METHOD AND DEVICES FOR TRANSMITTING DATA BETWEEN A FIRST NETWORK AND A SECOND NETWORK OF A RAIL VEHICLE

20200053833 · 2020-02-13

    Abstract

    A gateway device, a communication method and a communication system for a vehicle, in particular a rail vehicle, improve the transmission of data between a first network of the vehicle and a second network of the vehicle. The gateway device is configured to control the transmission of data between the first network of the vehicle and the second network of the vehicle in accordance with the state of the vehicle.

    Claims

    1-16. (canceled)

    17. A gateway system for a vehicle, the gateway system comprising: a gateway configured to control a transmission of data between a first network of the vehicle and a second network of the vehicle in dependence on a state of the vehicle.

    18. The gateway system according to claim 17, wherein the first network has an operator network and the second network has a control network.

    19. The gateway system according to claim 18, wherein the vehicle is configured to adopt as the state of the vehicle at least: a maintenance state which is intended for maintenance of the vehicle; an operating state which is intended for an operation of the vehicle; and said gateway is configured only to allow a transmission of predetermined data from the operator network to the control network in the maintenance state.

    20. The gateway system according to claim 18, wherein said gateway is configured to receive state information representing the state of the vehicle from the control network and to control the transmission on a basis of the state information.

    21. The gateway system according to claim 18, wherein said gateway includes: a first firewall intended for a data interface facing the operator network and configured to forward or discard data intended for transmission from the operator network to the control network using a first firewall ruleset; and/or a second firewall intended for a data interface facing the control network and configured to forward or discard data intended for transmission from the control network to the operator network using a second firewall ruleset.

    22. The gateway system according to claim 21, wherein said gateway has an intrusion-detector configured to monitor at least data intended for transmission from the operator network to the control network.

    23. The gateway system according to claim 22, wherein said gateway has an intrusion-prevention unit configured to prevent transmission of data intended for an unwanted access to the control network.

    24. The gateway system according to claim 23, wherein: said intrusion-detector is configured to carry out monitoring using a first detection ruleset; and/or said intrusion-prevention unit is configured to carry out prevention using a first prevention ruleset.

    25. The gateway system according to claim 18, wherein said gateway has a limiting unit configured to limit data traffic between the operator network and the control network.

    26. The gateway system according to claim 24, wherein said gateway has a vehicle-state managing unit which is configured to: provide said first firewall with a third firewall ruleset in dependence on the state of the vehicle; provide said intrusion-detector with a second detection ruleset in dependence on the state of the vehicle; and/or provide said intrusion-prevention unit with a second prevention ruleset in dependence on the state of the vehicle.

    27. The gateway system according to claim 26, wherein: said first firewall is configured to allow, on a basis of the third firewall ruleset, extended access from the operator network to the control network; said intrusion-detector is configured to allow, on a basis of the second detection ruleset, extended access from the operator network to the control network; and/or said intrusion-prevention unit is configured to allow, on a basis of the second prevention ruleset, extended access from the operator network to the control network.

    28. The gateway system according to claim 27, wherein provision of the third firewall ruleset, the second detection ruleset and/or the second prevention ruleset can only be initiated by information originating from the control network.

    29. The gateway device according to claim 17, wherein said gateway has an application-layer gateway configured to convey the data between the first network and the second network.

    30. The gateway device according to claim 17, wherein the vehicle is a rail vehicle.

    31. The gateway device according to claim 27, wherein provision of the third firewall ruleset, the second detection ruleset and/or the second prevention ruleset can only be initiated by state information originating from the control network and representing the state of the vehicle.

    32. A communication method for a vehicle, which comprises the steps of: transmitting data between a first network of the vehicle and a second network of the vehicle; and controlling a transmission between the first and second networks by means of a gateway in dependence on a state of the vehicle.

    33. A communication system for a vehicle, the communication system comprising: a first network for the vehicle; a second network for the vehicle; and a gateway configured to control transmission of data between said first network and said second network in dependence on a state of the vehicle.

    34. A rail vehicle, comprising: a communication system containing a first network, a second network, and a gateway configured to control transmission of data between said first network and said second network in dependence on a state of the rail vehicle.

    Description

    [0046] An exemplary embodiment of the invention is now explained with reference to the drawings, in which:

    [0047] FIG. 1 shows a schematic structure of a communication system according to an exemplary embodiment of the invention,

    [0048] FIG. 2 shows a functional structure of the gateway device shown in FIG. 1 and

    [0049] FIG. 3 shows a schematic flow diagram of a communication method according to the invention according to an exemplary embodiment.

    [0050] FIG. 1 shows a rail vehicle 1 in a schematic side view. The rail vehicle 1 is designed as a group of a plurality of railcars, which are mechanically coupled to one another and form a train unit. In the embodiment under consideration, the rail vehicle 1 is designed as a so-called multiple unit train.

    [0051] The rail vehicle 1 has a communication system 10, which comprises at least a first network 12 and a second network 14. The first network 12 is an operator network 15 of the rail vehicle 1 and the second network 14 is a control network 17 of the rail vehicle 1. The operator network 15 and the control network 17 are in each case designed as Ethernet networks.

    [0052] The control network 17 is configured for operation in accordance with the PROFINET standard. The control network 17 comprises a train bus, for example an Ethernet Train Backbone (ETB), and a PROFINET ring to which at least one subsystem control unit 110, 112, 114 or 116 intended to control one or more operating resources of the vehicle is connected. The subsystem control units 110, 112, 114 and 116 are in each case intended to control a task in connection with the functionality assigned to the respective subsystem. The subsystem control units 110, 112, 114 and 116 are in each case connected to the control network 17. In the exemplary embodiment shown in FIG. 1, the subsystem control unit 110 is depicted as drive control, the subsystem control unit 112 as a brake control, the subsystem control unit 114 as a control for the vehicle door system and the subsystem control unit 116 as a control for the train protection system.

    [0053] The operator network 15 is physically and/or logically separated from the control network 17. For example, a passenger information system 118 and a camera monitoring system 120 are connected to the operator network 15 by means of data technology to monitor the interior and exterior regions of the rail vehicle. The corresponding components of the passenger information system 118 and the camera monitoring system 120 are connected to one another via the operator network 15 by means of communication technology.

    [0054] A gateway device 20 is used to transmit data between the first network 12 and the second network 14 according to a method step A. The gateway device 20 has a first data interface, in particular an Ethernet interface 22, via which the gateway device 20 is linked to the operator network 15. The gateway device 20 has a second data interface, in particular an Ethernet interface 24, via which the gateway device 20 is linked to the control network 17.

    [0055] In a method step B, the gateway device 20 controls the transmission of data between the control network 17 and the operator network 15 as a function of the state of the vehicle. The rail vehicle 1 can adopt as a state of the vehicle an operating state, which is intended for the operation, for example a travel operation, of the rail vehicle 1. In addition, the rail vehicle 1 can adopt a maintenance state, which is intended for the maintenance of the vehicle, a start-up state and/or a shut-down state. In a method step BB, the gateway device only allows the transmission of predetermined data emanating from the operator network 15 to the control network 17 in the maintenance state. In other words: predetermined data, which is not allowed for transmission emanating from the operator network 15 to the control network 17 in the operating state, can be transmitted in the maintenance state.

    [0056] The state of the vehicle is determined by means of the gateway device 20 using state information 39. The state information 39 is emitted by a system server 44 of the control network 17 and received by the gateway device 20.

    [0057] Data that emanates from the operator network 15 and enters the gateway device 20 via the first Ethernet interface 22 and is intended for transmission to the control network 17 is filtered by a firewall unit 26. The filtering by means of the firewall unit 26 takes place in that the data is forwarded or discarded using a first firewall ruleset 28.

    [0058] Data that emanates from the control network 17 and enters the gateway device 20 via the second Ethernet interface 24 and is intended for transmission to the operator network 15 is filtered by a firewall unit 27. The filtering by means of the firewall unit 27 takes place in that the data is forwarded or discarded using a second firewall ruleset 29.

    [0059] Data that emanates from the operator network 15 and is intended for transmission to the control network 17 and passes the firewall unit 26 is received by an intrusion-detection unit 32, which is designed as an intrusion-detection system, and an intrusion-prevention unit 34, which is designed as an intrusion-prevention system.

    [0060] The intrusion-detection unit 32 filters or discards data traffic when it detects a violation of a prespecified pattern and/or a rule. The intrusion-detection unit 32 monitors data using a first detection ruleset 31. If a comparatively significant violation of a prespecified pattern and/or a rule is detected by the intrusion-detection unit 32, in addition the Ethernet interface 22 to the operator network 15 is disconnected.

    [0061] The intrusion-prevention unit 34 filters or discards data from a sender if this data does not satisfy a prespecified property and/or specification. The intrusion-prevention unit 34 prevents transmission of data using a first prevention ruleset 37. Received data, in particular data transmitted via an OPC connection (OPC: Open Platform Communications), is analyzed by means of deep packet inspection with respect to the observance of specifications. In addition, the intrusion-prevention unit 34 analyzes received data that is transmitted via an HTTP connection. An HTTP connection is, for example, established when the vehicle adopts a maintenance state. In a maintenance state, the HTTP connection is, for example, used to retrieve workshop messages. The retrieval is, for example, initiated by a member of the maintenance staff who accesses the control network 17 using a maintenance PC 33 via an access interface 35 on the operator network 15. In addition, an HTTP connection can be used for software deployment for components such as a system server and/or a subsystem control unit 110, 112, 114 or 116.

    [0062] The intrusion-detection unit 32 and the intrusion-prevention unit 34 are designed to log an event representing an intrusion and, in addition, to compile and send a workshop message intended to be read during the course of maintenance and also to compile and send an operational message intended to be read during the operation of the rail vehicle 1. The operational message can be provided to a rail vehicle driver or conductor by means of a man-machine interface with a display.

    [0063] Data emanating from the operator network 15 and intended for transmission to the control network 17 and which passes the intrusion-detection unit 32 and the intrusion-prevention unit 34 is received by an application-layer gateway unit 36. The application-layer gateway unit 36 is designed to analyze data at the application level of the OSI reference model and optionally convert it and forward it. The application-layer gateway unit 36 is embodied as an application-layer gateway.

    [0064] The application-layer gateway unit 36 maintains a connection to a train server 42 of the operator network 15 and a further connection to the system server 44 of the control network 17 and is used as a conveying instance 40 between the operator network 15 and control network 17. In other words: there is no direct data connection between the train server 42 and the system server 44. For example, a data connection of the train server 42 for transmission of data to the control network 17 is terminated at the application-layer gateway unit 36 and a new data connection is initiated with the system server 44.

    [0065] A vehicle-state managing unit 38 of the gateway device 20 is designed to receive process data or process signals from the control network 17. The process data or process signals can be used by the vehicle-state managing unit 38 as the basis for determining whether or not the rail vehicle 1 adopts a maintenance state as a state of the vehicle. Process data or process signals that influence the provision of the firewall ruleset are received by the vehicle-state managing unit 38 exclusively from the control network 17.

    [0066] The vehicle-state managing unit 38 in particular receives state information 39 representing the state of the vehicle from the system server 44 of the control network 17. The vehicle-state managing unit 38 determines the state of the vehicle on the basis of the state information 39. If the maintenance state is determined as a state of the vehicle, the vehicle-state managing unit 38 provides the firewall unit 26 with a third firewall ruleset 46 on the basis of which extended access from the operator network 15 to the control network 17 is enabled.

    [0067] In other words: while the rail vehicle 1 adopts the operating state as a state of the vehicle, the firewall unit 26 uses the firewall ruleset 28 to filter data. When the rail vehicle 1 adopts the maintenance state, the vehicle-state managing unit 38 provides the third firewall ruleset 46 to the firewall unit 26. The firewall unit 26 uses the third firewall ruleset 46 to filter the data.
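The ruleset switch described in [0065] to [0067], together with the restriction that only information from the control network can trigger it, sketched as an added example (not code from the patent). The rule entries, service and destination names, and the choice to keep the restrictive ruleset in the start-up and shut-down states are assumptions made for illustration.

```python
from dataclasses import dataclass

OPERATOR, CONTROL = "operator", "control"  # gateway interfaces 22 and 24

# Constructed rule entries: the patent names the rulesets, not their contents.
RULESET_28 = frozenset({("opc", "system-server")})            # operating state
RULESET_46 = RULESET_28 | {("http", "system-server"),         # maintenance state:
                           ("http", "subsystem-control")}     # extended access
KNOWN_STATES = {"operating", "maintenance", "start-up", "shut-down"}


@dataclass(frozen=True)
class Frame:
    ingress: str   # interface the frame arrived on
    service: str
    dest: str


class Gateway:
    def __init__(self):
        self.state = "operating"
        self.log = []

    def on_state_information(self, ingress, state):
        """Vehicle-state managing unit: only the control network may change state."""
        if ingress != CONTROL or state not in KNOWN_STATES:
            self.log.append(f"ignored state information {state!r} via {ingress}")
            return False
        self.state = state
        return True

    def active_ruleset(self):
        # Assumption: every state except maintenance keeps the restrictive set.
        return RULESET_46 if self.state == "maintenance" else RULESET_28

    def forward_to_control(self, frame):
        """First firewall: forward (True) or discard (False) operator traffic."""
        allowed = (frame.ingress == OPERATOR
                   and (frame.service, frame.dest) in self.active_ruleset())
        if not allowed:
            self.log.append(f"discarded {frame.service} to {frame.dest} in {self.state}")
        return allowed


def demo():
    gw = Gateway()
    deploy = Frame(OPERATOR, "http", "subsystem-control")  # constructed sample frame
    results = [gw.forward_to_control(deploy)]               # operating: discarded
    results.append(gw.on_state_information(OPERATOR, "maintenance"))  # ignored
    results.append(gw.forward_to_control(deploy))           # still discarded
    results.append(gw.on_state_information(CONTROL, "maintenance"))
    results.append(gw.forward_to_control(deploy))           # maintenance: forwarded
    return results
```

Because state information arriving on the operator-side interface is ignored, a device on the less-trusted network cannot widen its own access by claiming the vehicle is in maintenance.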

    [0068] The intrusion-detection unit 32 or the intrusion-prevention unit 34 can also be provided with an amended ruleset, for example a second detection ruleset or a second prevention ruleset, by means of the vehicle-state managing unit 38 for the maintenance state. Alternatively or additionally, a ruleset used by the firewall unit 27, the intrusion-detection unit 32 and the intrusion-prevention unit 34 for the maintenance state can be deactivated by the vehicle-state managing unit 38 in order to allow extended access from the operator network 15 to the control network 17.

    [0069] For example, the provision of a third ruleset 46 to the firewall unit 27 and the second detection ruleset to the intrusion-detection unit 32 and the second prevention ruleset to the intrusion-prevention unit 34 enables maintenance staff to access the control network 17 via an access interface of the operator network 15 using a maintenance PC 33 (PC: personal computer).

    [0070] The gateway facility 38 also comprises a limiting unit 48, which is designed to limit data traffic between the operator network 15 and the control network 17 with respect to the amount of data transmitted at each point in time (i.e. traffic).