Security-Relevant Diagnostic Messages
20220187816 · 2022-06-16
Inventors
Cpc classification
H04L41/22
ELECTRICITY
H04L41/069
ELECTRICITY
G05B23/0254
PHYSICS
H04L41/0604
ELECTRICITY
International classification
H04L41/069
ELECTRICITY
Abstract
A method for handling security alarms by a control system of a technical installation includes a) receiving diagnostic messages that have been generated by technical objects (7) of a technical installation; b) analyzing the diagnostic messages such that diagnostic messages relevant to the security of an operation of the technical installation are identified by means of comparative data records, where a machine learning network is used to analyze the diagnostic messages to assess the security relevance of the diagnostic messages, where the network is previously trained using special inputs from operators of the technical installation that have assessed past diagnostic messages with regard to their security relevance; c) if necessary, adapting the previously identified diagnostic messages to requirements of a computer-implemented security module of the technical installation and d) transmitting the previously identified and optionally adapted diagnostic messages to the computer-implemented security module of the technical installation.
Claims
1.-6. (canceled)
7. A method, comprising: a) receiving diagnostic messages generated by technical objects of a technical installation comprising a manufacturing or process installation; b) analyzing the diagnostic messages such that diagnostic messages which are relevant to security of an operation of the technical installation are identified via comparative data records, a machine learning network being utilized to assess the security relevance of the diagnostic messages to analyze the diagnostic messages to assess the security relevance of the diagnostic messages, said neural network having previously been trained utilizing inputs from operators of the technical installation, and said operators having assessed past diagnostic messages with regard to their security relevance; c) adapting the previously identified diagnostic messages to requirements of a computer-implemented security module of the technical installation, if necessary; and d) transmitting the previously identified and optionally adapted diagnostic messages to the computer-implemented security module of the technical installation.
8. The method as claimed in claim 7, wherein the diagnostic messages transmitted to the computer-implemented security module are graphically presented to an operator of the technical installation.
9. The method as claimed in claim 7, wherein at least one of (i) a message class and (ii) a message type of the diagnostic message is taken into account during automated assessment of the security relevance of a diagnostic message.
10. The method as claimed in claim 7, wherein the diagnostic messages previously identified as relevant are adapted to a standard data format before the diagnostic messages are transmitted to the computer-implemented security module of the technical installation.
11. The method as claimed in claim 7, wherein the diagnostic messages previously identified as relevant are adapted to a standard data format before the diagnostic messages are transmitted to the computer-implemented security module of the technical installation.
12. The method as claimed in claim 11, wherein the standard data format comprises a Common Event Format.
13. The method as claimed in claim 7, wherein the machine learning network comprises a neural network.
14. A control system for a technical installation, comprising: an operator station server; a computer-implemented analysis module; a computer-implemented adaptation module; and a computer-implemented security module, the analysis module and the adaptation module being implemented on the operator station server; wherein the computer-implemented analysis module is configured to receive diagnostic messages generated by technical objects of a technical installation and to analyze the diagnostic messages such that diagnostic messages relevant for security of an operation of the technical installation are identified; wherein the computer-implemented analysis module is further configured to utilize a machine learning network to analyze the diagnostic messages to assess the security relevance of the diagnostic messages, said network having previously been trained using special inputs from operators of the technical installation, said operators having assessed past diagnostic messages with respect to their security relevance; wherein the computer-implemented analysis module is configured to forward the diagnostic messages previously identified as relevant to the computer-implemented adaptation module; wherein the computer-implemented adaptation module is configured, if necessary, to adapt the diagnostic messages previously identified as relevant by the computer-implemented analysis module to requirements of the computer-implemented security module; and wherein the computer-implemented adaptation module is further configured to forward the diagnostic messages previously received from the computer-implemented analysis module to the computer-implemented security module.
15. The control system as claimed in claim 14, further comprising: an operator station client configured to receive diagnostic messages from the operator station server and to present said received diagnostic messages to an operator of the technical installation.
16. The control system as claimed in claim 14, wherein the technical installation comprises a manufacturing or process installation.
17. The control system as claimed in claim 14, where the machine learning network comprises a neural network.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0039] The above-described properties, features and advantages of this invention, and the way in which they are achieved, become clearer and more readily understandable in connection with the following description of the exemplary embodiment, which is explained in greater detail in connection with the drawings, in which:
[0040]
[0041]
DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENT
[0042] A part of an inventive control system 1 of a technical installation established as an industrial installation is represented in the
[0043] A user or operator has access to the operator station server 2 via the operator station client 3 via the terminal bus 4 in the context of control and process monitoring. The terminal bus 4 can, without being restricted thereto, be formed as an Industrial Ethernet, for example.
[0044] The operator station server 2 has a device interface 5 that is connected to an installation bus 6. Via this, the operator station server 2 can communicate with an (external) device 7. Here, the connected device 7 can alternatively also be an application, in particular a web application. For the purpose of the disclosed embodiments of the invention, any number of devices and/or applications can be connected to the operator station server 2. The installation bus 6 can, without being restricted thereto, be formed, for example, as an Industrial Ethernet. The device 7 can in turn be connected to any number of subsystems (not shown).
[0045] A visualization service 8 is integrated into the operator station server 2, via which a transmission of (visualization) data to the operator station client 3 can occur. Furthermore, the operator station server 2 has a process image 9 and an alarm service 10. In turn, the alarm service 10 comprises a computer-implemented analysis module 11 and a computer-implemented adaptation module 12.
[0046] The alarm service 10 accesses the process image 9, in order to obtain diagnostic messages from the individual devices 7. The received diagnostic messages are first analyzed by the computer-implemented analysis module 11 such that diagnostic messages relevant for the security of an operation of the technical installation are identified. To this end, the computer-implemented analysis module 11 accesses a database 13, in which rules for classification of the individual diagnostic messages with respect to the operating security of the technical installation are stored.
[0047] If necessary, the computer-implemented adaptation module 12 adapts the diagnostic message previously identified as relevant to particular specifications, such as the Common Event Format.
[0048] The diagnostic messages identified as relevant and optionally transformed are then transmitted to an alarm control 14 of the control system 1. The corresponding operating images of the alarm control 14 are graphically presented to an operator of the control system 1 on the operator station client 3. Furthermore, the cited diagnostic messages are transmitted to the computer-implemented security module 15 designed as a SIEM system for further processing.
[0049] If a new and unknown type of diagnostic message is received, then the alarm service 10 transmits to the operator, via the alarm control 14, the information that a new rule has to be stored in the database 13 in order to be able to proceed correctly with this type of diagnostic message in future.
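The flow of paragraphs [0046] to [0049], as an added example that is not part of the patent text: it uses the rule-database lookup of [0046] rather than the trained network, keys the rules on message class and type, emits Common Event Format lines for the security module, and collects unknown message types for the operator. The rule table, field names, vendor and product strings, and sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for the rule database 13:
# (message class, message type) -> (security relevant?, CEF severity 0-10)
RULES = {
    ("diagnostics", "login_failed"): (True, 7),
    ("diagnostics", "firmware_changed"): (True, 9),
    ("maintenance", "filter_due"): (False, 0),
}

@dataclass
class DiagnosticMessage:
    device: str
    msg_class: str
    msg_type: str
    text: str

def esc_header(value):
    # CEF header fields: escape backslash first, then the pipe delimiter
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    # CEF extension values: escape backslash and '=', encode line breaks as \n
    out = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return out.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def to_cef(msg, severity):
    # Vendor, product and version strings are placeholders (assumptions)
    fields = ["ExampleVendor", "ExampleControlSystem", "1.0",
              f"{msg.msg_class}/{msg.msg_type}", msg.msg_type]
    header = "|".join(["CEF:0"] + [esc_header(f) for f in fields] + [str(severity)])
    return f"{header}|dvchost={esc_ext(msg.device)} msg={esc_ext(msg.text)}"

def process(messages):
    """Return (CEF lines for the SIEM, unknown types that need a new rule)."""
    to_siem, unknown = [], []
    for m in messages:
        key = (m.msg_class, m.msg_type)
        rule = RULES.get(key)
        if rule is None:
            if key not in unknown:  # report each unknown type once
                unknown.append(key)
        elif rule[0]:
            to_siem.append(to_cef(m, rule[1]))
    return to_siem, unknown

SAMPLE = [  # constructed diagnostic messages
    DiagnosticMessage("plc-07", "diagnostics", "login_failed", "user=admin failed | 3 attempts"),
    DiagnosticMessage("hmi-02", "maintenance", "filter_due", "filter change due"),
    DiagnosticMessage("plc-07", "diagnostics", "cert_expired", "TLS cert expired"),
]
```

The escaping matters because device-supplied text reaches the SIEM parser: an unescaped `=` or line break in a message could otherwise be read as an extra extension key or a second event.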
[0050]
[0051] Next, b) the diagnostic messages are analyzed such that diagnostic messages relevant to security of an operation of the technical installation are identified via comparative data records, as indicated in step 220. In accordance with the invention, a machine learning network, preferably a neural network, is utilized to analyze the diagnostic messages to assess their security relevance, the neural network having previously been trained utilizing inputs from operators of the technical installation, and the operators having assessed past diagnostic messages with regard to their security relevance.
[0052] Next, c) the previously identified diagnostic messages are adapted to requirements of a computer-implemented security module 15 of the technical installation, if necessary, as indicated in step 230.
[0053] Next, d) the previously identified and optionally adapted diagnostic messages are transmitted to the computer-implemented security module 15 of the technical installation, as indicated in step 240.
[0054] Although the invention has been illustrated and described in greater detail by the preferred exemplary embodiment, the invention is not restricted by the disclosed examples and other variations can be derived therefrom by the person skilled in the art, without departing from the scope of protection of the invention.
[0055] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described and the devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.