DE102018123766A1 - SWITCH PORT LOCK FOR ADVANCED INTELLIGENT PROCESS CONTROL SYSTEMS - Google Patents

Abstract

An intelligent process-control switch can implement a lock-in routine to lock its communication ports and allow only the use of devices with known physical addresses, so that the intelligent process-control switch can prevent new, potentially hostile devices from communicating with other devices. to which the intelligent process control switch is connected. In addition, the intelligent process control switch may implement an address mapping routine to identify "known pairs" of the physical and network addresses for each device that communicates over a port of the intelligent process control switch. Thus, even if a new enemy device is able to fake a known physical address to bypass locked ports, the intelligent process routing switch can detect the enemy device by retrieving the network address of the enemy device with the expected network address for that " known couple "compares.

Description

TECHNICAL AREA

The present disclosure generally relates to process control systems, and more particularly to techniques for blocking the ports of an intelligent process control system.

STATE OF THE ART

Process control systems, such as distributed or scalable process control systems, such as those used in power generation, in chemical, petroleum or other processes, typically include one or more process controllers (control elements) communicatively communicating with each other via a process control network having at least one Host or operator workstation and connected via analog, digital or combined analog / digital buses with one or more field devices.

The field devices, which may be, for example, valves, valve positioners, switches, and transducers (eg, temperature, pressure, and flow sensors) perform functions within the process or equipment, such as opening or closing valves, on and off Switch off devices and measure process parameters.

The process controllers, typically located within the process plant environment, receive signals indicative of process measurements or process variables generated by or associated with the field devices, and / or other information related to the field devices, and carry controller information. Applications or routines. Each controller uses the received information to implement a control routine and to provide control signals that are sent over the buses to the field devices to control the operation of the process or equipment. The controller routines implement control modules that make processor decisions based on the received information and generate control signals and coordinate with the control modules or blocks in the field devices such as HART® and Fieldbus field devices. The control modules in the process controllers send the control signals over the communication lines or signal paths to the field devices, so as to control the operation of the process.

Field device and process controller information is typically provided to one or more other hardware devices, such as operator workstations, maintenance workstations, personal computers, handheld devices, data historians, report generators, central databases, etc. via the process control network. The information transmitted over the network allows an operator or maintenance person to perform the desired functions related to the process. For example, the information allows an operator to change the settings of the process control routine, modify the operation of the control modules within the process controllers or smart field devices, indicate the current state of the process or the status of particular devices within the process plant, field devices, and process To display warnings generated by the controllers, to simulate the operation of the process for the purpose of training the personnel or to test the process control software, to diagnose problems or hardware faults within the process plant, etc.

The field devices typically communicate with the hardware devices through the process control network, which can be an Ethernet-configured LAN. The network passes the process parameters, network information and other process control data via various network devices to different units in the process control system. The network devices typically allow network flow through the network by controlling its routing, frame rate, timeout, and other network parameters, while not changing the process data itself. Some typical network devices include, for example, Layer 2 network switches, Layer 3 network switches, routers, and / or hubs. The layers mentioned here refer to the network layers of the OSI model.

In general, a Layer 2 network switch receives a message and forwards the received message through one of its ports associated with a MAC address of the target device (identified by the message) in a LAN. A Layer 2 network switch typically stores a table that establishes relationships between MAC addresses and corresponding switch ports. When the Layer 2 network switch receives a message, it identifies the MAC destination address of the message, also identifies a port of the switch corresponding to the MAC address from the table, and forwards the message over that port. When the Layer 2 network switch receives a message with a destination MAC address that is not stored in the table, it sends the message to all ports on the switch, repeating it as needed until the message reaches the target device, where the target device responds, thus informing the switch of the corresponding port "mapped" to the MAC destination address. In particular, Layer 2 switches do not route, use IP addresses to make forwarding decisions, and do not trace intermediate nodes between the switch and the target device. Rather referenced a Layer 2 switch simply uses the table to determine which port on the switch the message should be forwarded to.

On the other hand, Layer 3 devices (such as routers and Layer 3 switches) often route, identify intermediate nodes, and use IP addresses for routing and / or routing. This routing capability and the ability to use network addresses enable Layer 3 devices to forward data to destinations outside a LAN to which the Layer 3 device is connected. While routers and Layer 3 network switches are sometimes suitable for routing process control data within a process control network, routers and Layer 3 switches can be significantly more expensive than Layer 2 switches, especially if they are designed to operate in a process control environment configured (eg two to three times more expensive).

As the process control networks grow in size and complexity, the number and types of network devices increase accordingly. As a result of system and network growth, security and management in these complex systems are becoming increasingly demanding. For example, each network device may include one or more communication ports that provide an access point or port for physically interconnecting the process control system components and other network devices across the network. These network device ports can be used by adding other devices to an access point for network expansion or can allow a device that may be malicious or non-malicious to access the network and cause unwanted, potentially harmful network traffic.

To address malicious unit security concerns, some control switches have a disabling mechanism for disabling a port (such as an unused port) to prevent a device from communicating over the disabled port. In addition, some control switches sometimes have locking mechanisms ("lockdown mechanisms," as in US Pat. No. 8,590,033 disclosed), which may "lock" a port to restrict communication over the locked port to a single device that was connected to that port at the time of the lockout. However, these traditional locking mechanisms are limited. In particular, the traditional locking mechanisms may not (i) block ports with more than two attached devices and / or (ii) ports connected to a second switch (sometimes called an "uplink port"). Uplink ports are generally excluded from network security lockout (ie, they remain unlocked) to maintain uplink port functionality during lockdown and to avoid the inadvertent implementation of a too restrictive lock that interferes with plant operation. In addition, some switches categorize a port that is daisy chained as an uplink port if you identify multiple devices attached to the port and assume that the port is connected to a switch. Thus, while some control switches implement conventional locking mechanisms to prevent an enemy device from being connected via a port that was previously unused (eg, by disabling that port) or connected to only a single terminal (e.g. by locking this port) to a network, these switches will remain on any port connected to an uplink switch, to more than two terminals, or to a single device with multiple physical addresses (for example, virtualized systems). , vulnerable.

BRIEF SUMMARY OF THE INVENTION

The methods and systems described enable a process-control switch to lock all its ports and / or identify "known pairs" of physical and network addresses for each device that communicates over each port of the process-routing switch.

In one embodiment, a process control switch includes a plurality of ports and a circuit set communicatively coupled to the plurality of ports. The circuit set may be implemented to disable the plurality of ports, wherein the circuit set: (A) generates a static address table, (i) maps the known physical addresses for devices in a process control environment to one or more of the plurality of ports where the devices are connected, and (ii) that is not updated with new known physical addresses while the majority of the ports are locked, the static address table mapping a plurality of known physical addresses on a single port that is unlockable or unmanaged Switch or a chain of devices connected; and / or (B) limits the traffic at each of the plurality of ports, wherein the circuit set: (i) controls the number of messages forwarded at each port to comply with a traffic threshold and (ii) authenticates the source physical addresses that are included in each of the messages received on each port. To authenticate the physical source addresses, the circuit set may: (a) parse the message to identify a physical source address contained in the message; (b) forward the message over one of the plurality of ports if the static address table uses the physical source address as a known physical one List the address shown on the single port; and (c) terminate the message if the static address table does not list the physical source address as a known physical address mapped to the single port.

In one embodiment, a process control switch includes a plurality of ports and a circuit set communicatively coupled to the plurality of ports. The circuit set may be configured to implement a locking operation in which the circuit set: (a) determines that one of the plurality of ports is connected to a second switch; (b) analyze a handshake with the second switch to determine whether or not the second switch is lockable; (c) forwards the messages received from the second switch if the circuit set determines that the second switch is lockable without authenticating the source physical addresses for the messages; and / or (d) authenticating the physical source addresses contained in messages received at the port if the circuit set determines that the second switch is not lockable so that a message received on the port is analyzed to determine if the received message identify a physical source address included in a list of known physical addresses or not.

Note: This summary has been created to introduce a selection of concepts, which are explained in more detail below in the detailed description. As explained in the detailed description, certain embodiments may include features and advantages not described in this summary, and certain embodiments may omit one or more features and / or advantages described in this summary.

list of figures

• 1A ist eine schematische Darstellung eines Prozessleitsystems in einer Prozessanlage, in der ein intelligenter Prozessleit-Switch implementiert werden kann, um die Netzwerksicherheit zu erhöhen und das Netzwerkmanagement und die -wartung zu ermöglichen.
• 1B ist eine zweite schematische Darstellung eines Prozessleitsystems in einer Prozessanlage, in der der in 1A gezeigte intelligente Prozessleit-Switch implementiert werden kann, um die Netzwerksicherheit zu erhöhen und das Netzwerkmanagement und die Netzwerkwartung zu ermöglichen.
• 1C zeigt eine Grundeinheit von Daten oder einen Rahmen, der über das Prozessleitsystem in der Regel über das Ethernet-Protokoll kommuniziert werden kann.
• 2A ist ein Netzwerkdiagramm eines beispielhaften Prozessleitnetzwerks, in dem ein Satz intelligenter Prozessleit-Switches, von denen jeder den in den 1A und 1B gezeigten ähnlich ist, implementiert wird, um die Sperrleistung zu verbessern und die Netzwerksicherheit zu erhöhen.
• 2B ist ein Netzwerkdiagramm eines zweiten beispielhaften Prozessleitnetzwerks, in dem eine Reihe intelligenter Prozessleit-Switches implementiert ist, um die Sperrleistung zu verbessern und die Netzwerksicherheit zu erhöhen.
• 2C ist ein Blockdiagramm des in 1A, 1B und 2A dargestellten intelligenten Prozessleit-Switches.
• 3A zeigt eine beispielhafte Methode zum Sperren und Entsperren von Ports für einen oder mehrere der in 1A-2C gezeigten intelligenten Prozessleit-Switches.
• 3B zeigt eine beispielhafte Methode zur Sperrung der Ports des in 1A-2C gezeigten intelligenten Prozessleit-Switches nach Erhalt eines Sperrbefehls.
• 3C zeigt eine beispielhafte Methode zum Entsperren des in 1A, 1B, 2A und 2B gezeigten intelligenten Prozessleit-Switches.
• 4A zeigt ein Beispiel einer Benutzeroberfläche, die bereitgestellt werden kann, um das Sperren und Entsperren der in 1A - 2C gezeigten intelligenten Prozessleit-Switches zu ermöglichen.
• 4B zeigt die in 4A gezeigte beispielhafte Benutzeroberfläche, die mit einem Satz entsperrter Switches versehen ist.
• 4C zeigt die in 4A und 4B gezeigte, beispielhafte Benutzeroberfläche, die mit einem Satz gesperrter Switches versehen ist.
• 4D zeigt die in 4A, 4B und 4C gezeigte, beispielhafte Benutzeroberfläche, die mit einem Satz der Switches mit dem Status „Auf Sperre warten“ versehen ist.
• 5 zeigt ein Beispiel für die in 2C dargestellte Adressabgleichtabelle.
• 6 zeigt ein Blockdiagramm einer beispielhaften Methode zur Implementierung der in 2C und 5 dargestellten Adressabgleichtabelle zur Verbesserung der Sicherheit eines Prozessleitsystems in einer Prozessanlage.
• 7 zeigt ein Blockdiagramm einer beispielhaften Methode zur Feststellung von Sicherheitsproblemen im Zusammenhang mit den in 1A-2C dargestellten intelligenten Prozessleit-Switches.

