DE102015012064A1 - Method and device for monitoring control systems - Google Patents

Abstract

The present invention relates to a method for monitoring control systems, a device for monitoring control systems and a corresponding computer program product, wherein the control system has at least one communication network and at least two communication end points connected to the communication network which exchange data (20) via the communication network, characterized in that the data (20) exchanged between the communication end points are detected and a message is generated after comparing the currently acquired data (20) with previously acquired data (20) when new data (20) are acquired. As a result, monitoring is provided which, in control systems, in particular in industrial control systems, detects errors in the context of communication particularly quickly and reliably. These errors may subsequently be coupled with quality management to determine if quality losses correlate with such detected errors.

Description

The present invention relates to a method for monitoring control systems according to the preamble of claim 1 and an apparatus for monitoring control systems according to the preamble of claim 9.

Such control systems are mainly used in industrial manufacturing and logistics and here is also the main field of application of the present invention.

With the help of such control systems, the production processes and storage and transport processes are controlled and monitored. So far, it has been monitored, for example, whether a particular, integrated into the control system device performs its operation properly or whether errors occur, with parameters of the device were queried and monitored.

In modern times, modern control systems, for example, based on Ethernet and the communication in the control system, for example, via IP (Internet Protocol). Although this is very easy to handle, there is also a clear vulnerability not only to external attacks, but also to internal data loss during communication. Such errors in the control system have so far not been satisfactorily recognized.

The object of the present invention is therefore to enable monitoring of control systems, in particular industrial control systems, which detects errors in the context of communication, in particular reliably detects the abovementioned errors.

This object is achieved by the method according to the invention as claimed in claim 1, the device according to the invention as claimed in claim 9 and the computer program product according to the invention as claimed in claim 13. Advantageous further developments are specified in the following description and the dependent subclaims.

The inventors have recognized that the object of the present invention can be achieved in a surprisingly simple way by the fact that the communication is learned by machine and then new communication occurring is potentially evaluated as an error and this is done by a corresponding message. This solution is based on the assumption that, in control systems, communication always proceeds in a deterministic manner and that this determination is interrupted only in the event of errors or malfunctions. In fact, for example, in an industrial control system of a production line, the internal communication takes place in constantly recurring paths, possibly individual parameters, for example in terms of quantities, etc. may change, for example, communicating device and the nature of their communication is not changed, so that new communication once potentially faulty. For example, industrial control systems are based on standard Ethernet. However, this can sometimes lead to data congestion or data loss, which would be recognized by the present invention.

The inventive method for monitoring control systems, in particular industrial control systems, wherein the control system comprises at least one communication network and at least two communicating endpoints connected to the communication network, which exchange data via the communication network, is therefore characterized in that the data exchanged between the communication endpoints detected data and after comparing the currently acquired data with previously acquired data, a message is generated when new data is acquired.

"Communication networks" in the sense of the present invention can be both wired and non-wired networks, over which data is communicated. For example, it may be an Ethernet based communication network.

"Communication end point" in the sense of the present invention are points in the communication network at which data is generated, processed, received and forwarded. These may be, for example, devices. Such communication endpoints usually have a device number (hardware address, MAC address) and an application protocol address (IP address). Simple lines are therefore not communication end points, however, devices such as manufacturing machines, network interfaces, servers and the like.

"Application protocols" do not relate to basic protocols of communication, such as Ethernet, Internet Protocol (IP) or Transmission Control Protocol (TCP), but are so-called Layer 7 protocols according to the OSI model of data communication. Examples of application protocols are "Profinet" from Siemens, "Modbus" or "Ethercat".

At least two "communication endpoints" are involved in a "communication", but more than two "communication endpoints" can also be involved in a communication. If two communication endpoints are involved, then it is a one-to-one communication ("unicast"), if a communication endpoint communicates with a selection of communication endpoints, then it is a 1-n (m) communication ("multicast"). ) and a communication endpoint communicates with all other communication endpoints, then it is a 1 - n (n) communication ("broadcast").

"Data" in the sense of the present invention are all types of data connections or packets of data connections in the context of communication in the control system.

"Messages" within the meaning of the present invention are not only character-based messages, but also optical and / or acoustic signals and control signals for activating certain mechanical processes.

