Serial communication tapping and transmission to routable networks

Abstract

Apparatuses and methods for tapping serial communications and transforming the serial data into a format appropriate for routable networks are significant for purposes of security and troubleshooting, especially in critical infrastructure networks. Communication taps should be completely passive such that any failure would not interrupt the serial communications. Furthermore, automatic determination of unspecified serial protocol frames allow general implementation across various networks, or across devices within a single network, without the need to customize for each implementation.

Claims

1. A tap apparatus comprising: a pass-through configured to tap a communication line that is configured to communicate a signal between a plurality of devices, wherein the pass-through is configured to receive the signal from the communication line; a processing device comprising an input configured to receive the signal from the pass-through; wherein the processing device is configured to identify a plurality of frames present within the signal; and wherein the processing device is configured to output the frames externally of the tap apparatus after the identification.

2. The tap apparatus of claim 1 wherein the processing device is configured to generate a plurality of packets including the identified frames and to output the packets including the frames externally of the tap apparatus.

3. The tap apparatus of claim 1 wherein the frames are based upon a protocol that is unknown prior to the identification of the frames.

4. The tap apparatus of claim 1 wherein the tap apparatus is configured to be passive wherein failure of the tap apparatus does not interrupt communication of the signal between the devices.

5. The tap apparatus of claim 1 wherein the processing device is configured to process characteristics of the signal to identify the frames, and the frames within the signal are unknown prior to the processing of the characteristics of the signal.

6. The tap apparatus of claim 1 wherein the processing device is configured to use a plurality of time gaps to identify at least one of the frames.

7. The tap apparatus of claim 1 wherein the processing device is configured to use a frame synchronization delimiter and a length field to identify at least one of the frames.

8. The tap apparatus of claim 1 wherein the processing device is configured to use a frame synchronization delimiter and a frame end delimiter to identify at least one of the frames.

9. The tap apparatus of claim 1 wherein the processing device is configured to identify statistically significant deviations in the signal from a baseline time gap to identify the frames.

10. The tap apparatus of claim 1 wherein the processing device is configured to identify frequencies of occurrences of a plurality of different byte sequences in the signal to identify the frames.

11. The tap apparatus of claim 1 wherein the processing device is configured to identify frequencies of occurrences of a plurality of different byte sequences in the signal, a baseline time gap in the signal and statistically significant deviations in the signal from the baseline time gap to identify the frames.

12. The tap apparatus of claim 1 wherein the signal is a serial communication signal.

13. The tap apparatus of claim 1 wherein the frames are based on a process control serial protocol.

14. The tap apparatus of claim 13 wherein the process control serial protocol is distributed network protocol 3.

15. The tap apparatus of claim 13 wherein the process control serial protocol is Modbus.

16. The tap apparatus of claim 1 wherein the frames are based upon a protocol that is known prior to the identification of the frames.

17. The tap apparatus of claim 1 wherein the pass-through comprises a resistor that is configured to conduct the signal from the communication line to the processing device.

18. The tap apparatus of claim 1 wherein the pass-through comprises an inductive coupling that is configured to receive the signal from the communication line.

19. The tap apparatus of claim 1 wherein the pass-through comprises a capacitive coupling that is configured to receive the signal from the communication line.

20. The tap apparatus of claim 1 wherein the pass-through has an impedance greater than an impedance of the communication line.

21. The tap apparatus of claim 1 further comprising another pass-through that is configured to tap another communication line that is configured to communicate another signal, and wherein the processing device is configured to identify a plurality of frames present within the another signal.

22. The tap apparatus of claim 10 wherein the processing device is configured to use the frequencies of occurrences of the different byte sequences to identify one of the byte sequences as being statistically significant, and to use the identified one byte sequence to identify the frames.

23. The tap apparatus of claim 10 wherein the processing device is configured to identify the one byte sequence as being statistically significant as a result of the one byte sequence having a highest frequency of occurrence of the different byte sequences.

24. The tap apparatus of claim 1 wherein the processing device is configured to process the signal to identify the frames.

Description

DESCRIPTION OF DRAWINGS

(1) Embodiments of the invention are described below with reference to the following accompanying drawings.

(2) FIG. 1 is a diagram depicting one embodiment of the present invention in which the pass-through includes a pair of serial ports.

(3) FIG. 2 is a diagram depicting one embodiment of the present invention in which the pass-through includes an inductive coupling.