Each of the figures described below represents one or more aspects of the disclosed system (s) and / or method (s) according to one embodiment. The detailed description refers to the reference numerals contained in the following figures.

• 1A is a schematic representation of a process control system in a process plant in which an intelligent process control switch can be implemented to increase network security and to enable network management and maintenance.
• 1B is a second schematic representation of a process control system in a process plant in which the in 1A can be implemented to increase network security and enable network management and maintenance.
• 1C shows a basic unit of data or a frame that can be communicated via the process control system usually via the Ethernet protocol.
• 2A FIG. 10 is a network diagram of an exemplary process control network in which a set of intelligent process control switches, each of which is incorporated into the 1A and 1B is implemented to improve blocking performance and increase network security.
• 2 B FIG. 10 is a network diagram of a second exemplary process control network implementing a number of intelligent process control switches to improve blocking performance and increase network security.
• 2C is a block diagram of the in 1A . 1B and 2A illustrated intelligent process control switches.
• 3A shows an example method for locking and unlocking ports for one or more of the 1A-2C shown intelligent process control switches.
• 3B shows an exemplary method for blocking the ports of in 1A-2C shown intelligent process control switches after receiving a lock command.
• 3C shows an exemplary method to unlock the in 1A . 1B . 2A and 2 B shown intelligent process control switches.
• 4A shows an example of a user interface that can be provided to lock and unlock the user interface 1A - 2C enable intelligent process control switches shown.
• 4B shows the in 4A shown exemplary user interface, which is provided with a set of unlocked switches.
• 4C shows the in 4A and 4B shown exemplary user interface provided with a set of locked switches.
• 4D shows the in 4A . 4B and 4C shown exemplary user interface provided with a set of switches with the status "wait for lock".
• 5 shows an example of the in 2C illustrated address matching table.
• 6 shows a block diagram of an exemplary method for implementing the in 2C and 5 shown Address matching table for improving the safety of a process control system in a process plant.
• 7 FIG. 12 is a block diagram of an exemplary method for detecting security issues associated with the present invention 1A-2C illustrated intelligent process control switches.

DETAILED DESCRIPTION

The present disclosure describes an intelligent process control switch 146 (shown in 1A . 1B and 2C , and sometimes as a "switch 146 (I) adapted to (i) implement a lockout or routine for disabling its communication ports for use solely by devices having known physical addresses, and / or (ii) an address mapping operation or routine for identification "Known pairs" physical and network addresses for each device through the switch 146 communicates, to implement.

Basically, switches can be divided into two categories: configurable switches and non-configurable switches. Configurable switches (sometimes called "managed switches") are capable of configuring various network settings (eg, port speed, virtual LANs, redundancy, port mirroring and quality of service (QoS) for traffic prioritization, etc.) by a user so that the switch can be adapted to a particular implementation. Non-configurable switches (sometimes called "unmanaged switches") are typically configured by a manufacturer to OEM specifications with network settings that an end user can not easily change. While configurable switches are often found in environments (e.g., industrial environments) where inputs and traffic control are desired, non-configurable switches are typically designed for environments requiring less demanding usage (e.g., homes or businesses) small offices).

Basically, the term "managed switch" is not synonymous with the term "configurable switch" as described above, and the term "unmanaged switch" is not synonymous with the term "non-configurable switch" as described above. Rather, the terms "managed" and "unmanaged" refer to the lockability of a switch. That is, a "managed switch" for this purpose refers to a switch having the lock functionality described herein, and an "unmanaged switch" to a switch that lacks the lock functionality described herein. Because the switch 146 is executed so that it implements the described locking process, the switch 146 be referred to as a "managed switch".

The locking procedure allows the blocking of the ports of the switch 146 so devices attached to their ports become "known" devices that are allowed to continue to use this port while any "new" device is not allowed to communicate over the port. That is, the switch 146 stops communication from "new" devices that are connected to the switch 146 connect after the switch 146 was locked, so the switch 146 protect its ports from attack by a newly attached enemy device. In general, the term "connect" refers to a device and a port of the switch 146 A physical connection between the port and a physical medium (such as an Ethernet cable such as a CAT5 or CAT6 cable) that controls the communication between the switch 146 and the device allows. The physical medium can be connected directly or indirectly to the device via one or more intermediate devices that enable communication with the device.

When implementing the lock process, the switch can 146 create an entry (eg, a static address table) of physical addresses (eg, MAC addresses) for all known devices that directly or indirectly connect to each port of the switch 146 are connected. Unlike traditional control switches, the switch can 146 Create an entry of more than two physical devices connected to a single port. For example, if three, four, five, or more devices are chained to a single port, the switch can 146 generate an entry of the physical address for each of the plurality of devices chained to the single port. Consequently, the switch can 146 "lock" each port and communicate through the switch 146 only for devices with known physical addresses (for example, physical source addresses that match the physical addresses entered at the time of blocking). If, in such a scenario, an enemy device physically locks with a port of the switch after the blocking 146 connects, the switch forwards 146 the enemy device's messages stop (assuming its physical address does not match a physical address of a device connected to that port at the time of blocking). Consequently, the switch can 146 Prevent an enemy device from joining the control network, preventing the enemy device from gathering sensitive information from the control network or taking unauthorized control over devices attached to the control network.

The locking process can be done by the switch 146 Running after the switch 146 receives a lock command sent in response to a device that has detected a security threat on a network where the switch is located 146 connected. The lock command can z. From a device (eg, a computer such as a server, a workstation, or a controller) in the control system (eg, the Delta V control system) that is in communication with the switch 146 connected system is implemented. As another example, the lock command may be transmitted by a security system (eg, a specially designed hardware such as an ASIC or a group of computers running security software) that monitors network activity. The security system may include one or more network activity monitoring systems, e.g. For example: access control systems, anti-keylogger systems, anti-malware systems, anti-spyware systems, anti-subversion systems, anti-virus systems, cryptographic systems, firewall systems, intrusion detection systems (IDS), intrusion prevention Systems (IPS), Safety Information Management Systems or Safety Information and Event Management Systems (SIEM). One or more of these security systems may work in coordination to generate a lock command. For example, a firewall system may detect a security threat and notify the SIEM (which may be configured to aggregate security threats from multiple sources), and the SIEM may respond with the transfer of the lock command. Exemplary security threats can be detected in various ways. For example, the security system may use signature-based detection (eg, detection of a known network signature of a known threat, such as malware) and / or abnormal-based detection (eg, detection of discrepancies, such as when a new logical port is opened on a node where only certain logical ports are to be opened and used, such as those associated with a particular protocol associated with the node).

The lock routine may be used in conjunction with a traffic handler that limits the traffic on each port to a predetermined threshold. Each threshold for each port may be determined based on the type of devices connected to the port. For example, if a controller is connected to a port, the controller's traffic utilization is expected to drive certain amounts of input / output traffic per port (eg, 512 kbps input or 1500 packets per second output). Traffic, etc.), whereby the traffic threshold for this port can be set accordingly.

Field devices may consume more or less traffic, so ports connected to field devices may have different traffic thresholds. In some cases, traffic control is an important feature for process-control switches. For example, process-control switches without traffic control can allow any amount of data exchange between any devices, thus avoiding basic denial-of-service attacks that would be easily recognized if the specific communication requirements of a particular process control system are met therefore, it is not difficult to set thresholds based on the protocol and device types used for these particular applications.

Further referring to the locking process, the switch may 146 determine when a port is connected to a second switch (eg, via bridge protocol bridge unit (BPDU) frames) and handshake with the second switch to determine if the second switch is a second switch 146 or an "unmanaged switch" (e.g., a switch that does not have the disclosed lock capabilities). If the second switch is an unlockable or "unmanaged" switch, the switch can 146 identify and record the physical address of each end device via the unlockable or "unmanaged" switch on the port of the switch 146 connected.

If desired, the switch can 146 leave certain ports unlocked during the lock. For example, the switch 146 determine when a port is connected to a second switch (such a port can be referred to as an "uplink port") and a handshake with the second switch to determine if the second switch is "managed" (ie "lockable"). like the switch 146 ) or "unmanaged" (ie not "lockable" like the switch 146 ). If the second switch is managed, the switch can 146 leave the uplink port unlocked (and thus not check the physical source address of messages received over the uplink port and / or check the physical source address of messages, but not delete messages with an unknown physical source address). Such an uplink port may be referred to as a "managed uplink port". If the second switch is unmanaged, the switch can 146 identify and record the physical address of each terminal connected to the uplink port via the unmanaged switch, and the uplink port may be referred to as an unmanaged uplink port. The switch 146 can then lock the uplink port so that the switch 146 Messages originating from an unknown device connected to the unmanaged switch terminate and prevent the unknown device (for example, a potentially hostile device) from accessing the wider network to which the switch belongs 146 connected. It should be noted that locked ports of the switch 146 continue to broadcast broadcast and multicast messages from known devices, and that in such cases an unknown or unauthorized device (ie, a device without a known physical address for a particular port) can listen to these transmitted broadcast and multicast messages. However, in such cases, the unauthorized device will be unable to respond to these messages or otherwise receive messages through the locked port of the switch 146 transferred to.

