Security unit and method for an industrial control system

11146591 · 2021-10-12

Abstract

A security unit for an industrial control system comprises an interface adapted to communicate with a plurality of components of an industrial control system via a data network, a security assignor adapted to access a first component among the plurality of components via the interface, and further adapted to assign a first security level pertaining to the first component to the first component. The security assignor is further adapted to access a second component among the plurality of components via the interface, and to assign a second security level pertaining to the second component to the second component. The security assignor is adapted to assign the first security level and the second security level to the first component and the second component, respectively, in accordance with a system security level pertaining to the industrial control system.

Claims

1. A security unit for an industrial control system, comprising: an interface adapted to communicate with a plurality of components of an industrial control system via a data network; a security assignor adapted to access a first component among said plurality of components via said interface, and adapted to assign a first security level pertaining to said first component to said first component for storage of said first security level in said first component; said security assignor further adapted to access a second component among said plurality of components via said interface, and to assign a second security level pertaining to said second component to said second component for storage of said second security level in said second component, wherein said second component is different from said first component; wherein said security assignor is adapted to assign said first security level and said second security level to said first component and second component, respectively, in accordance with a system security level pertaining to said industrial control system; wherein said second security level is equal to said first security level; and wherein said security assignor is adapted to receive a message from said first component indicating that said first security level has been adopted by said first component, or cannot be adopted by said first component; and/or wherein said security assignor is adapted to receive a message from said second component indicating that said second security level has been adopted by said second component, or cannot be adopted by said second component.

2. The security unit according to claim 1, further comprising a security requestor adapted to access a third component among said plurality of components via said interface, and adapted to request information pertaining to a third security level of said third component from said third component.

3. The security unit according to claim 2, further adapted to compare said information pertaining to said third security level with said system security level, and wherein said security assignor is further adapted to reassign a revised third security level to said third component in accordance with said system security level.

4. The security unit according to claim 1, further comprising a user interface adapted to receive said first security level and/or said second security level and/or said third security level and/or said system security level from a user.

5. An industrial control system comprising a plurality of components connected via a data network; said industrial control system comprising a security unit according to claim 1.

6. A method for operating an industrial control system comprising a plurality of components connected via a data network, comprising: accessing a first component among said plurality of components, and assigning a first security level pertaining to said first component to said first component for storage of said first security level in said first component; accessing a second component among said plurality of components, and assigning a second security level pertaining to said second component to said second component for storage of said second security level in said second component, wherein said second component is different from said first component; wherein said first security level and said second security level are assigned in accordance with a system security level pertaining to said industrial control system; wherein said second security level is equal to said first security level; and wherein said method further comprises: receiving a message from said first component indicating that said first security level has been adopted by said first component, or cannot be adopted by said first component; and/or receiving a message from said second component indicating that said second security level has been adopted by said second component, or cannot be adopted by said second component.

7. The method according to claim 6, further comprising: accessing a third component among said plurality of components, and requesting information pertaining to a third security level of said third component from said third component.

8. The method according to claim 6, further comprising: comparing an operational setting of said first component with said first security level; and/or comparing an operational setting of said second component with said second security level.

9. A computer software program comprising computer-readable instructions, such that said instructions, when read on a computer, cause said computer to perform a method according to claim 6.

Description

BRIEF DESCRIPTION OF THE FIGURES

(1) The features and numerous advantages of the systems and methods according to the present invention will be best understood from a description of exemplary embodiments with reference to the accompanying drawings, in which:

(2) FIG. 1 is a schematic overview of an industrial control system in which the present invention can be employed;

(3) FIG. 2 illustrates the interaction of a security unit according to an embodiment of the invention with the engineering tools and PLC firmware of an industrial control system;

(4) FIG. 3 is a conceptional diagram showing a security unit according to an embodiment;

(5) FIG. 4 is a schematic system view of a security unit employed on a firmware level according to an embodiment; and

(6) FIG. 5 is a flow diagram illustrating a method for operating an industrial control system according to an embodiment.

DESCRIPTION OF EMBODIMENTS

(7) Embodiments of the invention will now be described with reference to a security unit for an industrial control system, such as a manufacturing environment or production hall of an industrial fabrication process. However, the invention is not so limited, and may be employed in any environment in which programmable logical controllers (PLC) are employed to control, operate, or monitor a plurality of devices. In the context of the present disclosure, these environments are generally referred to as industrial control systems.

(8) FIG. 1 is a schematic overview of an industrial control system 10 in which a security unit and method for operating an industrial control system according to the present invention may be employed. The industrial control system 10 may correspond to the production hall of an industrial fabrication process and may comprise a plurality of different machines 12.sub.1, 12.sub.2, 12.sub.3, which may be different machines of the industrial fabrication process, such as machines for manufacturing a workpiece, modifying a workpiece, or painting a workpiece in a factory environment. FIG. 1 shows a configuration with three machines 12.sub.1, 12.sub.2, 12.sub.3. However, this is for simplicity only, and in general an industrial control system may comprise an arbitrary number of different machines.

(9) As can be further taken from FIG. 1, each of the machines 12.sub.1, 12.sub.2, 12.sub.3 comprises at least one and in general a plurality of industrial controller components 14.sub.1, . . . , 14.sub.6, which may each comprise a programmable logical controller (PLC) and may be adapted to access and/or control one or a plurality of machine components 16.sub.1, . . . , 16.sub.12. For instance, the machine 12.sub.1 may comprise four industrial controller components 14.sub.1, . . . , 14.sub.4, which are connected via a machine network 18.sub.1 with eight machine components 16.sub.1, . . . , 16.sub.8. Each of the machine components 16.sub.1, . . . , 16.sub.8 may control a specific functionality or component or process of the machine 12.sub.1. The industrial controller components 14.sub.1, . . . , 14.sub.4 may each run an industrial control program, such as in the form of a firmware or software, which accesses the machine components 16.sub.1, . . . , 16.sub.8 via the machine network 18.sub.1, provides instructions for operating the machine 12.sub.1 to the machine components 16.sub.1, . . . , 16.sub.8, and/or receives control feedback or measurement values back from the machine components 16.sub.1, . . . , 16.sub.8.

(10) Similarly, the machine 12.sub.2 comprises an industrial controller component 14.sub.5 which is connected via the machine network 18.sub.2 with three machine components 16.sub.9, 16.sub.10, 16.sub.11 that each control a particular functionality of the machine 12.sub.2.

(11) The machine 12.sub.3 is configured similarly to machines 12.sub.1 and 12.sub.2, but comprises a single industrial controller component 14.sub.6 controlling a single machine component 16.sub.12 via the machine network 18.sub.3.

(12) As can be further taken from FIG. 1, the industrial control system 10 further comprises a central control component 20 which is connected via an industrial control network 22 to each of the machines 12.sub.1, 12.sub.2, 12.sub.3. The central control component 20 may be employed to manage and/or administer the industrial control system 10 on site. For instance, the central control component 20 may provide parameters and/or instructions to the individual industrial controller components 14.sub.1, . . . , 14.sub.6, such as configuration information or parameter values, and may receive and display measurement values received from the industrial controller components 14.sub.1, . . . , 14.sub.6.

(13) The industrial control system 10 further comprises an engineering component 24 connected via the industrial control network 22 to the machines 12.sub.1, 12.sub.2, 12.sub.3 and central control component 20. The engineering component 24 may comprise a programming environment which allows editing, compiling and providing industrial control programs in the form of software and/or firmware to each of the industrial controller components 14.sub.1, . . . , 14.sub.6.

(14) Program files, configuration files, and/or data files comprising parameters for the industrial control programs of the industrial control system 10 may be stored centrally in an automation server component 26, and may be provided to the engineering component 24 and industrial controller components 14.sub.1, . . . , 14.sub.6 via the industrial control network 22.

(15) As can be further taken from FIG. 1, the industrial control system 10 may be connected to an external network 28, such as the Internet, so as to allow the industrial control system 10, central control component 20, the engineering component 24 and/or the automation server component 26 to establish a data communication link with external resources and databases. An interface to the external network 28 may be secured by means of a firewall component 30 of the industrial control system 10, so as to monitor the data traffic to and from the external network 28 and to provide security against cyber attacks. In some embodiments, the central control component 20, engineering component 24, and/or other components of the industrial control system 10 may be equipped with additional firewall components (not shown) to further enhance the network security.

(16) As can be further taken from FIG. 1, the industrial control system 10 may additionally comprise a remote access component 32 allowing wireless access to the central control component 20, industrial controller components 14.sub.1, . . . , 14.sub.6 and/or additional components of the industrial control system. For instance, the remote access component 32 may allow a user to access components of the industrial control system 10 wirelessly from his mobile device, so as to monitor the industrial control system 10 and/or change a setting of parameters of the industrial control system 10.

(17) A modular industrial control system 10 such as shown in FIG. 1 may comprise components from different manufacturers, sources and generations. Each of its components, such as the industrial controller components 14.sub.1, . . . , 14.sub.6, can provide a plurality of user functionalities, but in a given production environment not all of these functionalities are always needed or used. For instance, each of the industrial controller components 14.sub.1, . . . , 14.sub.6 may be provided with a web server, which may or may not be required and used in a given production environment. Some manufacturers of the industrial controller components 14.sub.1, . . . , 14.sub.6 provide network security equipment, such as software certificates, while others do not.

(18) The user of the industrial control system 10 oftentimes has a large degree of flexibility when configuring the system, which increases the overall complexity of the system 10. For instance, the user may use software components and hardware components from a plurality of sources, may add on libraries or applications for the industrial controller components 14.sub.1, . . . , 14.sub.6, or may have different requirements and techniques for establishing an external access to the industrial control system 10, or even each of its components, such as the industrial controller components 14.sub.1, . . . , 14.sub.6.

(19) Protecting such a modular and heterogeneous industrial control system 10 effectively and efficiently against cyberattacks is a challenging task, the more so if the user requires an online access to the industrial control system 10 from the outside, such as via the Internet.

(20) Different technical standards, such as IEC62443, define certain security levels, which correspond to levels of resilience against cyberattacks, as well as tasks or requirements required to guarantee these security levels. However, even if such security levels are assigned to some or all of the components of the industrial control system 10, it remains a challenge to assess the security level of the overall system, and/or to change the security settings of the industrial control system 10. In conventional systems, monitoring the security level or changing the security level may require the user to access each of the numerous components of the industrial control system 10 individually, which may overwhelm a user that lacks the necessary cyber security background. Moreover, a change of settings of the security parameters at one component may have implications on the security level of other components, and hence the entire industrial control system 10. Conventional systems may lack the possibility of identifying these cross-connections, which may compromise the cyber security of the entire industrial control system 10.

(21) The techniques according to some embodiments of the present invention address these security challenges and concerns by assigning unified security levels to some or all components of the industrial control system 10, and managing them centrally by means of a security unit 34. For instance, the security unit 34 may be a software and/or hardware unit located in the central control component 20 of the industrial control system 10. In other embodiments, the security unit may be implemented as part of the automation server component 26, or other components of the industrial control system 10.

(22) The security unit 34 may access the components of the industrial control system 10 via a software and/or hardware interface (not shown in FIG. 1) to the industrial control network 22, may query security parameters relating to the security levels from these components, and/or may set security levels at the respective components in accordance with the system security level pertaining to a security required for the industrial control system 10. Any component of the industrial control system 10 may be assigned a security level, and may be accessed by the security unit 34 as described above. This may include the industrial controller components 14.sub.1, . . . , 14.sub.6, some or all of the machine components 16.sub.1, . . . , 16.sub.12, the engineering component 24, the automation server component 26, the central control component 20, as well as the firewall component 30.

(23) FIG. 2 is a schematic diagram that illustrates the interaction between the security unit 34 and the components of both a firmware level 36 and an engineering level 38 of the industrial control system 10 according to an embodiment.

(24) For instance, the firmware level 36 may comprise components of the machines 12.sub.1, 12.sub.2, 12.sub.3, such as the industrial controller components 14.sub.1 and 14.sub.5, as well as the remote access component 32. Each of the components 14.sub.1, 14.sub.5, 32 may be able to operate according to one or a plurality of security levels (SL). The security levels may be security levels attributed to these components in accordance with a technical standard such as IEC62443, which distinguishes between five different security levels SL0, . . . , SL4 in order of increasing security, or any other system of security levels. The security levels SL may indicate or pertain to a level of resilience against a cyberattack.

(25) For instance, the security levels of the components 14.sub.1 and 14.sub.5 may refer to the security of their OPC UA communication, which may be unencrypted (corresponding to security level SL1), signed (SL2), or signed and encrypted (SL3).

(26) In the specific example of FIG. 2, the first component 14.sub.1 may be adapted to switch between two different operational or parameter settings corresponding to two different security levels SL2 and SL3. In contrast, the second component 14.sub.5 may be set to operate according to a fixed security level SL3, and the remote access component 32 according to a fixed security level SL2.

(27) Other components to which security levels according to the present invention may be assigned include software components of the industrial control software or firmware, such as plugins, applications, and libraries.

(28) Similarly, security levels may be assigned to components of the engineering level 38, such as tools of the engineering component 24. These may include any components that may be employed in the design, programming, and/or editing of industrial control software or firmware, such as a plugin component 40, an application component 42, or a library component 44.

(29) For instance, the plugin component 40 may correspond to a plugin for user access management. A security setting SL1 may correspond to a configuration for which a user name and a password are required, whereas a security level SL2 may correspond to a user name and a password according to certain password specifications (such as more than 8 characters, comprising both numbers and special characters). A security level SL3 may correspond to a two-way authentication by means of password and certificate. Once a user tries to access the system by means of the plugin component 40, the plugin component 40 may require user identification in accordance with the adopted security level.

(30) The application component 42 may operate unprotected (corresponding to security level SL1), with certificate signature (SL2), or with certificate signature and encrypted by means of a password (SL3).

(31) The library component 44 may correspond to an IEC61131-3 library for HTTP/HTTPS communication and may be adapted to communicate both via HTTP and HTTPS (corresponding to security level SL1), or HTTPS only (security level SL2).

(32) In the specific example of FIG. 2, the plugin component 40 may allow choosing between two different security settings, pertaining to security levels SL1 and SL3, whereas the application component 42 may allow selecting between security settings according to levels SL1 or SL2. In contrast, the library component 44 may operate according to a fixed security level SL2 only.

(33) The security unit 34 is connected to the firmware level 36 and to the engineering level 38 via the industrial control network 22, which allows it to access the individual components 14.sub.1, 14.sub.5, 32, 40, 42, 44 and to query their respective security level settings. As further shown in FIG. 2, the security unit 34 may hold the current settings in the database 46, which lists the respective components and the associated security settings.

(34) The security unit 34 may be further adapted to compare the current settings stored in the database 46 with a required security level, such as an overall system security level which the user prescribes for the cyber security of the industrial control system 10. For instance, the user may prescribe a minimum system security level SL2 for the industrial control system 10, which may entail that each of the components should attain at least the security level SL2. The security unit 34 may then compare the security level stored for the respective components in its database 46 with the system security level. The comparison may show that all the components 14.sub.1, 14.sub.5, 32, 42, 44 satisfy the system security level SL2, whereas the plugin component 40 is currently set to the lower security level SL1 only. The security unit 34 may hence access the plugin component 40 of the engineering component 24 via the industrial control network 22, and may trigger the plugin component 40 to switch to setting 2, which pertains to a security level SL3 higher than the minimum security level SL2. The plugin component 40 may confirm to the security unit 34 that it has adopted the new setting 2 corresponding to security level SL3.

(35) In some embodiments, a given or required system security level may not be attainable by all components. For instance, if the user prescribes a minimum security level SL3, only the plugin component 40, industrial controller component 14.sub.1, and industrial controller component 14.sub.5 can switch to a corresponding setting, whereas the remote access component 32, application component 42 and library component 44 can operate only up to security level SL2, and hence are unable to switch to a setting that would correspond to security level SL3. In this example, the remote access component 32, application component 42 and library component 44 may report to the security unit 34 that they are unable to adopt a security level SL3. The security unit 34 may hence inform the user that a system security level SL3 may not be attainable. In some examples, the user may be able to add an exception for some components. For instance, field buses may not offer sophisticated security options, but are often physically separated from other networks, and hence may be considered non-critical for the overall system integrity. Hence, a corresponding exception may be set and registered for field bus components.

(36) Based on the current settings stored in the database 46, the security unit 34 may also be adapted to determine an overall security level pertaining to the entire industrial control system 10. In some examples, the current overall security level may correspond to the minimum security level SL currently attained by its components. For instance, in the configuration of FIG. 2, the minimum security level is SL1 at the plugin component 40, and hence the overall current security level is SL1. The security unit 34 may output the current security level to the user upon a request. The output for the user may also comprise a protocol comprising a list of active components in the industrial control system 10, and their current security level. Based on this information, the user may decide whether to increase the overall system security level to SL2, which would require the security level of the plugin component 40 to be increased to SL3, as described above.

(37) FIG. 3 is a conceptional diagram illustrating a security unit 34 as described above with reference to FIGS. 1 and 2 in additional detail.

(38) The security unit 34 comprises a security assignor 48, which may be adapted to communicate with the database 46 and may be adapted to communicate via an interface 50 that is coupled to the industrial control network 22 with a plurality of components of the industrial control system 10, as described above with reference to FIGS. 1 and 2, such as the industrial controller components 14.sub.1, 14.sub.5, the remote access component 32, the plugin component 40, the application component 42, and/or the library component 44. The security assignor 48 may be realized as a hardware circuit, but may also be realized in software or firmware on a general data processing device, and may be adapted to assign security levels to the respective components, as described above with reference to FIGS. 1 and 2.

(39) The security unit 34 may optionally further comprise a security requestor 52 coupled to the database 46 and the security assignor 48. The security requestor 52 may be adapted to access components of the industrial control system 10 via the interface 50 and industrial control network 22, and may be adapted to request information pertaining to a security level of said respective components from said components, as described above with reference to FIGS. 1 and 2. Similarly to the security assignor 48, the security requestor 52 may be implemented as a hardware circuit or as a software or firmware on a general data processing device. In some embodiments, the security assignor 48 and the security requestor 52 may be implemented on a common data processing device.

(40) The interface 50 may be realized in hardware and/or software or firmware, or in a combination of hardware and software, and may be adapted to establish two-way communication between the security unit 34 and the industrial control network 22, in particular the components 14.sub.1 to 14.sub.6, 16.sub.1 to 16.sub.12, 20, 24, 26, 30, 32, 40, 42, 44 of the industrial control system 10.

(41) As can be further taken from FIG. 3, the security unit 34 may optionally further comprise a user interface 54 adapted to receive information pertaining to the security levels from a user. The user interface 54 may also be adapted to output information pertaining to the security levels to the user. For instance, the security unit 34 may be adapted to provide the user via the user interface 54 with a list of all or a subset of active components within the industrial control system 10, and information pertaining to their attainable security levels and/or their current security level based on data stored in the database 46. The security unit 34 may also employ the user interface 54 to provide information as to how a user may attain a prescribed security level at a given component, such as information pertaining to a suitable choice of password. In addition, the security unit 34 may employ the user interface 54 to provide the user with a protocol containing events pertaining to a change of a security level over time of some or all of the components in the industrial control system 10.

(42) For instance, the user interface 54 may be a wireless interface adapted to communicate with a user via a wireless network. In other embodiments, the user interface 54 may be integrated into the interface 50.

(43) FIG. 4 is a schematic overview of the functionality of a security unit 34′ according to an embodiment. The security unit 34′ generally corresponds to the security unit 34 as described with reference to FIGS. 1 to 3 above, but may be implemented as a software unit in the firmware level 36 of the industrial control system 10.

(44) The security unit 34′ communicates with the engineering level 38 of the industrial control system 10 via the industrial control network 22. For instance, the security unit 34′ may receive a message pertaining to a required security level from the engineering component 24 of the engineering level 38, and/or may provide information pertaining to a current security level to the engineering level 38.

(45) As further shown in FIG. 3, the security unit 34′ may communicate with firmware components of the industrial control system 10, such as an industrial controller component 14.sub.1 relating to the machine 12.sub.1 of the industrial control system 10. As described previously with reference to FIG. 2, the industrial controller component 14.sub.1 may allow choosing between two operational settings, a Setting 1 corresponding to a security level SL2 and a Setting 2 corresponding to a security level SL3.

(46) Once the industrial controller component 14.sub.1 is started up, it may register with the security unit 34′. As part of the registration, it may provide its current security level, which may correspond to a default setting of the industrial controller component 14.sub.1. For instance, if the default setting of the industrial controller component 14.sub.1 is Setting 1, the industrial controller component 14.sub.1 may report the security level SL2 during the startup phase. The security unit 34′ may compare the security level reported by the industrial controller component 14.sub.1 with the required security level, such as a system security level requested by a user. In case the security level reported by the industrial controller component 14.sub.1 is no lower than the required security level, the component 14.sub.1 may finalize its initialization and may start operating. If, however, the security level reported by the industrial controller component 14.sub.1 is lower than the required security level, the security unit 34′ may access the industrial controller component 14.sub.1 and trigger the industrial controller component 14.sub.1 to change its setting to Setting 2, corresponding to the higher security level SL3.
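The following Python model is an added illustration, not code from the patent, of the comparison and assignment logic in paragraphs (34) to (36) and the startup registration in paragraph (46): each component exposes operational settings mapped to security levels, the security unit compares the stored level against a prescribed system level, triggers the lowest setting that meets it, records whether the component adopted or could not adopt the level, honours registered exceptions (e.g. field bus components), and derives the overall level as the minimum over the remaining components. The component names, the "Setting n" labels and the per-component level tables are constructed to mirror the FIG. 2 configuration described in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Security levels in order of increasing security (IEC 62443 style SL0..SL4).
SL_ORDER = ["SL0", "SL1", "SL2", "SL3", "SL4"]


def sl_rank(level: str) -> int:
    """Numeric rank of a level so that levels can be compared."""
    return SL_ORDER.index(level)


@dataclass
class Component:
    """A component able to run one of several operational settings.

    `settings` maps a setting name to the security level it provides; a
    component with a single entry has a fixed security level (like 14.5,
    32 and 44 in FIG. 2).
    """
    name: str
    settings: Dict[str, str]
    current: str

    @property
    def level(self) -> str:
        return self.settings[self.current]

    def request_level(self, required: str) -> Tuple[bool, str]:
        """Switch to the lowest setting that satisfies `required`.

        Returns (adopted, level_now), i.e. the content of the message the
        component sends back: level adopted, or level cannot be adopted.
        """
        candidates = [(sl_rank(lvl), name) for name, lvl in self.settings.items()
                      if sl_rank(lvl) >= sl_rank(required)]
        if not candidates:
            return False, self.level
        _, best = min(candidates)
        self.current = best
        return True, self.level


class SecurityUnit:
    """Central security unit holding the database of current settings."""

    def __init__(self) -> None:
        self.database: Dict[str, str] = {}   # component name -> current SL
        self.exceptions: Set[str] = set()    # components exempt from the check
        self.protocol: List[str] = []        # history of level changes

    def register(self, comp: Component) -> None:
        """Store the level a component reports, e.g. when it starts up."""
        self.database[comp.name] = comp.level

    def add_exception(self, name: str) -> None:
        self.exceptions.add(name)

    def enforce(self, components: List[Component], system_level: str) -> Dict[str, str]:
        """Compare every component with the system level and raise those below it.

        Returns a per-component report: 'ok', 'adopted', 'cannot adopt' or
        'exception'.
        """
        report: Dict[str, str] = {}
        for comp in components:
            self.register(comp)
            if comp.name in self.exceptions:
                report[comp.name] = "exception"
            elif sl_rank(comp.level) >= sl_rank(system_level):
                report[comp.name] = "ok"
            else:
                before = comp.level
                adopted, now = comp.request_level(system_level)
                if adopted:
                    self.database[comp.name] = now
                    self.protocol.append(f"{comp.name}: {before} -> {now}")
                    report[comp.name] = "adopted"
                else:
                    report[comp.name] = "cannot adopt"
        return report

    def overall_level(self) -> Optional[str]:
        """Overall system level: the minimum over non-exempt components."""
        levels = [lvl for name, lvl in self.database.items()
                  if name not in self.exceptions]
        return min(levels, key=sl_rank) if levels else None

    @staticmethod
    def attainable(report: Dict[str, str]) -> bool:
        """True unless some component reported it cannot adopt the level."""
        return "cannot adopt" not in report.values()


def fig2_components() -> List[Component]:
    """Constructed sample reproducing the FIG. 2 configuration of the text."""
    return [
        Component("14.1 controller", {"Setting 1": "SL2", "Setting 2": "SL3"}, "Setting 1"),
        Component("14.5 controller", {"Setting 1": "SL3"}, "Setting 1"),
        Component("32 remote access", {"Setting 1": "SL2"}, "Setting 1"),
        Component("40 plugin", {"Setting 1": "SL1", "Setting 2": "SL3"}, "Setting 1"),
        Component("42 application", {"Setting 1": "SL1", "Setting 2": "SL2"}, "Setting 2"),
        Component("44 library", {"Setting 1": "SL2"}, "Setting 1"),
    ]


if __name__ == "__main__":
    unit, comps = SecurityUnit(), fig2_components()
    for c in comps:
        unit.register(c)
    print("current overall level:", unit.overall_level())
    print("enforce SL2:", unit.enforce(comps, "SL2"), "->", unit.overall_level())
    print("enforce SL3:", unit.enforce(comps, "SL3"), "->", unit.overall_level())
```

Running the module walks through the SL2 and SL3 scenarios of paragraphs (34) and (35); registering exceptions for the three fixed-SL2 components before the SL3 run shows how the exemption makes SL3 attainable for the rest.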

(47) In some examples, the security unit 34′ may provide instructions to adopt a prescribed security level to the industrial controller component 14.sub.1 by means of a configuration file or data file. In other examples, the security unit 34′ may provide instructions relating to a specific security setting as part of an industrial control software or firmware, such as an industrial control program provided by the engineering component 24.

(48) FIG. 5 is a flow diagram illustrating a method for operating an industrial control system according to an embodiment, such as the industrial control system 10 described above with reference to FIGS. 1 to 4. The industrial control system comprises a plurality of components connected via a data network.

(49) In a first step S10, a first component among said plurality of components is accessed, and the first security level pertaining to said first component is assigned to said first component.

(50) In a second step S12, a second component among said plurality of components is accessed, and a second security level pertaining to said second component is assigned to said second component, wherein said first security level and said second security level are assigned in accordance with a system security level pertaining to said industrial control system.

(51) The descriptions of the examples and the Figures merely serve to illustrate the invention and the beneficial effects associated therewith, but should not be interpreted in a limiting sense. The scope of the invention is to be determined solely from the appended claims.

REFERENCE SIGNS

(52)
10 industrial control system
12.sub.1, 12.sub.2, 12.sub.3 machines
14.sub.1-14.sub.6 industrial controller components
16.sub.1-16.sub.12 machine components
18.sub.1, 18.sub.2, 18.sub.3 machine networks
20 central control component
22 industrial control network
24 engineering component
26 automation server component
28 external network
30 firewall component
32 remote access component
34, 34′ security unit
36 firmware level of industrial control system 10
38 engineering level of industrial control system 10
40 plugin component
42 application component
44 library component
46 database of security unit
48 security assignor
50 interface
52 security requestor
54 user interface