CONTROL UNIT AND METHOD FOR THE TAMPER-PROOF CAPTURE OF INTEGRITY MONITORING DATA RELEVANT TO OPERATIONAL SAFETY
20210084497 · 2021-03-18
CPC classification: H04K2203/36 (Section H, Electricity)
Abstract
A control unit which includes at least one processor designed to carry out the following steps: tamper-proof detection of operational safety-related integrity monitoring data of a system which is equipped with an operational safety-critical function and which is connected or can be connected to a communications network by radio transmission, the integrity monitoring data describing integrity monitoring of the system and external access to the radio transmission; and tamper-proof recording and/or storing of the integrity monitoring data in order to evaluate same in the event of a use of the operational safety-related function is provided.
Claims
1. A control unit comprising at least one processor which is configured to carry out the following steps: tamper-proof capturing of integrity monitoring data which are relevant to operational safety and relate to a system which is equipped with a function critical to operational safety and is connected to a communication network by radio transmission, wherein the integrity monitoring data describe integrity monitoring of the system and external unauthorized access to the radio transmission, and tamper-proof recording and/or storing of the integrity monitoring data for evaluating the latter if a function relevant to operational safety is used.
2. The control unit as claimed in claim 1, wherein the processor is also configured to output the recorded and/or stored integrity monitoring data in order to initiate evaluation of the latter on a basis of a received item of alarm and/or warning information which has been emitted on account of the safety-critical function being performed.
3. The control unit as claimed in claim 1, wherein the integrity monitoring data are recorded and/or stored during operation of the system.
4. The control unit as claimed in claim 1, wherein the integrity monitoring data also describe at least one property of the radio signal of the radio transmission and/or a digitized section of the radio signal.
5. The control unit as claimed in claim 1, wherein the integrity monitoring data also comprise system control commands.
6. The control unit as claimed in claim 1, wherein the recording and/or storing of the integrity monitoring data is/are rendered tamper-proof by means of a cryptographic checksum.
7. The control unit as claimed in claim 1, wherein the recording and/or storing of the integrity monitoring data can be rendered tamper-proof by means of an attestation.
8. The control unit as claimed in claim 1, wherein the control unit is an application locally arranged in the system or a cloud and/or server service arranged outside the system.
9. The control unit as claimed in claim 1, wherein for the tamper-proof capture of the integrity monitoring data, the latter are set as a transaction in a blockchain data structure.
10. The control unit as claimed in claim 1, wherein, for the tamper-proof recording and/or storing of the integrity monitoring data, the latter are written to a cryptographically secure log file.
11. A method comprising: tamper-proof capturing of integrity monitoring data which are relevant to operational safety and relate to a system which is equipped with a function critical to operational safety and has been or is connected to a communication network by radio transmission, wherein the integrity monitoring data describe integrity monitoring of the system and external unauthorized access to the radio transmission, and tamper-proof recording and/or storing of the integrity monitoring data for the purpose of evaluating the latter if the function relevant to operational safety is used.
12. The method as claimed in claim 11, wherein the recorded and/or stored integrity monitoring data are output in order to initiate evaluation of the latter on a basis of a received item of alarm and/or warning information which has been emitted on account of the safety-critical function being performed.
13. The method as claimed in claim 11, wherein the integrity monitoring data are recorded and/or stored during operation of the system.
14. The method as claimed in claim 11, wherein the integrity monitoring data also describe at least one property of the radio signal of the radio transmission and/or a digitized section of the radio signal.
15. The method as claimed in claim 11, wherein the integrity monitoring data also comprise system control commands.
16. The method as claimed in claim 11, wherein the recording and/or storing of the integrity monitoring data has/have been or is/are rendered tamper-proof by means of a cryptographic checksum.
17. The method as claimed in claim 11, wherein the recording and/or storing of the integrity monitoring data has/have been or is/are rendered tamper-proof by means of an attestation.
18. The method as claimed in claim 11, wherein the control unit is an application locally arranged in the system or a cloud and/or server service arranged outside the system.
19. The method as claimed in claim 11, wherein, for the tamper-proof capture of the integrity monitoring data, the latter are set as a transaction in a blockchain data structure.
20. The method as claimed in claim 11, wherein, for the tamper-proof recording and/or storing of the integrity monitoring data, the latter are written to a cryptographically secure log file.
21. A computer program comprising program code which can be executed by at least one processor and causes the at least one processor to carry out the method as claimed in claim 11.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0037] Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:
[0038] The FIGURE schematically shows an environment in which a system critical to operational safety is used.
DETAILED DESCRIPTION
[0039] A system equipped with a function critical to operational safety may be a device, an automation system/installation, a vehicle etc. Functions critical to operational safety are implemented, in particular in the case of autonomous driving and cloud robotics, on IT-based systems using radio transmission (for example 5G cloud robotics).
[0040] For reliable radio transmission in the broader sense, it is not sufficient merely to use methods which are robust with respect to disruptions and which meet QoS (Quality of Service) parameters. It is also necessary to detect disruptions and to be able to react to them. Conventional intrusion detection systems (IDS) and integrity monitoring are generally not sufficient for this.
[0041] The FIGURE shows devices ID1 to ID5 which are relevant to operational safety. They may be connected to an automation network AN using a gateway GW. They may also be connected to a cloud EC via a radio transmission 5G. An item of security integrity monitoring information (integrity monitoring data) is captured by means of a monitoring unit or device M by radio transmission and, concomitantly integrated in an event data recorder ER, is recorded and/or stored in the control unit according to the embodiment of the present invention in a tamper-proof manner. In the event of an accident, this makes it possible to detect a device which has been tampered with, a data transmission which has been tampered with, and disruption of a radio transmission. The captured security integrity information can comprise the following:
[0042] a device security health check, that is to say the checking of the integrity of program code and/or configuration data at runtime or during operation of the device,
[0043] status of the host/network/wireless intrusion detection system (IDS),
[0044] radio range: information relating to the signal quality (signal strength, bit error rate, channel estimation, determined jamming information, that is to say derived information relating to interferers, type of interferer),
[0045] raw radio snippets (digitized baseband signal) or a continuous digitized baseband signal.
[0046] This information or data relating to security integrity monitoring is recorded in an event data recorder in a tamper-proof manner, with the result that said information can be evaluated in the event of an accident. The event data recorder can be locally implemented as a special hardware appliance, that is to say a combination of hardware, possibly firmware and software, and has a processor P. However, it may also be implemented as a cloud service in a cloud EC, for example a central cloud or a so-called edge cloud.
[0047] The integrity monitoring data are made available to the event data recorder in a manner protected by a cryptographic checksum. This may be, for example, an attestation (for example a device attests that its device health check provides the status OK). The attestation includes a time stamp or a counter value, with the result that the up-to-dateness can be verified. The captured information may be, in particular, a secure log or may be set as a transaction in a blockchain data structure or a distributed ledger data structure.
[0048] According to the embodiment of the present invention, device integrity attestations DA and radio integrity measurement data RA are captured and/or recorded and/or stored as part of the integrity monitoring data in an event data recorder in order to be available for any evaluation that may be required. The event data recorder may also be in the form of an application (app) in an edge cloud. Various other implementations are conceivable. For example, it is possible to use a conventional cloud instead of an edge cloud, or the integrity monitoring data can be locally controlled and recorded in a control network which is physically or logically separated and is not illustrated in the FIGURE.
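The following Python example is added here to illustrate the "cryptographically secure log" variant described in paragraphs [0046] to [0048]; it is not code from the patent or from any product. It assumes a hypothetical shared attestation key (a constructed value) and uses a SHA-256 hash chain with an HMAC tag per entry; the record fields and sample values are constructed to mirror the categories in paragraphs [0042] to [0045]. The verifier re-derives every hash and tag, checks that the per-record counter (the freshness value mentioned in [0047]) increases strictly, and optionally compares the head of the chain with a value anchored outside the recorder, because a chain that is simply truncated would otherwise still verify.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Hypothetical attestation key shared between the monitored device and the event
# data recorder (constructed for this example; a deployment would keep such a key
# in a hardware-backed store, or use a signature scheme instead of an HMAC).
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"

# Chain anchor that the first entry links to.
GENESIS_HASH = "0" * 64


def canonical(record: Dict) -> bytes:
    """Canonical JSON so recorder and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_entry(record: Dict, prev_hash: str, key: bytes = ATTESTATION_KEY) -> Dict:
    """Wrap one integrity monitoring record as a chained, HMAC-protected entry.

    prev_hash binds the entry to its predecessor, so removing, inserting or
    reordering entries breaks the chain; the keyed tag stops anyone without the
    key from recomputing hashes after editing a record.
    """
    entry_hash = hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    return {"record": record, "prev_hash": prev_hash, "hash": entry_hash, "tag": tag}


def append(log: List[Dict], record: Dict, key: bytes = ATTESTATION_KEY) -> None:
    """Append a record, chaining it to the current head of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    log.append(make_entry(record, prev_hash, key))


def verify_log(log: List[Dict], key: bytes = ATTESTATION_KEY,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[str]]:
    """Return (True, None) if the log is intact, else (False, reason) for the first defect.

    expected_head is the head hash anchored outside the recorder (for example
    reported to the cloud EC); without it, dropping the newest entries is
    undetectable because a truncated chain still verifies.
    """
    prev_hash = GENESIS_HASH
    last_counter = -1
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, f"entry {i}: chain broken (entry missing or reordered)"
        expected_hash = hashlib.sha256(prev_hash.encode() + canonical(entry["record"])).hexdigest()
        if expected_hash != entry["hash"]:
            return False, f"entry {i}: record content modified"
        expected_tag = hmac.new(key, expected_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, f"entry {i}: authentication tag invalid"
        counter = entry["record"]["counter"]
        if counter <= last_counter:
            return False, f"entry {i}: counter {counter} not fresh (replay or rollback)"
        last_counter = counter
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, "head hash mismatch: log truncated or replaced"
    return True, None


# Constructed sample records modelled on paragraphs [0042]-[0045]: device health
# check, IDS status and radio signal quality, each with a freshness counter.
SAMPLE_RECORDS = [
    {"counter": 1, "time": "2021-03-18T08:00:00Z", "device": "ID1", "health_check": "OK",
     "ids_status": "no_alert", "radio": {"rssi_dbm": -71, "ber": 1e-6, "jamming": None}},
    {"counter": 2, "time": "2021-03-18T08:00:10Z", "device": "ID1", "health_check": "OK",
     "ids_status": "no_alert", "radio": {"rssi_dbm": -74, "ber": 2e-6, "jamming": None}},
    {"counter": 3, "time": "2021-03-18T08:00:20Z", "device": "ID1", "health_check": "OK",
     "ids_status": "wireless_alert", "radio": {"rssi_dbm": -95, "ber": 3e-2, "jamming": "broadband"}},
]


def build_sample_log() -> List[Dict]:
    """Record the constructed samples as the event data recorder would."""
    log: List[Dict] = []
    for record in SAMPLE_RECORDS:
        append(log, record)
    return log


def edited_copy(log: List[Dict]) -> List[Dict]:
    """Copy in which the jamming alert was edited away after the fact; an
    accident evaluation must be able to detect exactly this."""
    forged = copy.deepcopy(log)
    forged[2]["record"]["ids_status"] = "no_alert"
    forged[2]["record"]["radio"]["jamming"] = None
    return forged


def replayed_copy(log: List[Dict]) -> List[Dict]:
    """Copy to which an old record has been re-submitted with its stale counter."""
    replayed = copy.deepcopy(log)
    append(replayed, SAMPLE_RECORDS[1])
    return replayed


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    print("edited:", verify_log(edited_copy(log)))
    print("truncated:", verify_log(log[:2], expected_head=log[-1]["hash"]))
    print("replayed:", verify_log(replayed_copy(log)))
```

The tag is computed over the entry hash, which already covers the previous hash and the canonical record, so one HMAC per entry authenticates the whole chain up to that point. Setting the entries as blockchain or distributed-ledger transactions, the other variant named in [0047], replaces the shared key and the external head anchor with the ledger's own consensus, but the per-entry content and counter checks stay the same.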
[0049] Although the present invention has been described and illustrated more specifically in detail by means of the exemplary embodiment, the present invention is not restricted by the disclosed examples and other variations can be derived therefrom by a person skilled in the art without departing from the scope of protection of the present invention.
[0050] The processes or method sequences described above can be implemented on the basis of instructions which are available on computer-readable storage media or in volatile computer memories (referred to collectively below as computer-readable memories). Computer-readable memories are, for example, volatile memories such as caches, buffers or RAM and non-volatile memories such as removable data storage media, hard disks, etc.
[0051] The functions or steps described above may be present in this case in the form of at least one instruction set in/on a computer-readable memory. In this case, the functions or steps are not tied to a particular instruction set or to a particular form of instruction sets or to a particular storage medium or to a particular processor or to particular execution schemes and may be executed by means of software, firmware, microcode, hardware, processors, integrated circuits etc. operating alone or in any desired combination. In this case, a wide variety of processing strategies can be used, for example serial processing by means of an individual processor or multiprocessing or multitasking or parallel processing etc.
[0052] The instructions may be stored in local memories, but it is also possible to store the instructions on a remote system and to access them via a network.
[0053] The term processor, central signal processing, control unit or data evaluation means, as used here, comprises processing means in the broadest sense, that is to say, for example, servers, universal processors, graphics processors, digital signal processors, application-specific integrated circuits (ASICs), programmable logic circuits such as FPGAs, discrete analog or digital circuits and any desired combinations thereof, including all other processing means known to a person skilled in the art or developed in future. In this case, processors may consist of one or more apparatuses or devices or units. If a processor consists of a plurality of apparatuses, they can be designed or configured for parallel or sequential processing or execution of instructions.
[0054] Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.
[0055] For the sake of clarity, it is to be understood that the use of a or an throughout this application does not exclude a plurality, and comprising does not exclude other steps or elements.