Address mapping allows the switch 146 After the lock, verify that a device with a known physical address is a known device by confirming that the device has not simply forged the known physical address. The switch 146 performs this check by tracking a network address (eg, IP address) for each known physical address. Therefore, any known device for a particular port should have a known address pair (ie, a physical and a network address) that is from the switch 146 is tracked. So even if there is an enemy device with a locked port on the switch 146 connects and successfully fakes a physical address of a known device for this locked port, the switch detects 146 in that the network address of the hostile device does not match the network address in the entry paired with the physical address. Consequently, the switch generates 146 a warning and / or stop the messages he has received from the enemy device.

The switch 146 can implement port mirroring on request. For example, the switch 146 Copy packets that enter or leave a specific port and send the copied packets to an analyzer (for example, through an assigned port connected to the analyzer). The analyzer can be any machine that is executed to analyze the copied packages (eg by software). Port mirroring allows the copied packets to be diagnosed and / or debugged without significantly affecting the devices that transmit and / or receive the original packets.

1A and 1B are schematic representations of a process control system 100 in a process plant where the switch 146 can be implemented to increase network security and enable network management and maintenance. The process control system 100 includes a process control network 150 that forms a collection of nodes (eg, devices or systems that can send, receive, and / or forward information) and communications links that are interconnected to facilitate telecommunications between the nodes. The nodes of the network 150 include one or more switches 146 ; one or more process controllers 110 ; one or more host workstations or computers 120 - 122 (eg, authorized workstations and / or servers), at least one of which includes a display screen; one or more input / output cards 140 (I / O); one or more field devices 130 . 133 and or 142 ; a gateway 143 ; and / or a data historian 145 , Some embodiments do not include the field device 142 and the gateway 143 ,

The network 150 is a local area network (LAN). In some cases, a wide area network (WAN) and / or telecommunications network may be part of the plant networks, but in some circumstances not an integral part of the network 150 , The network 150 can be configured for Ethernet communications and / or any suitable communications protocol (e.g., TCP / IP, proprietary protocols, etc.) and can be implemented using hardwired (preferred) or wireless technology. Other aspects of the network 150 are described in more detail at the end of the Detailed Description.

The one or more process controllers 110 (each of which may be, for example, the DeltaV ™ controller sold by Fisher Rosemount Systems, Inc.) are via one or more switches 146 and with the network 150 and with one or more host workstations or one or more computers 120 - 122 communicatively connected. Every controller 110 may include one or more network interface cards (sometimes called "communication interfaces") and may communicate with the field devices via the I / O cards 140 130 Each communicates via a backplane communicatively with one of the controllers 110 can be connected. The field devices 130 can communicate with the network 150 coupled (eg using the DeltaV electronic marshalling technology). Over the network 150 You can also connect to Ethernet-based I / O nodes such as DeltaV CHARM I / O Cards (CIOC), Wireless I / O Cards (WIOC), Ethernet I / O Cards (EIOC), etc. connected to field devices using open protocols and data to one or more process controllers 110 return. The communication between the controllers 110 and I / O nodes can be explicitly proprietary in this case.

An I / O network 155 , which is a subnetwork of the network 150 can be, allows communication between the controllers 110 (eg via the I / O cards 140 ) and the field devices 130 . 133 and 142 , The I / O network 155 may contain intermediate nodes that are not in 1A are shown, such as. B. additional switches 146 (please refer 1B) , The I / O network 155 can be performed for Ethernet communication and / or any suitable communication protocol (eg, TCP / IP, ModbusIP, etc.), and can be done with hardwired or wireless technology, depending on the design. Some embodiments do not include the I / O network 155 or contain a modified version of the I / O network 155 (For example, some embodiments do not include switches between the controllers 110 and the field devices).

The I / O cards 140 are communicative with the field devices 130 connected via any hardware and software, eg. With standard 4 - 20 mA devices, standard Ethernet protocols, and / or any intelligent communication protocols such as the FOUNDATION Fieldbus protocol (Fieldbus), the HART protocol, or any other desired communication or control protocol.

The field devices 130 can be all types of devices, such as As sensors, valves, transmitters, positioners, etc. In the in 1A illustrated embodiment, the field devices 130 HART devices that have analog standard 4-20 mA leads 131 with a HART modem 140 communicate while the field devices 133 smart devices like fieldbus field devices are those that have a digital bus 135 or an I / O network 155 with an I / O card 140 communicate using Fieldbus protocol communication. Of course, the field devices 130 and 133 comply with any other desired standards or protocols, including any standards or protocols developed in the future.

The field device 142 can be through a special network device like the gateway 143 to the digital bus 135 be connected. For example, the field device 142 only understand Profibus PA commands, and the I / O network 135 can implement the PROFIBUS DP protocol. For this purpose, the gateway 143 Provide bidirectional PROFIBUS DP / PA translation. A switch 146 can also be at or near the gate 143 be positioned.

The controller 110 , which may be one of many distributed controls in the plant with one or more processors, implements or monitors one or more process control routines. The routines may include one or more control loops stored in or associated with the controller. The controller 110 also communicates with the devices 130 or 133 , the host computers 120 - 122 and the data historian 145 over the network 150 and the associated network devices 146 to control a process in any way. It should be noted that all of the control routines or elements described herein may include components that may be implemented or executed by various controllers or other devices as desired. Likewise, the control routines described herein or elements within the process control system 100 be implemented, take any forms, including software, firmware, hardware, etc. For this purpose, a process control element may be any part or portion of a process control system, eg. A routine, block or module stored on any computer-readable medium. Control routines, which may be modules or parts of a control method such as subroutines, parts of a subroutine (e.g., lines of code), etc., may be implemented in any software format, e.g. Using ladder logic, sequential function diagrams, functional block diagrams, object-oriented programming, or any other software programming language or design paradigm. Also, for example, the control routines may be hard coded into one or more EPROMs, EEPROMs, application specific integrated circuits (ASICs), or other hardware or firmware elements. In addition, the control routines can be designed using any design tool, including graphical design tools or any other type of software / hardware / firmware programming or design tools. So can the controller 110 be designed to implement a control strategy or control routine in any manner.

The data historian 145 may be any type of data acquisition unit with any desired type of memory and any desired or known software, hardware or firmware for storing data and may be from one of the workstations 120 - 122 be separate or form part of it. The data historian 145 can over the switch 146 with the network 150 and / or the hosts 120 and 122 be coupled communicatively.

1C shows a basic unit of data or a frame 175 via the process control system 100 in general and via the process control network 150 can be communicated using the Ethernet protocol. An Ethernet frame 175 contains seven fields, each containing information between the devices, such as: B. a switch 146 or another component of the process control system 100 , The fields can be a number of bytes of data 178 contained by the receiving device are interpreted and processed. For example, the destination MAC address field 180 a physical address of the intermediate or destination node of the process control system 100 included while the MAC source address field 182 a physical address of a sender or intermediate node of the process control system 100 may contain. The MAC destination address field 180 and the MAC source address 182 can be used in conjunction with the data from Switch 146 to be used by the process control network 150 to process sent data. In some embodiments, the fields 180 . 182 are compared with one or more tables stored in a receiving network device when the device is in a "locked" state. The results of the comparison can be used to reject or otherwise deny the received data or other physical or logical connections to the locked network device.

2A is a network diagram of an example process control network 200A in which a set of switches 146A-D , each of which gives an example of the in 2C shown switch 146 implemented to improve blocking performance and increase network security. The solid lines represent communication links connected to a locked port, and the dotted lines represent communication links connected to an unlocked port. Advantageously, each port of the switches 146A-D be locked. Even if, therefore, an enemy device connects to a process control device, a hub or an unmanaged switch that connects to a port on one of the switches 146A-D connected, the enemy device can not communicate through this port, if the corresponding switch 146A-D Is blocked.

Except the switches 146A-D includes the network 200A the devices 111A - 111L (collectively as "devices 111 " designated), 113A - 113D (collectively as "devices 113 ") And a hub 112 , The devices 111 are process control devices that are specially designed for operation in a process control system and for communication via a process control network. Each of the devices 111 has one or two physical addresses (eg for redundancy). The physical address (es) for the devices 111 are usually configured so that the devices 111 from other process control devices in the process control network 100D be recognized. For example, the physical address of each device 111 begin or end with a particular recognized character pattern (eg, F9-C3-XX-XX-XX-XX) so that each device is recognizable as a device specifically configured for implementation in a process control environment. The exemplary devices 111 include process controllers, I / O cards, workstations, data historians and specially configured network devices.

The devices 113 include (i) devices that are not specifically configured for a process control network (sometimes called "standard devices" or "universal devices") and / or (ii) devices with more than two physical addresses (including both specially configured process controllers and "universal devices"). can include). The hub 112 is a universal network hub.

The switches 146A-D can block all ports regardless of the type or number of devices attached to the ports, preventing an attack by a hostile device connected (directly or indirectly) to any port on any of the switches 146A-D combines. 2A shows a number of examples in which the switches 146A-D improve the current process control switches. Below are four specific examples of the benefits of the switches 146A-D describe: (i) disabling a port connected to a "universal device" or device (process control or "universal device") having more than two physical addresses; (ii) disable a port connected to an unmanaged switch; (iii) disable a port associated with a set of the daisy-chained devices; and (iv) disabling a port connected to an unmanaged network device, such as a hub, that is connected to multiple devices.

The first example concerns the switch 146A who has a port 201 contains, which can be locked when using the device 113A which may be (i) a "universal device" with any number of physical addresses or (ii) a process control device having more than two physical addresses. In operation, the switch implements 146A a lock routine to the port 201 to lock. After the lock, the switch allows 146A no device with a different physical address than that of the device 113A , over the port 201 to communicate. In other words, the switch 146A analyzes each at the port 201 received message to identify a physical source address contained in the message. If the message does not contain a physical source address that matches the physical address of the device 113A matches the switch 146A At the time of blocking, the message is from the switch 146A Instead of passing the message through one of its other ports, the switch 146A generates a port violation warning. In comparison, a typical process control switch can handle the device 113A connected port may not lock because of the device 113A either a "universal device" or a device with more than two physical addresses, with process-control switches normally having such ports Do not lock, even if a blocking procedure has been initiated.