• – Hardware-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – IP-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – Anwendungsprotokoll, mit dem die Daten ausgetauscht werden und
• – Nachricht, die mit den ausgetauschten Daten kommuniziert wird,

umfassen. Dadurch kann eine genauere Spezifizierung der Kommunikation daraufhin erfolgen, ob die kommunizierten neuen Daten eine Fehlerrelevanz aufweisen, oder ob es sich nur um beispielsweise gerätespezifische geänderte Parameter handelt, die die Funktionsweise des gesamten Steuerungssystems nicht betreffen. Dabei ist bevorzugt vorgesehen, dass das Anwendungsprotokoll aus der Gruppe: Profinet, Modbus, Ethercat oder gerätespezifischen Protokollen der Kommunikationsendpunkte gewählt ist. Die IP-Adresse kann natürlich nur dann analysiert werden, wenn es sich tatsächlich um einen IP-Datenverkehr handelt. Es müssen also nicht immer all diese Kommunikationsparameter für jeden Datenverkehr vorliegen, können es aber.In an advantageous development, the exchanged data is analyzed for communication parameters contained therein, wherein the communication parameters at least one parameter from the group:

• Hardware address of the communication endpoint involved in the communication,
• - IP address of the communication end point involved in the communication,
• - Application protocol with which the data is exchanged and
• Message that is communicated with the exchanged data,

include. As a result, a more precise specification of the communication can be made as to whether the communicated new data has an error relevance, or whether it is only an example of device-specific changed parameters that do not affect the functioning of the entire control system. It is preferably provided that the application protocol from the group: Profinet, Modbus, Ethercat or device-specific protocols of communication endpoints is selected. Of course, the IP address can only be analyzed if it is actually an IP traffic. So not all these communication parameters have to be available for every traffic, but they can.

• – Hardware-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – IP-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – Anwendungsprotokoll, mit dem die Daten ausgetauscht werden,
• – Hardware-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes kombiniert mit dem Anwendungsprotokoll, mit dem die Daten ausgetauscht werden,
• – IP-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes kombiniert mit dem Anwendungsprotokoll, mit dem die Daten ausgetauscht werden,
• – Kombination der Hardware-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte,
• – Kombination der IP-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte,
• – Kombination der Hardware-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte und des Anwendungsprotokolls, mit dem die Daten ausgetauscht werden,
• – Kombination der IP-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte und des Anwendungsprotokolls, mit dem die Daten ausgetauscht werden,
• – Kombination der Hardware-Adresse und der IP-Adresse des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – Kombination der Hardware-Adresse und der Nachricht des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – Kombination der IP-Adresse und der Nachricht des an der Kommunikation beteiligten Kommunikationsendpunktes,
• – Kombination der Hardware-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte und der Nachricht und
• – Kombination der IP-Adressen der an der Kommunikation beteiligten Kommunikationsendpunkte und der Nachricht

umfassen. Diese Datentypen zeigen relevante Störungen oder Fehler in dem Steuerungssystem besonders gut an und machen die Art des Fehlers oder der Störung sehr leicht erkennbar.In an advantageous development, it is provided that combinations for the definition of data types are formed from the analyzed communication parameters. The data types are preferably at least one combination of communication parameters from the group:

• Hardware address of the communication endpoint involved in the communication,
• - IP address of the communication end point involved in the communication,
• - application protocol with which the data is exchanged,
• Hardware address of the communications endpoint involved in the communication combined with the application protocol with which the data is exchanged,
• IP address of the communication endpoint involved in the communication combined with the application protocol with which the data is exchanged,
• Combination of the hardware addresses of the communication endpoints involved in the communication,
• Combination of the IP addresses of the communication endpoints involved in the communication,
• Combination of the hardware addresses of the communication endpoints involved in the communication and the application protocol with which the data is exchanged,
• Combination of the IP addresses of the communication endpoints involved in the communication and the application protocol with which the data is exchanged,
• Combination of the hardware address and the IP address of the communication end point involved in the communication,
• Combination of the hardware address and the message of the communication end point involved in the communication,
• Combination of the IP address and the message of the communication end point involved in the communication,
• - Combination of the hardware addresses of the communication endpoints involved in the communication and the message and
• - Combination of the IP addresses of the communication endpoints involved in the communication and the message

include. These data types are particularly indicative of perturbations or faults in the control system and make the nature of the fault or fault very readily apparent.