(4) FIG. 3 is a diagram depicting one embodiment of the present invention in which the pass-through includes a capacitive coupling.

(5) FIG. 4 is a block diagram depicting methods according to embodiments of the present invention.

(6) FIG. 5 is a diagram depicting a microcontroller for processing serial communications intercepted according to one embodiment of the present invention.

(7) FIG. 6-11 are diagrams depicting various approaches to determining an unspecified serial protocol frame according to embodiments of the present invention.

(8) FIG. 12 is a diagram depicting the wrapping of a serial protocol frame to form a routable packet according to one embodiment of the present invention.

(9) FIG. 13 is a diagram of a system implementing various embodiments of the present invention.

DETAILED DESCRIPTION

(10) The following description includes the preferred best mode of one embodiment of the present invention. It will be clear from this description of the invention that the invention is not limited to these illustrated embodiments but that the invention also includes a variety of modifications and embodiments thereto. Therefore the present description should be seen as illustrative and not limiting. While the invention is susceptible of various modifications and alternative constructions, it should be understood, that there is no intention to limit the invention to the specific form disclosed, but, on the contrary, the invention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention as defined in the claims.

(11) FIGS. 1-13 show a variety of embodiments and aspects of the present invention. Referring first to FIG. 1 a diagram depicts the pass-throughs interfacing the serial communication cable and the interception circuitry passing the serial data to a microprocessor. In this embodiment, each pass-through taps a line between serial ports 101 directly connected to the serial communication cable. Accordingly, the apparatus is connected in line with the serial communication cable. In such instances, the interception circuitry must have an impedance greater than that of the serial communication cable. The impedance in the interception circuitry can be increased using resistors 102 and/or including components having relatively large impedances. The large impedance in the interception circuitry ensures that the serial communications will still transmit through the serial communications cable in the event that the apparatus fails. In preferred embodiments, the impedance of the interception circuitry is at least 10% higher than that of the serial communication cable.

(12) Referring to FIG. 2, the diagram depicts each pass-through as an inductive coupling. The inductive coupling can capture the leading and trailing edges of a bit, which are then amplified by components in the interception circuitry, by electromagnetic induction which is the induction of a voltage in one wire based on the change in current flow of through a primary wire. In a particular embodiment, the inductive coupling utilizes a transformer 201. A coil of wire of the serial signal can be wound on the primary side of the transformer while a passive capture signal can be wound around the secondary side of the transformer. The coupling can be increased by a transformer so the magnetic field of the primary coil will pass through to the secondary coil such that a change in current flow through one coil will induce a voltage in the other.

(13) Referring to FIG. 3, the diagram depicts the pass through as a capacitive coupling. The capacitive coupling can comprise a capacitor 301 in series between the serial communications cable and the interception circuitry. The capacitive coupling can remove the DC bias from an AC signal. In some embodiments, a DC bias can be reintroduced in the interception circuitry to recreate the original serial communication.

(14) The serial data intercepted by the pass through is provided to a processor. FIG. 4 is a block diagram depicting the steps that can be executed by a processor to tap one or more serial communications and transmit the communications to a centralized location for purposes of security and troubleshooting. Serial communications that have been passively intercepted 400 by a serial communications pass-through connected to the processor can have a serial protocol frame that is unspecified. Accordingly, the processor first determines 401 the serial protocol frames according to characteristics of the serial communications. Once the serial protocol frames are known, routable packets are formed 402 by wrapping the serial protocol frames in a routable protocol. The processor can then transmit 403 the routable packets to one or more routable addresses through an interface connecting the processor to a routable network.

(15) The processor can be a microcontroller having at least two universal synchronous and/or asynchronous receiver/transmitter (USART) ports, at least some memory to store processor-executable instructions, and at least one port for network communication, such as an Ethernet port. Referring to FIG. 5, one embodiment of a microcontroller includes an ARM9 microcontroller 501. Serial communication data intercepted from the serial communication cable is provided through USART 1 and USART 2 ports 502. Since embodiments described herein can tap bi-directional communication, two signals are intercepted and sent to the microcontroller processor. The ARM9 microcontroller processor receives the serial communications, which are of an unknown protocol, wraps the data to form a UDP packet and then transmits routable packets through the 10/100/1000 Mbit Ethernet controller and port 503 to a network 504.