The switch 146A also contains a port 211 that with the switch 146B connected is. Like the one with the port 211 connected solid line shows, is the port 211 blocked. Accordingly, the switch 146A Store physical addresses of all devices at the time of locking over the port 211 communicate including all physical addresses of the devices attached to one of the switches 146B-D are connected. In some cases, each of the switches 146B-D get a notification that he is using an upstream switch 146 connected (eg switch 146A) and therefore can not authenticate physical addresses during the suspension, assuming that the upstream switch 146 authenticates the physical addresses listed in the messages to ensure that the specified physical address is a known address. In other cases, one or more of the switches authenticate 146B-D along with the switches 146A the physical addresses during the blocking.

The second example concerns the switch 146B who has a port 203 which can be disabled if it is connected to an unmanaged switch (that is, a switch that lacks the described blocking capabilities or that can not transmit BPDU frames). The port 203 and any other port connected to a second switch (for example, the port 211 of the switch 146A and the ports 213 . 215 and 217 ), can be called an "uplink port". Note: Under certain circumstances, the switches can 146 can be designed to identify only managed uplink ports when they identify uplink ports, and therefore the switch port can 203 from the switch 146B can not be categorized as an uplink port (for example, the switches can 146 be run so that they only categorize such ports as uplink ports that are compatible with other switches 146 are connected). The devices 111G-I be with the unmanaged switch 109 physically connected to the port 203 connected is. As the unmanaged switch 109 its ports can not lock (as the dotted lines that make up the switch 109 with the devices 111G-I connect), a hostile device can connect to the switch 109 connect to others at the switch 109 connected devices (eg the devices 111G - 111I) to communicate. In other words, even if someone tries to lock all the switches on the network 200A (eg the switches 146A - 146D) A new device with an unknown physical connection to the switch may lock itself 109 connect, the switch 109 Messages from the enemy device to the port of the switch 109 which has been mapped to the destination address contained in the message of the enemy device.

However, since the port 203 through the switch 146B is locked (as by the solid line between the switches 146B and 109 displayed), every message is from a new unknown device, on the port 203 is received from the switch 146B completed. The message is terminated because it creates an entry of known physical addresses of all known devices when the switch 146B is locked over the port 203 even if these known devices communicate via an unmanaged uplink switch such as the switch 109 communicate (the switch 146B can create this entry by specifying the source and destination addresses of the port 203 monitors and records transmitted and received messages). In the example shown, the switch "locks" 146B the entry of known physical addresses, so that only the physical addresses of the devices 111G-I the port 203 assigned. Consequently, any device that deals with the switch 109 connects (for example, via a hardwired or wireless connection), not to other devices on the network 200A over the port 203 of the switch 146B communicate (if the new device has a physical address, that of one of the devices 111G-I matches, the switch can 146 the address mapping table 222 use it to determine that the new device is not one of the devices 111G-I is). In a nutshell, though the port 203 with an unmanaged switch (the switch 109 ), which does not lock its ports, the switch can 146B the port 203 lock, so only at the time of locking to the switch 109 connected devices via the switch 146B to be able to communicate.

Third example: 2A shows the switch 146C with a port 205 which can be locked if a set of linked devices 111E and 111F at the port 205 are connected. The device 111E is physically connected to the port 205 connected, and the device 111F is with the device 111E linked, so that the device 111F about his connection with the device 111E and the port 205 with other devices on the network 200A can communicate. In general, the daisy-chain connection is a passthru connection that is common to all daisy-chained devices ( 111E and 111F ) direct access to port 205 allows. In particular, the device locks 111E his with the device 111F connected access point, such as the dotted line between the devices 111E and 111F shows. That's why an enemy device could become attached to the device 111E or 111F each of which could forward the messages received from the enemy device. However, if a new device is connected to the same port 205 Linked link is connected or a device is replaced from the chaining by a new device, the switch indicates 146C a port violation for port 205 and may not allow communication from a device attached to the daisy chain. In some Cases can happen that the switch 146C when blocking messages from the new device just ended. The message is terminated when the port 205 is locked because the switch 146C creates an entry with known physical addresses for all known devices that use port 205 communicate (eg devices 111E and 111F ), and terminate messages identifying another physical source address (eg, a host device physical address) as the known physical addresses. Thus, while an enemy device with the device 111E or 111F could connect any message from the enemy device from the switch 146C terminated (ie not over other ports of the switch 146C forwarded).

As a fourth example shows 2A finally the switch 146D with a port 207 which can be locked when it is at the unlockable hub 112 connected to multiple devices. In short, the switch handles 146D the hub 112 similar to the switch 146B the unmanaged switch 109 , The devices 113D . 111K and 111L are with the hub 112 physically connected to the port 207 connected is. Because the hub 112 its ports can not lock (as the dotted lines indicate, which is the hub 112 with the devices 113D . 111K and 111L connect), an enemy device can become with the hub 112 connect to others at the hub 112 communicate with connected devices. However, since the port 207 through the switch 146D Locked, every message is from a new unknown device on the port 207 is received from the switch 146D completed.

In particular, the devices 113D . 111K and 111L can over the network 200 communicate because their physical addresses are in the memory of the switch 146D and or 146B are registered. In some cases, the uplink ports are the switches 146A-D (eg the ports 213 and 215 ) are not locked due to better usability and increased ease of use, but all physical addresses mapped to the uplink ports are registered (eg at the switch 146B and or 146D ), and a change in the address table is marked, with warnings being generated by the switches. If someone tries the switch 146D from the switch 146B to disconnect and a new hub for example to the port 215 connect, the switch detects 146B any unknown address of a device trying to get across the new hub and the switch 146B to communicate. If someone tries to use the new hub as an intermediary between the switch 146B and the switch 146D Both switches can be inserted 146B and 146D detect the new hub (and / or any new address for a new device connected to the hub), and one or both may issue a warning about the new physical address that is now being used with the switches 146B and 146D connected is. The uplink port detection mechanism allows users to detect when such a physical access intervention is being performed.

2 B is a network diagram of an example process control network 200B in which the set of switches 146A-D is implemented. The network 200B is similar to the network 200A , Each of the switches 146A-D in the network 200B is designed to detect when one of its ports is connected to a second switch (an uplink port) and only blocks the uplink port when the second switch is an unmanaged switch. Every switch 146A-D can analyze a handshake with a second switch to determine if the second switch is a managed switch or not (for example, if the second switch is a switch) 146 is or not). During the lock, each switch can 146A-D Treat messages received over the uplink port differently, depending on whether the connected second switch is lockable. In other words, each Switch146 AD can lock or unlock an uplink port, depending on whether the second switch is lockable.

For example, the switch contains 146A an uplink port 211 that with the switch 146B connected is. Because the switch 146B lockable, leaves the switch 146A the uplink port 211 unlocked. Similarly, the switch leaves 146B the uplink ports 213 and 215 Unlocked as it with the lockable switches 146C and 146D are connected. The switch 146A can from the switch 146B forward received messages without authenticating the physical source addresses contained in the messages. You could say that the switch 146A "Assumes" that the switch 146B manages the lock on its ports and therefore the uplink port 211 even during the lock does not lock. The switch 146B can also do the ports 213 and 215 leave unlocked. In some cases, the switches are monitoring 146A and 146B the physical source addresses through the uplink ports 211 - 215 received messages and can compare the physical source addresses with known physical receivers. The switches 146A and 146B can cause a port violation warning if the monitor determines that a physical source address is unknown.

If the second switch is not lockable (for example, a generic or off-the-shelf switch), the switches can 146A-D lock an uplink port in the same way as in relation to 2A described. For example, the switch 146B the uplink port 203 (using an unmanaged switch or a switchable switch 109 connected), as in relation to 2A described, lock. In some cases, when an uplink port is locked, the switches terminate 146A-D Messages with unknown physical source addresses. In other cases, when an uplink port is blocked, the switches will redirect 146A-D continue to send messages with unknown physical addresses while generating a port violation warning or warning.

2C is a block diagram of the switch 146 which can be a DeltaV Smart Switch for use in a DeltaV ™ Process Control Network (of which there are several families to handle different use cases). The switch 146 is a Layer 2 switch, ie the switch 146 works on layer 2 the OSI model - the data link layer. During operation, the switch selects 146 a forwarding port for a message by (i) identifying a physical destination address contained in the message and (ii) referencing a switching table to identify the forwarding port associated with the physical destination address. The switch 146 does not track intermediate nodes. Receives the switch 146 For example, a message for a terminal that has four intermediate nodes with the switch 146 connected, the switch has 146 no entry via the "next node" or one of the other intermediate nodes. Rather, it references the switch table to determine which port the message should be forwarded through. Also, the switch keeps track 146 no network addresses for forwarding messages and does not use IP routing tables.

In contrast, a Layer 3 network device, such as a router, works on layers 3 the OSI model - the network layer - and typically uses a routing table. When the router receives a message, it identifies a destination network address contained in the message. The router then references the routing table to identify an optimal route to the destination network address; it identifies a next-hop network address listed for the optimal route and forwards the message to a device with the next-hop network address. Layer 3 switches typically have similar network routing intelligence to routers. In some cases, the switch can 146 be a Layer 3 switch. That is, the switch 146 may, in certain embodiments, use network addresses for routing and / or forwarding.

As previously mentioned, the switch is 146 an "intelligent process control switch", ie the switch 146 is specifically configured for the process control environment and for communication with equipment specific to process control systems such as process controllers, field devices, I / O boards, process control workstations, process control historians, and so on. The switch 146 Firmware may contain specific configurations that meet the requirements of DeltaV communication, such as: B. Storm control (limiting data transmission for certain communications) and / or loop avoidance. The switch 146 can be configured for process control by the dedicated for the process control system 100 developed firmware on the switch 146 is downloaded. The specialized firmware deals with use cases for the process control system 100 are specific and generally inaccessible to changes by the user. In general, the firmware used is designed to prevent network loops, prevent network storms, and block unused switch ports.

The switch 146 includes one or more communication ports 202 , a console access port 204 and status lights 206 , The communication ports 202 are used to connect various other network devices and process control system components for communication over the network 150 while the status lights 206 View the current operation of the network device and use it for diagnostic purposes. Generally, the ports 202 configured to receive a hardwired, physical connection, such as An Ethernet connection (eg via a CAT5 ScTP cable or a CAT6 cable) or a fiber optic connection.

The switch 146 also contains a circuit 230 , an application-specific integrated circuit (ASIC) designed specifically for the implementation of the switch 146 executed operations and functions is configured. The circuit controls at a high level 230 the ports 202 , The circuit 230 in particular activates and deactivates the ports 220 , locks and unlocks the ports 220 and edit those at the ports 220 received messages. While 2 B the circuit 230 represents as a single circuit, the switch 146 in some implementations, include a plurality of circuits that are related to the circuit 230 perform the functions described.

