustrating a different access control configuring window;
- FIG. 17 is a flow chart illustrating a method whereby a systems administrator manually specifies access control information;
- FIG. 18 is a schematic view of an exemplary dual protocol data packet including a CIP data packet embedded or encapsulated within an IP type data packet where the data packet corresponds to an unconnected send type service;
- FIG. 19 is a schematic view of an exemplary object path/service field as illustrated in FIG. 18 including a plurality of subfields;
- FIG. 20 is a flow chart illustrating a subprocess that may be substituted for a portion of the method of FIG. 4 for processing an unconnected send packet;
- FIG. 21 is similar to FIG. 18, albeit illustrating a packet for initiating an unconnected forward open request service;
- FIG. 22 is a schematic diagram illustrating a forward open table that may be generated and maintained by one of the firewalls in FIG. 1 for keeping track of open connection paths between sources and target network devices;
- FIG. 23 is similar to FIG. 18, albeit illustrating a packet associated with an unconnected forward open reply service;
- FIG. 24 is similar to FIG. 18, albeit illustrating a packet corresponding to a connected send service;
- FIG. 25 is similar to FIG. 18, albeit illustrating a packet associated with an unconnected forward close service;
- FIG. 26 is a portion of a flow chart illustrating a method that may be performed by one of the firewalls in FIG. 1 to form and eliminate open connection paths;
- FIG. 27 is another portion of the flow chart illustrated in FIG. 26;
- FIG. 28 is an exemplary access control database that is similar to the database of FIG. 3, albeit including additional information;
- FIG. 29 is a schematic illustrating an exemplary server including a communication stack that is linked to a decapsulating firewall;
- FIG. 30 is similar to FIG. 18, albeit illustrating a spoofed response packet;
- FIG. 31 is a flow chart illustrating a method associated with a communication stack; and
- FIG. 32 is a sub-process that may be substituted for a portion of the method of FIG. 20 for generating a spoofed response packet.
- The present invention is now described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It may be evident, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the present invention.
- As used herein, the term “device,” or “resource” is intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a device can be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, a microprocessor, a processing unit and/or a computer, and hardware (e.g., a sensor or actuator) performing a process, etc.
- Referring now to FIG. 1, the present invention will be described in the context of an exemplary system 10 including a security subsystem 25, source devices collectively identified by numeral 27, a series of decapsulating firewalls, three of which are identified by numerals 28, 30 and 31, and an industrial control configuration 21 including a plurality of industrial control devices such as programmable logic controller PLC1 and automated devices including devices D1, D2, D3, etc. The industrial control devices (e.g., PLC1, devices D1, D2, etc.) are arranged in a manufacturing facility or the like to perform some industrial process. For example, the devices may be arranged to automatically assemble automobile seat components including cushions, springs, motors, rollers, support mechanisms, headrest extensions, covering material, etc. In this regard, in addition to PLCs that control other devices, the devices may include sensors, actuators, data collecting processors and devices, input/output concentrators, etc.
- To facilitate control, monitoring, exchange of data and configuring of the devices, the configuration 21 devices are linked via a network as illustrated. For example, referring again to FIG. 1, automated device D6 is linked to automated device D1, device D1 is linked to device D0 and device D0 is linked to PLC1. Similarly, device D6 is linked to device D5 and device D5 is linked to device D4. As illustrated, more than one device can be linked to another device. For instance, each of devices D2, D3 and D6 is linked to a different output port of device D1. Although only a small number of industrial control devices are illustrated in FIG. 1, it should be appreciated that, in many applications, several thousand devices may be linked together to form an intricate web of control components for facilitating complex industrial processes.
- Each of the devices D0, D1, D2, etc. is assigned a specific network address and includes a processor capable of identifying network communications transmitted to the associated address. In addition, the device processors are programmed to examine received information packets to identify whether the device is the final destination device or simply one device in a transmission path to some other destination device. Where the device is the final destination device, the processor uses the packet data to perform some associated process. Where the device is not the final destination device, the processor transmits at least a portion of the received packet information to the next device in the transmission path.
- As known in the automation industry, industrial control components may be of various network types, including, but not limited to, EtherNet, DeviceNet, ControlNet, etc. For instance, in FIG. 1, device D4 communicates with device D5 via ControlNet while device D5 communicates with device D6 via DeviceNet and device D1 communicates with device D2 via EtherNet. Also, as illustrated, one device may be capable of communicating in several different protocols, depending on the next device to which a packet is to be routed. For instance, device D1 communicates via a DeviceNet protocol with each of devices D2 and D6 but communicates via a ControlNet protocol with device D3.
- In general, non-IP protocols differ from IP protocols in the way in which the packets that carry the protocol are formed and in the way in which networked devices use the packet information to route to a final destination device. In this regard, while IP packets typically specify a packet source and a destination device and rely on routers and switches to deliver information packets from a source to a destination device, non-IP packets specify a specific network path through a chain of devices for delivering information packets from a source to a destination device. For example, referring once again to FIG. 1, to deliver a packet from firewall 30 to automated device DN, a non-IP packet may specify a path 37 including device D4, device D5, device D6, and so on all the way through to device DN. Here, when device D4 receives the CIP packet, device D4 recognizes that the packet should be transmitted to device D5 and performs that transmission. Similarly, when device D5 receives the packet, device D5 determines that the packet should be transferred to device D6 and performs that transmission. This process continues until the packet is received by device DN. A second exemplary path 35 through PLC1 and devices D0, D1, D6, etc. to device DN is illustrated. In FIG. 1, communications that originate outside configuration 21 are IP communications and the network over which those communications travel is referred to as an IP network 26, while communications that originate within configuration 21 are referred to as non-IP communications (e.g., CIP communications, Data Highway Plus, etc.) and the network (not labeled) is referred to as a non-IP network.
- Referring still to FIG. 1, sources 27 include any type of component that may be used to attempt to access any of the industrial control components or devices included in control configuration 21. Here, the term "access" is used in a general sense to refer to the ability to monitor, control, configure and/or obtain information from a destination device. In addition, each source 27, etc. may also be used to access other devices linked to IP network 26 via pure IP communications. Exemplary sources S2, SN may include data monitoring and archiving servers, maintenance servers that analyze data obtained from system components and devices, other IP or non-IP networks including other devices, servers that perform control and safety operations with respect to system components and devices, etc.
- In addition, at least some of the sources may include human-machine interfaces (HMIs) to enable information technology personnel, maintenance personnel, an administrative person, etc., to access system devices and components. For example, illustrated sources S1 and S3 are laptop computers that run browser software to interact with laptop users to facilitate access to configuration 21 devices. Other exemplary HMIs may include an electronic notepad, a personal computer, a palm pilot, a hand-held computer, a personal digital assistant, a mainframe computer, a cell phone, a "dumb" terminal, a tablet PC, etc. Hereinafter, laptop S1 will be referred to as HMI S1 and a person using HMI S1 will be referred to as a "user" unless indicated otherwise. Similarly, laptop S3 will be referred to as HMI S3. In addition, while sources S2, SN, etc. may access or attempt to access configuration 21 devices either automatically (e.g., to periodically collect and archive operating data) or when a user performs some activating process, to simplify this explanation, access restriction will be described in the context of HMI S1 unless indicated otherwise. Moreover, while HMI S1 could be used to attempt to access any of the configuration 21 devices, unless indicated otherwise, the present inventions will be described in the context of activity that causes HMI S1 to attempt to access device DN via path 37 (e.g., through devices D4, D5, D6, etc.).
- Referring still to FIG. 1, HMI S1 accesses control devices in configuration 21 by forming and transmitting IP data packets via IP based network 26 that include the information necessary to deliver the packets to the destination devices. To this end, because system 10 components between HMI S1 and a destination device within configuration 21 communicate using both IP and non-IP, the data packet generated by HMI S1 to access an industrial control device must include information that facilitates both routing on IP network 26 to a device at the "edge" of the IP network and subsequent routing via the non-IP network between configuration 21 devices.
- Referring now to FIG. 2, an exemplary data packet 32 that may be generated by HMI S1 in FIG. 1 to access one of the industrial control devices in configuration 21 is illustrated. Exemplary packet 32 is a typical IP packet and, to that end, includes a frame that specifies the packet source and destination device and a data field within the frame. In FIG. 2, the IP packet frame includes a source IP field 34 and an IP destination address field 36 as well as an end packet field 48. The IP packet data field is identified by numeral 49 in FIG. 2 and includes fields 38, 40, 42, 44 and 46. Source ID field 34 includes information that identifies the packet source. For example, referring again to FIG. 1, where HMI S1 generates a packet, the information in field 34 identifies HMI S1 as the source of the packet. Similarly, where source S2 generates a packet, field 34 identifies source S2 as the source of the packet.
- IP destination address field 36 includes an address corresponding to a destination device for the IP packet, where the destination device is at the edge of the IP network. Here, IP destination devices can only be devices that are directly linked to the IP network and that are capable of receiving IP packets. For example, referring again to FIG. 1, an exemplary IP target device linked to network 26 may be device D4, device DN+1 or PLC1, while devices D1, D5, etc., that are not directly linked to IP network 26 cannot be IP target devices.
- Referring still to FIG. 2, IP data field 49 is where data for delivery to a destination address is typically located. In the present case, a non-IP data packet is encapsulated in field 49, where the packet includes non-IP path device address fields 38, 40, 42 and 44 and a non-IP data field 46. The non-IP address fields 38, 40, 42 and 44 specify a string of addresses corresponding to non-IP devices and thereby specify a path for non-IP routing. Data field 46 includes information that is to be delivered to the control device associated with the address specified in the last non-IP address field (e.g., field 44) of packet 32.
- Referring still to FIGS. 1 and 2, an exemplary data packet 32 will be described in the context of a case where a user logs on to HMI S1 and performs some activity that requires HMI S1 to transmit data to device DN. For instance, where device DN is a temperature sensor, the HMI S1 user may use HMI browser software to request the current temperature reading of sensor DN, which causes HMI S1 to transmit a temperature read request to device DN.
- Once HMI activity requires data transmission to device DN, an HMI S1 processor generates an information packet like packet 32 in FIG. 2 that identifies HMI S1 as the source in field 34. In addition, in at least some cases, the packet will include the address of automated device D4 in IP destination address field 36 and will include the addresses of devices D5 and D6 through DN in non-IP path address fields 38, 40, 42 and 44. The data to be delivered to device DN to facilitate access (e.g., to facilitate a temperature read in the above example) is stored in field 46. Here, when exemplary packet 32 is transmitted by HMI S1, IP network 26 identifies the IP destination address in field 36 and delivers the packet to device D4. When device D4 receives the packet, device D4 decapsulates the packet to identify the address of the next device in the path leading to device DN (i.e., identifies the address specified in field 38). In addition, device D4 determines the device type of device D5 (e.g., a ControlNet device, a DeviceNet device, etc.). Once the address in field 38 has been identified, device D4 recapsulates the data in fields 40, 42, 44 and 46 in a packet of the type used by device D5 (ControlNet in FIG. 1) and transmits the recapsulated packet to device D5.
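As an added example (not code from the patent or its assignee), the following Python models the FIG. 2 packet and the decapsulate/recapsulate step performed at each hop: the step device D4 performs as described just above, and the identical step that D5 and each later device repeats until the payload reaches DN. The byte layout (a hop count followed by 4-byte addresses), the protocol identifiers and the DeviceNet link from D6 to DN are assumptions made for this example and are not a CIP, ControlNet or DeviceNet wire format; `final_destination` shows the single read a decapsulating firewall needs before the packet ever reaches D4.

```python
"""Dual-protocol (IP + path-routed non-IP) packet handling, modelled on FIG. 2.
Byte layout, protocol ids and the D6 -> DN link are assumptions for this example."""
import struct
from dataclasses import dataclass

# Link protocol ids (assumed values for this example).
CONTROLNET, DEVICENET, ETHERNET = 1, 2, 3
PROTO_NAME = {CONTROLNET: "ControlNet", DEVICENET: "DeviceNet", ETHERNET: "EtherNet"}

# Constructed topology from FIG. 1: (device, next device) -> protocol of that link.
# FIG. 1 does not label the D6 -> DN hop; DeviceNet is assumed here.
LINKS = {
    ("D4", "D5"): CONTROLNET,
    ("D5", "D6"): DEVICENET,
    ("D6", "DN"): DEVICENET,
    ("D1", "D2"): ETHERNET,
}


@dataclass
class DualPacket:
    """The FIG. 2 packet: IP frame (fields 34, 36) around a path-routed non-IP packet."""
    src: str        # field 34: the HMI or server that built the packet
    ip_dst: str     # field 36: edge device that sits directly on IP network 26
    path: list      # fields 38..44: non-IP hops after ip_dst; last entry is the final destination
    data: bytes     # field 46: payload for the final destination


def encode_non_ip(path, data):
    """Serialise fields 38..46: a hop count, 4-byte NUL-padded addresses, then the payload."""
    out = struct.pack("!B", len(path))
    for hop in path:
        addr = hop.encode("ascii")
        if len(addr) > 4:
            raise ValueError(f"address {hop!r} longer than 4 bytes")
        out += addr.ljust(4, b"\0")
    return out + data


def decode_non_ip(blob):
    """Inverse of encode_non_ip: returns (path, data); rejects a truncated path field."""
    (n,) = struct.unpack("!B", blob[:1])
    need = 1 + 4 * n
    if len(blob) < need:
        raise ValueError("truncated path field")
    path = [blob[1 + 4 * i:5 + 4 * i].rstrip(b"\0").decode("ascii") for i in range(n)]
    return path, blob[need:]


def final_destination(blob):
    """What a decapsulating firewall reads first: the last address in the embedded path."""
    path, _ = decode_non_ip(blob)
    return path[-1] if path else None


def forward(device, blob):
    """One decapsulate/recapsulate step at `device`.  Returns (next_device, link, new_blob),
    or (None, 0, data) when no hops remain and `device` is the final destination."""
    path, data = decode_non_ip(blob)
    if not path:
        return None, 0, data
    nxt = path[0]
    link = LINKS.get((device, nxt))
    if link is None:
        raise LookupError(f"{device} has no link to {nxt}")
    # Field 38 has been consumed; fields 40..46 are re-encapsulated for the next link.
    return nxt, link, encode_non_ip(path[1:], data)


def route(pkt):
    """Carry `pkt` from its IP edge device to the final destination.
    Returns ([(device, protocol name), ...], delivered payload)."""
    device, blob = pkt.ip_dst, encode_non_ip(pkt.path, pkt.data)
    hops = [(device, "IP")]
    while True:
        nxt, link, blob = forward(device, blob)
        if nxt is None:
            return hops, blob
        hops.append((nxt, PROTO_NAME[link]))
        device = nxt


if __name__ == "__main__":
    # Constructed sample: HMI S1 reads a temperature from sensor DN along path 37.
    print(route(DualPacket("S1", "D4", ["D5", "D6", "DN"], b"READ_TEMP")))
```

Running the block prints the hop list with the protocol of each link; the `LookupError` raised for a path that names a neighbour the current device cannot reach is the kind of packet a firewall would otherwise pass into the non-IP network unchecked.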
field 40 and also determines what type of device is associated with the next path address. After identifying the address specified infield 40 and device type, device D5 recapsulates the information infields FIG. 2 ). As illustrated inFIG. 1 , the DeviceNet protocol is used to communicate from device D5 to device D6. The recapsulated packet is transmitted to device D6. This process of decapsulating to identify the next non-IP device in a path and then recapsulating and transmitting the recapsulated packet to the next non-IP device in the path continues until data is received at the destination device DN. - To form a dual protocol IP and non-IP type packet like the one described with respect to
FIG. 2 , eachsource 27 has to have access to information aboutconfiguration 21 from which appropriate required paths to destination devices can be determined. Here, the configuration information may be downloaded to a source like HMI S1 whenever the source is initially linked tonetwork 26. In the alternative, the HMI S1 (or any other source for that matter) may be programmed to browseconfiguration 21 and discover all devices and linkages withinconfiguration 21. Here, for instance, HMI S1 may be programmed to identify each device withinconfiguration 21 that is directly linked tonetwork 26 and thereafter, via dual protocol packets, cause each identified device to identify other devices linked thereto. - Similarly, when a new device is added to
configuration 21, any one of thesources 27 may be programmed to identify the new device and updateconfiguration 21 information for that source or for any of theother sources 27. In this regard, to identify newly linked devices, one of the sources may be programmed to periodically pull network devices to identify changes inconfiguration 21. - In at least some cases, it is contemplated that, while it may be advantageous to allow
sources 27 to access some of the industrial control devices within asystem 10 and perform various activities with respect thereto, in at least some cases, it will be necessary to restrict access and activities of one or more of thesources 27. For instance, where HMI S1 is only used by maintenance personnel trained to analyze data associated with devices D4, D5, D6 through DN and to control those devices, it would be advantageous to restrict HMI S1 users so that HMI S1 cannot be used to accessother system 10 devices (e.g., PLC1, devices D1, D2, etc.). - Referring again to
FIG. 1 , to restrict access to system devices according to one aspect of the present invention, decapsulating firewalls, three of which are identified bynumerals Exemplary firewalls system 10 to isolate subsets of the non-IP devices fromsources 27. For example,firewall 28 is provided to isolate PLC1 as well as devices D0, D1, D2, D3 and D6 through DN fromsources 27. Similarly,firewall 30 isolates devices D4, D5 and D6 through DN fromsources 27 whilefirewall 31 isolates device DN+2 fromsources 27. As illustrated,firewall 30 may also be programmed to act as a redundant firewall to isolate PLC1 and devices D1, D2 and D3 fromsources 27. - Referring still to
FIG. 1 , whilefirewalls IP network 26 and areoutside control configuration 21, in at least some cases it is contemplated that firewalls may be provided within the non-IP network orconfiguration 21 itself so that access to non-IP devices isolated thereby is restricted by the firewall while access to other non-IP devices outside the firewall is not restricted by the firewall. For example, inFIG. 1 ,firewall 31 between non-IP devices DN+1 and DN+2 isolates and restricts access to device DN+2 and does not restrict access to device DN+1. InFIG. 1 , whilefirewall 31 is withinconfiguration 21,IP network 26 is linked directly tofirewall 31 to allowserver 14 andfirewall 31 to communicate. - In addition, it is also contemplated that multiple levels of firewalls could be interspersed within the non-IP network to provide different levels of access restriction. Thus, for instance, although not illustrated, referring to
FIG. 1 , another firewall could be positioned between devices D5 and D6 to further restrict access to devices D6 through DN. - Referring once again to
FIG. 1 ,security subsystem 25 includes a security/configuration server 14 that is linked to an HMI (e.g., a personal computer) 16 and adatabase 24. In addition,server 14 is linked toIP network 26. Among other databases,database 24 includes an access control (AC) database which, as the label implies, includes rules that establish which industrial control devices withinconfiguration 21 can be accessed via eachsource 27. - Referring now to
FIG. 3 , an exemplarysimplified AC database 50 is illustrated.Database 50 includes asource column 52 and a device access column 54.Source column 52 lists each one of thesources 27 inFIG. 1 , and therefore, includes sources 51, S2 and S3 through SN. Device access column 54, as the label implies, lists a subset of the control devices for each one of the sources incolumn 52 where the list of devices indicates the devices that may be accessed by the associated source incolumn 52. For example, for HMI S1 incolumn 52, access column 54 lists devices D4, D5, D6 through DN. As another example, for source S2, access column 54 includes an entry “All DN” which indicates that source S2 can access all control devices withinconfiguration 21. - Referring now to
FIG. 4 , an exemplaryaccess restricting method 62 according to at least some of the aspects of the present invention is illustrated where non-IP network access is restricted as a function of source device as well as destination device. Referring also toFIGS. 1 and 3 , prior tobeginning method 62, it is assumed that anaccess control database 50 that specifies source and device access authority is stored indatabase 24 and that decapsulating firewalls 28, 30 and 31 have been provided. Referring also toFIG. 2 , atblock 68, herein it is assumed that a user of HMI S1 performs an activity that causes HMI S1 to encapsulate and transmit a dualprotocol data packet 32 including encapsulated destination address information where the ultimate destination device is device DN. Thus, here, the data packet assembled by HMI S1 identifies source S1 infield 34 and the addresses of devices D4, D5 and D6 through DN infields data field 46. - Referring to
FIGS. 1 through 4 , atblock 70, prior to thepacket 32 being received at device D4, the packet is intercepted atfirewall 30. Atblock 72,firewall 30 decapsulates the received packet and identifies the device addresses in each offields field 34. Next, at block 74,firewall 30 accesses theaccess control database 50. Atblock 76,firewall 30 usesaccess control database 50 to determine if HMI S1 has authority to access the designated destination device DN. Atdecision block 78, where HMI S1 has authority to access designated destination device DN, control passes to block 80 wherefirewall 30 transmits the data packet to the IP target address specified infield 36. In the present example, the IP target address designates device D4 and therefore, atblock 80, the packet is transmitted to device D4. Referring again toFIG. 1 , after the packet is received by device D4, routing consistent with non-IP network procedures continues until the packet data is delivered to the designated destination device DN. - Referring once again to block 78, were HMI S1 is not authorized to access designated destination device DN, control passes to block 82 where
firewall 30 performs a secondary security function. After each ofblocks - Referring to
FIG. 5 , asecondary security function 56 that may be substituted forblock 82 inFIG. 4 is illustrated. To this end, referring also toFIG. 4 , afterblock 78, if HMI S1 is not authorized to access destination device DN, control passes to block 56 wherefirewall 30 transmits a message to HMI S1 indicating that the HMI S1 has no right to access destination device DN. Afterblock 56, control passes back to block 68 and the method described above with respect toFIG. 4 continues. - Referring to
FIG. 6 , another exemplarysecondary security function 58 that may be substituted forblock 82 inFIG. 4 is illustrated. Referring also toFIG. 4 , if the HMI S1 is not authorized to access destination device DN, control passes fromblock 78 to block 58 wherefirewall 30 generates a log or archive that reflects the communication attempt. Referring also toFIG. 1 , the log is recorded in an audit/archive database which forms part ofdatabase 24. An exemplary log may identify various types of information about the attempted access including the source used to attempt access, information identifying the data from the packet, information identifying the path specified by the packet, the time at which the attempted access occurred, where more than one attempt to access occurs, the number of attempts, etc. Afterblock 58, control again passes to block 68 inFIG. 4 where the process described above continues. - Referring to
FIG. 7 , one othersecondary security function 60 that may be substituted forblock 82 inFIG. 4 as illustrated. Referring also toFIG. 4 , if the source is not authorized to access the designated destination device, control passes to block 60 wherefirewall 30 generates a warning signal indicating an unauthorized access attempt. Here, the warning may be transmitted directly to security/configuration server 14 so that security or other administrative type personnel can determine if any action should be taken in response to the unauthorized access attempt. - In at least some cases, two or more of the secondary security functions described above with respect to
FIGS. 5 through 7 may be performed when unauthorized access is attempted. For instance, in at least some cases, it is contemplated that afirewall 30 will generate a log of unauthorized access attempt as well as generate a warning indicating an unauthorized access attempt. Similarly, in other cases, the firewall may transmit a message to a source indicating no right to access a destination device, generate a log and generate a warning. Other secondary security functions are contemplated. - While an embodiment that has been described above wherein a firewall identifies a final destination device specified by a non-IP packet and restricts transmission past the firewall as a function thereof, it should be appreciated that similar systems are contemplated wherein the firewall may be programmed instead to identify all devices corresponding to addresses in the transmission path specified by the no-IP packet and may restrict further transmission when the source is not authorized to access any one or more of the those devices. For example, referring again to
FIG. 1 , where HMI S1 is not authorized to access device D5 but is authorized access each of devices D4 and D6 through DN, whenfirewall 30 receives a data packet from HMI S1 that specifies a path through devices D4, D5 and D6 through DN,firewall 30 would identify each of devices D4, D5 and D6 through DN in the packet and would halt transmission past thefirewall 30 because HMI S1 is not authorized to access device D5. - In at least some embodiments where HMIs such as HMI S1 are usable by system users to access industrial control devices, it is contemplated that access may be restricted as a function of user identity. For example, a first user U1 using HMI S1 may be restricted to accessing only a first subset of the control devices including devices D1, D2, D5, D6, D7 and so on, while a second user U2 is restricted to accessing only a second subset of the devices including devices D1, D2, D8, D90, D101, D129, etc., despite the fact that each of users U1 and U2 uses the same HMI S1 at different times.
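As an added example (not code from the patent), the following Python carries out the firewall decision of FIGS. 3 through 9 on an already decapsulated packet: per-source checking as in method 62 of FIG. 4, the whole-path variant described just above, per-user checking through an HMI/user table of the kind FIGS. 8 and 9 describe, and the secondary security functions of FIGS. 5 through 7 on a denial. The tables, the `DualPacket` structure and the choice to fail closed when an HMI has no logged-on user are assumptions made for this example and are not taken from the page.

```python
"""Access-control decision of a decapsulating firewall, modelled on FIGS. 3 through 9.
The tables, packet structure and fail-closed rule are assumptions for this example."""
import time
from dataclasses import dataclass, field


@dataclass
class DualPacket:
    src: str        # field 34: HMI or server that built the packet
    ip_dst: str     # field 36: IP edge device
    path: list      # fields 38..44: non-IP hops; last entry is the final destination
    data: bytes     # field 46


# Constructed access control database in the shape of FIG. 3: a principal (a source or
# a user) maps to the devices it may access; "ALL" mirrors the "All DN" entry for S2.
ACCESS = {
    "S1": {"D4", "D5", "D6", "DN"},
    "S2": "ALL",
    "S3": {"D4", "D6", "DN"},            # the FIG. 1 case: D5 missing from an otherwise allowed path
    "U1": {"D1", "D2", "D5", "D6", "D7"},
    "U2": {"D1", "D2", "D8", "D90", "D101", "D129"},
}
# Constructed HMI/user database in the shape of FIG. 8 (HMI -> user currently logged on).
CURRENT_USER = {"S1": "U1", "S3": "U101"}


def allowed(principal, device):
    rules = ACCESS.get(principal, set())
    return rules == "ALL" or device in rules


@dataclass
class Firewall:
    by_user: bool = False        # False: method 62 (per source); True: method 90 (per user)
    whole_path: bool = False     # False: final destination only; True: every hop incl. the IP edge
    replies: list = field(default_factory=list)    # FIG. 5: messages back to the source
    log: list = field(default_factory=list)        # FIG. 6: audit/archive entries
    warnings: list = field(default_factory=list)   # FIG. 7: warnings for server 14

    def inspect(self, pkt):
        """Blocks 70-82 of FIG. 4 / 100-114 of FIG. 9 on one intercepted packet.
        Returns ("FORWARD", ip_dst) or ("DROP", [devices that caused the denial])."""
        full_path = [pkt.ip_dst] + list(pkt.path)
        if self.by_user:
            principal = CURRENT_USER.get(pkt.src)
            if principal is None:
                # No user is bound to this HMI: fail closed instead of falling back to the source rule.
                return self._deny(pkt, "<no user>", full_path)
        else:
            principal = pkt.src
        checked = full_path if self.whole_path else [full_path[-1]]
        denied = [d for d in checked if not allowed(principal, d)]
        if denied:
            return self._deny(pkt, principal, denied)
        return "FORWARD", pkt.ip_dst

    def _deny(self, pkt, principal, denied):
        """Secondary security functions of FIGS. 5-7: reply to the source, log, warn."""
        message = f"{pkt.src} ({principal}) has no right to access {', '.join(denied)}"
        self.replies.append((pkt.src, message))
        self.log.append({
            "source": pkt.src, "user": principal, "path": [pkt.ip_dst] + list(pkt.path),
            "denied": denied, "data": pkt.data, "time": time.time(),
        })
        self.warnings.append(message)
        return "DROP", denied


if __name__ == "__main__":
    # Constructed sample: HMI S1 reads sensor DN via D4, D5, D6 (path 37 in FIG. 1).
    read_dn = DualPacket("S1", "D4", ["D5", "D6", "DN"], b"READ_TEMP")
    print(Firewall().inspect(read_dn))               # allowed for source S1
    print(Firewall(by_user=True).inspect(read_dn))   # denied: user U1 may not reach DN
```

The per-user mode is only as strong as the binding between field 34 and an entry in the HMI/user table, which is why an HMI with no current user is denied outright rather than silently evaluated under the source rule; the whole-path mode is the stricter choice when an intermediate device such as D5 is itself sensitive.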
- Referring once again to
FIG. 3 , in addition to listing sources S1, S2, etc.,column 52 also lists separate user identifiers U1, U2, U3, etc. For each user identifier incolumn 52, device access column 54 lists a subset of the control devices and components accessible by the specific user. For example, for the user associated with user identifier U1, accessible devices include devices D1, D2, D5, D6, etc., while accessible devices by the user associated with identifier U2 include devices D1, D2, D8, D90, D101, etc. - In order to restrict device and component access as a function of user identity, user identity has to be determined. In at least some embodiments, it is contemplated that security/
configuration server 14 may be programmed to identify a user's identity whenever a user initially attempts to communicate vianetwork 26 and prior to any attempts to access control devices. To this end,server 14 may be programmed to provide a log on agent 22 via HMI S1 which requires a user name and password, uses biometric (e.g., fingers print scan, iris scan, voice recognition, etc.) techniques, etc., to positively identify a user. Here, afterserver 14 positively identifies a user,server 14 may be programmed to associate the user with the specific HMI used by the user during the user identifying process. For example, where the user uses HMI S1 during the identifying process and to link toIP network 26,server 14 associates HMI S1 with the specific user's identity. The associated source and user data is stored in an HMI/user database that forms part of database 24 (see againFIG. 1 ). - An exemplary HMI/
user database 120 is illustrated inFIG. 8 and includes anHMI column 122 and acurrent user column 124. As the label implies,HMI column 122 lists each of the HMI sources currently being used withsystem 10.Column 124 lists a current user of each of the HMIs incolumn 122. For example,column 124 indicates that user U1 is currently using HMI S1, that user U101 is currently using HMI S3, and so on. - Referring once again to
FIGS. 1 and 2 , after a user has been associated with an HMI in the HMI/user database, when one of the firewalls (e.g., 30) receives aninformation packet 32, thefirewall 30 can identify the source of the packet infield 34 and can then access HMI/user database 120 (see againFIG. 8 ) to identify the current user of the HMI. Thereafter, thefirewall 30 can accesscontrol database 50 to identify the subset of control devices and components that are accessible by the identified user and can restrict access to the devices when appropriate. - Referring now to
FIG. 9, an exemplary method 90 for restricting access to control devices as a function of user identity is illustrated. Here again, it is assumed that appropriate firewalls have been provided and that an access control database akin to database 50 in FIG. 3 has been stored in database 24. Referring also to FIGS. 1, 2, 3 and 8, at block 94, server 14 interrogates a user via HMI S1 to identify the user's identity. At block 96, server 14 correlates and stores the user identity with the HMI identifier S1 in the HMI/user database when the user logs onto IP network 26 successfully. At block 98, the user performs some activity causing HMI S1 to attempt to access one of the control devices by encapsulating and transmitting a dual protocol packet. For the purposes of this explanation, it will be assumed that the user's activities caused HMI S1 to attempt to access device DN. At block 100, firewall 30 intercepts the packet and at block 102, firewall 30 decapsulates the received packet to identify the path and destination device information as well as the source of the data packet (i.e., which HMI transmitted the packet). In the present example, the firewall 30 identifies HMI S1 as the source of the packet. At block 104, firewall 30 accesses the stored HMI/user database and identifies the user currently associated with HMI S1. In the present example, firewall 30 identifies user U1 at block 104.

Continuing, at
block 106, firewall 30 accesses access control database 50 (see again FIG. 3). At block 108, firewall 30 uses database 50 to determine if user U1 has authority to access designated target DN. At block 110, where the user U1 does not have authority to access the designated target, control passes to block 114 where a secondary security function is performed. Here, the secondary security function may be any of the functions described above with respect to FIG. 5, 6 or 7, may be a subset of those functions or may be any other suitable security function. After block 114, control passes back up to block 98 where the process described above is repeated.

Referring again to block 110, where user U1 has authority to access the designated target, control passes to block 112 where the data packet is transmitted to the destination device. After
block 112, control passes back up to block 98 where the process described above is repeated.

Although not illustrated, in other cases it is contemplated that the user identifying subprocess (e.g., requiring entry of a user name and password, biometric analysis, etc.) may be performed by each of the decapsulating firewalls 28, 30, 31, etc. Here, for instance, when a data packet 32 (see again
FIG. 2) is received by a firewall, such as firewall 30, firewall 30 may be programmed to identify the packet source in field 34 and perform an interrogation of the user currently employing the source prior to decapsulating the other portions of the data packet. In this case, if user identity is successfully verified, the firewall may be programmed to store correlated HMI/user information in an HMI/user database 120 like the one illustrated in FIG. 8 for subsequent use until the HMI (e.g., S1) and user association is discontinued. For instance, when an HMI user logs off an HMI, the HMI/user association may be broken. As another example, if a certain period of time (e.g., 30 minutes) without HMI activity occurs, the HMI/user association may be broken.

In addition to restricting device and component access as a function of user identity, in at least some embodiments it is contemplated that access may be restricted in other ways as well. For example, in at least some cases, it may be advantageous to restrict access to specific control devices so that access can only occur during specific times, such as during normal first shift business hours of 9:00 A.M. to 4:00 P.M. or during normal maintenance hours, such as between 10:00 A.M. and 11:00 A.M. In other cases, it may be desirable to restrict access as a function of the location of a source attempting to access a device or component. For example, in at least some cases, while it may be desirable to allow HMI users inside a facility to access control devices, persons outside a manufacturing facility often should not be able to access control devices within the facility. Referring again to
FIG. 1, when HMI S1 is used in an attempt to access configuration 21 devices from a location outside a facility associated with configuration 21, access should be restricted while, when HMI S1 is within the facility, a lesser amount of restriction may be appropriate.

As another example, with certain types of devices and components, it may be desirable to restrict access thereto such that the devices and components can only be accessed when an HMI to be used to access the devices is in a position in which the user of the HMI has the ability to clearly view how the devices are operating. Here, separate zones within a facility may be specified and associated with specific devices such that access to the devices and components via an HMI (e.g., S1) is only allowed when the HMI S1 is located within the associated zone. To identify HMI location, any of several different systems can be employed. For example, where HMI S1 has to be physically linked via hardwire to network 26, location can be determined by identifying the location of the linkage. In other cases where HMI S1 is equipped for wireless communication within a facility or outside the facility, access points or the like can be used to generate data usable through a triangulation or other type of procedure to identify the location of HMI S1. Methods for using wireless signals to identify HMI location are well known and therefore are not described herein in detail.
In addition to separately using user identity, time, location and other non-packet characteristics to restrict device and component access, subsets of those non-packet characteristics can be used in combination to restrict access. For example, user U1 may be restricted such that user U1 can only access device D2 between 10:00 A.M. and 11:00 A.M. but, during that time, may be able to access device D2 from any location, while user U2 is restricted such that user U2 can access device D2 between 9:00 A.M. and 4:00 P.M. but can only access device D2 during that time period when an HMI used by user U2 is within a first zone (i.e., zone 1) within the facility. Other combinations of non-packet characteristics on which to restrict access are contemplated.
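The following is an added example, not code from the patent, that puts the firewall steps of method 90 (FIG. 9) together with the user, time and location restrictions just described. It models the HMI/user table of FIG. 8 as a session store that drops an association on log off or after the 30 minutes of inactivity mentioned above, and an access table with one row per user/device combination carrying an optional time window and required zone (None standing for the "All" designation). Decapsulation is abstracted: a packet is represented as a dict with the source HMI and destination device already extracted, and the HMI's zone is passed in as a parameter because the patent does not specify the interface of the device tracking system it refers to. The rule rows and the helper `at()` are constructed for the demonstration.

```python
# Added example (not from the patent): firewall decision step for method 90 with
# an FIG. 8 style HMI/user store and FIG. 10 style time/zone rules.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

IDLE_TIMEOUT = timedelta(minutes=30)  # the 30-minute inactivity example from the text


def at(hour: int, minute: int) -> datetime:
    """Constructed clock for the demo: a fixed day, so only the time of day matters."""
    return datetime(2024, 1, 8, hour, minute)


@dataclass
class Session:
    user: str
    last_activity: datetime


class HmiUserDatabase:
    """HMI -> current user (columns 122/124) with log-off and idle expiry."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def log_on(self, hmi: str, user: str, now: datetime) -> None:
        # Block 96: server 14 has positively identified this user on this HMI.
        self._sessions[hmi] = Session(user, now)

    def log_off(self, hmi: str) -> None:
        self._sessions.pop(hmi, None)  # association broken by explicit log off

    def current_user(self, hmi: str, now: datetime) -> Optional[str]:
        sess = self._sessions.get(hmi)
        if sess is None:
            return None
        if now - sess.last_activity > IDLE_TIMEOUT:
            del self._sessions[hmi]  # association broken by inactivity
            return None
        sess.last_activity = now  # an intercepted packet counts as HMI activity
        return sess.user


@dataclass(frozen=True)
class Rule:
    """One row of a database-126 style table; None stands for the 'All' designation."""
    user: str
    device: str
    start: Optional[time] = None
    end: Optional[time] = None
    zone: Optional[str] = None

    def time_ok(self, now: time) -> bool:
        return self.start is None or self.start <= now <= self.end

    def zone_ok(self, hmi_zone: Optional[str]) -> bool:
        return self.zone is None or hmi_zone == self.zone


# Constructed rows following the text's examples (columns 128, 130, 132 and 134).
ACCESS_CONTROL = [
    Rule("U1", "D1", time(9), time(16)),            # 9:00 A.M. to 4:00 P.M., any location
    Rule("U1", "D2", time(10), time(11)),           # maintenance hour, any location
    Rule("U1", "D5", time(9), time(16), "Zone 7"),  # also requires the HMI to be in Zone 7
    Rule("U1", "D6", time(9), time(16), "Zone 7"),
    Rule("U2", "D2", time(9), time(16), "Zone 1"),
]


@dataclass(frozen=True)
class Decision:
    forward: bool  # True -> block 112 (transmit); False -> block 114 (secondary security function)
    reason: str
    user: Optional[str] = None


def evaluate(packet: dict, hmi_db: HmiUserDatabase, rules: list[Rule],
             now: datetime, hmi_zone: Optional[str]) -> Decision:
    """Blocks 102 to 110: source -> current user -> matching rule -> time and zone checks."""
    user = hmi_db.current_user(packet["source"], now)
    if user is None:
        return Decision(False, "no authenticated user for source HMI")
    for rule in rules:
        if rule.user == user and rule.device == packet["destination"]:
            if not rule.time_ok(now.time()):
                return Decision(False, "outside permitted time window", user)
            if not rule.zone_ok(hmi_zone):
                return Decision(False, "HMI outside required zone", user)
            return Decision(True, "forward to destination", user)
    return Decision(False, "device not in user's access list", user)


if __name__ == "__main__":
    db = HmiUserDatabase()
    db.log_on("S1", "U1", at(10, 30))
    print(evaluate({"source": "S1", "destination": "D2"}, db, ACCESS_CONTROL, at(10, 30), "Zone 3"))
    print(evaluate({"source": "S1", "destination": "D5"}, db, ACCESS_CONTROL, at(10, 30), "Zone 3"))
```

Every denial carries a reason, which is what a secondary security function or an audit log needs; note also that the idle check runs before the rule lookup, so a stale HMI association can never be used to satisfy a time or zone condition.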
Moreover, in at least some cases access to certain devices could be restricted as a function of non-user and non-source non-packet characteristics such as time, source location, etc. For instance, when a source is located outside a facility associated with
configuration 21, irrespective of which source is used to attempt access or, in the case of an HMI, which user is using the HMI, access may be prohibited. Similarly, access may also be prohibited to certain devices during hours outside a normal business day irrespective of source or HMI user identity.

Referring now to
FIG. 10, an exemplary, relatively more detailed access control database 126 is illustrated which includes, among other columns, a user column 128, a device access column 130, a time column 132 and a location column 134. User column 128 lists the users U1, U2, etc. that are authorized to access system 10 for any purpose. Access column 130 lists a subset of configuration 21 devices for each one of the users in column 128 that are accessible by the user. For example, for user U1, column 130 lists devices D1, D2, D5, D6, etc.

Referring still to
FIG. 10, time column 132 specifies a period for each combination of a user and one of the devices or a subset of the devices listed in column 130. For example, for the combination of user U1 and device D1, column 132 lists a time period between 9:00 A.M. and 4:00 P.M. which means that user U1 can access device D1 during the period between 9:00 A.M. and 4:00 P.M. Similarly, for the combination including user U1 and device D2, column 132 lists the time period between 10:00 A.M. and 11:00 A.M. which indicates that user U1 can access device D2 during the one hour between 10:00 and 11:00 A.M. An “All” designation in column 132 indicates that an associated user in column 128 can access an associated device in column 130 at any time.

Referring yet again to
FIG. 10, location column 134 lists location restrictions for each user-device combination in columns 128 and 130. Location column 134 indicates that the devices D5 and D6 can only be accessed by user U1 when an HMI used by user U1 is located within a Zone 7 within a facility. An “All” designation in column 134 indicates that access can be had from any location in which an HMI is linkable to IP network 26.

While
database 126 is more complicated than the previously described access control database 50 illustrated in FIG. 3, it should be appreciated that operation of firewalls in a manner consistent with database 126 is similar to operation using simple database 50. To this end, referring again to FIGS. 1 and 9, process 90 in FIG. 9 performed by server 14 and the firewalls would be similar to the process described above except that at blocks 106 through 110, a firewall would use the additional non-packet information or characteristics in database 126 to determine whether or not the user has authority to access the designated target device or component. For instance, where firewall 30 identifies user U1 at block 104 and the designated destination device is D5, at block 108, firewall 30 determines that access by user U1 to device D5 can only occur between 9:00 A.M. and 4:00 P.M. and can only occur when the HMI used by user U1 is within Zone 7. Firewall 30 can identify the current time and compare it to the required period and can obtain HMI location information from a device tracking system (not illustrated) and compare that information to the boundaries that define Zone 7. Where the user's HMI is within Zone 7 and the current time is between 9:00 A.M. and 4:00 P.M., user U1 is authorized to access device D5 and control passes to block 112. Where the HMI is not located in Zone 7 or the current time is not within the time period 9:00 A.M. to 4:00 P.M., control passes to block 114 where a secondary security function is performed.

One other way to restrict device and component access is to restrict the access as a function of employee type or training of a particular user type. For example, many facilities may employ maintenance engineers, commissioning engineers, industrial engineers, plant managers, line operators, operators of specific line types, etc.
While each of these types of employees likely will require access to some control devices to perform their jobs, in most cases, the subsets of devices that need to be accessed by the different employees will be different. Here, it is contemplated that different job titles that reflect user types may be assigned to each
system 10 user and that different access rights may be provided as a function of the user type. For instance, a maintenance engineer may be authorized to access a first subset of control devices while a line operator may be authorized to access a second subset of control devices. In this case, when a firewall 30 receives a packet and uses packet information to identify the user of the HMI (e.g., laptop S1) used to transmit the packet, the firewall may further be programmed to identify the job title associated with the user and thereafter to identify the subset of devices and components accessible by the specific user.

Referring now to
FIG. 11, an exemplary access control database 140 usable to control device and component access as a function of user type is illustrated. Database 140 includes a type-device access section 142 and a user type section 150. Section 142 includes a user type column 146 and an access column 148. User type column 146 lists user types for each of the different types of employees that may require access to any control devices within configuration 21. For example, in FIG. 11, user types include a maintenance engineer, a commissioning engineer, a plant manager, a line 3 operator, etc. Access column 148 lists a subset of devices accessible by each one of the user types in column 146. For example, devices D4, D5, D6, etc. are listed for the maintenance engineer designation in column 146 while devices D1, D2, D8, D90, etc. are listed for the commissioning engineer designation in column 146.

Referring still to
FIG. 11, user type section 150 includes a user column 152 and a type column 144. Each of the system 10 users authorized to access at least one control device is listed in column 152. For example, users U1 and U2 as well as other users are listed in column 152. Type column 144 lists a user type for each one of the users in column 152. For example, the user type “maintenance engineer” has been assigned to each of users U1 and U2 in column 152 while type “commissioning engineer” has been assigned to user U3 in column 152.

Referring still to
FIG. 11 and also to FIGS. 1 and 9, to restrict access as a function of job titles or user types, after a firewall has identified the identity of a user that caused an HMI to transmit a packet intercepted thereby at block 104, at block 108, the firewall uses database 140 to determine whether or not the user has authority to access the designated destination device. To this end, the firewall first uses user characteristics section 150 of database 140 to determine the type of user (e.g., maintenance engineer, commissioning engineer, plant manager, etc.). Assuming that user U1 caused the packet to be transmitted, the firewall uses section 150 to determine that user U1 is a maintenance engineer. Next, after identifying the user type, the firewall uses database section 142 to identify devices that the user is authorized to access and restricts access as a function of the device list in column 148.

In most cases, essential control methods and processes in an industrial environment will be supported entirely by control components and devices linked via the non-IP network and within
configuration 21. Here, to ensure that essential methods and processes are always performed as quickly as possible, in at least some cases it is contemplated that, when the firewalls intercept data packets, the firewalls will be programmed to prioritize packets transmitted thereby onto the non-IP network. In this regard, referring to FIG. 10, access control database 126 includes a priority column 136 where priority column 136 lists different priorities for each one of the user and device combinations in columns 128 and 130. For example, one priority is provided in column 136 for the combination including user U1 and device D1 while a priority P1 is provided in column 136 for the combination including user U1 and device D5 in columns 128 and 130. When a firewall (see again FIG. 1) transmits a packet, the priority assigned to the packet by the firewall can be compared to the priorities of non-IP network packets and the packet can be routed accordingly.

Referring now to
FIG. 12, an exemplary sub-process 250 that may be substituted for block 112 in FIG. 9 is illustrated. Referring also to FIGS. 1 and 9, after a firewall determines that a user has authority to access a designated destination device, control passes from block 110 to block 252 where firewall 20 accesses the priority data in database 126 (see again FIG. 10). The firewall uses the priority data in column 136 to identify the priority of a packet having the non-packet characteristics associated therewith listed in columns 128 and 130. At block 256, the firewall transmits the packet to the destination device or component in a manner consistent with the priority data.

In many cases, while it may be desirable to allow a specific user to access specific devices and components for specific purposes, it may not be desired to allow the user to access the devices and components for other purposes (e.g., to facilitate other applications). For example, while it may be desirable to allow a plant manager to monitor virtually any device activity within a facility, it may be undesirable to allow a plant manager to alter or control device operations. Thus, according to another aspect of at least some embodiments of the present invention, device access may be limited or restricted on an application by application basis. In this regard, referring once again to
FIG. 10, an applications column 135 is provided within database 126 where applications column 135 lists separate applications for each one of the user and device combinations in columns 128 and 130. For example, for the combination of user U1 and device D1 in columns 128 and 130, column 135 lists applications A1, A3 and A4 meaning that only applications A1, A3 and A4 can be affected by user U1 on device D1. In other words, application A2 and applications A5, A6 and so on cannot be performed by user U1 on device D1.

In many cases, when a user causes an HMI to access a device by sending data packets, it is impossible to determine the application to be performed via the device from a single packet. Thus, in at least some embodiments, it is contemplated that the firewalls will be programmed to accumulate information packets intercepted thereby until intended applications associated with the accumulated packets can be identified from the packet information. For instance, in one simple case, a firewall may have to accumulate 100 information packets in order to identify a specific type of application to be affected by the accumulated packets. Here, the firewall would store the packet information until sufficient information is available to identify the intended application. Once the intended application is identified, the firewall accesses
database 126 and determines whether or not the intended application is authorized (e.g., whether or not the application appears in the listing in column 135 corresponding to the user and device combination in columns 128 and 130).

Referring now to
FIG. 13, a sub-method 270 that may be substituted for blocks in FIG. 9 is illustrated. Referring also to FIGS. 1 and 9, after a firewall intercepts a data packet at block 100, control passes to block 272 in FIG. 13. At block 272, the firewall decapsulates the received data packet to access target information, packet data and the packet source (e.g., to identify the HMI that transmitted the packet). At block 274, the firewall accesses the stored HMI/user database and identifies the HMI user. At block 276, the firewall accesses the access control database 126 (see again FIG. 10). At block 278, the firewall uses the packet data to attempt to identify the intended application to be performed on the target device. At block 280, where the data from the packet and data from other preceding packets is insufficient to identify the application, control passes to block 282 where the packet information is stored. At block 284, the firewall receives the next data packet and control passes back up to block 272 where the decapsulating and analysis process is repeated as described above.

Referring again to block 280, if the intended application has been identified, control passes from
block 280 to block 286. At block 286, the firewall uses the access control database 126 to determine if the user has authority to access the designated destination device and to affect the intended application. At block 288, where the user has authority to access and to affect the intended application, control passes to block 112 in FIG. 9 where all of the stored packet information is transmitted to the destination device. However, at block 288, where the user does not have the authority to access the device or does not have the authority to affect the intended application, control passes back to block 114 in FIG. 9 where a secondary function is performed.

According to one additional aspect of the present invention, in at least some embodiments, it is contemplated that security server 14 (see again
FIG. 1) may be usable in a learn mode or during a learning process to monitor use of an HMI by a particular user type to identify expected control device access for that user type so that the security server 14 can establish access control rules for populating an access control database. In this regard, in at least some cases it is contemplated that prior to a learning procedure for a specific user type, no restrictions have been specified in an access control database for restricting user access to the industrial control devices in configuration 21. Here, during the learning process an HMI user of the type associated with the specific process performs various tasks required to perform his job. During task performance the user's HMI forms and transmits data packets on IP network 26 that designate destination devices within configuration 21. Whenever one of the firewalls

Security server 14 is programmed to monitor communications between the HMI and the configuration 21 devices and store records of device access. In this regard, the firewalls provide device access information to server 14 so that server 14 can store records of device access. In addition to storing records identifying that access has occurred, the server 14 may also identify and store other non-packet characteristics such as the times at which the access occurs, the locations of the HMI when access occurs, the frequency of access, etc. Moreover, server 14 may also be programmed to identify the nature of the access performed by an HMI during a learning process. For example, server 14 may be programmed to determine whether or not the access was associated with a monitoring activity, a value setting or control activity, a data exchange or some other type of activity. After a learning process has been completed, server 14 can use the stored access information to populate a portion of an access control database like database 50 in FIG. 3 in a simple case or to populate a more complex control database like database 126 in FIG. 10 or database 140 in FIG. 11.

Referring now to
FIG. 14, an exemplary learning process 230 is illustrated. At block 232, a system administrator uses HMI 16 to place security server 14 in a learning mode so that server 14 can identify access typically required of a specific user type. Next, at block 234, the administrator uses HMI 16 to specify a specific user type and to specify an HMI to be tracked. For example, at block 234, the administrator may indicate that the current learning procedure will be used to identify access activity required by a maintenance engineer and may specify HMI S1 as the HMI to be tracked during the learning process. Hereinafter it will be assumed that the learning process is for a maintenance engineer type user and that HMI S1 is to be tracked during the learning process.

Continuing, referring to
FIG. 14, at block 236, while a maintenance engineer uses HMI S1 to perform routine maintenance activities on the configuration 21 control devices, server 14 tracks device access by HMI S1. At block 238, server 14 stores HMI S1 access information. At block 240, server 14 monitors for some indication that the learning process should be ended (e.g., a learn process complete signal from HMI 16). At block 242, while the learning process continues, control loops back up to block 236 where the process including blocks 236 through 240 is repeated. Referring again to block 242, when a system administrator uses HMI 16 to indicate that the learning process has been completed, control passes to block 244 where server 14 updates the access control database. In the present example, the changes to the access control database may result in supplementing a type/device access section 142 of an access control database as illustrated in FIG. 11 where device access indicates devices accessed via HMI S1 during the learning process.

While the learning process has been described above in the context of a method for identifying access required by a specific user type, it should be appreciated that a similar process could be performed for a specific system user where, instead of a user type, the administrator identifies a specific user at the beginning of the learning process.
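The learning process 230 of FIG. 14 and the user-type lookup of FIG. 11, as an added example that is not code from the patent: a learning session tracks one HMI for one user type, ignores traffic from every other HMI, and on completion summarises which devices were accessed, the earliest and latest time of day each was accessed, the zones the HMI was in and the kind of activity, which is the non-packet information the text says server 14 may store. The summary supplements a type/device section in the style of section 142, and the firewall-side check then runs user to type (section 150) to devices (section 142). The access records are constructed, the activity labels (monitor, set, exchange) are an assumed classification in the spirit of the text, and the mechanism by which firewalls report to server 14 is not specified by the patent, so records are simply fed in.

```python
# Added example (not from the patent): learning process 230 feeding a
# database-140 style table, and the user -> type -> devices check.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRecord:
    """What a firewall reports to server 14 for one intercepted access (constructed)."""
    hmi: str
    device: str
    when: datetime
    zone: str
    activity: str  # assumed classification: "monitor", "set" or "exchange"


@dataclass
class LearnedAccess:
    devices: list[str]
    windows: dict[str, tuple[time, time]]  # earliest and latest observed access per device
    zones: dict[str, list[str]]
    activities: dict[str, list[str]]


class LearningSession:
    """Blocks 232 to 244: track one HMI for one user type, then summarise."""

    def __init__(self, user_type: str, tracked_hmi: str) -> None:
        self.user_type = user_type
        self.tracked_hmi = tracked_hmi
        self.records: list[AccessRecord] = []
        self.active = True

    def observe(self, rec: AccessRecord) -> bool:
        # Blocks 236/238: only the HMI named at block 234 is tracked and stored.
        if not self.active or rec.hmi != self.tracked_hmi:
            return False
        self.records.append(rec)
        return True

    def complete(self) -> LearnedAccess:
        # Block 242 -> 244: the administrator signals completion; build the summary.
        self.active = False
        by_dev: dict[str, list[AccessRecord]] = defaultdict(list)
        for r in self.records:
            by_dev[r.device].append(r)
        return LearnedAccess(
            devices=sorted(by_dev),
            windows={d: (min(r.when.time() for r in rs), max(r.when.time() for r in rs))
                     for d, rs in by_dev.items()},
            zones={d: sorted({r.zone for r in rs}) for d, rs in by_dev.items()},
            activities={d: sorted({r.activity for r in rs}) for d, rs in by_dev.items()},
        )


class TypeAccessDatabase:
    """Database 140: section 142 (type -> devices) and section 150 (user -> type)."""

    def __init__(self) -> None:
        self.type_devices: dict[str, set[str]] = defaultdict(set)
        self.user_type: dict[str, str] = {}

    def apply_learning(self, user_type: str, learned: LearnedAccess) -> None:
        self.type_devices[user_type].update(learned.devices)  # supplements section 142

    def assign_type(self, user: str, user_type: str) -> None:
        self.user_type[user] = user_type  # section 150

    def authorized(self, user: str, device: str) -> bool:
        # Block 108 with database 140: user -> type, then type -> device list.
        utype = self.user_type.get(user)
        return utype is not None and device in self.type_devices.get(utype, set())


def run_learning_demo() -> tuple[LearnedAccess, TypeAccessDatabase]:
    """Constructed run: HMI S1 tracked for a maintenance engineer; HMI S2 is ignored."""
    session = LearningSession("maintenance engineer", "S1")
    day = datetime(2024, 1, 8)
    constructed = [
        AccessRecord("S1", "D4", day.replace(hour=9, minute=5), "Zone 7", "monitor"),
        AccessRecord("S1", "D5", day.replace(hour=9, minute=20), "Zone 7", "set"),
        AccessRecord("S2", "D1", day.replace(hour=9, minute=30), "Zone 2", "set"),  # not tracked
        AccessRecord("S1", "D4", day.replace(hour=15, minute=45), "Zone 7", "set"),
        AccessRecord("S1", "D6", day.replace(hour=11, minute=0), "Zone 7", "exchange"),
    ]
    for rec in constructed:
        session.observe(rec)
    learned = session.complete()
    db = TypeAccessDatabase()
    db.apply_learning("maintenance engineer", learned)
    db.assign_type("U1", "maintenance engineer")
    db.assign_type("U2", "maintenance engineer")
    db.assign_type("U3", "commissioning engineer")
    return learned, db


if __name__ == "__main__":
    learned, db = run_learning_demo()
    print(learned.devices, learned.windows["D4"], db.authorized("U1", "D4"), db.authorized("U3", "D4"))
```

The learned time window is only as wide as what was observed, so a short learning run yields a narrow window; the hybrid procedure the text describes, in which an administrator reviews and widens the learned characteristics before they take effect, is the intended answer to that.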
According to one other aspect of at least some embodiments of the present invention, it is contemplated that
HMI 16 may also be used by a system administrator to manually specify access control information. In this regard, server 14 may be provided with a full specification related to the industrial control devices that form configuration 21 so that information related to configuration 21 can be provided via HMI 16, allowing the administrator to manually select devices or subsets of the devices to be accessible by specific system users, specific sources (e.g., specific laptops, specific servers and databases, etc.) and, where contemplated, to specify other non-packet characteristics to affect access restriction. Here, the configuration 21 information presented via HMI 16 may take any of several different forms including, but not limited to, a hierarchical list of control devices, a graphic view of the control devices such as a tree, an iconic graphical view, etc.

Referring now to
FIGS. 1 and 15, an exemplary administrator's HMI screenshot 180 that may be presented via HMI 16 during manual access control specification is illustrated. Window 180 includes instructions 182 to guide an administrator in providing the information required to specify access control. In addition, window 180 includes a sub-window 184 in which a configuration graphic consistent with configuration 21 in FIG. 1 is presented where each control device within configuration 21 is separately presented and linking relationships therebetween are also shown. Moreover, a mouse controllable selection icon 194 is provided that can be moved within sub-window 184 to point to different control devices therein. When icon 194 is pointing at one of the device icons within sub-window 184, a selection activity (e.g., a double click on a controlling mouse) causes the device icon to be highlighted. In FIG. 15, each of devices D4 and D5 is shown as being highlighted via cross-hatches therethrough.

Referring still to
FIG. 15, a double arrow icon 181 is provided adjacent a user indicator field 195 which, in FIG. 15, indicates user U1. Here it is contemplated that icon 181 may be used to scroll through different known system users for which access control information has already been placed in the access control database so that the administrator can easily switch from one user to the next during a specifying procedure. Where access control information has already been stored for one of the users, when the administrator scrolls to that user's identity via icon 181, in at least some cases, it is contemplated that a graphic of configuration 21 for the specific user would automatically be provided within sub-window 184 and would indicate, via highlighting, devices controllable by the particular user. For new users, the administrator can simply provide an identifier (e.g., U1) in field 195 corresponding to the new user. Referring again to FIG. 15, window 180 also includes an enter icon 186. After device icons to be accessible by a specific user have been selected via sub-window 184, when enter icon 186 is selected, in at least some cases, a simple access control database like database 50 in FIG. 3 is supplemented for the specific user.

In other cases, where additional non-packet characteristics are to be used to restrict device access, when
enter icon 186 is selected in FIG. 15, other specifying tools may be provided via interface 16. For example, in at least some cases, when icon 186 is selected in FIG. 15, another HMI window like window 200 in FIG. 16 may be provided. In FIG. 16, additional instructions 202 are provided for a system administrator to guide the administrator in specifying other important non-packet characteristics for restricting access. In the present example, the instructions indicate that for the devices D4 and D5 that were selected via sub-window 184 in FIG. 15, the administrator should indicate access times and specify required locations for the specific user to access. In addition, for each of devices D4 and D5, a separate non-packet characteristics specifying window is provided; of these windows, only window 217 corresponding to device D4 will be described here. Within window 217, start and stop time fields are provided along with two-headed arrow icons 215. The two-headed arrow icons may be selected via mouse controlled cursor 208 to change the corresponding start or stop time.

Referring still to
FIG. 16, window 217 also includes a location restriction sub-window 223 that can be used to specify locations in which the particular user should be able to access device D4. Within sub-window 223, a list of possible location restricting spaces is provided including an “All” designation, a Zone 1 designation, a Zone 2 designation, etc. Cursor 208 can be used to select one of the location restriction designations. A selection box 225 is provided around the selected location restriction designation. For example, in FIG. 16, box 225 is provided around the All designation indicating that, as currently set, the user should be able to access device D4 from all locations. A double headed arrow icon 227 is provided within window 223 to allow the administrator to scroll through location restriction designations where more than the four illustrated designations are possible.

Referring still to
FIG. 16, window 200 also includes an enter icon 204 and a double headed arrow icon 206 near a lower edge thereof. Double headed arrow icon 206 can be used to scroll through the different device windows like window 217 that correspond to the devices selected via sub-window 184 in FIG. 15. After time and location restriction information has been specified via the device windows and enter icon 204 is selected, server 14 compiles the information specified via the device windows into an access control database like the one illustrated in FIG. 10.

Referring now to
FIG. 17, a method or process 160 for manually configuring an access control database using an administrator's HMI is illustrated. At block 162, a control configuration specification (e.g., a graphical specification or a directory view type specification) is provided. At block 166, an administrator's interface 16 is provided. At block 170, device selection tools and, where necessary, non-packet characteristics setting tools, like the tools illustrated in FIG. 15 or 16 or tools akin thereto, are provided via HMI 16. At block 172, after the administrator uses the HMI tools to specify access control information, the access restriction information is provided to server 14 which, at block 174, updates the access control database.

While two different methods for specifying access control database information are described above, one in which the security server performs a learning process and another in which a system administrator manually specifies access control information, in at least some cases it is contemplated that a hybrid system may be provided wherein, during a learning process, the
server 14 performs a process similar to the process described above. Thereafter, an administrator may use interface tools like those described above with respect to FIGS. 15 and 16 to analyze the access control information that resulted from the learning process and to modify that access information. To this end, for example, referring again to FIG. 15, after a learning process for user U1, the administrator may access a screen shot like the one illustrated in FIG. 15 for user U1 where all accessed devices are shown as highlighted. Here, the administrator may either move on to a screen like that shown in FIG. 16 to see the non-packet characteristics that resulted from the learning process or may manually select other devices via sub-window 184 to be accessible or deselect highlighted devices in sub-window 184 that should not be accessible.

What has been described above includes examples of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art may recognize that many further combinations and permutations of the present invention are possible. Accordingly, the present invention is intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims.
- For example, while access control information is described above as indicating devices that can be accessed and non-packet characteristics that correspond to access rights, in other embodiments the access control information may instead identify devices that cannot be accessed or non-packet characteristics that correspond to inaccessible conditions. For instance, referring again to FIG. 3, for user U1, the device access list in column 54 may list devices D3, D8, D9, etc., that are not accessible by user U1 and in that case the firewalls would only allow access to devices that are not listed in column 54. In addition, referring again to FIG. 1, while the comparing steps have been described above as being performed by firewalls server 14. Moreover, while firewalls overall system 10, it should be appreciated that each one of the firewalls may take any of several different forms. For example, firewall 28 may be embedded within PLC1, may be its own standalone device or may run on a remote server.
- In addition, referring again to FIG. 1, while firewalls sources 27 and the devices within network 21, firewalls may be linked to the other components described in any of several ways and the devices and sources may be programmed to communicate accordingly. For instance, in at least some applications firewalls 28 and 30 may be programmed to physically intercept any communications transmitted to destination devices within network 21 even if those communications do not specify one of the firewalls as a path device. Thus, for example, where source S1 is used to transmit a packet identifying the address of PLC1 as the IP destination (see field 36 in FIG. 2), firewall 28 may be programmed to monitor network 26 for all communications specifying PLC1 as an IP address and to then intercept those communications to be scrutinized as described above.
- As another instance, firewalls (e.g., 28, 30) may be employed and referenced as network devices that separate network 21 from sources 27. Here, firewalls 28 and 30 may be placed within the overall network so that the firewalls physically separate network 21 from sources 27. In this case, when a source is used to access/control one of the devices within network 21, the source may be programmed to route a data packet to one of the firewalls as if the firewall was one of the devices within network 21. In other words, referring to FIGS. 1 and 2, a packet may specify the address of firewall 28 in IP destination address field 36 and the non-IP path address fields 38, 40, etc., may then specify the network devices PLC1, D0, D1, etc. In this case the data packets are not intercepted by the firewalls but are directed specifically to the firewalls as part of the network 21.
- Exemplary System
- Now an exemplary system will be described wherein a second or embedded protocol that is embedded in an IP packet is the CIP protocol.
- In addition to specifying a routing or communication path for packets, the CIP protocol also enables specification of specific activities that should be performed by a target network device. To this end, the CIP protocol enables specification of a specific “object” associated with a target network device that is associated with a packet as well as a service to be performed at, by or related to the object. With respect to the “object” concept, this concept contemplates a hierarchical organization of device functions and features including, in at least some cases, a class level, an instance level and an attributes level. For instance, an exemplary class may include a general class of devices such as proximity sensors. An instance of a proximity sensor, as the label implies, is a single occurrence of a proximity sensor. For example, in at least some cases a single network device may include three instances of the proximity sensor class (i.e., the device includes three separate proximity sensors). Instance attributes are functional or operational characteristics associated with either a class or an instance of a class. For example, a proximity sensor may be able to be operated in either one of two different ways. First, a proximity sensor may be able to precisely sense proximity of a part at a station along a transfer line and generate a variable signal to indicate a precise distance between the sensor and the part. Second, the proximity sensor may be able to operate in a binary fashion to indicate either presence or absence of a part at a transfer line station. Here, the mode of sensor operation (i.e., binary or precise) may be an attribute of the proximity sensor class that can be altered. As another example, where an instance of a proximity sensor is operated in the binary mode, an attribute of the instance may be the value (i.e., 1 or 0) of the sensor at a specific time.
- In the above examples, a service to be performed on the proximity sensor class may be to change the mode of operation from binary to precise using a write command. A service that may be performed on an instance of a proximity sensor that is operating in the binary mode may be to read the sensor value. Here, it should be appreciated that the examples described above are only exemplary and have been limited in the interest of simplifying this explanation. In a working system, as one of ordinary skill in the art would understand, a huge number of different object classes, instances and attributes are contemplated and would be supported by a functioning system.
- Referring again to FIG. 1, in the case of the CIP protocol, to determine if a packet from a source should be transmitted to a target or destination device, a firewall 30 may be programmed to examine an intended routing path through the network 21 devices, the target device, the target object (i.e., class-attribute, class-instance-attribute, etc.) at a target device and perhaps the service to be performed at, by or to the target object. The process wherein a firewall examines target objects and services is referred to hereinafter as “object filtering”.
- To support object filtering, first, objects accessible to specific sources have to be identified, as well as services that can be initiated at, by or on specific objects. To this end, an enhanced access database may be provided. Referring now to FIG. 28, an exemplary access control database 562 that may be maintained within database 24 for supporting object filtering is illustrated. Exemplary database 562 includes a source column 552, a device column 554, a class column 556, an instance column 558, an attribute column 560 and a service column 564. Source column 552 lists each of the sources that may, for any purpose, access devices within non-IP network 21. To this end exemplary sources in column 552 include sources S1, S2. Device column 554 includes a separate list of non-IP network devices corresponding to each of the sources in column 552. For example, column 554 includes devices D1 and D2 corresponding to source S1 in column 552. The devices associated with a source in column 552 include any non-IP network devices that the corresponding source can access for any reason.
- Referring still to FIG. 28, class, instance and attribute columns column 554. For instance, the combination including class C1 and attribute A1 specifies a specific attribute of a specific class associated with device D1. Similarly, the combination including class C1, instance I1 and attribute A4 specifies a different object associated with device D1. Other class, instance and attribute combinations are contemplated and a small subset thereof are illustrated in columns
- Service column 564 specifies one or more services or functions that are associated with each of the attributes in column 560. In the example, a first service Ser1 is associated with attribute A1 in column 560. Similarly, two services Ser1 and Ser2 are associated with attribute A2 in column 560. A service Ser22 corresponds to an object including class C1, instance I1 and attribute A4 related to device D1 and source S1 in columns instance I1 and attribute A4.
- In the case of the CIP protocol there are two general ways in which to send data packets between sources and target network devices. First, when only minimal amounts of information/data need to be transmitted to a network device or from a network device to a source and there is no need for a reply from the receiving component or when only minimal back and forth communication is necessary, data packets can be sent between a source and a network device along route paths without forming a persistent connection path therebetween. A communication of this type is referred to hereinafter as an “unconnected send” because, as the label implies, a packet is sent in one direction and a persistent connection path is not set up between the source and device. Herein, the phrase “persistent connection path” is used to refer to a path that, once established, does not have to be re-indicated each time a data packet is transmitted along the path and that can be affirmatively eliminated.
- Second, when larger quantities of information need to be sent between a source and a network device or when several rounds of back and forth communication between a source and a network device are required, a persistent communication path can be established between the source and the network device so that overhead required to perform communications can be reduced appreciably (i.e., the path does not have to be re-indicated with each transmitted packet). To establish a persistent source to network device connection path, several communications are required in at least some embodiments including an initial source communication indicating that a persistent connection path should be formed and specifying a communication path through the non-IP network to a destination or target device. In addition, an initial network device communication back to the source is required in some embodiments.
- In at least some applications the initial source communication also includes a target-to-originator (T-O) connection ID (T-O ID) that is to be used by the target device when the target sends packets back to the source (i.e., the originator). Here, the source will only accept packets back from the target network device that include the T-O ID. Similarly, in at least some applications, the initial network device communication also includes an originator-to-target (O-T) connection ID (O-T ID) that is to be used by the source (i.e., the originator) when the source sends second and subsequent packets to the target network device. Here, the target device only accepts packets from the source that include the O-T ID. Establishment of a connection path will be described in greater detail below.
- Hereinafter, unless indicated otherwise, the initial source packet for establishing a persistent connection path with a network device will be referred to as an “unconnected forward open request” because the packet commences the opening of a connection path and is initially unconnected (i.e., the path initially is not connected). Similarly, the initial network packet will be referred to hereinafter as an “unconnected forward open reply” because the packet is a reply to the open request. Packets transmitted after a connection path is established will be referred to hereinafter as “connected send” packets or communications. A packet to eliminate a persistent connection path will be referred to hereinafter as an “unconnected forward close request”.
- Referring to FIG. 18, an exemplary dual protocol data packet 300 including a CIP data packet embedded or encapsulated within an IP data packet is illustrated. Exemplary packet 300 corresponds to a typical unconnected send packet. Here, packet 300 is shown in its simplified form and it should be appreciated that a typical packet may include other fields populated with various types of information useful or required for transmitting the packet 300 from a source to a target network device.
- Exemplary packet 300 is a typical IP packet and, to that end, includes a frame that specifies packet source and destination device as well as a data field within the frame. Packet 300 includes a source ID field 302 and an IP destination address field 303. The IP packet data field is identified by numeral 324 and includes fields IP data field 324 is where data for delivery to an IP destination address is typically located. In the present case, a non-IP data packet is encapsulated in field 324 where the packet includes non-IP path device address fields 312, 314, 316 and 318 as well as a general service type field 304, a connection manager field 306 and a target object path/service field 308. As in the case of FIG. 2 above, the non-IP address fields 312, 314, 316 and 318 specify a string of addresses corresponding to non-IP devices and specify a path for non-IP routing to the target network device.
- Referring still to FIG. 18, general service type field 304, as the label implies, specifies a general type of service associated with packet 300. For example, exemplary general service types include an unconnected send, a connected send, an unconnected forward open request, an unconnected forward open reply, an unconnected forward close request, etc. Here, although a small number of general service types are described, it should be understood that many other service types are contemplated. In FIG. 18, as indicated in brackets, the service type associated with packet 300 is an unconnected send meaning that the packet 300 is to be transmitted to a target network device without establishing or opening a persistent connection path.
- Connection manager field 306 is used to indicate that the packet 300 should be internally routed within the IP destination device to a connection manager object within the device. Here, in at least some embodiments, each of the non-IP network 21 devices includes a connection manager object which is typically a software program that is provided to manage communication paths for the device. In the case of an IP destination device, the connection manager object is capable of identifying a general service type specified in field 304 and examining the address fields (e.g., 312, 314, etc.) to identify the next device within the non-IP routing path to which at least a subset of the packet 300 information should be transmitted.
- Referring still to FIG. 18, object path/service field 308, as the label implies, specifies a specific object associated with the target device and a service to be performed at, by or on the object. For instance, consistent with the above example, the object path and service field 308 may specify a specific proximity sensor instance associated with a target device and that the value of the sensor should be read (i.e., the service is to read a value). In this regard, referring also to FIG. 19, an exemplary object path/service field 308 is illustrated that includes an object field 334 and a service field 336. Object field 334 includes a class subfield 338, an instance subfield 340 and an attribute subfield 342.
- Referring now to FIG. 20, an exemplary submethod 350 that may be substituted for a portion of the method 62 illustrated in FIG. 4 is shown where the submethod corresponds to a firewall process that may be performed when an unconnected send data packet is intercepted where the packet includes an embedded CIP subpacket. Referring also to FIGS. 1 and 4, after a firewall (e.g., 30) intercepts a packet at block 70, control passes to block 352. At block 352, firewall 30 decapsulates the received packet and identifies the packet source, the target device, an object specified in object path/service field 308 and the service specified in field 308. At block 354, firewall 30 accesses the stored AC database (see again FIG. 28). At block 356, firewall 30 uses the database to determine if the source has authority to access the target device for any purpose. This step may comprise simply checking the list in column 554 of the database 562 to see if the target device is correlated with the source device in column 552. At decision block 358, where the source does not have authority to access the target device for at least one purpose, control passes down to block 366 where a secondary security function is performed. Here, the secondary security function may take any of several different forms including the forms described above with respect to FIGS. 4 through 7.
- Referring still to FIGS. 1, 18 and 20, if the source has authority to access the target device at block 358, control passes to block 360 where firewall 30 uses AC database 562 to determine if the source has authority to commence the identified service for the identified object (i.e., object filtering). At block 362, where the source does not have authority to commence the identified service for the identified object, control passes to block 366. Where the source has authority to commence the service for the object, control passes to block 364 where packet information is transmitted to the first device in the non-IP routing path specified by the unconnected send packet (see address in field 312 in FIG. 18). Transmission continues through the non-IP path until a subset of the data is received by the target device. The target device uses the subset of packet information to perform the service at, on or by the object specified in field 308.
- Referring now to FIG. 21, another exemplary dual protocol packet 370 including a CIP packet embedded within an IP packet is illustrated. Fields in packet 370 that are similar to fields in packet 300 described above with respect to FIG. 18 are labeled with identical numbers and, in the interest of simplifying this explanation, are not described here in detail. More specifically, fields 302, 303, 306, 312, 314, 316 and 318 are akin to the identically numbered fields in FIG. 18. In FIG. 12, however, the information in fields FIG. 18 (i.e., the source ID in field 302 corresponds to the original target device, the address field 303 corresponds to the original source device and the path specified by fields FIG. 18). In addition to fields packet 370 includes a general service type field 374 and a T-O ID field 377. Field 374 indicates an unconnected forward open request meaning that a persistent connection should be set up between the source and the target device to facilitate subsequent communications. T-O ID field 377 includes a target-to-originator connection ID that is generated by the source.
- Referring again to FIG. 1 and also to FIG. 22, in at least some embodiments it is contemplated that firewall 30 may maintain a forward open table 402 for keeping track of open or established connection paths between sources and target network devices. To this end, exemplary table 402 includes a source IP column 390, a destination IP column 392, a route path column 394, a T-O connection ID column 396, an O-T connection ID column 398 and a connection serial number column 400. In FIG. 22, data corresponding to a single open connection path is illustrated and arranged in a single row. Nevertheless, it should be appreciated that many hundreds and even thousands of rows of data may populate table 402 at any given time in a complex system where each row includes information associated with a different currently established path. Source IP column 390 includes a source IP address for each open connection path. The exemplary source IP address in column 390 is XJ234789. Destination IP column 392 includes a destination IP address corresponding to an IP destination device within network 21 for each address in column 390. Route path column 394 indicates a route path for each connection path specified in table 402. In the illustrated example, the route path includes devices D4, D5, D6, etc.
- Referring still to FIG. 22, column 396 is used to store a T-O connection ID for each of the route paths specified in column 394. In FIG. 22, an exemplary connection ID is T-O 1920. Column 398 is used to store an O-T connection ID corresponding to each of the route paths in column 394. In FIG. 22, the exemplary connection ID in column 398 is O-T 0349. In column 400, a separate connection serial number is provided for each of the route paths in column 394.
- Referring to FIGS. 1, 21 and 22, when an unconnected forward open packet 370 is intercepted by firewall 30, firewall 30 decapsulates the packet and determines whether or not the source specified by the packet has authority to access the target network device specified by the packet for any reason. Where the source has authority to access the target network device for any reason, firewall 30 populates a new connection path row in table 402 with information directly from the packet 370 including providing information in columns firewall 30 populates a new connection path row, firewall 30 also generates a connection serial number and places the serial number in column 400 correlated with the new connection path row. Thus, at this point, all of the new connection path row information in table 402 is specified except for an entry in column 398. When a source does not have authority to access the target network device for at least one reason, the firewall does not create a new connection path row in table 402 and may perform some type of secondary security function.
- Continuing, after a new connection path row is partially populated, firewall 30 transmits a packet 370 along with the connection serial number via the designated non-IP route path to the target network device. This subpacket is not illustrated. As a packet is received by each of the non-IP network devices during routing to the target device, each of the route devices decapsulates the received packet, identifies the device from which the packet was received, the next device along the route path to which to transmit a subpacket and the connection serial number, stores identification of the previous device and next device along with the connection serial number in a table akin to forward open table 402 for subsequent routing and then transmits a subpacket to the next device along the prescribed path until the target receives a subpacket.
- When the target network device receives the subpacket including the T-O ID and the connection serial number, the target device recognizes the subpacket as a forward open request and in turn generates an unconnected forward open reply data packet that is transmitted back along the connection path to the firewall 30. In FIG. 23, an exemplary unconnected forward open reply packet 410 is illustrated that includes a general service type field 414, a T-O ID field 416, an O-T ID field 418, a connection serial number field 419 and a non-IP address field 412 (this field 412 may be optional). Field 414 specifies the general service type (i.e., an unconnected forward open reply in the present case). Field 416 includes the T-O ID which is required by the target device to communicate with the source (i.e., the source will not accept communications from the target device without the T-O ID). Field 418 includes an O-T ID which is generated by the target network device and which is required in any communications from the source for the target device to receive the communications. Field 419 includes the connection path serial number associated with the line of communication. Field 412 indicates the non-IP address of the device in the non-IP connection path that precedes the target device.
- For instance, referring again to FIG. 1, where a non-IP connection path includes devices D4, D5, D6 . . . DN-1 and DN and device DN is the target device, the address specified in field 412 corresponds to device DN-1. When device DN-1 receives the packet, device DN-1 uses the connection serial number in field 419 to identify the preceding connection path device DN-2 via a lookup table stored by device DN-1 and transmits a packet to that device. This process is repeated until device D4 receives a reply packet and uses information therefrom to generate an IP framed packet to be transmitted to the source. Here, the IP framed packet includes, among other things, the T-O ID, the O-T ID and the connection serial number corresponding to the connection path. When an IP packet is transmitted to the source, firewall 30 intercepts the packet.
- Referring still to FIGS. 1, 22 and 23, when firewall 30 intercepts the unconnected forward open reply packet, firewall 30 identifies the O-T ID and the connection serial number and inserts the ID in column 398 in the row associated with the connection serial number.
- After the source receives the unconnected forward open reply, the source begins communicating along the established connection path with the target network device without having to completely specify the non-IP routing path and hence communication overhead is reduced appreciably. Instead, the source need only specify the connection serial number which is then used by the non-IP path network devices to route to next devices along the path until a packet is received by the target device.
- Referring to FIG. 24, an exemplary connected send packet 420 which may be transmitted by a source to a target network device after a connection path has been established is illustrated. Packet 420 includes source and IP destination address information in fields service type field 424. The O-T ID is specified in field 426 and the connection serial number is specified in field 427. Here, a target object path/service field 428 is populated with an object path and a service to be performed on the object indicated by the object path as described above. When a connected send packet 420 is intercepted by firewall 30, firewall 30 decapsulates the packet, identifies the source, the target network device and the object and service and uses that information to determine whether or not a subpacket should be transmitted on to the target network device.
- Referring to FIG. 25, to close or eliminate a connection path, a source may be programmed to transmit an unconnected forward close type packet 430. Packet 430 includes source and IP destination information in fields service type field 434 and a connection serial number field 436. When a forward close packet 430 is intercepted by firewall 30, firewall 30 decapsulates the packet, identifies the packet as a forward close type packet by examining the information in field 434, identifies the connection path serial number in field 436 and then discontinues the connection path by deleting the row corresponding thereto in table 402 (see again FIG. 22). In addition, firewall 30 allows disconnect information to be transmitted along the connection path causing devices therealong to delete path related information from their memories.
- Referring now to FIGS. 26 and 27, an exemplary method 450 for establishing an authorized connection path between a source and a target device, for communicating along the path and for eliminating an established connection path is illustrated. Referring also to FIGS. 1 and 22, at block 452, firewall 30 monitors packets that are targeting network 21 devices. Where a forward open request is not received at decision block 454, control passes to block 483 in FIG. 27. Where a connected send packet is not identified at block 483 (here it is assumed that a connection path has previously been specified and instantiated in a firewall forward open table), control passes to block 498. If an unconnected forward close packet is not identified at block 498, control passes back up to block 452 where monitoring of intercepted packets continues.
- Referring again to FIGS. 1, 22 and 26, when a forward open request is received at decision block 454, control passes to block 456 where firewall 30 decapsulates the intercepted packet to identify the source of the packet, the target network device, the non-IP path through network 21 and the T-O connection ID. At block 458, firewall 30 accesses the stored AC database 562 (see FIG. 28). At block 460, firewall 30 uses the AC database 562 to determine if the source has authority to connect to the target network device for any purpose. At block 462, where the source does not have authority to connect to the target network device, control passes to block 482 where a secondary security function akin to one of the functions described above is performed. After block 482, control passes to block 483 in FIG. 27.
- Referring again to decision block 462, where the source has authority to connect to the target network device for at least one purpose, control passes to block 464 where firewall 30 assigns a connection serial number to the connection path between the source and the target network device. At block 468, firewall 30 populates a portion of a new row of the forward open table 402 with information including the source IP address, the destination IP address, the route path and the T-O connection ID. At block 470, firewall 30 transmits a packet via the non-IP path specified by the unconnected forward open request packet to the target network device that includes the connection serial number and the T-O ID. At block 472, the target network device encapsulates an unconnected forward open reply (see FIG. 23) including an O-T connection ID and transmits that reply to the source. Firewall 30 intercepts the reply packet and, at block 474, decapsulates the unconnected forward open reply, identifies the O-T connection ID and uses that ID to complete the connection path row in forward open table 402 at block 478. At block 480, the non-IP network device that separates other network 21 devices from the IP network (e.g., device D4 in the present example) generates an IP protocol reply which is transmitted back to the source and that includes the O-T connection ID as well as the connection serial number corresponding to the newly opened connection path. After block 480, control passes to block 483 in FIG. 27. At this point, a new connection path has been established and is instantiated in table 402.
- Referring to FIG. 27 and also to FIGS. 1 and 22, at block 483, firewall 30 monitors intercepted dual protocol packets targeting network 21 devices for a connected send packet. When a connected send packet is intercepted, control passes to block 486. At block 486 firewall 30 decapsulates a received packet to access the connection serial number and thereby identify the connection path associated with the connected send packet. At block 488, firewall 30 accesses the forward open table 402 and identifies the route path associated with the connection serial number as well as the target network device. At block 490, firewall 30 accesses the stored AC database 562 (see FIG. 28) and at block 492 firewall 30 determines if the intended function or service is allowed. At block 494, where the service is not allowed, control passes to block 506 where a secondary security function is performed. After block 506, control passes back up to block 452 in FIG. 26 where the monitoring process continues. At block 494, where the function is allowed, control passes to block 496 where firewall 30 transmits the connected send packet including the T-O connection ID and the connection serial number to the target network device along the path indicated in route path column 394 (see specifically FIG. 22).
- Referring again to decision block 483, where a connected send packet has not been intercepted, control passes to block 498 where firewall 30 determines whether or not a forward close packet has been intercepted. When a forward close packet has not been intercepted, control passes back to block 452 in FIG. 26 where monitoring continues. When a forward close packet is intercepted at block 498, control passes to block 500 where firewall 30 accesses forward open table 402 (see again FIG. 22) and identifies the connection path row associated with the connection serial number in the forward close packet. At block 502, firewall 30 deletes the connection path associated with the connection serial number in the forward close packet and control passes back up to block 452 in FIG. 26 where monitoring continues. After a connection path row has been deleted from table 402, if additional communications are attempted using the connection serial number associated with the deleted row, firewall 30 does not allow the communications.
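- The object filtering of submethod 350 (FIG. 20) and the forward open, connected send and forward close handling of method 450 (FIGS. 26 and 27) are modelled together below in Python as an added example; this is not the patent's or any vendor's code. The access control rows, the packet dictionaries and their keys, the connection IDs, and the checks that a connected send carries the row's O-T ID and that the row has been completed by a reply are assumptions made for this example.

```python
"""Added example for this page: a model of the CIP object-filtering firewall
and its forward open table. Not the patent's or any vendor's code; packet
layouts, IDs and access rows below are constructed."""
from dataclasses import dataclass
from itertools import count

# Access control database 562 (FIG. 28) as constructed rows of
# (source, device, class, instance, attribute, service); instance None
# means the object is addressed at the class level (class-attribute).
AC_DATABASE = {
    ("S1", "D1", "C1", None, "A1", "Ser1"),
    ("S1", "D1", "C1", None, "A2", "Ser1"),
    ("S1", "D1", "C1", None, "A2", "Ser2"),
    ("S1", "D1", "C1", "I1", "A4", "Ser22"),
    ("S1", "D2", "C3", "I1", "A1", "Ser1"),
    ("S2", "D2", "C1", None, "A1", "Ser1"),
}

def source_may_access_device(source, device):
    """Blocks 356/460: does any row grant the source this device at all?"""
    return any(row[:2] == (source, device) for row in AC_DATABASE)

def object_filter(source, device, obj, service):
    """Blocks 360/492: exact (class, instance, attribute) + service match."""
    cls, inst, attr = obj
    return (source, device, cls, inst, attr, service) in AC_DATABASE

@dataclass
class ConnectionRow:
    """One row of forward open table 402 (FIG. 22)."""
    source_ip: str
    dest_ip: str                 # IP destination device (e.g. gateway D4)
    route_path: tuple            # non-IP path; last device is the target
    t_o_id: int                  # column 396, from the forward open request
    o_t_id: "int | None" = None  # column 398, filled in from the reply

class CipFirewall:
    """Firewall 30 as a state machine keyed by connection serial number."""

    def __init__(self):
        self.forward_open_table = {}  # serial number -> ConnectionRow
        self._serials = count(1)      # column 400 values, assigned here

    def handle_unconnected_send(self, pkt):
        """Submethod 350 (FIG. 20): device check, then object filtering."""
        target = pkt["route_path"][-1]
        if not source_may_access_device(pkt["source"], target):
            return "deny"
        if not object_filter(pkt["source"], target, pkt["object"], pkt["service"]):
            return "deny"
        return "forward"

    def handle_forward_open(self, pkt):
        """Blocks 456-470 (FIG. 26): authorise, assign a serial number,
        populate a partial row. Returns the serial number, or None on deny."""
        target = pkt["route_path"][-1]
        if not source_may_access_device(pkt["source"], target):
            return None
        serial = next(self._serials)
        self.forward_open_table[serial] = ConnectionRow(
            pkt["source"], pkt["ip_dest"], tuple(pkt["route_path"]), pkt["t_o_id"])
        return serial

    def handle_forward_open_reply(self, reply):
        """Blocks 474-478: complete the row with the target's O-T ID. Matching
        the reply's T-O ID against the row is an added check, not in the text."""
        row = self.forward_open_table.get(reply["serial"])
        if row is None or row.t_o_id != reply["t_o_id"]:
            return False
        row.o_t_id = reply["o_t_id"]
        return True

    def handle_connected_send(self, pkt):
        """Blocks 486-496 (FIG. 27): look up the path by serial number, then
        object-filter the service. Refusing a missing or not-yet-completed row
        and checking the O-T ID are this example's assumptions."""
        row = self.forward_open_table.get(pkt["serial"])
        if row is None or row.o_t_id is None or row.o_t_id != pkt["o_t_id"]:
            return "deny"
        target = row.route_path[-1]
        if not object_filter(row.source_ip, target, pkt["object"], pkt["service"]):
            return "deny"
        return "forward"

    def handle_forward_close(self, pkt):
        """Blocks 500-502: drop the row; later sends on that serial are refused."""
        return self.forward_open_table.pop(pkt["serial"], None) is not None

def run_demo():
    """Walk one connection through its lifecycle and return the decisions."""
    fw = CipFirewall()
    serial = fw.handle_forward_open({"source": "S1", "ip_dest": "D4",
                                     "route_path": ["D4", "D5", "D1"], "t_o_id": 1920})
    send = {"serial": serial, "o_t_id": 349,
            "object": ("C1", "I1", "A4"), "service": "Ser22"}
    decisions = [fw.handle_connected_send(send)]              # deny: no reply yet
    fw.handle_forward_open_reply({"serial": serial, "t_o_id": 1920, "o_t_id": 349})
    decisions.append(fw.handle_connected_send(send))           # forward
    decisions.append(fw.handle_connected_send(dict(send, service="Ser1")))  # deny
    fw.handle_forward_close({"serial": serial})
    decisions.append(fw.handle_connected_send(send))           # deny: closed
    return decisions  # ['deny', 'forward', 'deny', 'deny']
```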
- In at least some contemplated embodiments it has been recognized that when a firewall denies a request from a source (e.g., a server, a computer, a network device, etc.), the source can get “hung up” during a timeout period (e.g., 10 seconds) if a properly formatted response to the request is not received. In this regard, many sources maintain single string communication stacks for communicating on a network. For instance, referring to FIG. 29, a system 600 is illustrated where a server 590 performs five applications A1-A5 and maintains a CIP stack 592 that lists requests 001, 012, etc. from the applications. A pointer 594 indicates a current request 011 in the stack that has most recently been transmitted 604 to a target device via network 26. Consistent with FIG. 1, firewall 30 intercepts the request 001 and determines if the request is to be halted or continued. In at least some applications, after a request is transmitted 604, server 590 will wait for a response or the end of a timeout period before processing the next request in the stack 592.
- In at least some applications timeout periods should be minimized to facilitate fast processing of all requests in the CIP stack 592. According to another aspect of the present invention, when a firewall 30 determines that a request should be denied, the firewall 30 is programmed to generate and transmit 606 a spoofed message back to the requesting server/source, where the spoofed message has a format that will be recognized as a response to the request. When the requesting source receives the spoofed message and recognizes the message as a properly formatted response, the source processes the response and releases the CIP stack so that the next stack request (e.g., 012 in the present example) can be processed.
- Referring now to FIG. 30, an exemplary spoofed response packet 610 is illustrated that includes a source ID field 612, an IP destination address field 614, an “Invalid Access Request” message field 616, a connection SN field 617 and a T-O ID field 618. Source ID field 612 indicates the original target device from the original request packet and field 614 indicates the address of the original source. In the present example the source may be the server 590 or server stack 592. Field 618 includes the target to originator ID (i.e., the T-O ID) from the original request. Here, the information in fields packet 610 as a response to the associated request packet.
- In at least some cases, some of the information (e.g., source and target identifying information) in the response packet fields will be gleaned or obtained from the original request communication packet. In some cases, other information such as the connection SN in field 617 will be “bogus” information fabricated by firewall 30 to trick the source into recognizing a communication as a response from the target device intended for the source. For instance, where a request corresponds to an unauthorized communication, clearly no connection path is to be formed and therefore no connection SN will be required. However, if a source requires a response packet that includes a serial number, a bogus or fake connection SN has to be generated and used to instantiate an appropriate field in a response packet.
- Referring still to FIG. 30, field 616 includes a message, or some indication akin thereto, that the request was invalid or has been denied. The field 616 indication is used by the receiving source to perform some other function (e.g., indicate an error to a system user, begin a process to generate another request packet, etc.).
- Referring now to FIG. 31, a method 620 for maintaining a single string communication stack is illustrated. Referring also to FIG. 29, at block 622, stack 592 receives a new request from one of the applications A1-A5 associated therewith. At block 624, stack 592 adds the request to the stack. At block 626, server 590 accesses the next request in the stack (e.g., in a FIFO manner) and at block 628, server 590 encapsulates and transmits a packet (see 370 in FIG. 21) corresponding to the next stack request to a corresponding target device via network 26. At block 630, stack 592 (or server 590) starts a timeout clock for the specific request.
- Referring to FIG. 32, a sub-process 640 that may be substituted for a portion of the process illustrated in FIG. 20 is shown, where the sub-process is for generating a spoofed response packet when a request is denied. Referring also to FIG. 29, when firewall 30 receives a request on a network 26, at block 632, firewall 30 determines if the request should be halted or further processed. Where the request should be further processed, control passes back to block 364 in FIG. 20.
- At block 632, where the request is to be halted for lack of authority, control passes to block 634. At block 634, firewall 30 generates information required to encapsulate a spoofed response. In the present example, referring again to FIG. 30, the required information to be generated will include, in at least some applications, a connection serial number (SN) as well as a rejection message for instantiating fields block 634 will depend on requirements set by the source (e.g., server 590) and the type of protocol, and therefore other types of spoofed information may be generated. The important point here is that the spoofed data/information and the packet format encapsulated at block 636 should result in a packet that will be received as a properly formatted and legitimate response by the original source. At block 636, a response packet is encapsulated and at block 638 the packet is transmitted to the originating source device.
- Referring again to FIGS. 29 and 31, at block 642, server 590/stack 592 monitors network 26 for a response that includes properly formatted and required data (e.g., the correct source and destination, a SN, the appropriate T-O ID, etc.). At block 644, when a response that meets the format and content criteria of a proper response is not received, control passes to block 648 where server 590 monitors the timeout clock. When the timeout period has not expired, control loops back up to block 642. When the timeout period expires at block 648, control passes back up to block 622 where the process described above is repeated.
- Referring still to FIGS. 29 and 31, when a response that meets the format and content criteria of a proper response is received, control passes to block 646 where the response is processed. Here, in the case of a spoofed response, the receiving server/source may simply indicate to a system operator that an error has occurred. In other cases the error may prompt an associated application to generate a following request.
- While the CIP example herein is described in the context of a firewall that is separate from the non-IP network devices, it should be appreciated that, in at least some embodiments, the firewall functionality may be embedded within a non-IP network device (e.g., a PLC) that is dedicated to firewall activities, or in a non-IP network device that performs other functions in addition to firewall activities.
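The spoofed-response sub-process of FIGS. 30 and 32 and the single-string stack of FIGS. 29 and 31 are shown together below as an added worked example; this is not the patent's code or a real CIP implementation. The firewall side builds a denial reply that carries the request's T-O ID, swaps the endpoints, and fabricates a connection SN only when the source's reply format needs one; the source side shows the acceptance check of block 644 and the timeout clock of block 648. The addresses, the access list, the field names and the one-second loop are all constructed for the example.

```python
"""Spoofed denial response and single-string request stack (added example).
Field names, addresses, the access list and the timing are constructed here
and are not the patent's own packet layout."""
import secrets
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    source_addr: str      # requesting server/source (the page's server 590)
    target: str           # target device named in the request
    t_o_id: int           # target-to-originator ID chosen by the originator
    service: str
    needs_conn_sn: bool   # source's reply format requires a connection SN


@dataclass(frozen=True)
class Response:
    source_id: str          # field 612: the original target device
    dest_addr: str          # field 614: address of the original source
    message: str            # field 616: denial indication
    t_o_id: int             # field 618: copied from the request
    conn_sn: Optional[int]  # field 617: bogus SN, only when the source needs one


# Constructed access list: target -> sources allowed to reach it.
ALLOWED: Dict[str, set] = {"PLC-1": {"10.0.1.5"}, "DRIVE-7": set()}


def firewall_handle(req: Request) -> Optional[Response]:
    """Blocks 632-638: None means forward; otherwise the spoofed denial reply."""
    if req.source_addr in ALLOWED.get(req.target, set()):
        return None
    # No path is ever opened for a denied request, so any SN is fabricated.
    conn_sn = secrets.randbelow(1 << 16) if req.needs_conn_sn else None
    return Response(req.target, req.source_addr, "Invalid Access Request",
                    req.t_o_id, conn_sn)


class SingleStringStack:
    """One outstanding request at a time, released by a matching response."""

    def __init__(self, addr: str, timeout: float) -> None:
        self.addr, self.timeout = addr, timeout
        self.pending: Deque[Request] = deque()
        self.current: Optional[Request] = None
        self.sent_at = 0.0
        self.errors: List[Tuple[str, str]] = []

    def submit(self, req: Request) -> None:           # blocks 622-624
        self.pending.append(req)

    def transmit_next(self, now: float) -> Optional[Request]:  # blocks 626-630
        if self.current is not None or not self.pending:
            return None
        self.current = self.pending.popleft()
        self.sent_at = now                              # start the timeout clock
        return self.current

    def matches(self, resp: Response) -> bool:
        """Block 644: right endpoints, the right T-O ID and, if required, a SN."""
        cur = self.current
        return (cur is not None and resp.dest_addr == self.addr
                and resp.source_id == cur.target and resp.t_o_id == cur.t_o_id
                and (not cur.needs_conn_sn or resp.conn_sn is not None))

    def receive(self, resp: Response) -> bool:
        """Block 646: process the reply (here: record the error) and release."""
        if not self.matches(resp):
            return False
        self.errors.append((self.current.target, resp.message))
        self.current = None
        return True

    def tick(self, now: float) -> bool:
        """Block 648: give up on the current request once its timeout expires."""
        if self.current is not None and now - self.sent_at >= self.timeout:
            self.current = None
            return True
        return False


def run(spoof: bool) -> Dict[str, float]:
    """Drain two denied requests; report when the second one is transmitted."""
    stack = SingleStringStack("10.0.1.9", timeout=10.0)
    stack.submit(Request("10.0.1.9", "PLC-1", 0x11, "write_tag", True))
    stack.submit(Request("10.0.1.9", "DRIVE-7", 0x12, "read_tag", False))
    now, sent_times = 0.0, []
    while stack.pending or stack.current is not None:
        req = stack.transmit_next(now)
        if req is not None:
            sent_times.append(now)
            resp = firewall_handle(req)
            if resp is not None and spoof:          # firewall transmits 606
                stack.receive(resp)
        stack.tick(now)
        now += 1.0                                  # one second per loop turn
    return {"second_sent_at": sent_times[1], "errors": len(stack.errors)}


if __name__ == "__main__":
    print("with spoofed reply:", run(True))
    print("without:           ", run(False))
```

With the spoofed reply the second request leaves the stack one loop turn after the first; without it the source sits through the full ten-second timeout first. The example also makes the defender's trade-off visible: the fabricated SN is unlinked to any real path, so a source that logs the denial (block 646) gets an error record for every refused request rather than a silent stall.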
- Referring again to FIG. 1, in at least some embodiments it is contemplated that when a persistent connection path is created between a source (e.g., S1) and a non-IP network device (e.g., DN), communications/transmissions should generally be regular, such that the period between consecutive transmissions is no longer than a maximum duration. Here, when more than a maximum duration or a maximum timeout period has elapsed since the most recent packet transmission on a specific connection path, a firewall may be programmed to close the connection path by deleting the path from the forward open table.
- To this end, referring also to FIG. 22, forward open table 402 may, in addition to the columns described above, include a connection timeout column 600 and a timer column 602. Timeout column 600 includes a separate timeout period (e.g., TOP1) for each of the connection path serial numbers in column 400. The timeout periods may be specified by source devices that initiate connection paths or may be generated by a firewall in at least some embodiments. The timeout periods may all be the same or may be connection path specific. Timer column 602 includes a timer value (e.g., TI1) for each timeout period in column 600. Each timer starts at a zero value when a forward open request is received and is reset to a zero value when a transmission along a related connection path is received by the firewall. When a timer value exceeds an associated timeout period in column 600, the firewall closes the associated communication path.
- In addition, while the spoofed response process is described above in the context of a server as a source, it should be appreciated that many system components and even applications may include a single string stack and may be hung up when a firewall receives an unauthorized request. In at least some cases it is contemplated that a firewall may be programmed to spoof any application or component that generates a request for which a response is required. Here, the formats and required data in the different responses may be different, but the spoofing principle is the same. The firewall will simply be programmed to generate several different types of spoofed messages for return to request sources and will generate the appropriate message for each source.
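The forward open table lifecycle described at blocks 483-502 of FIG. 27 (connected send lookup, AC check, forward close) together with the timeout and timer columns of FIG. 22 just described is modelled below as an added example; it is not the patent's own code. Rows are keyed by connection serial number and carry the route path, target device, T-O ID, timeout period and timer; a timer is reset by any received transmission on the path and a row whose timer exceeds its timeout is deleted, after which traffic on that serial number is refused exactly as it is after a forward close. The AC database contents, device names, route paths and timings are constructed.

```python
"""Forward open table with connected send, forward close and timeouts.
Added example; the AC database, device names, paths and times are
constructed and not the patent's own data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for AC database 562: target device -> allowed services.
AC_DATABASE: Dict[str, set] = {
    "PLC-1": {"read_tag", "write_tag"},
    "DRIVE-7": {"read_tag"},
}


@dataclass
class ConnectionRow:
    route_path: Tuple[str, ...]  # hops to the target (route path column 394)
    target: str                  # target network device
    t_o_id: int                  # target-to-originator connection ID
    timeout: float               # timeout period TOPn (column 600), seconds
    timer: float = 0.0           # timer TIn (column 602), seconds


class ForwardOpenTable:
    """One row per connection serial number (column 400)."""

    def __init__(self) -> None:
        self.rows: Dict[int, ConnectionRow] = {}
        self.last_seen: Dict[int, float] = {}
        self.closed_by_timeout: List[int] = []

    def forward_open(self, serial: int, route_path, target: str,
                     t_o_id: int, timeout: float, now: float) -> None:
        # Timer starts at zero when the forward open request is received.
        self.rows[serial] = ConnectionRow(tuple(route_path), target, t_o_id, timeout)
        self.last_seen[serial] = now

    def forward_close(self, serial: int) -> bool:
        """Blocks 498-502: delete the row; later traffic on it is refused."""
        self.last_seen.pop(serial, None)
        return self.rows.pop(serial, None) is not None

    def advance(self, now: float) -> List[int]:
        """Update every timer; close paths whose timer exceeds the timeout."""
        expired = []
        for serial, row in list(self.rows.items()):
            row.timer = now - self.last_seen[serial]
            if row.timer > row.timeout:
                expired.append(serial)
                self.forward_close(serial)
        self.closed_by_timeout.extend(expired)
        return expired

    def connected_send(self, serial: int, service: str, now: float) -> str:
        """Blocks 483-496: find the path, check the service, forward or deny."""
        self.advance(now)
        row = self.rows.get(serial)
        if row is None:
            # Unknown, closed or timed-out serial number: no connection path.
            return "deny:no-connection-path"
        # A received transmission on the path resets its timer to zero.
        self.last_seen[serial] = now
        row.timer = 0.0
        if service not in AC_DATABASE.get(row.target, set()):
            # Block 506: secondary security function (here just a denial code).
            return "deny:service-not-allowed"
        return "forward:%s:%s:%d" % ("/".join(row.route_path), row.target, row.t_o_id)


def demo() -> Dict[str, object]:
    """Open two paths; use one, close it, and let the other time out."""
    table = ForwardOpenTable()
    table.forward_open(1001, ["port2", "slot0"], "PLC-1", t_o_id=0x2A, timeout=10.0, now=0.0)
    table.forward_open(1002, ["port2", "slot3"], "DRIVE-7", t_o_id=0x2B, timeout=5.0, now=0.0)
    out: Dict[str, object] = {}
    out["read"] = table.connected_send(1001, "read_tag", now=1.0)
    out["write_drive"] = table.connected_send(1002, "write_tag", now=2.0)
    out["close"] = table.forward_close(1001)
    out["after_close"] = table.connected_send(1001, "read_tag", now=3.0)
    out["drive_timeout"] = table.advance(now=8.0)   # 1002 idle since t=2: 6 s > 5 s
    out["after_timeout"] = table.connected_send(1002, "read_tag", now=8.5)
    out["timed_out_serials"] = list(table.closed_by_timeout)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that the denied write on 1002 still resets its timer, because the text ties the reset to a transmission being received on the path, not to the access decision; a deployment that wanted denied traffic to count toward idleness would move the reset below the AC check.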
- Moreover, while the examples above are described in the context of specific types of first and second protocols, it should be appreciated that at least some inventive embodiments are independent of protocol type (i.e., the first or framing protocol may be other than an Ethernet protocol and the embedded protocol may be any protocol employed in industrial settings).
- Furthermore, to be clear, in at least some applications it is contemplated that the embedded messages could be nested. For instance, an Ethernet message may contain a CIP message with a first embedded destination, which in turn may contain a CIP or other protocol message with yet another, second embedded destination, and so on. Here, in at least some applications, the firewall concept may cause a processor to evaluate one, all, or a subset of the embedded destinations and intended activities when an n-tier encapsulation occurs.
- In addition, while the invention above is described in the context of databases that specify access control information for destination resources, it should be appreciated that the invention also contemplates specifying access control information for source resources. For instance, a database may specify that a specific workstation or hand-held device associated with a specific user can only be used to access and manipulate specific resources. Here, after decapsulation of a packet, a processor uses the access control information to determine if transmission should be restricted. Thus, where access control information is specified, the specification should be viewed broadly, unless otherwise indicated, to include any data form that specifies access rules related to resources, regardless of whether the database rules are based on destination or source resources.
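The two preceding paragraphs, n-tier encapsulation and source-based rules alongside destination-based rules, are illustrated below as an added example that is not the patent's code. It uses the same split as the claims that follow: a framing ("first protocol") packet carrying a source identifier, and an embedded ("second protocol") packet naming a destination and a service that may itself embed a further tier. Every tier is evaluated against a destination rule (zone plus allowed services, in the sense of claims 4 and 5) and, where one exists, a source rule limiting a workstation or hand-held device to specific resources. Rule tables, addresses, zone names and packet contents are constructed.

```python
"""n-tier decapsulation with destination- and source-based access rules.
Added example; rules, addresses, zones and packets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Embedded:
    destination: str                    # embedded destination resource
    service: str                        # intended activity at that destination
    inner: Optional["Embedded"] = None  # next tier, if the message is nested


@dataclass
class Framing:
    src_addr: str     # first protocol source identifier (an IP address here)
    dst_addr: str     # first protocol destination resource identifier
    payload: Embedded


# Destination rules: resource -> (zone it belongs to, services allowed
# from sources inside that zone).  Sources outside the zone are refused.
DEST_RULES: Dict[str, Tuple[str, Set[str]]] = {
    "PLC-1": ("cell-A", {"read_tag", "write_tag"}),
    "DRIVE-7": ("cell-A", {"read_tag"}),
    "HMI-2": ("cell-B", {"read_tag"}),
    "HMI-3": ("cell-B", {"read_tag"}),
}
# Zone membership of first-protocol sources.
ZONES: Dict[str, str] = {"10.0.1.5": "cell-A", "10.0.2.9": "cell-B"}
# Source rules: a hand-held device that may only touch specific resources.
SOURCE_RULES: Dict[str, Set[str]] = {"10.0.2.9": {"HMI-2"}}


def decapsulate(pkt: Framing) -> List[Embedded]:
    """Return every tier of the embedded packet, outermost first."""
    tiers: List[Embedded] = []
    cur: Optional[Embedded] = pkt.payload
    while cur is not None:
        tiers.append(cur)
        cur = cur.inner
    return tiers


def evaluate(pkt: Framing) -> Tuple[str, List[str]]:
    """Apply destination and source rules to every tier; deny on first failure."""
    reasons: List[str] = []
    for depth, tier in enumerate(decapsulate(pkt)):
        rule = DEST_RULES.get(tier.destination)
        if rule is None:
            reasons.append(f"tier{depth}:unknown-destination:{tier.destination}")
            break
        zone, services = rule
        # Destination rule applied to a first-protocol characteristic (source).
        if ZONES.get(pkt.src_addr) != zone:
            reasons.append(f"tier{depth}:source-outside-zone:{zone}")
            break
        if tier.service not in services:
            reasons.append(f"tier{depth}:service-not-allowed:{tier.service}")
            break
        # Source rule: this source may only reach its listed resources.
        limited_to = SOURCE_RULES.get(pkt.src_addr)
        if limited_to is not None and tier.destination not in limited_to:
            reasons.append(f"tier{depth}:source-restricted:{tier.destination}")
            break
    return ("deny" if reasons else "forward", reasons)


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed packets covering nesting, zones and source restriction."""
    nested = Embedded("PLC-1", "read_tag", Embedded("DRIVE-7", "read_tag"))
    nested_write = Embedded("PLC-1", "read_tag", Embedded("DRIVE-7", "write_tag"))
    return {
        "nested_ok": evaluate(Framing("10.0.1.5", "gw-A", nested)),
        "nested_write": evaluate(Framing("10.0.1.5", "gw-A", nested_write)),
        "handheld_ok": evaluate(Framing("10.0.2.9", "gw-B", Embedded("HMI-2", "read_tag"))),
        "handheld_restricted": evaluate(Framing("10.0.2.9", "gw-B", Embedded("HMI-3", "read_tag"))),
        "cross_zone": evaluate(Framing("10.0.2.9", "gw-A", Embedded("PLC-1", "read_tag"))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The walk stops at the first failing tier, which is what a firewall that must decide before forwarding needs; an audit-oriented variant would continue and report every tier, which is the "all" option the text leaves open.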
- To apprise the public of the scope of this invention, the following claims are made:
Claims (28)
1. A method for controlling access in an electronic network, comprising:
receiving a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;
retrieving at least one access rule based on at least one characteristic of the second protocol packet;
applying the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and
controlling access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.
2. The method of claim 1, wherein retrieving at least one access rule comprises accessing the at least one access rule from an external access control database.
3. The method of claim 1, wherein controlling access of the communication further comprises restricting access to a second protocol destination resource when the access rule outcome indicates that the second protocol destination resource is within a control configuration.
4. The method of claim 1, wherein the at least one access rule comprises at least one zone designation.
5. The method of claim 4, wherein controlling access of the communication to the first protocol destination resource further comprises restricting access when the access rule outcome indicates that the source device is outside the at least one zone designation.
6. The method of claim 4, wherein controlling access of the communication to the first protocol destination resource further comprises restricting access when the access rule outcome indicates that the source device is inside the at least one zone designation.
7. The method of claim 1, wherein the at least one access rule is configured via at least one central administrator interface.
8. The method of claim 7, further comprising receiving the at least one access rule via the at least one central administrator interface.
9. The method of claim 1, wherein the at least one access rule specifies communication sources authorized to communicate with a second protocol destination resource specified in the second protocol packet and communication sources not authorized to communicate with the second protocol destination resource.
10. The method of claim 9, further comprising generating a warning signal when the access rule outcome indicates that at least one of the communication sources is not authorized to communicate with the second protocol destination resource.
11. The method of claim 10, further comprising transmitting the warning signal to a configuration server.
12. The method of claim 1, wherein the first protocol packet is configured in accordance with an IP protocol.
13. The method of claim 1, wherein the at least one characteristic of at least one of the first protocol packet and the second protocol packet comprises a source identifier associated with the source device.
14. The method of claim 13, wherein the source identifier comprises an IP address.
15. The method of claim 13, wherein the source identifier comprises an Ethernet address.
16. The method of claim 1, wherein the second protocol packet is configured according to a common industrial protocol.
17. The method of claim 1, wherein the second protocol packet is configured according to a Data Highway Plus protocol.
18. The method of claim 1, wherein the first protocol packet is configured in accordance with an Ethernet/IP protocol.
19. The method of claim 1, wherein the at least one characteristic of the second protocol packet is at least one of a command, a service, an object, and an address filter.
20. The method of claim 1, wherein controlling access of the communication to the first protocol destination resource further comprises halting transmission of the first protocol packet when the access rule outcome indicates an unauthorized access attempt.
21. The method of claim 1, wherein the second protocol packet specifies a path through a plurality of path resources, and wherein the at least one access rule includes access control information associated with at least one of the path resources.
22. The method of claim 1, wherein the second protocol packet specifies a path through a plurality of path resources, and wherein the at least one access rule includes access control information associated with each of the path resources.
23. An apparatus for controlling access in an electronic network, comprising:
a memory;
a processor disposed in communication with the memory and configured to issue processing instructions stored in the memory to:
receive a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;
retrieve at least one access rule based on at least one characteristic of the second protocol packet;
apply the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and
control access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.
24. The apparatus of claim 23, wherein the apparatus is programmable to retrieve at least one access rule from an external access control database.
25. The apparatus of claim 23, wherein the apparatus is programmable to restrict access to a second protocol destination resource when the access rule outcome indicates that the second protocol destination resource is within a control configuration.
26. The apparatus of claim 23, wherein the apparatus is programmable to connect to a central administrator interface, wherein the central administrator interface is programmable to create the at least one access rule.
27. A non-transitory processor-accessible medium storing processor-issuable instructions to:
receive a communication from a source device, the communication comprising a first protocol packet having first protocol packet information including a first protocol destination resource identifier, wherein a second protocol packet is embedded in the first protocol packet;
retrieve at least one access rule based on at least one characteristic of the second protocol packet;
apply the at least one access rule to at least one characteristic of the first protocol packet to determine an access rule outcome; and
control access of the communication to a first protocol destination resource associated with the first protocol destination resource identifier according to the access rule outcome.
28. A method for restricting transmission of a protocol packet between a source device and a destination device linked on a network, the method comprising:
intercepting a first protocol packet having a second protocol packet embedded within the first protocol packet, wherein the second protocol packet includes a destination identifier that identifies a destination device for the second protocol packet;
examining at least a portion of the embedded second protocol packet to identify the destination device;
identifying access control information associated with the destination device;
identifying a first protocol packet characteristic;
comparing the first protocol packet characteristic to the access control information associated with the destination device; and
restricting transmission of the first protocol packet as a function of the access control information and the first protocol packet characteristic.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/278,229 US20140250493A1 (en) | 2005-01-06 | 2014-05-15 | Firewall method and apparatus for industrial systems |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US64183905P | 2005-01-06 | 2005-01-06 | |
US70038005P | 2005-07-19 | 2005-07-19 | |
US11/326,742 US7990967B2 (en) | 2005-01-06 | 2006-01-06 | Firewall method and apparatus for industrial systems |
US13/182,808 US8774186B2 (en) | 2005-01-06 | 2011-07-14 | Firewall method and apparatus for industrial systems |
US14/278,229 US20140250493A1 (en) | 2005-01-06 | 2014-05-15 | Firewall method and apparatus for industrial systems |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/182,808 Continuation US8774186B2 (en) | 2005-01-06 | 2011-07-14 | Firewall method and apparatus for industrial systems |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140250493A1 true US20140250493A1 (en) | 2014-09-04 |
Family
ID=36203911
Family Applications (6)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/326,742 Active 2030-01-14 US7990967B2 (en) | 2005-01-06 | 2006-01-06 | Firewall method and apparatus for industrial systems |
US13/182,808 Active 2026-09-12 US8774186B2 (en) | 2005-01-06 | 2011-07-14 | Firewall method and apparatus for industrial systems |
US14/278,225 Active US9369436B2 (en) | 2005-01-06 | 2014-05-15 | Firewall method and apparatus for industrial systems |
US14/278,229 Abandoned US20140250493A1 (en) | 2005-01-06 | 2014-05-15 | Firewall method and apparatus for industrial systems |
US14/285,863 Abandoned US20140259099A1 (en) | 2005-01-06 | 2014-05-23 | Firewall method and apparatus for industrial systems |
US15/167,289 Active 2026-01-11 US10091208B2 (en) | 2005-01-06 | 2016-05-27 | Firewall method and apparatus for industrial systems |
Country Status (4)
Country | Link |
---|---|
US (6) | US7990967B2 (en) |
EP (1) | EP1878192B1 (en) |
AT (1) | ATE514269T1 (en) |
WO (1) | WO2006074436A2 (en) |
US7990967B2 (en) | 2005-01-06 | 2011-08-02 | Rockwell Automation Technologies, Inc. | Firewall method and apparatus for industrial systems |
- 2006
  - 2006-01-06 US US11/326,742 patent/US7990967B2/en active Active
  - 2006-01-06 WO PCT/US2006/000663 patent/WO2006074436A2/en active Application Filing
  - 2006-01-06 EP EP06717820A patent/EP1878192B1/en not_active Not-in-force
  - 2006-01-06 AT AT06717820T patent/ATE514269T1/en not_active IP Right Cessation
- 2011
  - 2011-07-14 US US13/182,808 patent/US8774186B2/en active Active
- 2014
  - 2014-05-15 US US14/278,225 patent/US9369436B2/en active Active
  - 2014-05-15 US US14/278,229 patent/US20140250493A1/en not_active Abandoned
  - 2014-05-23 US US14/285,863 patent/US20140259099A1/en not_active Abandoned
- 2016
  - 2016-05-27 US US15/167,289 patent/US10091208B2/en active Active
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20210092098A1 (en) * | 2019-09-24 | 2021-03-25 | Siemens Aktiengesellschaft | Method and Arrangement for Control Data Exchange of an Industrial Edge Device |
US11652796B2 (en) * | 2019-09-24 | 2023-05-16 | Siemens Aktiengesellschaft | Method and arrangement for control data exchange of an industrial edge device |
Also Published As
Publication number | Publication date |
---|---|
US7990967B2 (en) | 2011-08-02 |
EP1878192A2 (en) | 2008-01-16 |
WO2006074436A2 (en) | 2006-07-13 |
US10091208B2 (en) | 2018-10-02 |
US20060155865A1 (en) | 2006-07-13 |
US20140259099A1 (en) | 2014-09-11 |
ATE514269T1 (en) | 2011-07-15 |
US20160277416A1 (en) | 2016-09-22 |
US20110283350A1 (en) | 2011-11-17 |
US8774186B2 (en) | 2014-07-08 |
US20140250520A1 (en) | 2014-09-04 |
WO2006074436A3 (en) | 2006-08-31 |
US9369436B2 (en) | 2016-06-14 |
EP1878192B1 (en) | 2011-06-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10091208B2 (en) | | Firewall method and apparatus for industrial systems |
US8782771B2 (en) | | Real-time industrial firewall |
US20060236374A1 (en) | | Industrial dynamic anomaly detection method and apparatus |
US5987611A (en) | | System and methodology for managing internet access on a per application basis for client computers connected to the internet |
US5473608A (en) | | Method and apparatus for managing and facilitating communications in a distributed heterogeneous network |
AU757668B2 (en) | | Method and system for enforcing a communication security policy |
US20080126352A1 (en) | | Client side state cache for industrial control systems |
US7538664B2 (en) | | Customized industrial alarms |
US6131163A (en) | | Network gateway mechanism having a protocol stack proxy |
EP1203297B1 (en) | | Method and system for extracting application protocol characteristics |
EP0986229A2 (en) | | Method and system for monitoring and controlling network access |
EP2378716B1 (en) | | Systems for conducting communications among components of multidomain industrial automation system |
EP0658837A2 (en) | | Method for controlling computer network security |
US20020174208A1 (en) | | Network communications management system and method |
US20070255861A1 (en) | | System and method for providing dynamic network firewall with default deny |
EP2378740B1 (en) | | Method for conducting communications among components of multidomain industrial automation system |
EP2378741A1 (en) | | Systems and Methods for Conducting Communications Among Components of Multidomain Industrial Automation System |
EP2622496B1 (en) | | System and method for controlling access to a plant network |
US8463921B2 (en) | | Method and system for controlling a computer application program |
CN1893371A (en) | | Network device for secure packet dispatching via port isolation |
US20020147806A1 (en) | | Remote maintenance system and data processing system using electronic mail |
JP2001077857A (en) | | Filtering processing device, network provided with it and its storage medium |
JP5160652B2 (en) | | Method and system for controlling computer application programs |
Lippert et al. | | Security Analysis for the Middleware Assurance Substrate |
EP1669865A1 (en) | | Message communication over a computer network including a message store |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: ROCKWELL AUTOMATION TECHNOLOGIES, INC., OHIO. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BRANDT, DAVID D;BATKE, BRIAN A;SINGER, BRYAN L;AND OTHERS;SIGNING DATES FROM 20140317 TO 20140430;REEL/FRAME:034284/0308 |
| STCB | Information on status: application discontinuation | Free format text: EXPRESSLY ABANDONED -- DURING EXAMINATION |