(16) As described elsewhere herein, embodiments of the present invention can automatically determine unspecified serial protocol frames, thereby enabling implementation and operation without foreknowledge of the protocol frames. FIGS. 6-12 are schematic diagrams depicting various ways that embodiments described herein can automatically determine the unspecified serial protocol frames.

(17) Referring to FIG. 6, the serial protocol frame determination can be based on timing-based signals. In such instances, the processing device can execute further programming to associate timing gaps 601 above a selected time threshold between the timing-based signals with frame edges that define the serial protocol frames. In other words, a substantial time gap can delineate one frame edge from another.

(18) Referring to FIG. 7, determination can be based on frame synchronization delimiters and length fields. The processing device can execute further programming to define the beginning and the length of serial protocol frames according to a frame synchronization delimiter 701 and length field 702, respectively. For example, optional offsets can be utilized. The offsets can be variable in length because some protocols utilize a header and then a length field. The offsets can address such instances and others that are similar.

(19) Referring to FIG. 8, determination of serial protocol frames can be based on frame synchronization delimiters 801 and frame end delimiters 802. The processing device executes further programming to define the beginning and the end of serial protocol frames according to the frame synchronization delimiters and frame end delimiters, respectively.

(20) Determination can alternatively include time variance between signals. The processing device can execute further programming to identify a baseline time gap in the signals and to define statistically significant deviations from the baseline time gap as the beginnings and the ends of serial protocol frames. As used herein, a baseline time gap can refer to the mean value of some or all of the previously processed signal time gaps and the associated standard deviation range. Statistically significant deviations from the baseline time gap can be determined by time gaps that fall outside a standard deviation range from the mean. The gap can be used to identify one frame from another. As depicted in FIG. 9, one approach involves the processing device calculating the mean (p) and standard deviation (a) of time gaps between each data block in the communication. A protocol frame edge can determined by any time gap that is greater than two standard deviations from the mean.

(21) Additional alternatives encompass the use of byte frequency. As used herein, byte frequency can refer to frequencies of occurrence for patterns of 2 or more byte sequences that occur in the serial traffic. Statistically significant byte frequency patterns can refer to byte frequencies that have a higher frequency percentage of occurrences relative to other byte frequencies. They can be determined by continuously calculating the frequencies of occurrence for patterns in the data. Those byte frequencies with the highest frequency of occurrence can be designated as statistically significant according to predetermined criteria, such as threshold for a percentage of occurrence. The processing device executes further programming to identify statistically significant occurrences of byte frequency patterns and to define the statistically significant occurrences with the beginnings and the ends of serial protocol frames. Referring to FIG. 10, the byte frequency for most data blocks is approximately 7%. However the frequency of 0x01 is 210%. Accordingly, it is identified as the beginning and end between serial protocol frames.

(22) Referring to FIG. 11, determination of the protocol frames can include byte frequency as well as time variance between signals. The processing device executes further programming to identify statistically significant occurrences of byte frequency patterns, to identify a baseline time gap in the signals, and to define statistically significant deviations from the baseline time gap combined with statistically significant occurrences of byte patterns as the beginnings and the ends of the serial protocol frames.

(23) Once the serial protocol frames are identified, data can be wrapped in order to form routable packets. Referring to one example depicted in FIG. 12, a universal datagram protocol (UDP) header 1202 is added to a determined serial frame 1201. An IP header 1203 can then be added to the UDP frame. Finally, an Ethernet header 1204 and CRC 1205 is added to wrap the IP frame.

(24) FIG. 13 includes an illustration depicting a legacy process control system 1300 in which various sensor and relays are connected to the system via serial communications. As depicted, a breaker fault protection device 1302, a recloser 1303, a line distance relay 1304, and a line differential relay 1305 communicate data to and from a com processor 1308 via serial cables. The serial cables are tapped by SerialTap devices 1307 according to embodiments of the present invention. The SerialTap devices are interfaced to a security network via Security LAN 1309. Communications intercepted by the SerialTap devices can be monitored in a control room 1301 using a workstation 1306 separate from the process control system and the SCADA LAN 1310 by which the legacy system communicates. Failure of one or more of the SerialTap devices has no impact on the regular operation of the process control system.

(25) While a number of embodiments of the present invention have been shown and described, it will be apparent to those skilled in the art that many changes and modifications may be made without departing from the invention in its broader aspects. The appended claims, therefore, are intended to cover all such changes and modifications as they fall within the true spirit and scope of the invention.