Software Technology for System and methodology for automation security analysis and network intrusion prevention in an industrial environment

Invented by David D. Brandt, Kenwood Hall, Mark Burton Anderson, Craig D. Anderson, George Bradford Collins, Rockwell Automation Technologies Inc

The Rockwell Automation Technologies Inc invention works as follows

Background for System and methodology for automation security analysis and network intrusion prevention in an industrial environment

Industrial controllers are computers that are designed for industrial automation. They can control manufacturing equipment and other factories. The industrial controller is a computer that measures or alters one or more process variables, inputs, or other indicators according to a control program. Both binary inputs or outputs (e.g. on or off) can be used. Analog inputs and outgoings can also be used, assuming a continuous range.

Measured inputs from such systems and their outputs are generally passed through one or more input/output modules. These I/O module serve as an electrical interface for the controller. They can be located near or far from the controller, and may also include remote network interfaces to related systems. The inputs and outputs can be stored in processor memory in an I/O tableau. Input values may be read asynchronously from one or more input module and output values may be written to the I/Otable for communication with the control system using specialized communications circuitry (e.g. back plane interface, communications modules). In order to control devices such as motors, valves, solenoids, amplifiers, etc., output modules can interface directly with control elements by receiving an input from the I/O tableau.

An industrial controller is the heart of an industrial control system. It can be a Programmable Logic Controller, a Programmable Automation Controller or a PC-based controller. These controllers can be programmed by system designers to control manufacturing processes using user-designed logic programs. They can also be used for sequential function charts, block diagrams, structured texts, and other user programs. Although the user programs are usually stored in memory, they are executed by controllers in a sequential fashion. However, interrupt routines such as instruction jumping, looping, and looping are common. A number of variables or memory elements are associated with the user program. These variables provide dynamic control over controller operations and programs. These variables can be set up by the user and can include bits, bytes and words as well as floating point numbers, integers, floating points numbers, counters and/or any other data type.

Remote applications and systems frequently attempt to update or acquire information about industrial controllers or other device information using a variety of competing, often incompatible and insecure network technologies. This type of remote access to industrial controllers and control systems generally raises concerns about the security provided when data is sent or received to and from the controller and/or its associated equipment. Complex and dangerous operations are common in factories and industrial settings. Potentially dangerous results could result if a controller connected to the network is accidentally accessed or, worse, intentionally sabotaged by an individual or machine.

Simple password protection is one way to provide security for industrial control systems. This could be done by a plant or controls administrator entering an alpha-numeric string which is then typed by an operator every time access attempts are made. The controller will grant access based upon successful typing of this password. However, these passwords can be easily hacked or discovered. Users often use passwords that are easy to guess (e.g. person’s name, birthday). Users may share passwords with others, have the password overheard or come in contact with the password through an unauthorized authorization. Even though security levels are higher, sophisticated hackers can still penetrate sensitive control systems. These techniques can be used to modify control algorithms and take control of production equipment. They also allow for the alteration of I/O streams between control system components and controlled equipment. To avoid potentially dangerous consequences, only authorized users and/or system should have access to such information.

The following provides a summary of the disclosed matter to give a general understanding of certain aspects. This summary does not give a complete overview of all the disclosed subject matter. This summary is not intended to identify the key elements or crucial components of the disclosed matter. It also does not define the scope of the disclosed matter. It is intended to provide a summary of some concepts that are part of the disclosed subject matter, in order to help you understand the detailed description which will be presented later.

The disclosed subject matters relate to a system or methodology that facilitates network and/or device security in an industrial automation environment. There are many systems and methods that can be used to increase security within and/or across networks, and according to different capabilities of automation devices. One aspect of the disclosed subject is a Security Analysis Methodology and Tool. This tool, component and process generates a set of security guidelines, security information, and/or components. The input to the tool may be an abstract description of or model of a factory. This description will identify one or more assets that need to be protected as well as the associated access routes. The tool generates security data that includes recommended security components, interconnection topology, connection configurations and application procedures. It also contains security policies, rules, procedures, security procedures, rules, and/or practices.