It is then particularly preferred for the message to be generated upon detection of such a new data type. In other words, a message is not necessarily generated for every type of new communicated data, but only if a new data type is recognized. In this context, "new data type" does not only mean that in the course of the ongoing monitoring, a previously unknown type of data type, ie a hitherto unparalleled combination of communication parameters, is determined, but above all, that the content of the data type is new, that is, although the type of communication parameters contained was known, but the content of the communication parameters is new, so it is a new expression of a known data type.

Since not only a uniform application protocol must be present in a control system but, for example, different standard or proprietary application protocols can exist in different areas of the control system, it is provided according to an advantageous development that for the analysis of the application protocol used, the exchanged data to a known application protocol associated pattern and / or heuristically examined. This allows the application protocol used to communicate the new data to be determined to determine the other communication parameters. This protocol detection uses several features of a data connection or their packets in order to determine which application protocol is used in the communication. Above all, Deep Packet Inspection inspects the user data of the packages in order to determine the underlying application protocol by finding specific patterns or by using heuristics. With the help of this analysis even unknown application protocols can be identified individually.

In an advantageous development it is provided that the data exchanged are decoded by means of the application protocol in order to analyze the communicated message. For decoding the message from the data, a protocol decoder is preferably used, wherein a separate protocol decoder belongs to each application protocol. In this case, the message type of the message which is analyzed from the message is preferably used as the communication parameter instead of the message, the message type in particular being one of the group: error message, command for authentication, command for reading data, command for writing data and command for Time synchronization of two communication endpoints is. This also makes a significant simplification of the monitoring achieved because now no longer the content of the message must be analyzed in detail, but only the nature of the message is used for monitoring. If no suitable protocol decoder is present, then the application protocol can not be determined or, if necessary, a corresponding decoder is entered into the monitoring, whereby this process could be done manually or automatically.

On the other hand, it can also be provided that the application protocol can indeed be recognized, but for reasons of complexity or due to lack of demand by the user of the protocol decoder is not implemented, so that although the application protocol can be recognized, but not the message or message type is read ,

In an advantageous development, it is provided that a hash value is formed from the new data or the new data type by means of a scatter value function. Since such hash values are unique, the monitoring can be considerably accelerated, since it is no longer necessary to compare the data or data types in the context of monitoring, but only their hash values as indexing.

In an advantageous development, it is provided that the new data, the new data types and / or the associated hash values are stored in a memory, preferably with an indexed data structure, the new data, the new data types or the associated hash values preferably being chronological, in particular stored together with a timestamp. As a result, an exact assignment to the real course of the processes in the control system is achieved.

In an advantageous development, it is provided that, in addition, data types or hash values which were not recognized as new, but have already been stored beforehand, are also renewed for the data, because then an exact image of the control system is produced at the time of the message.

In an advantageous embodiment, it is provided that for each data, each data type or each hash value, the time stamps are stored for a predetermined period, then a monitoring can be done for lack of communication so as to detect errors and malfunctions, for example, the failure of a Device based in the control system. This predetermined period of time may be specified but fixed or the storage takes place until an authorized user deletes the storage in order to take account of the changed communication, for example after a conversion and restart of the control system.

In addition, it can be provided that the new data, the new data types or the associated hash values are deleted again from the memory after a first definable time, wherein this first definable time is preferably at most 1 year, preferably at most 4 weeks, in particular 1 to 2 weeks is. This can be used to update the monitoring basics. On the other hand, time can be too not be limited so that no such update occurs.

In an advantageous development, it is provided that the exchanged data is analyzed for lack of communication. For example, there are cyclic communication events in which data is exchanged at periodically recurring intervals due to a particular transmission protocol to ensure protocol compliance. After an analysis of the periodicity of collected data, if necessary, it can be checked whether such data are exchanged properly, if necessary within the framework of a certain temporal blur, or whether this communication fails, which then generates a message as a deviation from the normal case.

