G05B2219/24159

Method and arrangement for providing data from an industrial automation arrangement to an external arrangement

A method and arrangement for providing data from an industrial automation arrangement to an external application that is operated in a data cloud and arranged outside a first data network. An industrial Edge device processes raw data from a data source and makes the processed data available to the external application. The external application transmits a work order to the gateway component, the gateway component checks the work order, the raw data are captured and processed according to the work order, and the processed, abstracted and/or anonymized data are provided to the external application or to a destination defined in the work order. In this way an external user can automatically control access and hence use the data without accessing the underlying raw data, because the level of data access is automatically negotiated and produced between the components involved (data source, gateway component) while taking requirements and rules into account.

CENTRALIZED CONTROL SYSTEM

A centralized control system including a centralized control device including a storage unit configured to store biometric information of an operator, and operation authority information indicating a range of authority of an operation by the operator for an operation target device in association with each other, a biometric information acquisition unit configured to acquire the biometric information from the operator, a selection information acquisition unit configured to acquire selection information for selecting the operation target device, a biometric authentication unit configured to authenticate the operation of the operator on the basis of the biometric information acquired by the biometric information acquisition unit and the biometric information stored in the storage unit whenever the selection information acquisition unit acquires the selection information, a specific operation reception unit configured to receive a specific operation for the operation target device on the basis of the authentication result by the biometric authentication unit, and the operation authority information stored in the storage unit, and an operation information output unit configured to output specific operation information indicating the specific operation received by the specific operation reception unit to an operation target device, and a network configured to connect the centralized control device and the operation target device with each other.

COMPREHENSIVE AUTHENTICATION AND IDENTITY SYSTEM AND METHOD

A comprehensive authentication and identity system and method are disclosed. A central profile is created for a user which includes user information that can be passed back or otherwise utilized by websites (e.g. for registrations, logins, etc.). The user information may include the user's username, password, contact information, personal information, marketing preferences, financial information, etc. For website registrations, the user may provide a mobile communication number that is utilized to perform a type of mobile communication device verification process. As part of a website login, the user may provide identifiable information (e.g. a username) that is looked up by the system or website to determine a mobile communication number for the user, which is used for a verification process. If the verification process is completed successfully, the user may be logged into the website. For accessing the system directly, a user may go through a mobile communication device verification process.

SECONDARY SECURITY AUTHORITY
20170161475 · 2017-06-08

Techniques to facilitate protecting control programs used in an industrial automation environment are disclosed herein. In at least one implementation, control system content provided by a primary entity is received along with a primary security authority provided by the primary entity, wherein the primary security authority defines primary usage rights for the control system content granted to a secondary entity. A secondary security authority provided by the secondary entity is received, wherein the secondary security authority defines secondary usage rights for the control system content that further restrict the primary usage rights. A request is received from a user associated with the secondary entity to perform an action associated with the control system content, and the request is processed with the secondary security authority to determine if the user is authorized to perform the action associated with the control system content based on the secondary usage rights.

Span of Responsibility Access Control System

A span of responsibility access control system for use in plant process management and similar applications. The system leverages span-of-responsibility enabled user accounts and corresponding resource properties to assign, verify, and control access to assets and other resources in the plant process management system on a per user basis. Aspects of the system include configuration of properties for each monitored or controlled asset and association of a span of responsibility based on asset properties, such as asset type and location, with a user account. An access control module compares asset properties to the span of responsibility associated with the user account to determine whether the user is entitled to access any given asset, independent of determining permissions to act on such asset.

Systems and methods for configuring industrial devices through a secured wireless side channel
12262202 · 2025-03-25

Systems and methods for configuring industrial devices through a secured wireless side channel may include a compute device. The compute device may have primary communication circuitry configured to communicate through a network and side channel communication circuitry configured to communicate through a wireless side channel that is different from the network. The compute device may additionally include circuitry configured to obtain, via the wireless side channel, configuration data indicative of a configuration for one or more operations of an industrial device of an industrial process plant. Additionally, the circuitry may be configured to configure, in response to obtaining the configuration data, the one or more operations of the industrial device.

Access control to operating modules of an operating unit
09537844 · 2017-01-03

The invention relates to an operating unit (1) for a production plant (2). The operating unit (1) comprises an authorization receiving module (71) so as to receive authorization identifications (61, 62, 63, 64) which are sent out by operating modules (51, 52, 53, 54) of the operating unit (1), an authorization storage module (72) so as to store in an authorization data storage (8) authorization data including allocations of user identifications (31, 32, 33, 34, 41, 42) to the received authorization identifications (61, 62, 63, 64), and an authorization checking module (73) so as to receive at least one authorization identification (61, 62, 63, 64) from the operating modules (51, 52, 53, 54) and to determine at least one user identification (31, 32, 33, 34, 41, 42), and to unlock an operating module (51, 52, 53, 54) if in the authorization data storage (8) an allocation of the at least one user identification (31, 32, 33, 34, 41, 42) to the at least one authorization identification (61, 62, 63, 64) is stored.

Cyber security platform and method

A method of providing cyber security to an industrial control system is described. The method includes detecting an anomaly and recording and reporting the detected anomaly to a control system within a network associated with the industrial control system. Detecting the anomaly may include recording all unauthorized attempts to connect to a communication port in the network, capturing identifying information associated with the unauthorized attempts, detecting scanning activity of a hacker in the network, detecting an attempt to manipulate a log file to conceal malicious activity in the network, and recording and reporting the detected anomaly to a controller within the network.