Furthermore, the switch 146 a memory 208 (the one volatile memory 210 and / or a nonvolatile memory 212 include: (i) one or more standard and private management information bases (MIBs) 214 ; (ii) a switching table 216 (sometimes referred to as the "Forwarding Database Table" or "FDB Table"); (iii) a dynamic address table 218 ; (iii) a static address table 220 ; and (iv) an address matching table 222 , In some cases, the memory can 208 a content addressable memory (CAM), and one or more of the tables 214 - 222 can be stored in the CAM.

In general, each of the MIBs 214 a database of objects or variables that can be manipulated to a device (such as the switch 146 ) in correspondence with the respective MIB 214 to manage. The MIBs 214 can contain a collection of objects that can be accessed through a command line interface (CLI) to the switch 146 to manage and specific functions of the process control network 150 to implement. One or more private MIBs 214 can contain objects that are from the circuit 230 can be managed to control the lock and unlock functions described herein. Furthermore, the circuit 230 the private MIBs 214 use to have a runtime API connected to the switch 146 communicates to provide an interface for the network security features of DeltaV ™. The process control network 150 can be configured to include a mix of network devices, each including a private MIB to control lock and unlock ("lock-in") features, and commercial, off-the-shelf network devices with no lock or unlock capabilities.

The switching table 216 contains one or more physical addresses (eg MAC addresses) and for each physical address a corresponding port of the switch 146 , During operation, the switch receives 146 a message on one of the ports 202 , The circuit 230 parses the message to identify a physical destination address contained in the message and references the switch table 216 to the port 202 identify the physical destination address. If the switch table 216 the physical destination address does not contain the circuit 230 perform a flooding routine where they switch 146 causes the message across all ports 202 to send. For example, suppose a device with the physical destination address is directly or indirectly with one of the ports 202 connected, the device responds to the received message. After the switch 146 The answer is received, the circuit carries 230 the physical destination address and the port 202 in the switching table 216 one on which the circuit 230 received the response of the target device.

Generally, the switch uses 146 the dynamic address table 218 not to make decisions about forwarding or terminating messages. Rather, the dynamic address table provides 218 an entry of devices connected to ports that can be constantly updated over time. The dynamic address table 218 lists physical addresses currently on each port 202 of the switch 146 connected terminals. For example, the switch 146 an illustration of a physical address on a particular port 202 learn dynamically by giving a frame 175 (please refer 1C) that was received from a device to the MAC source address 180 identify the device. The switch 146 adds to the dynamic address table 218 the MAC source address 180 as a physical address added to the respective port 202 is shown. Furthermore, the switch 146 dynamically learn a mapping (mapping) of a physical address on a second port by specifying (i) the frame 175 parses to the MAC destination address 182 of the target device, (ii) the ones related to the switch table 216 described flooding routine and (iii) the port 202 identifies where a response message of the target device is received. In some cases, the dynamic address table 218 be updated periodically by adding information from the routing table 216 be copied. Furthermore, the switch uses 146 in some implementations, only one of the tables 216 and 218 both for forwarding decisions and for tracking the physical addresses of connected devices.

The circuit 230 can be the dynamic address table 218 update if node with the switch 146 connected or disconnected by adding new physical addresses on the port 202 and physical addresses that are not currently being used are aged (eg, tracking a time or number of messages that have occurred without successfully passing a message to or from a message) a specific physical address was sent). After an aging period, the circuit can 230 For example, the physical address from the dynamic address table 218 remove.

Similar to the dynamic address table 218 lists the static address table 220 physical addresses for terminals on each port 202 assigned. The physical addresses in the table 220 however, they are not learned dynamically and do not age. Rather, they are explicitly made by copying the dynamic table 218 entered when the switch 146 Is blocked. The in the firmware of the switch 146 implemented functions can be the switching table 216 with the tables 218 and 220 Compare to process incoming messages. The static address table 220 can from the circuit 230 used when an authentication process is implemented to authenticate the physical source addresses that are in the ports 202 received messages are included. In particular, if a physical source address for a received message is not identified as a known physical address on the receiving port in the static address table 220 pictured, the circuit can 230 finish the message.

In general, the switching table 216 to be extended to physical addresses while the switch 146 is in a normal or "unlocked" state. If the switch 146 in an "unlocked" state, for example, an Ethernet frame 175 receives, checks the circuit 130 the MAC destination address 180 and references the switch table 216 to the appropriate port 202 to identify to the the frame 175 should be forwarded. Contains the switching table 216 no information about the received MAC destination address 180 , the switch sends 146 the Ethernet frame 175 to all ports in the network 150 , After detecting the transmitted MAC on another network device, another frame may be sent to the sender switch 146 be sent, the found MAC address to the dynamic address table 218 and to the switching table 216 adds. In a "lock" state (as discussed below), the switch table 216 however, be frozen in their current configuration to prevent further changes or additions. Already learned physical addresses and other information at the time of blocking in the dynamic address table 218 contained in the static address table 220 moved and learning can for the switch 146 be deactivated. In the locked state, the switching table 216 not be changed, so the switch 146 a frame 175 from an unknown or previously unlearned MAC address 182 received, can not accept and forward.

The address match table 222 lists a network address for each known physical address that exists in one or more of the tables 216 . 218 and 220 is stored. The switch 146 can discover the network addresses for known physical addresses by sending ARP requests for the network addresses. Alternatively, a database may, in some cases, provide a list of network addresses for nodes in the process control network 150 save, and the switch 146 can download network addresses for known physical addresses from the database. While the switch 146 the address match table 222 not used to select a forwarding port for a received message, the switch 146 the table 222 to prevent spoofing of the Address Resolution Protocol (ARP). Especially if the switch 146 is locked, it can check an identification of a source device that sends a message to the switch 146 by checking that the source device has a network address that matches a known network address in the address matching table 222 matches. This check can be helpful if an enemy device has spoofed a physical address of a known device (spoofing). The address match table 222 is below with reference to 5 described in more detail.

If the switch 146 has an uplink port (ie, a port connected to a second switch), the switch can 146 implement a handshake with the second switch to determine if the second switch is a managed switch or an unmanaged switch. In general, a managed switch is able to lock its ports and an unmanaged switch is unable to lock its ports. During the handshake, the switch can 146 The second switch receives an indication of its "lockability" or status as a managed switch or unmanaged switch. In some cases, the switch can 146 send a query to the second switch, and the second switch can respond by saying that the second switch is a managed switch. The second switch may also respond with an indication that the second switch is an unmanaged switch, or simply not responding. Failure to respond within a certain amount of time (eg, 1 second, 5 seconds, 30 seconds, etc.) may cause the switch 146 as an indication that the second switch is an unmanaged switch.

If the switch 146 receives an indication that the second switch is a managed switch, the switch 146 bypassing the second switch on the assumption that the second switch will handle the blocking of the ports of the second switch. This can be the switch 146 Monitor the physical source address of devices communicating through the second switch and compare these monitored physical source addresses with an entry of known physical addresses. If the switch 146 detects a monitored physical source address associated with the second switch that is not a known physical address, the switch can 146 trigger a warning (for example, a port violation warning sent to one of the workstations 120 or 122 can be transmitted for display via a user interface).

3A shows an example method 300 to lock and unlock ports 202 for one or more switches 146 , Generally it allows the method 300 a user of the process control system 100 , a switch 146 to lock, so the switch 146 all messages received from "unknown" devices stopped. For example, if a user selects a device from a port 202 of the switch 146 disconnects and in its place another device inserted, denied the switch 146 all messages from the other device and notifies a user interface, a monitoring service and / or another application running on a workstation 120 . 122 of the system 100 is performed. In the locked state, all ports can 202 in the networks 150 and or 155 be locked, so no new device with an "unknown" physical address through the ports 202 communicate can. The following methods usually refer to those in the 4A-D illustrated user interface 400 It should be understood, however, that any suitable user interface may be used to perform the functions described.

In block 302 For example, a user can start a security application for a process control network that has the UI 400 indicates (see 4A-D ) to start the locking process. One of the workstations 120 or 122 can the user interface 400 deploy the MIBs 214 at the switch 146 can use to initiate lock and unlock operations.

At block 304 For example, the application may initiate a switch discovery that may occur automatically (eg, at startup) or in response to user input. The user interface 400 can give a status hint 402 "Discover switches" or represent another indication that one or more switches 146 of the process control system 150 be identified. In some embodiments, the application may include one or more user interface function keys 400 disable when discovering network devices is initiated. A user can also start searching for network devices manually. In some cases, the application may use any switch (managed or unmanaged) within the process control network 150 discover. In other cases, the application can only identify those network devices that have a lock feature, such as: B. the switch 146 ,

The application can be a switch 146 discover it by the network 150 using one or more parameters. In some cases, the application may additionally or alternatively network 155 search. The switch 146 can first have a physical address of the switch 146 get discovered. The switch 146 can be configured to a network address during a startup procedure. After this startup, communication with the switch 146 about the MIB 214 enabled (for example, the switch 146 by finding the private MIB 214 of the switch 146 be identified), and devices outside the LAN can send messages to the switch 146 send by sending the messages to the network address of the switch 146 address. The application can switch to 146 Search by searching a specific range of physical addresses and / or network addresses. Note: while the switch 146 even a network address can have, is the switch 146 when selecting a forwarding port for received messages, generally does not rely on network addresses of other devices.

In block 306 can have one or more switches 146 ( 4B) in block 304 were discovered by the user interface 400 via an expandable drop-down menu 406 ( 4A) and parameters for one of the discovered switches for a switch 146 that comes from the expandable drop-down menu 406 ( 4C) has been selected. For example, security parameters such as lock status, lock time, and password age may be displayed in a UI window 400 are displayed. The window may also display switch warnings (eg, COMM, FAILED, MAINT, ADVISE) and component status parameters (eg, power status, chassis temperature, etc.). The ports of the switch may be listed along with a number of parameters for each port (eg, whether the port is enabled or disabled, identifying a node name for a connected end node, identifying a port lock address, and / or indicating whether there is a port violation).