SAM can be modeled on a risk-based/cost-based approach, if desired. You can choose a level of protection that is appropriate to protect integrity, privacy, availability, and/or the cost of assets. The tool can also process descriptions of shop floor access and Intranet access as well as Internet access and/or wireless connectivity. Multiparty involvement (IT, Manufacturing and Engineering) can all be accommodated. The tool can be modified to allow for sign-off and partitioned security specification entry. Structured security data formats (e.g. SQL, XML) can be used to generate the security data for the SAM tool. This allows for further validation and compliance testing of security data, if necessary.

A security validation method and associated tools may be provided in another aspect of the disclosed subject material. These validation tools can perform live security assessments of a physical system, both in the initial and ongoing phases. This allows security weaknesses or flaws to be identified. The tools can be used to inspect a system before security changes are made in order to evaluate current security levels. A second aspect of the tools is to verify that a system conforms to security recommendations, such as ISO (International Organization for Standardization) or other security standards. Validation tools can be executed on host-based devices, and/or as an independent device that’s operatively coupled with a network (network-based) at certain points. Host-validation tools can be used to scan and audit devices for vulnerabilities. This includes revision checks, improper configuration check, file system/registry/database permissions check, user privilege/password and/or account policy checks, for example.

One function the network validation tools has is to audit and perform vulnerability scanning on the networks. This includes scanning for vulnerable services and searching for open TCP/UDP port ports. These tools can also be used to identify end devices and gain information that could allow hackers access. The network validation tools can also be used to audit and scan firewalls and routers and other security devices. A complementary tool is also available to evaluate CIP-based factory automation systems in terms of security. It will be network-based as factory automation devices are often not as powerful as general purpose computing. It can be used in an assessment mode to identify system flaws. The tool can also operate in validation mode to verify system security against the security analysis method determinations. Other functions include the non-destructive mapping of the topology and automation devices, checking revisions, configurations, user attributes and checking access control lists. The validation tools described herein can also be adapted to automatically correct security problems (e.g., automatically adjust security parameters/rules/policies, install new security components, remove suspicious components, and so forth).

According to another aspect of disclosed subject matter, a Security Learning System is provided. It can include network-based and/or host-based security aspects that are similar to some of those described above in relation to the Validation tools. The network-based security component (also known as the learning component) monitors an automated network for a predetermined time period. This includes monitoring network activities for a week. The learning component monitors the activity or patterns of the network, including read/write, role/identity/time of requests, status data (e.g. network access counters, error code), and/or virtually any other data type or pattern that can be retrieved from either the asset or the network.

After the training period, a learning component monitors the network and/or assets for deviations from the data patterns learned during that period. A user interface is available that allows the user to set one or more thresholds. You can choose the data patterns you want to monitor/learn from the user interface. The user interface can also allow you to choose the data patterns that you want to monitor/learn. For example, if there have been approximately 1000 network requests per hour over the past month, the user interface can set a threshold to trigger an alarm or cause an automated event if any deviation occurs beyond the threshold.

The following description and annexed drawings illustrate certain aspects of the disclosed matter. These are just a few examples of how the principles of disclosed subject matter can be used. The disclosed subject matter is intended for all of these aspects and any equivalents. The following description of the disclosed matter, when viewed in conjunction with the drawings, will reveal other advantages and new features.

The disclosed subject matter concerns a system and method that facilitate automation security in an industrial controller environment. There are many components, systems, and methods that can be used to provide different levels of security, depending on security validation tools, security analysis tools, and/or security-learning systems. Security analysis tools take abstract factory models and descriptions as input. They then generate an output that may include security guidelines, components and topologies. In the automation security network, validation tools are used to perform security checks and/or auditing functions. For example, they check if security components are properly installed and/or working. The security learning system monitors network traffic patterns and triggers alarms or other events when they are not in line with the patterns. Security learning components can use the unique data traffic patterns found in automation networks (as opposed to general-purpose networks like those in an office or home) to detect corrupt or unexpected data traffic. The security learning system can also be used to regulate industrial processes or equipment.

