Method for safe access to a field device
10257707 ยท 2019-04-09
Assignee
Inventors
- Christoph Spiegel (Oberhausen, DE)
- Markus Dabrowski (Duisburg, DE)
- Rene Keimling (Duisburg, DE)
- Christian Hansen (Hattingen, DE)
CPC classification
G05B2219/36542
PHYSICS
G05B2219/31255
PHYSICS
H04L67/12
ELECTRICITY
H04W12/068
ELECTRICITY
International classification
G05B19/418
PHYSICS
Abstract
A method for providing safe access of a mobile control unit (1) to a field device (2), wherein, in particular, the field device is protected against unauthorized access via a mobile control unit is achieved in that a connection for transmitting data is established between the mobile control unit (1) and the field device (2), that access data for access is exchanged, that a comparison is made between the access data and stored comparison data and a comparison result is generated, and that access of the mobile control unit (1) to the field device (1) is permitted based on the comparison result.
Claims
1. Method for safe accessing of at least one field device by at least one mobile control unit, comprising: establishing a connection for transmitting data at least between the mobile control unit and the field device, transmitting access data for accessing of the mobile control unit to the field device, comparing the access data with stored comparison data and generating a comparison result, permitting access of the mobile control unit to the field device based on the comparison result indicating that access is permissible, wherein at least one access code is assigned to the field device for access to the field device and wherein the access code is stored as at least a part of the comparison data, wherein an identification code is assigned to the mobile control unit and is transmitted to the field device as at least a part of the access data, and wherein the identification code is stored in the field device as at least a part of the comparison data in the case that the comparison result generated for the comparison of the access data transmitted by the mobile control unit and the stored access code is positive and that in case of a further access of the field device by the mobile control unit only the identification code is transmitted from the mobile control unit to the field device.
2. Method according to claim 1, wherein access codes from at least two field devices are stored in the mobile control unit and wherein the access codes stored in the mobile control unit are shared by the mobile control unit with another mobile control unit.
3. Method according to claim 1, wherein at least the field devices that are accessible are identified by the mobile control unit, and wherein necessary access codes of the identified field devices are retrieved by at least one of another mobile control unit and an administrator device.
4. Method according to claim 1, wherein an administrator device is provided via which at least one of storing and sharing of at least one of access codes and identification codes is able to be carried out.
5. Method according to claim 4, wherein the comparison of access data with stored comparison data is performed at least partially by an administrator device.
6. Method according to claim 1, wherein the comparison of access data with stored comparison data is performed at least partially by an administrator device.
7. Method according to claim 1, wherein data is exchanged in at least partially encrypted form at least between the mobile control unit and the field device.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
DETAILED DESCRIPTION OF THE INVENTION
(7) An example for safe access of a mobile control unit 1 to a field device 2 is represented in
(8) Here, the field device 2 is a measuring device for determining the fill level of a medium 4 in a container 5.
(9) In the illustrated embodiment, measurement is carried out using the radar principle, wherein an antenna 6 is provided for sending and receiving electromagnetic radiation.
(10) The mounting position of the field device 2 on the container 5 makes direct operation by the operator 7 difficult, e.g., installing software or setting parameters or reading measurement or history data.
(11) Thus, here, the mobile control unit 1 is used in the form of a laptop, which communicates, i.e., in particular exchanges data, wirelessly with the field device 2 or, more specifically, via its wireless interface, indicated here by an accessory antenna 8.
(12) For data communication, the operator 7 brings his mobile control unit 1 in relative proximity to the field device 2 and starts an application program (e.g., in the form of a so-called app) on the mobile control unit 1, which then wirelessly connects to the field device 2.
(13) Thereby, the mobile control unit 1 transmits access data to the field device 2. The access data, in particular, is the presettable access code of the field device 2 and/or the specific identification code of the mobile control unit 1 itself.
(14) The access code of the field device 2, for example, is thereby preset during manufacture of the field device 2 or at the initial start-up of the field device 2 in the process and, in particular, is also securely stored in the field device 2.
(15) The received access data are, in turn, compared to data stored in a data storage 9 by the field device 2.
(16) Based on the comparison or the comparison result associated with it, the mobile control unit 1 is granted or denied access to the field device 2.
(17) The input or transmission of access data and their comparison to stored data (regardless of whether it is the special access code of the field device 2 or the identification code, quasi the ID, of the mobile control unit 1) controls the access to the field device 2 and thereby represents an internal extension of a fence 10, as it symbolically encloses the area around the process system and as it physically prevents unauthorized intrusion.
(18) In order to simplify access of the trustworthy mobile control unit 1 to the field device 2, the identification code of the respective mobile control unit 1 is stored in the field device, in particular after successful access. That means that, when attempting to make contact again, the mobile control unit 1 only has to transmit its identification code to the field device and is immediately identified as trustworthy by the field device based on the stored data, and access is allowed.
(19) If a potential data thief 11 should attempt to access the field device 2, the thief will not succeed, because, on the one hand, the thief does not have the specific access code of the field device 2 or, respectively, he is not using a mobile control unit 1 that has previously carried out authorized data exchange with the field device 2.
(20) The field device 2 has an input device 12, for example, in the form of a keyboard, and preferably also a display device for the user 7 to assign the access code to the field device 2. The input device 12 is called human-machine interface (HMI) in the prior art.
(21) The specific access code is entered via the input device 12 at initial installation and then securely stored in the data storage 9.
(22) The input device 12 can be directly used at initial installation despite the awkward mounting position, since the operator 7 is usually in immediate proximity to the field device 2 during installation.
(23) Preferably, data communication is blocked via the interface with the accessory antenna 8 until the access code is securely stored in the field device 2 and, thereby, safe data transfer can be ensured.
(24) Furthermore, an administrator device 13 is also provided, e.g., in the form of a server.
(25) The field device 2 transmits the identification code of the respective mobile control unit 1 to the administrator device 13 after a successful access attempt. Thus, a database of trustworthy mobile control units 1 is built up from the identification codes that have proven valid.
(26) In the following diagrams illustrating different procedures of safe access to a field device, essentially identical steps are marked with the same reference numbers.
(27) Transmission of data between the mobile control unit 1 and the field device 2 takes place with encryption. The communication can thereby be carried out over further intermediary devices or intermediary stations.
(28) The steps of an access procedure of a mobile control device to a field device are shown in
(29) In step 100, an access code is preset in the field device via an input device and is securely stored in the field device. Thereby, for example, it is ensured that this code cannot be subsequently changed.
(30) In step 101, the interface is unlocked, via which data communication between the field device and a mobile control unit can be implemented. The unlocking is possible, since it can be ensured with the retrieval of access data, that access to the field device is only possible for a chosen circle of people or only using trustworthy mobile control units.
(31) In step 102, an application program (app) is activated on the mobile control unit.
(32) The application program, thereby, is an implementation of a stand-alone program, i.e., a so-called stand-alone app. In another implementation, the application program is a component of another program. Overall, the application program is used for authorized access of the mobile control unit to the field device.
(33) The preset access code of the field device provided in step 100 is input in the mobile control unit in step 103 via the application program activated in step 102 and is stored in the mobile control unit in step 104. Thus, the mobile control unit can autonomously access the respective field device in one variation.
(34) Alternatively, step 104 is omitted and the access code of the field device has to be input directly in the mobile control unit each time for access to the field device.
(35) In step 105, the mobile control unit is brought in proximity to the field device so that data transfer between the two is possible.
(36) Communication is thereby carried out, for example, using WLAN or a Wi-Fi or BLUETOOTH connection, wherein, possibly, also parts of the transmission paths are crossed with industrial application protocols and, specifically, process automation protocols.
(37) In step 106, connection establishment takes place between the mobile control unit and the field device. In the case of a Bluetooth connection, this is called pairing. Direct access of the mobile control unit to the field device is not yet granted, thereby.
(38) Additionally, the mobile control unit transmits access data to the field device. This access data thereby is composed of at least the access code assigned to the field device, which was stored in the mobile control unit in step 104.
(39) In step 107, the field device compares the received access data to the access code assigned to the field device.
(40) If there is a deviation, the procedure returns to step 106, so that the operator or the mobile control unit has a further chance to input the correct access data.
(41) If there is agreement, i.e., in the case that the transmitted access data contains at least the access code, access of the mobile control unit to the field device is allowed in step 108.
(42) Then, in step 109, the mobile control unit and the field device exchange further communication data with one another.
(43) As part of the pairing, or here, as special step 110, the mobile control unit transmits its identification code, e.g., in the form of an ID clearly assigned to the mobile control unit, to the field device.
(44) The identification code is stored in the field device in step 111 for future access of the mobile control unit to the field device.
(45) In step 112, the actual communication between the mobile control unit and the field device takes place. This, for example, is the input of parameters or the installation of software in the field device or the reading of measurement or history data from the field device.
(46) For another mobile control unit, the procedure would begin at step 105 in the following, since the input of the access code for the field device is accordingly no longer required or, preferably, is no longer possible.
(47) Further contact establishment between the field device and the mobile control unit following the first part of the procedure in
(48) In step 105, the required proximity between the mobile control unit and the field device is created, whereupon the mobile control unit transmits its identification code as access data to the field device.
(49) That data or the code (regardless of whether access or identification code) can thereby consist in general of a plurality of preferably alphanumeric characters. However, in one variation, it is possible to use just one character, and, thus, just one piece of data.
(50) In step 113, the field device compares the received identification code to the data, which was stored during the previous contact establishment between the field device and the mobile control unit or, respectively, during the very first access, see
(51) Based on the comparison result, the field device allows access in the case of a positive comparison, and thus, preferably, also data transfer between the mobile control unit and the field device in step 112.
(52) The advantage of this variation is that the mobile control unit identifies itself as such and that, for that reason, based on previous data communication, it can already be verified whether access to the field device is allowable.
(54) In step 114, a mobile control unit receives the access code from an administrator device, which is, for example, a server.
(55) Subsequently, the operator approaches the field device with his mobile control unit in step 105 so that data communication is possible based on the technical conditions. This is dependent on whether only direct connection is to take place between the field device and the mobile control unit or whether other devices are interposed for data transmission.
(56) In step 106, the transmission of access data from the mobile control unit to the field device follows. This access data is, thereby, preferably that data, which was provided in step 114 from the administrator device to the mobile control unit.
(57) In step 107, the comparison of received access data to the data stored in the field device is carried out again, wherein, here, in the case of a negative comparison result, an alarm is triggered in step 115.
(58) In the case of a positive result, i.e., the agreement between the data transmitted from the mobile control unit and the data stored in the field device, the mobile control unit allows access to the field device in step 108 and the procedure follows as in
(59) A variation of the embodiment according to
(60) In this variation of
(61) For this reason, the interface for data communication (here a wireless interface for wireless communication with a mobile control unit) is configured so that although data exchange, e.g., in the form of pairing, i.e., the exchange of parameters, etc. required for data communication is possible, further access to the actual data of the field device, such as measurement data, history data, measurement or control parameters, or parts of software or firmware is not possible.
(62) In the first step 116, the mobile control unit is brought in proximity to the field device.
(63) When thereby entering the access code, it can also be provided that a direct connection, e.g., via a service interface, is created in the field device or that e.g., a seal or a sticker acting as seal is destroyed on the field device.
(64) If data communication is physically possible, then an application program is started on the mobile control unit in step 117, which specifically allows the input of access codes.
(65) The input of the (thereby henceforth valid) access code of the field device takes place in the mobile control unit.
(66) Thus, the operator enters, for example, the sequence of numbers and letters using a real or virtual keyboard of the mobile control unit.
(67) In step 119, this access code is transmitted from the mobile control unit to the field device and stored there in step 120.
(68) Since an access code ensuring the authorized access is now provided and, therefore, access to the field device is ensured, the mentioned interface of the field device is also principally unlocked for further access to the field device in this step 120.
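The access procedure of steps 100 to 120, worked through as an added example that is not the patent's own code: a simulated field device that refuses all communication until an access code has been preset at its HMI (steps 100/101, paragraph (23)), compares the transmitted access code on first contact (step 107), stores the identification code of a successfully authenticated mobile control unit (steps 110/111), accepts only that identification code on further contact (step 113), and records an alarm on a negative comparison (step 115). The salted hashing of the stored access code, the constant-time comparison, the device name and the unit identifiers are assumptions of this example; the patent only states that the code is "securely stored".

```python
import hashlib
import hmac
import secrets


class FieldDevice:
    """Simulated field device 2 with its data storage 9 (example code, not the patent's)."""

    def __init__(self, name):
        self.name = name
        self._salt = secrets.token_bytes(16)
        self._code_hash = None           # access code kept only as a salted hash (assumption)
        self.trusted_ids = set()         # identification codes stored in step 111
        self.interface_unlocked = False  # paragraph (23): interface blocked until a code exists
        self.alarms = []                 # unit IDs that produced a negative comparison, step 115

    def _hash(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def set_access_code(self, code):
        """Steps 100 / 120: preset the code once via the HMI; it cannot be changed afterwards."""
        if self._code_hash is not None:
            raise PermissionError("access code of %s is already set" % self.name)
        self._code_hash = self._hash(code)
        self.interface_unlocked = True   # step 101: data communication is now possible

    def request_access(self, access_data):
        """Steps 106/107 (first contact) and 113 (further contact): compare access data."""
        if not self.interface_unlocked:
            return False                 # no comparison data yet, nothing is answered
        unit_id = access_data.get("id")
        code = access_data.get("access_code")
        if code is not None:
            # first access: the access code must match (constant-time compare is an assumption)
            ok = hmac.compare_digest(self._hash(code), self._code_hash)
            if ok and unit_id:
                self.trusted_ids.add(unit_id)   # steps 110/111: remember the trusted unit
        else:
            ok = unit_id in self.trusted_ids    # step 113: only the identification code is sent
        if not ok:
            self.alarms.append(unit_id)         # step 115: negative comparison triggers an alarm
        return ok


def demo():
    """Constructed run-through of the procedure; the code and unit IDs are made up."""
    fd = FieldDevice("LT-1")
    blocked = fd.request_access({"id": "unit-A", "access_code": "K7F-2A9"})  # before step 100
    fd.set_access_code("K7F-2A9")                                            # entered at the HMI
    first = fd.request_access({"id": "unit-A", "access_code": "K7F-2A9"})    # step 107 positive
    again = fd.request_access({"id": "unit-A"})                              # step 113, ID only
    unknown = fd.request_access({"id": "unit-X"})                            # unknown ID, alarm
    wrong = fd.request_access({"id": "unit-B", "access_code": "guess"})      # wrong code, alarm
    return blocked, first, again, unknown, wrong, list(fd.alarms)


if __name__ == "__main__":
    print(demo())
```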
(69) In the following, the procedure shown in
(70) Two field devices 2, 2 are provided in
(71) Additionally, a transmitter device 14 is also shown, which implements data communication between or, respectively, safe separation of the two application areas consumer electronics (left side, here) and industry electronics or, respectively, process automation electronics (right side, here).
(72) In a further implementation (not shown here), the transmitter device 14 is connected to the field device 2 via a cable.
(73) In another implementation (also not shown), the transmitter device 14 is directly connected to the field device 2 and is located, for example, in a common housing.
(74) In order to indicate that the devices used, common protocols and safety mechanisms definitely differ from one another, a border 15 is provided.
(75) Conversely, this means that mobile control units from the consumer sector can also be used for application in the field of process automation with the field devices.
(76) The mobile control units 1, 1 are thereby designed so that they exchange access codes for different field devices with one another via the administrator device 13 or directly with one another.
(77) Additionally or alternatively, the field devices 2, 2 also receive (for example, here, via the administrator device 13) the identification code of the mobile control units 1 that may be granted access.
(78) Procedures, methods and programs from the application field of information technology for consumers are used in the mobile control units 1, 1 and also in the administrator device 13.
(79) In one variation, the mobile control units 1, 1 scan the network, which results, in particular, from the devices in the wireless range of the mobile control units, for field devices 2, 2 or other mobile control units 1, 1, with which connection is possible and for which possibly the necessary access data is present or has to be installed.