Method for preventing impermissible access to software applications in field devices
11481516 · 2022-10-25
Cpc classification
H04L63/10
ELECTRICITY
G05B2219/2642
PHYSICS
G06F21/00
PHYSICS
H04L67/12
ELECTRICITY
International classification
G06F21/62
PHYSICS
G06F21/00
PHYSICS
H04L67/12
ELECTRICITY
G06F21/57
PHYSICS
Abstract
The invention includes a method and a communication network for preventing impermissible access to software applications implemented in field devices, wherein the field devices are integrated in a communication network of automation technology and wherein each software application exchanges information within the communication network via at least one communication interface. The method includes registering currently activated safety functions of each of the communication interfaces; registering all activatable safety functions of each communication interface; ascertaining at least one shared safety function, which is activatable in each of the communication interfaces; displaying the shared safety functions and selecting at least one displayed, shared safety function; and reconfiguring each of the communication interfaces, wherein currently set safety functions are replaced by the at least one selected, shared safety function, and when no shared safety function was ascertained, each of the communication interfaces is so reconfigured that no safety function is activated.
Claims
1. A method for preventing impermissible access to software applications implemented in field devices, wherein the field devices are integrated in a communication network of automation technology and wherein each software application exchanges information within the communication network via at least one communication interface, the method comprising: registering safety- and/or functional characteristic based safety functions that are currently activated in each of the communication interfaces of the software applications; registering all safety functions that are activatable in each communication interface; when at least one activatable safety function is present, ascertaining at least one shared safety function that is activatable in each of the communication interfaces; displaying the at least one shared safety function and selecting at least one displayed, shared safety function; and reconfiguring each of the communication interfaces and replacing currently activated safety functions in the communication interfaces with the at least one selected, shared safety function; and when no shared safety function is present, reconfiguring each of the communication interfaces so that no safety function is activated in the respective communication interface.
2. The method as claimed in claim 1, further comprising: evaluating the communication network; when the evaluation is negative and at least one activatable safety function is present, displaying the at least one shared safety function and selecting at least one displayed, shared safety function; and reconfiguring each of the communication interfaces, wherein currently set safety functions are replaced by the at least one selected, shared safety function; and when the evaluation is negative and no shared safety function is present, reconfiguring each of the communication interfaces so that no safety function is activated.
3. The method as claimed in claim 1, further comprising: modeling and visualizing a flow of information of mutually communicating software applications, wherein pertinent communication interfaces and their activatable safety functions are illustrated.
4. The method as claimed in claim 3, further comprising: graying out the activatable safety functions in the visualization that do not belong to the shared safety functions settable in each of the communication interfaces.
5. The method as claimed in claim 3, wherein the selecting of at least one shared safety function occurs via the visualizing of the flow of information.
6. The method as claimed in claim 1, further comprising: executing the method after an addition or removal of a software application.
7. The method as claimed in claim 1, further comprising: executing the method after each updating of any one of the software applications.
8. A communication network, comprising: a computer unit including a control software; a first field device including a first software application having a first communication interface; and a second field device including a second software application having a second communication interface, wherein the control software is configured to: register safety functions that are currently activated in the first communication interface and in the second communication interface; register all safety functions that are activatable in the first communication interface and in the second communication interface; when at least one activatable safety function is present in the first communication interface and in the second communication interface, ascertain at least one shared safety function that is activatable in the first communication interface and in the second communication interface; display the at least one shared safety function; select at least one displayed, shared safety function; and reconfigure the first communication interface and the second communication interface and replace currently activated safety functions in the first communication interface and in the second communication interface by the at least one selected, shared safety function; and when no shared safety function is present, reconfigure the first communication interface and the second communication interface so that no safety function is activated in the first communication interface and in the second communication interface.
9. The communication network as claimed in claim 8, wherein the communication network is a wireless network.
10. The communication network as claimed in claim 8, wherein the communication network is a wired network based on a fieldbus protocol of automation technology.
Description
BRIEF DESCRIPTION OF THE DRAWING
(1) The invention will now be explained in greater detail based on the appended drawing, the figures of which show as follows:
(2)
(3)
DETAILED DESCRIPTION
(4)
(5) Each of the field devices F1, F2, F3, F4, G has at least one software application S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G. The software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G exchange information with one another via communication interfaces. The software applications S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G can, in such case, have two separate communication interfaces KI, one of which serves for transmitting information and the other for receiving information. It can, however, also be provided that a single communication interface KI both transmits and receives information.
(6) In addition to the field devices F1, F2, F3, F4, G, also the computer units R1, R2 can have software applications S.sub.R1, S.sub.R2 with corresponding communication interfaces KI.
(7) The information can, in such case, be sent via the communication network KN, KN′. It can also be provided that at least two or more software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G are implemented in a field device F1, F2, F3, F4, G. In this case, the information can also be transmitted within a field device F1, F2, F3, F4, G.
(8) One of the two computer units R1, R2 registers the currently activated safety functions of each of the communication interfaces KI of the software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G of the field devices F1, F2, F3, F4, G. Furthermore, the computer unit R1, R2 additionally registers all activatable safety levels of each of the communication interfaces KI. It can, in such case, be provided that the computer unit R1, R2 must authenticate itself to each of the software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G in order to obtain access to the currently set safety levels and the additionally activatable safety levels of each of the communication interfaces.
(9) The computer unit R1, R2 ascertains from the registered data at least one safety function, which is available in each of the communication interfaces KI. This ascertained shared safety function or the ascertained plurality of shared safety functions are displayed to the user for selection on the computing unit R1, R2.
(10) Preferably, the computer unit models the flow of information of the software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G communicating with one another in the communication network. In this way, it can be displayed which software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G actually communicate actively, which software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G do not participate in the communication, via which communication interfaces KI the software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G communicate, and which software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G communicate with which other software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G.
(11) The visualizing can occur in tabular form; alternatively, it can also be shown in a virtual plant plan. Preferably, for a communication interface KI, all safety functions activatable in that communication interface KI are displayed. In such case, those safety functions which are not contained in the set of ascertained, shared safety functions are grayed out or not presented for selection.
(12) After selection of one or more shared safety functions, the computing unit R1, R2 reconfigures all communication interfaces KI of each of the software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G. If no shared safety function could be ascertained, then the individual communication interfaces KI are reconfigured in such a manner that no safety function is activated in any of the communication interfaces KI. This is especially necessary when a preconfigured new field device F1, F2, F3, F4, G is added to the communication network KN, KN′, or new software is employed in a field device F1, F2, F3, F4, G. In such case, safety functions already activated by default in the new communication interfaces KI, but not in all communication interfaces KI of the remaining software applications S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G, could lead to incorrect interpretations of exchanged information.
(13) In an additional method step, it can be provided to evaluate the communication network KN, KN′ after the reconfiguration of all communication interfaces KI. In such case, all communication interfaces KI are checked as to whether the shared safety function was correctly activated. Furthermore, it is checked whether the flow of information between the individual software components S.sub.F1, S.sub.F2, S.sub.F3, S.sub.F4, S.sub.G has changed. If the evaluation is negative, the method of the invention is repeated from the step of selecting one or more shared, activatable safety functions.
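The registering, ascertaining, displaying, reconfiguring and evaluating steps of paragraphs (8) to (13) amount to an intersection over per-interface capability sets followed by a uniform reconfiguration. The following Python is an added illustration, not code from the patent or from any product; the class and function names are assumptions, and the sample interfaces are constructed using the function labels the description uses later (I1 output escaping, I2 checksum, C1 SSL), plus a constructed "new device" interface that offers only C1 to exercise the branch in which no shared function exists.

```python
from dataclasses import dataclass, field


@dataclass
class CommunicationInterface:
    """One communication interface KI of a software application (assumed model)."""
    name: str
    activatable: set                        # all safety functions this KI can activate
    active: set = field(default_factory=set)  # safety functions currently activated


def register_active(interfaces):
    """Step 1: register the currently activated safety functions per KI."""
    return {ki.name: set(ki.active) for ki in interfaces}


def register_activatable(interfaces):
    """Step 2: register all activatable safety functions per KI."""
    return {ki.name: set(ki.activatable) for ki in interfaces}


def ascertain_shared(activatable_by_ki):
    """Step 3: the shared functions are those activatable in every KI."""
    sets = list(activatable_by_ki.values())
    return set.intersection(*sets) if sets else set()


def display_rows(activatable_by_ki, shared):
    """Step 4 (display): one row per (KI, function). The flag is False for
    functions that would be grayed out because they are not shared."""
    return [(name, fn, fn in shared)
            for name, fns in activatable_by_ki.items()
            for fn in sorted(fns)]


def reconfigure(interfaces, selected):
    """Step 5: replace whatever is active with the selection. An empty
    selection (no shared function found) deactivates everything."""
    for ki in interfaces:
        ki.active = set(selected)


def evaluate(interfaces, selected):
    """Optional check: every KI now runs exactly the selected functions."""
    return all(ki.active == set(selected) for ki in interfaces)


def harmonise(interfaces, choose):
    """Run the whole method. `choose` stands in for the user: it receives
    the shared set and returns the subset to activate."""
    shared = ascertain_shared(register_activatable(interfaces))
    selected = set(choose(shared)) if shared else set()
    if not selected <= shared:
        raise ValueError("selection must be drawn from the shared functions")
    reconfigure(interfaces, selected)
    return selected, evaluate(interfaces, selected)


# Constructed sample: KI of S_F1 offers I1 and I2 (I2 active by default),
# KI' of S_F2 offers I1 and C1 (C1 active by default).
KI_F1 = CommunicationInterface("KI_F1", {"I1", "I2"}, {"I2"})
KI_F2 = CommunicationInterface("KI_F2", {"I1", "C1"}, {"C1"})
# Constructed preconfigured new device whose interface offers only C1.
KI_NEW = CommunicationInterface("KI_new", {"C1"}, {"C1"})


def _fresh(*templates):
    return [CommunicationInterface(t.name, set(t.activatable), set(t.active))
            for t in templates]


def run_two_devices():
    """A shared function exists: I1 is selected and activated everywhere."""
    ifs = _fresh(KI_F1, KI_F2)
    selected, ok = harmonise(ifs, lambda shared: shared)  # user picks all shared
    return selected, ok, register_active(ifs)


def run_with_new_device():
    """No shared function: every interface ends up with nothing active."""
    ifs = _fresh(KI_F1, KI_F2, KI_NEW)
    selected, ok = harmonise(ifs, lambda shared: shared)
    return selected, ok, register_active(ifs)


if __name__ == "__main__":
    print(run_two_devices())
    print(run_with_new_device())
```

The second run shows the failure mode paragraph (12) warns about: adding a preconfigured device that cannot activate I1 empties the shared set, so the method switches every interface to "no safety function" rather than leaving a mix of escaped and unescaped endpoints.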
(14) Alternatively to the computer unit R1, R2, also a mobile servicing device (not shown in
(15)
(16) After the registering of the currently activated safety functions of the communication interfaces KI, KI′ and the registering of all activatable safety functions of the communication interfaces KI, KI′ have been performed, the registered shared safety functions are shown to the user on a computer unit R1, R2. In this example there is one, the safety function I1, output escaping, based on the protection goal integrity, which is available on all communication interfaces KI, KI′.
(17) Besides the safety function I1, output escaping, the communication interface KI of the software application S.sub.F1 enables the adding of a checksum to the sent information. This safety function I2 is based likewise on the protection goal, integrity.
(18) Besides the safety function I1, output escaping, the communication interface of the software application S.sub.F2 enables the encrypting of the sent information by means of SSL. This safety function C1 is based on the protection goal, confidentiality.
(19) These additional safety functions I2, C1 are displayed to the user, but they are grayed out or otherwise shown as not selectable by the user.
(20) Since the user has selected the shared safety function I1, output escaping, the computer unit R1, R2 reconfigures the pertinent communication interfaces KI, KI′ of the software applications S.sub.F1, S.sub.F2. Furthermore, the communication network KN is evaluated after the reconfiguration of the communication interfaces KI, KI′ has taken place.
(21) A communication between the software applications S.sub.F1, S.sub.F2 will now be described by way of example in the following:
(22) The software application S.sub.F2 sends to the software application S.sub.F1 a request for transmission of the TAG of the field device F1, in which the software application S.sub.F1 is implemented. The software application S.sub.F1 identifies the TAG of the field device F1, “abc<xyz”. Since the character “<” is a safety critical character, the communication interface KI of the software application S.sub.F1 replaces it before the transmission according to the method of output escaping, for example, with the HTML entity “&lt;” corresponding to the character “<”. Transmitted as information is thus the TAG “abc&lt;xyz”.
(23) The communication interface KI′ of the software application S.sub.F2 receives this transmitted information. Since the safety function I1, output escaping, is also activated in this communication interface, the communication interface KI′ detects the alteration of the TAG and converts it back to its original form, so that the original character sequence “abc<xyz” is forwarded to the software application S.sub.F2.
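The exchange in paragraphs (22) and (23), as an added Python example that is not part of the patent: the sending interface applies output escaping, the receiving interface reverses it, and two extra cases show why the method insists that I1 be active on both ends. The class and function names are assumptions; the interfaces are constructed, and the escaping is done with the standard library's `html.escape` / `html.unescape`, which is one way of realising the "HTML entity" replacement the text describes.

```python
import html


class EscapingInterface:
    """A communication interface with the optional safety function I1
    (output escaping). Assumed model, not the patent's own code."""

    def __init__(self, name, i1_active):
        self.name = name
        self.i1_active = i1_active

    def transmit(self, tag):
        # Output escaping: "<" and similar characters become HTML entities,
        # so "abc<xyz" goes on the wire as "abc&lt;xyz".
        return html.escape(tag, quote=True) if self.i1_active else tag

    def receive(self, data):
        # The receiving side undoes the escaping before forwarding the TAG.
        return html.unescape(data) if self.i1_active else data


def exchange(sender, receiver, tag):
    """Return (wire form, what the receiving application is handed)."""
    wire = sender.transmit(tag)
    return wire, receiver.receive(wire)


def tag_preserved(sender, receiver, tag):
    """True when the receiving application sees exactly the original TAG."""
    return exchange(sender, receiver, tag)[1] == tag


# Constructed interfaces: KI of S_F1 answers the request, KI' of S_F2 receives.
KI_F1 = EscapingInterface("KI_F1", i1_active=True)
KI_F2 = EscapingInterface("KI_F2", i1_active=True)
# Constructed mismatch case: a receiver on which I1 was never activated.
KI_F2_NO_I1 = EscapingInterface("KI_F2_no_I1", i1_active=False)


if __name__ == "__main__":
    print(exchange(KI_F1, KI_F2, "abc<xyz"))          # ('abc&lt;xyz', 'abc<xyz')
    print(exchange(KI_F1, KI_F2_NO_I1, "abc<xyz"))    # receiver keeps the escaped form
    print(exchange(KI_F2_NO_I1, KI_F2, "a&lt;b"))     # receiver alters a legitimate TAG
```

The two mismatch runs are the "incorrect interpretation of exchanged information" that paragraph (12) warns about: with I1 on only one side, the receiving application either sees the escaped TAG as its real name or silently rewrites a name that happened to contain an entity-like sequence. Both are caught by the evaluation step, since the activated functions no longer match on every interface.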
(24) Now, based on the example of an embodiment shown in
(25) Of course, the method can be used for any type and number of software applications in field devices F1, F2, F3, F4, G in a communication network KN, KN′ and is not limited to the examples, safety functions I1, I2, C1 and protection goals used in this embodiment.