If all detectable switches 146 could be discovered, the user interface 400 show that the search is complete. In some embodiments, the switches may 146 at the first commissioning of the method 300 only with its physical address in the list of disused switches of the user interface 400 are displayed. If the detected switches are not otherwise locked, the lock status may indicate that the detected switches 146 in an "unlocked" state. When unlocked, the switches can 146 all normal functions within the network 150 To run. In some embodiments, the ports 202 when unlocked, take over the basic transparent bridging functions of learning, aging and forwarding. A standard aging time can be set to six hundred seconds (ten minutes), but other standard times may vary depending on the configuration of the switch 146 and the network 150 be set. After the search is completed, the one or more function keys are displayed 434 available for selection for a user or for an automatic process.

In block 308 For example, a user or an automated process may have one or more of the user interface 400 in 4A selected "unlocked" switches. The user may make this selection by using an input device (eg, a mouse or a touch screen) of the workstation to select one or more desired switches, which may result in the user interface 400 displays a drop-down menu with a selectable button to lock the switch. As in 4B The user can also display an entire network (eg by right-clicking to the desired network) for locking (so that all switches 146 locked in the selected network). In some cases, one or more switches 146 a hardware actuator (eg, a button) that can be operated to trigger the lock. In addition, an automatic process may select a switch for blocking based on a trigger, e.g. For example, the detection of an enemy device that has connected to the network in any capacity.

In block 310 the workstation releases a locking process (like the one in 3B shown method 325 ) when it is determined that the user presses a lock button, such as the one in 4F Lock key shown. The from the user interface 400 Lock keys provided may include processes for selectively triggering the lock on different parts of the process control network 150 trigger. For example, separate buttons may provide the opportunity for the entire network, the primary network, the secondary network, individual switches 146 or specific ports 202 on one or more selected switches (es) 146 to lock. For added security, the locking process may in some cases only work from a selected workstation 120 . 122 be triggered and not over the Internet, z. Using a remote workstation that is not a physical part of the process control network 150 or only initiated by one or more pre-approved MAC addresses or IP addresses. After the lock process has been triggered by selecting a lock key, an authentication process can be triggered. For example, the workstation may request the user to provide a username and password or other personal identification to confirm the access rights to the locking process. The application 400 can provide administrative access via MIB 214 use to switch 146 to lock and unlock. The communication can be encrypted, and any keys or passwords used can be unknown to the user but the switches 146 and the application 400 be known.

In authentication after a lock key is selected, the workstation can issue a lock command to a selected switch 146 send (for example, by setting one or more variables of the private MIB 214 of the selected switch 146 ). In response to the lock command, the switch can 146 all its ports 202 lock. In general, this involves locking a port 202 the rejection of a message or a frame 175 with a MAC source address 182 at the time of activation of the locked state not in the switching table 216 of the switch 146 is included. In some embodiments, prohibited physical addresses may be in memory 208 of the switch 146 (for example, known malicious MAC addresses, a range of MAC addresses associated with unauthorized devices, etc.), and the switch 146 Ends every received message containing one of the forbidden physical addresses.

In block 311 must after the execution of the lock process 325 for one or more switches (es) 146 one or more of the switches 146 be unlocked, z. Troubleshooting, routine maintenance, diagnostics, network reconfiguration, etc.

In block 312 A user or an automated process can use one or more of the switches 146 which are in a "locked" state and in block 314 For example, the workstation used by the user may initiate an unlock process (e.g. 3C shown method 350 ) when the user selects an unlock key (as in 4D shown). Like the lock keys, the unlock key can also unlock the various parts of the process control network 150 triggering previously using one or more private MIBs 214 were locked. For additional security, the unlock process can be configured with a lock timer that automatically opens one or more of the previously locked ports 220 locks again. The lock timer can be configured with a default setting, and after a period of time has elapsed after the unlock process has ended (block 316 ) One or more of the unlocked switches 146 can be locked again (block 310 ). In one embodiment, the lockout timer is configured with a default setting of sixty minutes (three thousand six hundred seconds). The unlock process can be performed by a selected workstation 120 . 122 and can not be triggered over the internet, eg. Via a remote workstation that is not a physical part of the process control network or can only be triggered by one or more pre-approved MAC addresses.

The unlock process may also include an authentication process. For example, the workstation 120 or 122 and / or the user interface 400 Request a user name and password or other personal identification from the user to confirm the access rights to the locking process. If the user is properly authenticated, he can access the private MIB 214 of the one or more selected locked switches 146 and / or ports 202 access to trigger the unlock.

3B shows an example method 325 for blocking the ports 202 of the switch 146 , The blocks described below can be used with the Switch 146 and / or the workstations 120 or 122 be implemented.

In block 326 the switch generates 146 a static table, e.g. B. the static address table 220 , In general, the static table is an entry of known physical addresses at the time the lock is triggered with each port of the switch 146 were connected. The mapping of the port states and / or the physical addresses can be stored either automatically or explicitly by a user (eg in non-volatile memory 212 ). If desired, the entry of known physical addresses from the switch 146 on power-up or reboot to prevent forced opening of a locked port.

In some embodiments, the static table is made by copying the list of physical addresses from the dynamic address table 218 on every port 202 produced. In some cases, the known physical addresses and other data may be completely out of the dynamic address table 218 away and into the static address table 220 be moved. In some embodiments, the current number of learned addresses is in the dynamic address table 218 greater than a maximum number, only a subset of the addresses may be blocked. The remaining addresses can then be taken from the switching table 216 be removed and lead to connectivity errors. For connectivity issues, an error message can be sent to the user interface indicating an error in the lock process.

In block 328 can the switch 146 analyze each message received at each of the ports to identify a physical source address contained in each message (e.g., the one in 1C shown MAC source address 182 ). The switch 146 can then determine if the physical source address in the static table (block 330 ) is included. If not, the physical source address is an unknown address and the message is terminated (block 332 ).

If the source address from the message is included in the static table, the switch parses 146 the traffic on the port corresponding to the destination address contained in the message (block 334 ). If the traffic on the forwarding port is below a stored traffic threshold (entered by a user or program during the switch configuration), the message is forwarded (Block 306 ). If not, the message is held back until the traffic falls below the threshold; At this time, the message will be forwarded. In some implementations, the message may terminate after a certain time or immediately. In some embodiments, the switch analyzes 146 additionally or alternatively the traffic at the receiving port and analyzes the source address of the message (block 328 ) only if the traffic is below a given traffic threshold.

Note that the switch 146 in some cases, typical functions for the switch 146 while disabling the lock. In one embodiment, the switch disables 146 for the switch 146 or for a specific port 202 learning addresses and aging addresses. For example, the dynamic address table 218 be disabled and no longer accept entries, the switch 146 allowed the network 150 no longer flood to discover new addresses, and the previously received addresses can not be removed from the dynamic address table after the aging time has expired 218 be removed.

After the release of the lock, the user interface 400 a lock status of one or more switches 146 of "UNLOCKED" or a status indicator of "done" on an indication change that the selected device is locked or locked. In relation to 4C can the user interface 400 When the lock is complete, show the lock status for each locked switch as "LOCKED."

3C shows an example method 350 to unlock the switch 146 , The user's workstation can issue an unlock command to the switch 146 send (for example, by changing an object or variable value of one of the private MIBs 214 of the switch 146 ).

In block 354 can use the address data in the static table 220 that map physical addresses to specific ports are deleted. In some embodiments, static address data added by a user or other explicit process may be unlocked in the static address table 220 remain.

In block 356 can the switch 146 an unlocked state for the ports 220 activate. In particular, the switch is listening 146 to finish messages with a source address that does not match the static table 218 matches.

At block 358 can the switch 146 resume the normal port or device functions. For example, in an unlocked state, the typical learning and aging functions that were interrupted during the lockup can be resumed and the switch table resumed 216 and the dynamic table 218 be re-equipped.

In block 360 can the switch 146 save a new switch or port configuration. For example, the port states and / or physical addresses may be stored either automatically or explicitly by a user to pass through the switch 146 to be implemented after switching on or off or restarting.

In some embodiments, the user interface 400 after initiation of the unlock process in block 314 Change the lock state of one or more switches from "LOCKED" to an indication that the selected switches are in a "wait for lock" status. When the lock timer is initialized with the unlock operation, a remaining time status may indicate a remaining time period before the devices return to a locked state. The remaining time can also be configured to never return to the locked state. For example, on an object of the private MIB 214 to configure the timer to Never Return or any other time period.

In some embodiments, the switch 146 when switching on a stored configuration fall back. For example, a device may try to send an unauthorized device to the process control network 150 connect by powering one or more switches 146 turns on and off to open a locked port. After switching on, the switch can 146 be configured to point to the saved configuration in its non-volatile memory 212 accesses ( 2 ). Regardless of whether an off and on switch returns to a locked or unlocked state, any device connected to the network before turning on and off can automatically restore communication with the system while each new device, that was added to the port while the power was off is rejected. If the device is switched to the "DISABLED" state and the inhibit timer is greater than zero, the device can automatically switch to a locked state after this time has elapsed.

5 shows an example of the address matching table 222 according to some embodiments. In the 5 illustrated address matching table 222 can be a representation of data on the switch 146 (eg, using a content-addressable memory) and / or stored on another device within a process control system. Alternatively or additionally, a device (eg the switch 146 , the workstations 120 or 122 or another device) cause at least a portion of the in the address match table 146 information contained in a user interface (eg the user interface) 400 ) for access and verification by a user. It should be noted that the address match table 222 is only an example and thus contains exemplary information and may also include alternative and / or additional information.

The address match table 222 can contain a column set, each of which is populated with corresponding data and information. In particular, the address match table 222 a port column 505 , an IP address column 510 , a MAC address column 515 , a lock status column 520 and a security status column 525 contain. The port column 505 can be a set of communication ports 202 of the switch 146 identify (as shown: communication ports 1 to 6 ). Each of the communication ports in the set of communication ports 202 can be connected to a device or other switch. If a communication port with another switch 146 is connected, the communication port can be considered as an uplink port. While 5 It should be noted that a single port could be mapped to multiple devices, each with a physical address (col 510 ), a network address (column 515 ), a lock status (column 520 ) and a security status (column 525 ) would contain.

The IP address column 510 can identify a set of network addresses (eg, IP addresses) of a set of equipment, each with the set of communication ports 222 connected, and the MAC address column 515 may identify a set of physical addresses (e.g., MAC addresses) of the device set that correspond to the set of communication ports. For example, a device with the IP address 10.10.10.10.2 and the MAC address 00: 0C: F5: 09: 56: E9 is connected to the communication port "1". As in 5 Neither the communication port "3" nor the communication port "6" is connected to a device so that the corresponding IP and MAC addresses are zero.