Self-contained protection is claimed for the device according to the invention for monitoring control systems, wherein the control system has at least one communication network and at least two communication end points connected to the communication network, which exchange data via the communication network, wherein the device is characterized in that means for detecting the between the Communication data points are provided exchanged data and means are provided for comparing the currently acquired data with previously acquired data, which are designed to generate a message when new data.

In an advantageous development it is provided that the device is adapted to carry out the method according to the invention.

In an advantageous development it is provided that at least one sensor is provided, which is connected to the communication network and adapted to detect the exchanged data without changing this exchanged data. Such a sensor can be realized as an objective device but also as software, for example as an application or as a hybrid form. The monitoring can then take place entirely or at least partially in this sensor or even completely or partially centrally, for example on a server.

These "sensors" may be proprietary devices or just points for passively capturing traffic from the communications network. For example, the replication ports of a network tap may embody such "sensors."

In an advantageous development it is provided that the sensor is set up to calculate hash values by means of a scatter value function, wherein the sensor is preferably adapted to store the hash values, the memory in particular having an indexed data structure.

In an advantageous development, it is provided that the sensor is set up to supply quality management to at least the new data, the device being adapted to analyze the new data for communication parameters contained therein, wherein the communication parameters preferably at least one parameter from the group:
Hardware address of a communication endpoint,
IP address of a communication endpoint,
Application protocol with which the data is exchanged and
Message that is communicated with the exchanged data,
include. Then, not only can monitoring for errors and failures be taken over, but deeper insights into the control system for quality management purposes are made possible.

Furthermore, the invention may be embodied in the form of a computer program product accessible from a computer usable or computer readable medium and provided with program code for use by or for use in connection with a computer or any instruction execution system. Therefore, independent protection is also claimed for a computer program product stored on a computer readable medium and comprising computer readable program means for causing the computer to execute the inventive method when the program means are executed on the computer.

For the purposes of this specification, computer usable or computer readable media may be any devices or devices that contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. In this case, mobile communication means, such as mobile phones, tablet computers and the like. Be used.

The medium may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or device or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer disk, random access memory (RAM), read-only memory (ROM), a fixed magnetic disk, and an optical disk. Present examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read / write (CD-R / W) and DVD.

A data processing system capable of storing and / or executing the program code includes at least one processor directly or indirectly connected to at least one memory element through a system bus. The storage element may include local memory operating during the current execution of the program code, mass storage and buffer memory providing temporary storage of at least some program code to reduce the number of fetches of code from the mass storage during execution.

Input / output or I / O devices, which may include, but are not limited to, keyboards, displays, pointing devices, etc., may be coupled to the system either directly or through interposed I / O controllers.

Network adapters may also be connected to the system to allow the data processing system to interface with other data processing systems or remote printers or storage devices through private or public network intermediaries. Modems, cable modems, or Ethernet cards are just a few examples of the currently available types of network adapters.

The characteristics and further advantages of the present invention will become apparent hereinafter with reference to the description of a preferred embodiment in conjunction with the figures. Here are purely schematic:

1 the monitoring according to the invention of a control system in a first preferred embodiment,

2 the monitoring according to the invention of a control system in a second preferred embodiment,

3 the monitoring of a control system according to the invention in a third preferred embodiment

4 Block diagram representation of the analysis of the data types from the collected data and

5 Flowchart representation of the message generation.

In 1 is for a control system 10 a first preferred embodiment of the monitoring according to the invention by means of the device 12 for monitoring the control system 10 shown purely schematically.

It can be seen that this is the control system 10 an industrial control system 10 as used for example in a production line (not shown) to control and synchronize the actions of individual devices (not shown) of the production line. This control system 10 based for example on the standard Ethernet. The devices of the production line, for example, as a star-shaped communication network 14 arranged.

At various points, in this case at the nodes of the star-shaped network 14 are so-called switches 16 arranged with mirror ports 18 are equipped. These mirror ports 18 read the aggregated traffic 20 the other ports 22 So in the control system 10 communicated data 20 (see. 4 ), purely passive with no such data 20 to change and feed this data 20 to the ones with the switches 16 connected sensors 24 , in turn, with a central control unit 26 are connected. This central control unit 26 is with a control unit 28 connected, with the one to updates the device 12 and on the other hand their configuration and the evaluation of the obtained results is made.

