Method and device for checking the integrity of modules of a wind turbine
11650558 ยท 2023-05-16
Cpc classification
Y04S40/20
GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
H04L9/0866
ELECTRICITY
H04L9/088
ELECTRICITY
H04L9/0877
ELECTRICITY
Abstract
A method and a device for checking the integrity of modules of a technical facility. The technical facility has multiple modules and sets of controls for controlling the technical facility. For starting up each set of controls and the overall technical facility, a master key is used which is utilized for decrypting an encrypted region of the set of controls. The master key for starting up a set of controls of the technical facility is derived from features of all sets of controls installed in the technical facility, and a start or a start-up of the technical facility can take place only when the master key is found to be satisfactory.
Claims
1. A method for checking the integrity of modules of a technical facility, wherein the technical facility has multiple modules and sets of controls for controlling the technical facility, wherein for starting up each set of controls and the overall technical facility, a master key is used which is utilized for decrypting an encrypted region of the set of controls, the method comprising: deriving the master key for starting up a set of controls of the technical facility from features of all sets of controls installed in the technical facility, and authorizing a start or a start-up of the technical facility only when the derived master key is found to be satisfactory.
2. The method according to claim 1, further comprising: during a boot operation of the set of controls, initially setting the set of controls to a pre-operational state in which with the aid of a security module, a token is generated based on data and features that include the characteristics and/or environmental data and/or input parameters of the set of controls, transmitting the tokens of all sets of controls installed in the facility to a decision module, generating the master key in the decision module based on the tokens, with the aid of an algorithm, supplying the master key to the sets of controls, decrypting, by the master key, the encrypted region of the sets of controls, and responsive to the decrypting of the encrypted region, switching the sets of controls from the pre-operational state into the operating state, as the result of which the technical facility starts operating.
3. The method according to claim 2, wherein the transmission of the tokens takes place in an encrypted manner.
4. The method according to claim 2, wherein the tokens are cryptographically checked for integrity and origin in order to ensure that the particular tokens also unequivocally originate from an authorized set of controls in the environment.
5. The method according to claim 1, wherein the method is used in a technical facility in the form of a wind turbine.
6. The method according to claim 1, wherein the master key is not stored on any of the sets of controls.
7. The method according to claim 1, wherein the step of deriving the master key comprises: generating a token for each set of controls based on data and features that include the characteristics and/or environmental data and/or input parameters of each set of controls, and generating the master key based on the tokens.
8. A method for checking the integrity of modules of a technical facility, wherein the technical facility has multiple modules and sets of controls for controlling the technical facility, wherein for starting up each set of controls and the overall technical facility, a master key is used which is utilized for decrypting an encrypted region of the set of controls, characterized in that the master key for starting up a set of controls of the technical facility is derived from features of all sets of controls installed in the technical facility, wherein a start or a start-up of the technical facility can take place only when the master key is found to be satisfactory, wherein during a boot operation of the set of controls, the set of controls initially assumes a pre-operational state in which with the aid of a security module, a token is generated based on data and features that include the characteristics and/or environmental data and/or input parameters of the set of controls, wherein the tokens of all sets of controls installed in the facility are transmitted to a decision module, wherein the master key is generated in the decision module based on the tokens, with the aid of an algorithm, wherein the master key is supplied to the sets of controls, and by the master key, the encrypted region of the sets of controls is enabled, and the sets of controls switch from the pre-operational state into the operating state, as the result of which the start-up of the technical facility can take place.
Description
(1) The invention is explained in greater detail below with reference to drawings that illustrate only one implementation approach. In this regard, further features and advantages of the invention that are essential to the invention emerge from the drawings and their description.
(2) In the drawings:
(7) A higher-order monitoring controller 4, which is referred to below in general as the set of controls A or set of controls B or set of controls C, is situated in the nacelle 2.
(8) Also present in the nacelle 2 is a converter 5 that includes a control module, which likewise is referred to below in general as the set of controls A, B, or C.
(9) A rotor controller 14, which likewise is referred to below in general as the set of controls A or set of controls B or set of controls C, is present in the area of the rotor 3.
(10) Each of the modules 4, 5, and 14 mentioned above can take over the task of the set of controls A or set of controls B or set of controls C described below.
(11) An Ethernet connection 6 or some other suitable bus connection leads from the nacelle 2 via the tower 44 to the tower base 7, where a number of further modules are present, and a main controller 8 is also installed.
(12) The main controller 8 is in functional connection with a terminal 11, for example, which includes a display device and an input device for user inputs; this terminal 11 is connected to the main controller 8 via a signal connection 12.
(13) Even further modules may also be present; a monitoring module 10 and a network changeover switch 9 are mentioned as examples.
(14) The overall wind turbine 1 is connected via the main controller 8 to a high-speed communication bus 13, via which the wind turbine is connected to other wind turbines and can communicate with them.
(16) The set of controls B 17 includes a CPU 47 for processing data, which are supplied to the set of controls B 17 via the Ethernet connection 6 and/or multiple signal inputs, wherein a sensor input, a temperature input, a status input 1, and a status input 2, for example, may be provided. The set of controls B 17 may have a number of further signal inputs.
(17) The CPU 47 controls a hardware security module 45, which generates an internal key 46 from which a token 48 is generated under the influence of the CPU 47. This token 48 is supplied via a logical path 27 to a decision module 15, in which a decision is made concerning the validity of the token 48, and lastly, a master key 49 that is valid for all combined modules is also generated.
(18) The sets of controls 16, 17 illustrated in
(19) Thus, the set of controls A 16 also generates a token 48, which is supplied to the decision module 15 via the logical path 27. The same applies for the set of controls C 18 (see
(20) It is preferred that the set of controls B, which is in the pre-operational state and still must be checked, generates a request (request 25) in order to prompt the decision module 15 to check its transmitted token B against the tokens A, C of the other sets of controls A, C, which are brought together in the decision module 15.
(21) The functioning of a decision module 15 is illustrated in
(23) It is assumed that the set of controls B 16 has been newly installed in the wind turbine, or that changes have been made to the set of controls B 16.
(24) Accordingly, when the set of controls B 16 is booted, the procedure described below is carried out.
(25) For simplification, it is assumed that the set of controls A 17 and the set of controls C 18 are already in the normal operating state. The set of controls B 16 is started and runs through the method for deriving a master key.
(26) After start-up, the set of controls B 16 switches into a pre-operational state and requests the respective token 19, 21 from the sets of controls A 17 and C 18. The sets of controls A 17 and C 18 transmit their respective token 19, 21 to a merge node 22, 23. The validity of the tokens 19, 21 is checked by the set of controls A. If the tokens are valid, the master key is derived. If the master key is also valid, the set of controls B switches into the normal operating state.
(27) The two other sets of controls 17 and 18 generate a valid token, which is supplied to an associated merge node 22, 23 of the protocol module via the logical paths 19 and 21.
(28) It is assumed that the set of controls 16 is not yet operative, and its integrity must therefore be checked. A master key that is stored in the set of controls is not necessary for this purpose. Rather, according to the invention a token that is generated by the set of controls 16 and supplied to a function status module 24 via the logical path 20 is sufficient. The function status module 24 generates a pre-operational state of the set of controls B 16, which indicates that the integrity of the set of controls B 16 has not yet been checked, and therefore the overall wind turbine must not yet be put into operation.
(29) In this pre-operational state of the set of controls B 16, starting from the function status module 24, a request is sent to the two merge nodes 22 and 23 via the logical paths 25 and 26 to evaluate whether the tokens on the logical paths 19 and 21 as well as the token on the path 20, or the paths 25, 26, are valid.
(30) Accordingly, in a first decision step in the merge nodes 22 and 23, a validity check of the individual tokens 19, 20, 21 from the individual sets of controls 17, 16, 18 takes place, wherein the set of controls B 16 is still in the preoperational state until the validity of the token 20 has been checked.
(31) If the result of the comparison of the tokens in the merge node 22 and 23 is satisfactory, a further merge node 30 is controlled via the logical paths 27, 28, 29.
(32) It is preferred that the set of controls 16 to be checked, which is in the pre-operational state, makes a request 25, 26 to the merge node 22, 23, which is used to prompt, via the merge nodes 22, 23, the respective set of controls 17 and 18 to send their token from the merge node 22, 23, in particular via the logical path 27 and 29, whereupon a total of three tokens are collected in the downstream merge node 30 via the paths 27, 28, 29, and are subsequently transmitted via the logical path 31 to the decision node 32, which then checks all three arriving tokens for validity.
(33) If an error occurs, an end state 34 is flagged as an error via the decision output 33, and the wind turbine 1 cannot be put into operation.
(34) However, if the decision node 32 confirms the validity of the three tokens A, B, C to be checked, a key derivation 37 takes place on the downstream logical path 35, and from the derived key a master key 49 is now generated, which is supplied to the decision node 38.
(35) The validity of the master key 49 is checked in the decision node 38. If an error occurs, the decision output 39 determines an error state as the end state 40, and the wind turbine 1 cannot be put into operation.
(36) However, if a valid master key 49 is present, at the output of the decision node 38 a continuation message is then sent to the central controller on the logical path 41, and the central controller thus acknowledges the set of controls B 16 as valid. The function status module 24 places the set of controls B 16 from the pre-operational state into the normal operating state, and the wind turbine can be put into operation.
(37) The advantage of this measure is that initially, in a first step, a request is made via the multiple parallel merge nodes 22, 23 to all sets of controls to send a token, so that these tokens may be checked in a downstream second merge node 30.
(38) Only when the validity of all tokens in this downstream merge node 30 has been recognized does a key derivation take place, from which a master key is then generated.
(39) For example, a function known as the password-based key derivation function 2 (PBKDF2) may be used for the key derivation. This is a standardized function for deriving a key from a password and using the key in a symmetric scheme.
(40) When such a method is used, it is preferred to apply a pseudorandom function, such as a cryptographic hash function or an HMAC, together with a salt value, to the password. The function is subsequently applied multiple times to the result. This iteration makes it costly to recover the original password from the key by brute force. In addition, the use of rainbow tables is greatly impeded by the salt. By increasing the number of passes, the function may also be adapted to the increasing power of computers.
(41) The PBKDF2 method is only one example of such a key derivation 37 for generating a master key 49. However, there are other preferred methods that are suitable for deriving a key from a password and using the key in a symmetrical method.
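The boot procedure of paragraphs (23) to (38) and the PBKDF2 key derivation of paragraphs (39) to (41), worked through as an added Python example; this is not code from the patent or from any product it describes. It assumes that a token 48 is an HMAC over a canonical encoding of the control set's features, that the decision module holds one provisioned verification key per registered control set (the patent leaves the token check unspecified), that a per-facility salt is provisioned, and it stands in a constructed counter-mode-plus-HMAC scheme for the "encrypted region". All class, function and key names (ControlSet, DecisionModule, seal_region, open_region, provision, boot, FACILITY_SALT) are this example's own.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed parameters for this example (not values from the patent).
FACILITY_SALT = b"facility-0001-example-salt"  # assumed per-facility PBKDF2 salt
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32
TAG_LEN = 32


@dataclass
class ControlSet:
    """A set of controls (A, B or C) whose security module holds an internal key (key 46)."""
    name: str
    internal_key: bytes
    features: Dict[str, str] = field(default_factory=dict)  # characteristics / environment / inputs

    def canonical_features(self) -> bytes:
        # Canonical encoding so that identical features always give identical tokens.
        return json.dumps(self.features, sort_keys=True, separators=(",", ":")).encode()

    def make_token(self) -> bytes:
        # Token 48: keyed MAC over the feature set, binding the token to this set of controls and its state.
        return hmac.new(self.internal_key, self.canonical_features(), hashlib.sha256).digest()


class DecisionModule:
    """Decision module 15: checks token origin/integrity and derives the master key without storing it."""

    def __init__(self, verification_keys: Dict[str, bytes]):
        # Assumption: one verification key per registered set of controls, provisioned at installation.
        self.verification_keys = verification_keys

    def token_is_valid(self, name: str, features: bytes, token: bytes) -> bool:
        key = self.verification_keys.get(name)
        if key is None:
            return False  # token from an unregistered set of controls is rejected (claim 4)
        expected = hmac.new(key, features, hashlib.sha256).digest()
        return hmac.compare_digest(expected, token)

    def derive_master_key(self, tokens: Dict[str, bytes]) -> bytes:
        # Master key 49 = PBKDF2-HMAC-SHA256 over all tokens in a fixed order (key derivation 37).
        material = b"".join(tokens[name] for name in sorted(tokens))
        return hashlib.pbkdf2_hmac("sha256", material, FACILITY_SALT, PBKDF2_ITERATIONS, KEY_LEN)


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    return (hmac.new(master_key, b"region-enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"region-mac", hashlib.sha256).digest())


def seal_region(master_key: bytes, plaintext: bytes) -> bytes:
    # Constructed toy encrypt-then-MAC scheme standing in for the encrypted region of a set of controls.
    enc_key, mac_key = _subkeys(master_key)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest() + ciphertext


def open_region(master_key: bytes, sealed: bytes) -> Optional[bytes]:
    enc_key, mac_key = _subkeys(master_key)
    tag, ciphertext = sealed[:TAG_LEN], sealed[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ciphertext, hashlib.sha256).digest()):
        return None  # wrong master key: the region stays locked
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def provision(control_sets: List[ControlSet], decision: DecisionModule, region_plaintext: bytes) -> bytes:
    # At installation the region is sealed under the key derived from the legitimate configuration.
    tokens = {cs.name: cs.make_token() for cs in control_sets}
    return seal_region(decision.derive_master_key(tokens), region_plaintext)


def boot(candidate: ControlSet, peers: List[ControlSet], decision: DecisionModule, sealed_region: bytes) -> str:
    """Boot sequence of claim 2: pre-operational -> collect tokens -> derive key -> decrypt -> operating."""
    tokens: Dict[str, bytes] = {}
    for cs in [candidate, *peers]:
        token = cs.make_token()
        if not decision.token_is_valid(cs.name, cs.canonical_features(), token):
            return "error"  # end state 34: a token failed the validity check
        tokens[cs.name] = token
    master_key = decision.derive_master_key(tokens)  # exists only here, never persisted (claim 6)
    if open_region(master_key, sealed_region) is None:
        return "error"  # end state 40: the derived master key does not open the region
    return "operating"  # function status module 24 leaves the pre-operational state


def demo() -> Dict[str, str]:
    # Constructed sets of controls and keys for the scenario of paragraphs (23) to (38).
    keys = {"A": b"key-A-example", "B": b"key-B-example", "C": b"key-C-example"}
    a = ControlSet("A", keys["A"], {"role": "monitoring", "fw": "1.4.2", "serial": "A-100"})
    b = ControlSet("B", keys["B"], {"role": "converter", "fw": "2.0.1", "serial": "B-200"})
    c = ControlSet("C", keys["C"], {"role": "rotor", "fw": "3.1.0", "serial": "C-300"})
    decision = DecisionModule(keys)
    sealed = provision([a, b, c], decision, b"operational configuration of B")
    results = {"unchanged": boot(b, [a, c], decision, sealed)}
    # Firmware on B changed after installation: B's token, hence the master key, no longer matches.
    b_changed = ControlSet("B", keys["B"], {**b.features, "fw": "2.0.2"})
    results["changed_b"] = boot(b_changed, [a, c], decision, sealed)
    # A set of controls unknown to the decision module is rejected at the token check.
    rogue = ControlSet("D", b"key-D-unknown", {"role": "unknown"})
    results["unregistered"] = boot(rogue, [a, c], decision, sealed)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is that nothing on the control sets needs to hold the master key: a changed feature on any one set (the `changed_b` case) alters its token, the PBKDF2 output, and therefore the key that is tried against the sealed region, so the set stays out of the operating state and the facility does not start.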
(42) In particular, the invention is not dependent on the use of a hardware security module 45 for generating a key 46.
(43) There are also other methods that use cryptographic operations, which allow the trustworthiness and integrity of data and the associated information to be ensured.
(44) Such a described hardware security module is a very simple case, which in other embodiments may be implemented in a much more extensive and complex manner.
(45) Hardware security modules usually provide numerous functions for secure management of the device and the keys. Examples are the authentication of operators and administrators by hardware tokens (chip cards or security tokens, for example), access protection using the four eyes principle (k out of n persons necessary), encrypted backup of the keys and configuration data, and secure cloning of the hardware security module.
(46) In principle, the hardware security module may thus be used to cryptographically generate a token.
LIST OF REFERENCE NUMERALS
(47) 1 wind turbine
(48) 2 nacelle
(49) 3 rotor
(50) 4 monitoring controller
(51) 5 converter
(52) 6 Ethernet connection
(53) 7 tower base
(54) 8 main controller
(55) 9 changeover switch (network)
(56) 10 monitoring module
(57) 11 terminal
(58) 12 signal connection
(59) 13 communication bus
(60) 14 rotor controller
(61) 15 decision module
(62) 16 set of controls B
(63) 17 set of controls A
(64) 18 set of controls C
(65) 19 logical path (A)
(66) 20 logical path (B)
(67) 21 logical path (C)
(68) 22 merge node
(69) 23 merge node
(70) 24 function status module
(71) 25 request
(72) 26 request
(73) 27 logical path
(74) 28 logical path
(75) 29 logical path
(76) 30 merge node
(77) 31 logical path
(78) 32 decision node (token)
(79) 33 decision output
(80) 34 end state
(81) 35 logical path
(82) 36 decision node
(83) 37 key derivation
(84) 38 decision node (key)
(85) 39 decision output
(86) 40 end state
(87) 41 logical path
(88) 42 start process
(89) 43 decision device
(90) 44 tower
(91) 45 hardware security module
(92) 46 key
(93) 47 CPU
(94) 48 token
(95) 49 master key
(96) 50 protocol module