The lock status column 520 can indicate the lock status (for example, "LOCKED" or "UNLOCKED") of each of the set of communication ports 222 identify. As in 5 represented is each of the communication ports 222 with a device connected to it (communication ports "1", "2", "4" and "5") "LOCKED" and each of the communication ports without connected device (communication ports "3" and "6") "UNLOCKED". It should be noted, however, that in a typical example, all ports of the switch 146 are locked when the switch 146 is locked except when The switch ports are either identified as uplink ports or manually configured by the user via CLI configuration as ignorable (always unlocked). In the embodiments discussed herein, the switch 146 (and in particular a set of ASICs of the switch 146 ) receive the IP and MAC addresses of the devices in connection with triggering a lock on the occupied communication ports.

The security status column 525 can identify a security status for each of the set of communication ports. Depending on the embodiment, the switch 146 automatically and continuously monitor the information (eg as data packets) transmitted via the set of communication ports between and among the devices already connected to it and / or other devices that can connect to the switch after the switch is locked, be received and transmitted.

The switch 146 can examine all received data packets to determine if there are any discrepancies between the information contained in the data packets. In particular, the switch 146 Information contained in data packets with the information in the address matching table 222 compare to identify discrepancies. If the switch 146 If there is no discrepancy in the data packet traffic for a specific communication port, the security status of the respective communication port can be "NORMAL". Detects the switch 146 however, a discrepancy in the data packet traffic, so can the security status of the respective communication port 222 from "NORMAL" to "WARNING".

As in 5 For example, the security status for communication ports "2" and "6" is set to "WARNING", while the other communication ports have the security status "NORMAL". In an example run, the security status for communication port "2" may be "WARNING" due to an attempted ARP spoofing attack. In this embodiment, the device originally connected to the communications port "2" may be replaced by an attacking device (or the originally attached device may be compromised) that sends a data packet to the switch 146 can send. The switch 146 can examine the data packet and determine that one or both of the IP and MAC addresses contained in the data packet do not match the corresponding IP address and / or MAC address in the address matching table 222 to match. Accordingly, the switch 146 Update the security status of the corresponding communication port to "WARNING".

Similarly, in an example implementation, the security status for communication port "6" may also be set to "WARNING" due to an attempted ARP spoofing attack. In this embodiment, the communication port "6" can be unlocked since no device was connected at the time of inhibition. After being disabled, a device (which may or may not be an attacking device) may connect to the unlocked communication port "6" and the device may send a data packet to the switch. The switch 146 can examine the data packet and determine that no device is allowed to communicate over the communication port "6" because the communication port "6" is unlocked. Accordingly, the switch can update the security status of the communication port to "WARNING".

The switch 146 can enable the communication and / or display of detected warnings. In some embodiments, the switch 146 be connected to another device of the process control system, which may be equipped with a user interface. The switch 146 may send an indication of one or more detected alerts to the device, and the device may be configured to display or display the one or more detected alerts via the user interface. Accordingly, a user (eg, a person or an administrator) connected to the process control system may access and review the information and perform appropriate corrective or diagnostic actions.

6 shows a block diagram of an example method 600 to implement the address matching table 222 to improve the security of a process control system, such as B. the process control system 100 in a process plant. The method 600 can through the switch 146 be enabled.

The method 600 can start when the switch 146 a blocking of the communication ports of the switch 146 triggers (block 605 ). In different embodiments, the switch 146 a blockage of part or all communication ports 146 trigger.

In connection with the triggering of the blocking of the set of communication ports, the switch 146 get a set of network addresses (eg a set of IP addresses) of a set of equipment (block 610 ) connected to at least a portion of the set of communication ports. It should be noted that the switch may receive the set of network addresses before, during, or after initiation (and / or completion) of the blockage. In one implementation, a set of the ASICs integrated into the switch may be the set of the network addresses using data associated with the connection of the equipment set to at least the portion of the set of communication ports. Additionally or alternatively, the equipment set may include one or more devices within the process plant and / or one or more switches to which one or more additional devices (or additional switches) may be connected. In a particular implementation, the switch may be 146 (i) obtain a first network address of a first device connected to a first communication port (ie, a device connection), and (ii) obtain a plurality of network addresses of a plurality of devices connected to a second communication port through an additional one Switch (ie a switch connection) are connected. The network addresses can be obtained from another device in the process control system.

The switch 146 may optionally receive a set of physical addresses (eg, a set of MAC addresses) of the device set in connection with the release of the lock (block 615 ) connected to at least the part of the set of communication ports. It should be noted that the switch may receive the set of physical addresses before, during, or after the initiation (and / or completion) of the lock. For example, the switch may receive and record the set of physical addresses before it triggers the lock. In one implementation, a set of the ASICs (eg, the circuit 230 ), who is in the switch 146 integrated, obtain the set of physical addresses using data associated with the connection of the equipment set with at least the part of the set of communication ports.

The switch 146 can for the switch 146 an address matching table 222 generate (block 620 ), where the address match table 222 can match the set of physical addresses of the device set with the set of network addresses of the device set. The address match table 222 may also match the set of physical addresses and the set of network addresses with at least the portion of the set of communication ports. That is, for each device that (directly or indirectly) to a specific port of the switch 146 connected is the address mapping table 222 List a network and physical address pair for each port. Accordingly, a port connected to a plurality of devices has a plurality of associated address pairs (one address pair for each attached device). The switch 146 can store locally (e.g., via content addressable memory) the address match table for access and verification.

The switch 146 can receive a data packet from a device via a port from the set of communication ports (block 625 ), wherein the data packet can indicate at least (i) a network address of the device and (ii) a physical address of the device. In various embodiments, the device may be connected to one of the communication ports before or after the switch 146 the lock triggers. Additionally or alternatively, the device may replace another device that was previously connected to one of the communication ports (eg in the case of a cable change). Additionally or alternatively, the device may be connected to an unlocked communication port or to a communication port of the portion of the set of communication ports (ie, a locked communications port).

According to various embodiments, the data packet may represent an ARP spoofing attack by the device, for the determination of which the switch 146 can be configured by determining (block 630 ), whether the network address of the device and the physical address of the device in the address matching table 222 are included. In particular, the network address and the physical address of the device as a pair do not necessarily match the mapped network address and the mapped physical address contained in the address match table for the communication port to which the device is attached. For example, if the device is connected to communication port "3" and one or both of the network address and physical address of the device do not match the corresponding mapped addresses for communication port "3", there is a mismatch.

If the switch 146 determines that the addresses match ("YES"), processing may be terminated, repeated, or continued with other functions. Represents the switch 146 however, if the addresses do not match ("NO"), then an ARP spoofing attempt may be attempted and the switch 146 can trigger a warning (block 35 ). In embodiments, the alert may specify a port from the set of communication ports to which the device is attached and / or other information, including the network address and / or the physical address of the device. In addition, the switch 146 effect (block 40 ) that the warning is displayed on a user interface, where the user interface may be on a different device or component in the process plant. Accordingly, a user (eg, a plant engineer or administrator) may review the contents of the alert and take appropriate action.

The switch 146 may further determine (block 645 ), whether the transmission of the data packet should be allowed or denied. In various embodiments, the determination may be a default selection (eg, always allow or always deny), or the switch 146 can dynamically determine whether the transmission should be allowed or denied based on one or more factors, such as the contents of the data packet itself, the device's physical address, the device's network address, and / or other factors.

If the switch determines to allow the transmission ("PERMIT"), the switch may allow transmission of the data packet (Block 50 ). If the switch 146 however, denying the transmission ("REFUSE"), the switch can reject the transmission of the data packet (terminate the data packet).

7 shows a block diagram of an example method 700 to detect security issues related to the switch 146 , The method 700 can through the switch 146 be implemented.

The method 700 can start when the switch 146 optionally a block of a set of communication ports of the switch 146 triggers (block 705 ) as described here. In different embodiments, the switch 146 trigger a lock on part or all of the communication ports, so that in some cases one or more of the communication ports can remain unlocked upon request.

In connection with the triggering of the block of the set of communication ports, the switch 146 receive a set of network addresses (eg, a set of IP addresses) of the set of devices connected to at least a portion of the set of communication ports. It should be noted that the switch 146 the set of network addresses can be obtained before, during, or after initiating (and / or completing) the lock. In one implementation, a set of ASICs that are in the switch 146 integrated, obtain the set of network addresses using data associated with the connection of the equipment set with at least the part of the set of communication ports. Additionally or alternatively, the equipment set may include one or more devices in the process plant and / or one or more switches to which one or more additional devices (or additional switches) may be connected. In a particular implementation, the switch may be 146 (i) obtain a first network address of a first device connected to a first communication port (a device connection), and (ii) obtain a plurality of network addresses of a plurality of devices connected to a second communication port via an additional switch (a switch connection) are connected.

The switch 146 Optionally, in connection with the release of the lock, may receive a set of physical addresses (eg, an address from the set of MAC addresses) of the set of equipment connected to at least the portion of the set of communication ports. It should be noted that the switch may receive the set of physical addresses before, during, or after the initiation (and / or completion) of the lock. For example, the switch 146 Obtain and record the set of physical addresses before triggering the lock. In one implementation, a set of ASICs that are in the switch 146 integrated, obtain the set of physical addresses using data associated with the connection of the set of equipment with at least the part of the set of communication ports.

The switch 146 may also be the address match table 222 create and access it (block 710 ), where the address match table 222 can match the set of physical addresses of the device set with the set of network addresses of the device set. The address match table 222 may also match the set of physical addresses and the set of network addresses with at least the portion of the set of communication ports. Accordingly, each communication port to which a device is connected may have an associated physical address of the device and a network address of the device. In one implementation, the one in the switch 146 integrated set of ASICs the address matching table 222 produce. The switch 146 can locally store (for example, using the content addressable memory) the address match table for access and validation.

The switch 146 can send a mapping request (block 615 ) indicating a destination network address that matches one of the network addresses contained in the address matching table. In certain embodiments, the mapping request may take the form of an ARP request with an IP address from the address mapping table, where the ARP request is destined to find a MAC address corresponding to the IP address , and the ARP request can be sent to any device connected to the switch.