The sensors 24 can be physically present or as software, for example in the form of applications. They guide the traffic 20 continue on the control unit 26 so that it can be centrally located. In addition, they cause a multiplication of the distribution possibilities of the cut traffic. In addition, they form a buffer for the data 20 so there is no confusion and no data loss. It should be the timing of the mirror port 18 preferably be as high as the sum of the clocks of the mirrored ports 22 , In addition, the sensors take 24 a packaging of the data 20 before, so that no subsequent mediation to the addressees of the data is attempted. This packaging is then used in the analysis of the data 20 removed first.

Between the sensors 24 and the central control unit 26 If necessary, an additional switch level (not shown) can be added. Besides, besides the evaluation of the data traffic 20 and possible quality management in the central control unit 26 also the software for the sensors 24 work.

In contrast to 1 be at the monitoring device 12 ' of the 2 no switches used, but so-called network taps 30 in which each port 32 ' . 32 '' a separate port 34 ' . 34 '' associated with the data 20 of the respective port 32 ' . 32 '' regardless of the rest in the control system 10 ' current traffic 20 passively to the sensor 35 ' . 35 '' passes.

In 3 are in this monitoring device 12 '' in turn are switches 16 ' used with mirror ports 18 , but no dedicated sensors are used, but the traffic 20 in the control system 10 '' gets directly from the switches 16 ' to the central control unit 26 forwarded, for example via throwing cable 36 or by radio. The sensors are here so through the mirror ports 18 and the throwing cable 36 embodies.

In 4 you can see that from the sensors 24 . 35 ' . 35 '' read data 20 first on the in the data 20 contained communication parameters are analyzed, namely on the IP addresses involved 38 and MAC addresses 40 the devices involved in the communication of the production line, the application protocol used in the communication 42 and the messages actually exchanged during the communication. This can be one or more messages.

In the example shown, it is assumed that two devices are involved in the communication, which is why two different IP addresses 38 and MAC addresses 42 to be analyzed. The application log 44 is either a proprietary device-specific protocol or, for example, the application protocol Profinet from Siemens. The exchanged messages concern, for example, the request for synchronization, error messages, the request for or the subsequent performance of an authentication or the like. In the context of the preferred analysis, not the actual messages, ie the exact contents of the messages are processed, but from these messages become the underlying message types 44 determines, ie synchronization commands, error messages, authentication commands and the like. There may be different message types 44 occur as in 4 is shown.

From these communication parameters 38 . 40 . 42 . 44 become now 14 different data types 46 (type 0 to type 13), in which individual of these communication parameters 38 . 40 . 42 . 44 used and / or combined with each other. These data types 46 are then either simple, such as type 3 or because of the two devices communicating with each other twice, such as type 9. Depending on the number of message types 44 lie the types 10 . 11 . 12 and 13 correspondingly multiplied before.

Corresponding 5 then become of each data type 46 as soon as it has been captured, the associated hash values 48 calculated. Then it is stored in a memory (not shown) in the sensor 24 . 35 ' . 35 '' Himself (cf. 1 and 2 ) or in the central control unit 26 can be arranged compared 50 whether this hash value already exists and the timestamp of this hash value is updated 52 if it already exists, or the hash value is saved with the current timestamp 54 if the hash value was not yet in memory.

In case the timestamp was updated because the hash value already existed in the memory 52 , nothing is done 56 , If, on the other hand, a new hash value is stored in the memory 54 , then there was a completely new way of communication and it will be a message 58 which indicates that it is a completely new communication, not yet in the control system 10 occured. For example, two devices now communicate with each other, which have never done so far (type 5), or message types are exchanged between two devices that have never been exchanged between these devices (type 12). Because the communication in a control system 10 is deterministic and no new, unexpected communication can occur during normal operation, this reported new communication could be an error, a disruption, or even an unauthorized attack from outside.

The generated message 58 Then, depending on the design of the monitoring according to the invention, the monitoring personnel then examine whether there is actually a critical state of the control system 10 is present and what may be further to arrange. Or the message is connected with an automatism, which autonomously certain actions to secure the control system 10 What can be counted in an extreme case, its controlled shutdown and shutdown.

