A modular security control device for controlling an apparatus or an installation includes a basic control apparatus which is configured such that an apparatus or an installation which is at least connectable to the basic control apparatus is at least controllable via a sequence of a control program in the basic control apparatus, and includes a security module which is configured to provide or perform a cryptographic functionality for the basic control apparatus, where the security module is connected to the basic control apparatus by a data connection via a data interface, the basic control apparatus is configured to interact with the security module to achieve a security function of the security control device, and where the basic control apparatus is configured to query an identity and/or authenticity of the security module.

An industrial device is configured to implement a lightweight file authentication sequence that rapidly verifies the integrity of mobile code supplied to the industrial device. The industrial device generates a file authentication code (FAC), which is stored on the industrial device and only made accessible to users via a local connection to the industrial device. The device-specific file FAC is installed on the program development application used to develop or edit the mobile code to be executed on the industrial device. The development application provides the mobile code to the industrial device together with a hash-based message authentication code (HMAC) generated using a retrieved copy of the FAC. The industrial device only permits execution of the mobile code if the HMAC included with the mobile code matches a locally created HMAC generated by the industrial device based on the mobile code and the device's local copy of the FAC.

A method for providing access information for access to a field device for process automation is disclosed. The method includes the steps of determining, at a users operating device, at least one access information issued to the user for an access to at least one field device via the operating device, assigning, at the users operating device, a further user to the determined at least one access information, and sending an access permission comprising information relating to the determined at least one access information and to the further user assigned to the determined access information such that the determined at least one access information is provided to the further user based on the access permission.

The present inventors have determined that implementation of an authentication process which can be selectively applied to safeguard parameters which modify dispensing of particulate material during agricultural operations can advantageously allow users of varying levels of experience and understanding to maintain ease of conducting field operations while reducing the possibility of waste and expense. A control system can determine a level of access for an operator or user on an individual basis. Upon determining a level of access for the operator to be sufficient for modifying a parameter, the control system can apply an input from the operator to modify the parameter, and can accordingly adjust dispensing of particulate material.

The operator identification system is capable of managing the information required for authentication of operators centrally with high operation rate. The operator identification system includes a manufacturing cell including a manufacturing machine and a cell controller that can communicate with the manufacturing machine. The cell controller includes a first operator identification information acquisition unit for acquiring operator identification information, a first operation permission/inhibition information storage unit for storing operation permission/inhibition information of the operator on the manufacturing machine, and a first operator identification unit for determining an operation executable by the operator on the manufacturing machine based on the operator identification information and the operation permission/inhibition information. The manufacturing machine includes a second operator identification information acquisition unit, a second operation permission/inhibition information storage unit, a second operator identification unit, and an operation unit for accepting the operation by the operator. The operation unit executes the operation determined to be executable by the first operator identification unit or the second operator identification unit.

A machine tool includes a maintenance unit that can be replaced by a predetermined unit. The machine tool includes a monitoring section and a determination section. The monitoring section monitors a feature amount that gradually changes accompanying deterioration of the maintenance unit. The determination section determines whether the maintenance unit has been replaced on the basis of a trend of a change in the feature amount monitored by the monitoring section. With such a configuration, the machine tool is able to determine whether the maintenance unit has been replaced.

An engineering assistant system 1 includes: an engineering server 10 that issues a work list including information related to work necessary for performing the engineering of a process control system 100; and an at least one engineering client 20 that grants work authority for each worker based on the work list issued by the engineering server 10 and makes it possible to perform work on a constituent apparatus that constitutes the process control system 100 within a range of granted work authority.

Techniques for authenticating industrial devices in an industrial automation environment are disclosed herein. In at least one implementation, a physical unclonable function response of an industrial device is extracted. The industrial device transmits a security certificate signed by a certificate authority that includes a device public key to a system, wherein the system validates the security certificate, encrypts an authentication challenge using the device public key, and transmits the authentication challenge to the industrial device. The industrial device generates a device private key using the physical unclonable function response and decrypts the authentication challenge using the device private key. The industrial device generates an authentication response based on the authentication challenge, encrypts the authentication response using the device private key, and transmits the authentication response to the system, wherein the system decrypts the authentication response using the device public key and authenticates the industrial device based on the authentication response.

A device for securely operating a field device includes: the field device, which includes at least one human-machine interface having a display device and a keyboard for operating the field device, and a communications interface for connecting a local operating device having a secure connection to a trusted server via a communications network, the secure connection being based upon an authentication feature of a local operator. The field device during use as intended does not have a secure connection to a network for process control. The field device provides and stores a query key. The field device is connected, at least logically, to the local operating device. The trusted server has a private key for providing a signed response key. The signed response key is based upon the query key.

A span of responsibility access control system for use in plant process management and similar applications. The system leverages span-of-responsibility enabled user accounts and corresponding resource properties to assign, verify, and control access to assets and other resources in the plant process management system on a per user basis. Aspects of the system include configuration of properties for each monitored or controlled asset and association of a span of responsibility based on asset properties, such as asset type and location, with a user account. An access control module compares asset properties to the span of responsibility associated with the user account to determine whether the user is entitled to access any given asset, independent of determining permissions to act on such asset.