The switch 146 can receive a response to the mapping request from a responding device via a port from the set of communication ports (block 720 ), the answer being (i) the Destination network address and (ii) can specify a physical address of the responding device. Depending on the embodiment, the response of the responding device may represent an attempted ARP spoofing attack of the responding device for which the switch determines 146 can be configured.

Accordingly, the switch 146 determine (block 725 ), whether the physical address of the responding device matches one of the set of physical addresses of the device set contained in the address match table. In particular, the physical address of the responding device may not match the mapped physical address included in the address match table 222 for the communication port to which the answering device is connected. For example, if the answering device is connected to the communication port "3" and the physical address of the answering device does not match the corresponding mapped physical address for the communication port "3", there is a mismatch. In one implementation, the set of network-integrated ASICs may make the determination.

If the switch 146 determines that the physical addresses match ("YES") (ie, no ARP spoofing attack is attempted), processing may be terminated, repeated, or continued with other functions. Represents the switch 146 however, if the physical addresses do not match ("NO"), then an ARP spoofing attempt may occur and the switch may trigger a warning (Block 730 ). In some embodiments, the alert may indicate a port from the set of communication ports to which the responding device is attached and / or other information including the network address and / or the physical address of the responding device. In addition, the switch 146 effect (block 735 ) that the alert is displayed on a user interface, where the user interface may be on a different device or component in the process plant. Accordingly, a user (eg, a plant engineer or administrator) may review the contents of the alert and take appropriate action.

The lock routines and address mapping routines described herein may be implemented in software, hardware, firmware, or a combination thereof. So can the methods described here 300 . 325 . 350 . 500 . 600 and 700 be implemented in a standard general purpose CPU and / or on specially designed hardware or firmware such as ASICs. When the software is implemented in software, it may be stored in any computer-readable memory such as a magnetic disk, a laser disk, an optical disk or other storage medium, a RAM or ROM of a computer or processor, and so on. Likewise, this software can be delivered via any known or desired delivery to a user or to a process control system, e.g. On a computer readable hard disk or other portable computer storage mechanism, or via a communication channel such as a telephone line, the Internet, etc. (which is considered to be synonymous or interchangeable with the provision of such software via a portable storage medium).

In general, the term "memory" or "storage device" refers to a computer readable media ("CRM") system or device. "CRM" means a medium or media that the particular computer system has access to place, store, and / or retrieve information (eg, data, computer-readable commands, program modules, applications, routines, etc.).

Note: "CRM" refers to media that are not transitory in nature and does not refer to disembodied, transitory signals, such as: B. radio waves.

As in 1A mentioned, is the network 150 a collection of nodes (eg, devices or systems that can send, receive, and / or forward information) and communication links connected to allow telecommunications between the nodes. In general, the term "node" refers to a connection point, a redistribution point, or a communication endpoint. A node can be any device or system (eg, a computer system) that can send, receive, and / or forward information. For example, terminals or end systems that generate and / or ultimately receive a message are nodes. Intermediate devices that receive and forward the message (eg between two terminals) are generally considered "nodes". A "communication link" or a "link" is a path or medium that connects two or more nodes. A link can be a physical and / or logical link. A physical connection is the interface and / or media / media through which information is transmitted, and may be hard-wired or wireless in nature. Examples of physical connections may include a cable having a conductor for transmitting electrical energy, a fiber optic connection for transmitting light, and / or a wireless electromagnetic signal transmitting information about changes in one or more characteristics of an electromagnetic wave (s).

QUOTES INCLUDE IN THE DESCRIPTION

This list of the documents listed by the applicant has been generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Cited patent literature

• US 8590033 [0010]

Claims (19)

Process control switch, comprising: a plurality of ports; and a circuit set communicatively coupled to the plurality of ports, the circuit set configured to disable the plurality of ports, the circuit set comprising: generates a static address table which (i) maps known physical addresses for devices in a process control environment to one or more of the plurality of ports to which the devices are connected and which (ii) will not be updated with new known physical addresses while the A plurality of ports are locked, the static address table mapping a plurality of known physical addresses on a single port connected to a bootable switch or daisy chain of devices; and limits the traffic at each of the plurality of ports, wherein the circuit set: (i) controls the number of messages forwarded at each port for whether a traffic threshold is met, and (ii) authenticates the physical source addresses that reside in each of the messages received by each port, including: (a) parsing the message to identify a physical source address contained in the message; (b) forwarding the message over a port of the plurality of ports if the static address table lists the physical source address as a known physical address ported on the single port; and (c) terminate the message if the static address table does not list the physical source address as a known physical address mapped to the single port. Process control switch to Claim 1 wherein the circuit set is configured to forward messages received at the plurality of ports without the use of network addresses based on a switching table mapping physical addresses on the plurality of ports and / or messages, which are received at the plurality of ports, based on an analysis of the network addresses. Process control switch to Claim 1 or 2 wherein the circuit set is application specific integrated circuits (ASICs) specifically configured to perform the steps, and / or wherein the static address table is stored in a content addressable memory (CAM). Process control switch according to one of Claims 1 - 3 wherein the static table is generated by copying a dynamic address table populated by the circuit set when the process control switch is in an unlocked state, in particular wherein the dynamic address table is a switching table used by the circuit set to forward Ports for received messages based on (i) physical destination addresses contained in the messages, and (ii) corresponding ports ported on the physical destination addresses, and / or wherein the dynamic address table is different from said switching table , Process control switch according to one of Claims 1 - 4 wherein the circuit set is configured to implement the locking operation in response to receipt of a locking command sent to the process control switch in response to user interaction with a user interface for manually triggering the locking command, and / or implemented on a device that detects a security threat in a network to which the process-routing switch is attached. Method, comprising: Disabling a process control switch by generating a static address table that (i) maps known physical addresses for devices in a process control environment to one or more ports of a plurality of the ports of the process control switch to which the devices are connected, and (ii) the can not be updated with a new known physical address if the process control switch is disabled, the static address table mapping a plurality of known physical addresses on a single port; Limiting traffic at each of the plurality of ports by: (i) controlling the number of messages forwarded at each port to meet a traffic threshold, and (ii) authenticating the physical source addresses included in each of the messages received at each port include, where the authentication includes: (a) parsing a message to identify a physical source address contained in the message; (b) forwarding the message over one of the plurality of ports if the static address table lists the physical source address as a known physical address mapped to the single port; and (c) terminate the message if the static address table does not list the physical source address as a known physical address mapped to the single port. Method according to Claim 6 wherein forwarding the message over one of the plurality of ports comprises: forwarding the message without using network addresses based on a Switching table mapping physical addresses on the plurality of ports, and / or, forwarding the message based on an analysis of network addresses. Method according to Claim 6 or 7 and further comprising receiving a lock command that is sent to the process control switch in response to a device detecting a security threat in a network to which the process control switch is connected, wherein the blocking of the process control switch is in response upon receiving the lock command, and / or further comprising unblocking the process control switch by stopping authentication so that messages are forwarded without authenticating physical source addresses contained in the messages. Process control switch, comprising: a plurality of ports; and a circuit set communicatively coupled to the plurality of ports, the circuit set being configured to implement a lock operation, the circuit set comprising: (a) recognizes that one of the plurality of ports is connected to a second switch; (b) analyze a handshake with the second switch to determine if the second switch is lockable or not; (c) forwards messages received from the second switch without authenticating the source physical addresses for the messages. if the circuit set determines that the second switch is lockable; and (d) authenticating physical source addresses contained in the messages received on the port if the circuit set determines that the second switch is not lockable so that a message received on the port is analyzed to determine if the received message identifies a physical source address or not, which is included in a list of known physical addresses. Process control switch to Claim 9 wherein the circuit set is further configured to terminate the message received at the port if the circuit set determines that the second switch is not lockable, and if the message identifies a physical source address that is not included in the list of known physical addresses and, and wherein the circuit set is further configured to generate a port violation warning if the circuit set determines that the second switch is not lockable and if the message identifies a physical source address that is not included in the list of known physical addresses , Process control switch to Claim 9 or 10 wherein the handshake with the second switch comprises the circuit set sending an inquiry regarding the blocking capability of the second switch via the plurality of ports; and wherein the handshake with the second switch means sending an indication of the blocking capability by the second switch includes without having received a query from the process control switch. Process control switch according to one of Claims 9 to 11 wherein the circuit set is configured to forward messages received at the plurality of ports without the use of network addresses based on a switching table mapping physical addresses on the plurality of ports. A method for implementing a lockout process for process control switches, comprising: (a) detecting that a port of a plurality of the ports of a process-routing switch is connected to a second switch; (b) analyzing a handshake between the process control switch and the second switch to determine if the second switch is lockable or not; and (c) Actuate the process-control switch in the locked state, including: (1) forwarding the messages received at the process-routing switch from the second switch if the results of the analysis indicate that the second switch is lockable without authenticating the source physical addresses for the messages; and (2) authenticating the physical source addresses contained in the messages received at the port if the results of the analysis indicate that the second switch is not lockable so that a message received at the port is analyzed to determine if the received message is a physical source address identified or not, which is included in a list of known physical addresses. Method according to Claim 13 and further comprising: terminating the message received at the port if the results of the analysis indicate that the second switch is not lockable and if the message identifies a physical source address that is not in the list of known physical addresses. Method according to Claim 13 or 14 wherein the handshake with the second switch comprises sending a query by the process control switch to the second switch regarding the lockability of the second switch, wherein, in particular, analyzing the handshake with the second switch comprises: identifying an error by the second switch Switch to respond to the query within a specified period of time. Method according to one of Claims 13 to 15 in which the handshake with the second switch includes the sending of an indication of lockability by the second switch without having received a query from the process control switch. Method according to one of Claims 13 to 16 wherein forwarding the messages received at the process switch from the second switch without authenticating the source physical addresses for the messages comprises: forwarding the messages without the use of network addresses based on a switch table containing physical addresses on the plurality of Porting, and / or - forwarding the messages based on an analysis of the network addresses. Method according to one of Claims 13 to 17 further comprising receiving a lock command sent to the process control switch in response to a user interacting with a user interface to manually initiate the lock command, wherein the receiving is in the locked state prior to operating the process control switch, and / or in response to a device that detects a security threat in a network to which the process control switch is connected, wherein the receiving occurs prior to operating the process control switch in the locked state. A computer-readable storage medium containing instructions which, when executed by at least one processor, cause said at least one processor to perform a method according to one of Claims 6 to 8th or 13 to 18 to implement.

Images