The messages 58 can only contain the reference to the determined new hash value or also detailed information about the communication parameters or the data types or the communicated messages. In addition, these messages can 58 passed to a suitable quality management. There, a comparison between the determined quality and communication disruptions can then be made in order, for example, to attribute quality losses to specific disturbances in the communication can or even determine that, although certain communication errors occur, but these have no effect on the quality achieved. In the latter case, the message could 58 then be omitted in the future and the underlying communication state be regarded as the standard case of the control system.

When it finally turns out that the new hash value is with an unwanted state of the control system 10 is linked, can be made after the evaluation or performed automatic erasing this hash value from the memory so that this state can be detected by this hash again next time as a deviation from the standard state.

It can be seen that the monitoring according to the invention is carried out by the fact that usually in the control system 10 occurring communication is typed and stored and then a message when a new communication type occurs 58 is generated, which points out. In this context, the content of the communication essentially does not matter, but depends only on whether the communication is typical, that would occur in a normal operation. This will immediately detect communication anomalies.

The monitoring according to the invention can now be used in two different ways. Either a transient is performed, in which all communication is stored and only then the monitoring is "armed" or it is monitored from the beginning. The first variant is zeitunaufwiger, but there is also the danger that abnormal communication with stored and thus treated as normal, so that their occurrence would not be reported later. The second variant is more time-consuming, as each new communication becomes a message 58 which is then to be controlled by the monitoring personnel, however, errors are thereby essentially completely excluded.

In contrast to the previously known monitoring of parameters of individual devices, these parameters are now less or not at all interesting, Instead, there is a monitoring of the overall communication in the control system to ensure its proper functioning. Due to the pure hash value comparisons 36 , the monitoring is very fast and resource-saving. Instead of hash values 50 Of course, other identifiers may be used that allow a unique association.

From the above description, it has become clear that the present invention provides a monitoring system which, in control systems, in particular in industrial control systems, detects errors in the context of communication particularly quickly and reliably. These errors may subsequently be coupled with quality management to determine if quality losses correlate with such detected errors.

Unless otherwise indicated, all features of the present invention may be freely combined with each other. The features described in the description of the figures can, unless stated otherwise, be freely combined with the other features as features of the invention. In this case, subject features of the device can also be used in the context of the method and method features in the context of the device.

LIST OF REFERENCE NUMBERS

10, 10 ', 10' '

control system

12, 12 ', 12' '

Device for monitoring the control system 10

14

star-shaped communication network

16

switchs

18

Mirror ports of the switches 14

20

Traffic, data

22

Ports of the switches 16

24

sensors

26

central control unit

28

Operating unit of the central control unit 26

30

Network taps

32 ', 32' '

Ports of network taps 30

34 ', 34' '

Ports of network taps 30 , Replication ports

36

throw cable

38

IP addresses

40

MAC addresses

42

application protocol

44

message types

46

Data types (type 0 to type 13)

48

Calculation of hash values

50

Compare hash value with memory

52

Update hash value

54

Set hash value with current time stamp and save

56

The End

58

Generation of message

Claims (13)