As used here, the terms ‘component,’ and?system,? are interchangeable. ?system,? ?platform,? ?layer,? ?controller,? ?terminal,? ?station,? ?node,? ?interface? The term “interface” is intended to describe a computer-related entity, or an entity that is related to, an operational apparatus with one of several specific functionalities. Such entities can either be hardware, a combination hardware and software, or software in execution. A component could be, for example, a process that runs on a processor or a hard drive. It can also include multiple storage devices (of optical and magnetic storage medium), affixed (e.g. bolted or screwed) solid-state storage drives. An object, executable, thread of execution, a computer-executable programme, and/or a machine. A component can include both the application and the server. A process or thread can contain one or more components. Components can be located on one computer or distributed across multiple computers. Components described herein may be executed from a variety of computer-readable storage media with different data structures. The components can communicate with each other via local or remote processes, such as by using a signal that contains one or more data packets. This means that data from one component may interact with another component in a distributed system, local system, or across a network like the Internet. Another example is a component, which can be an apparatus that provides specific functionality through mechanical parts or electronic circuitry. The processor then executes software or firmware applications on the apparatus. The processor can be either internal or external and executes at most a portion of the software. Another example is a component that provides specific functionality using electronic components. The electronic components may include a processor to execute firmware or software that at least partially provides the functionality of those components. Interface(s) may include input/output components, as well as processors, applications, or Application Programming Interface components. Although the examples above are focused on components, the features or aspects that were exemplified can also be applied to systems, platforms, interfaces, layers, controllers, terminals, and other similar entities.

As used herein the terms ‘to infer? “To infer?” and “inference?” are used interchangeably herein. Inference refers to reasoning about or inferring the states of a system, environment, or user from a collection of observations captured through events and/or other data. Inference can be used to identify a context or act, or generate a probability distribution of states. Probabilistic inference is the calculation of a probability distribution for states of interest using data and events. Inference may also be used to construct higher-level events using a collection of data and events. This inference allows for the creation of new events or actions using a collection of events and/or data. It does not matter if the events are closely correlated or if the data comes from one or more event and data sources.

In addition, the expression?or? “In addition, the term?or? is meant to refer to an inclusive?or. It is not intended to be an exclusive ‘or.? This means that the phrase ‘X employs A and B, unless otherwise stated or made clear by the context. is meant to refer to any of the natural inclusive permutations. The phrase “X uses A or B?” is intended to mean that the phrase “X” can be used in any of the natural inclusive permutations. X employs either A or B, or both A and B. The articles?a? Additionally, the articles?a????? and?an?? As used in this application and the attached claims, it should be understood to refer to?one or more? Except where otherwise stated or made clear by context, the meaning of “one or more” is to refer to a single form.

Furthermore the term’set? The term?set? as used herein excludes an empty set, i.e., a set that has no elements. A?set? is thus defined. A?set? in the subject disclosure can refer to one or more elements, entities or combinations. A set of controllers may include one or more controllers. A set of data resources can contain one or more data resource. The term “group” is also used herein. As used herein, the term “group” refers to a collection or combination of entities. For example, a group consisting of one or several nodes.

Various features and aspects will be described in terms of systems, which may include multiple devices, components, or modules. It should be understood that different systems could include additional components, modules, or devices. All of the components, devices, modules, etc. may not be included. These are discussed in conjunction with the figures. These approaches can also be combined.

FIG. “FIG. The control system 106 could represent any industrial processor operating under the control of controller. The controlled system 106 may include a variety of controlled devices 108A, 108B, and 108C that either receive or send output signals to controller 104 via any combination of hardwired, or networked connectivity to control the controlled process. The controller 104 may include, for example, a programable automation controller (PAC), which is a soft controller that can be executed on a personal computer, server, or another controller. It can also include one or more processors that can execute a control programme.

Controller104 can contain one or more local I/O module 110 that provide hardwired connectivity 112. to at least a subset controlled equipment and telemetry device, such as controlled devices 110 A. I/O module 110 share a chassis with the controller and interface over a backplane with the controller. Alternately, controller104 can also exchange status and control data with a subset controlled devices (e.g. controlled devices 108B) over a direct link 134 to the plant networking 122. Plant network 122 may include, for instance, a control protocol (CIP), network such as DeviceNet and Controlnet. Other networks that are suitable include Ethernet, DH/DH+ and Remote I/O. Controlled devices 108B that communicate with controller 104 over a direct network connection usually include an integrated network interface which places the device on a network. The controller can map the data to be exchanged with the controller and address it within the control program.