Method for monitoring control systems ( 10 . 10 ' . 10 '' ), the control system ( 10 . 10 ' . 10 '' ) at least one communication network ( 14 ) and at least two with the communication network ( 14 ) has communication endpoints connected via the communication network ( 14 ) Dates ( 20 ), characterized in that the data exchanged between the communication endpoints ( 20 ) and after comparing the currently collected data ( 20 ) with previously collected data ( 20 ) when collecting new data ( 20 ) a report ( 58 ) is produced. Method according to claim 1, characterized in that the exchanged data ( 20 ) on communication parameters contained therein ( 38 . 40 . 42 . 44 ), the communication parameters ( 38 . 40 . 42 . 44 ) at least one parameter from the group: - hardware address ( 38 ) of the communication endpoint involved in the communication, - IP address ( 40 ) of the communication end point involved in the communication, application protocol ( 42 ), with which the data ( 20 ) and - message containing the exchanged data ( 20 ), it is preferably provided that the application protocol ( 42 ) is a layer 7 protocol according to the OSI model, which is selected in particular from the group: Profinet, Modbus, Ethercat or device-specific protocols of communication endpoints. Method according to claim 2, characterized in that from the analyzed communication parameters ( 38 . 40 . 42 . 44 ) Combinations for defining data types ( 46 ), the data types ( 46 ) preferably at least one combination of communication parameters ( 38 . 40 . 42 . 44 ) from the group: - hardware address of the communication end point involved in the communication, - IP address of the communication end point involved in the communication, - application protocol with which the data is exchanged, - hardware address of the communication end point involved in the communication combined with the Application protocol with which the data are exchanged, - IP address of the communication end point involved in the communication combined with the application protocol with which the data is exchanged, - combination of the hardware addresses of the communication end points involved in the communication, - combination of the IP addresses the communication endpoints involved in the communication, combination of the hardware addresses of the communication endpoints involved in the communication and the application protocol with which the data is exchanged, combination of the IP addresses of the communi cations involved in the communication cation end points and the application protocol with which the data is exchanged, - combination of the hardware address and the IP address of the communication end point involved in the communication, - combination of the hardware address and the message of the communication end point involved in the communication, - combination of the IP Address and the message of the communication endpoint involved in the communication, combination of the hardware addresses of the communication endpoints involved in the communication and the message and combination of the IP addresses of the communication endpoints involved in the communication and the message, wherein in particular it is provided that the message is generated upon detection of a new data type. Method according to one of claims 2 or 3, characterized in that for analyzing the application protocol used ( 42 ) the exchanged data ( 20 ) to a known application protocol ( 42 ) and / or heuristically examined. Method according to one of claims 2 to 4, characterized in that for the analysis of the communicated message, the exchanged data ( 20 ) using the application log ( 42 ) are decoded, with the message parameter preferably being the message type ( 44 ) of the message being analyzed from the message, with the message type ( 44 ) is in particular one of the group: error message, command for authentication, command for reading data, command for writing data and command for time synchronization of two communication endpoints. Method according to one of the preceding claims, characterized in that from the new data ( 20 ) or the new data type ( 46 ) a hash value by means of a scatter value function ( 48 ) is formed. Method according to one of the preceding claims, characterized in that the new data ( 20 ), the new data types ( 46 ) and / or the associated hash values ( 48 ) are stored in a memory, preferably with an indexed data structure, the new data, the new data types or the associated hash values preferably being stored chronologically, in particular together with a time stamp. A method according to claim 7, characterized in that the time stamps when the data ( 20 ), the data types ( 46 ) or hash values ( 48 ), collecting the timestamps for each data, data type or hash value. Contraption ( 12 . 12 ' . 12 '' ) for monitoring control systems ( 10 . 10 ' . 10 '' ), the control system ( 10 . 10 ' . 10 '' ) at least one communication network ( 14 ) and at least two with the communication network ( 14 ) has communication endpoints connected to it via the communication network ( 20 ), characterized in that means ( 24 . 30 . 35 ' . 35 '' ) for detecting the data exchanged between the communication endpoints ( 20 ) and means ( 26 ) to compare the currently collected data ( 20 ) with previously collected data ( 20 ), which are designed to be used when acquiring new data ( 20 ) a report ( 58 ) to create. Contraption ( 12 . 12 ' . 12 '' ) according to claim 9, characterized in that the device ( 12 . 12 ' . 12 '' ) is adapted to perform the method according to one of claims 1 to 8 and / or that at least one sensor ( 24 . 35 ' . 35 '' ) provided with the communications network ( 14 ) and is adapted to the exchanged data ( 20 ) without changing these exchanged data ( 20 ) capture. Contraption ( 12 . 12 ' . 12 '' ) according to claim 10, characterized in that the sensor ( 24 . 35 ' . 35 '' ) is set up, by means of a scatter value function hash values ( 48 ), where the sensor ( 24 . 35 ' . 35 '' ) is preferably adapted, the hash values ( 48 ), wherein the memory in particular has an indexed data structure. Contraption ( 12 . 12 ' . 12 '' ) According to claim 10 or 11, characterized in that the sensor ( 24 . 35 ' . 35 '' ), at least the new data ( 20 ) to a quality management system, the device ( 12 ), the new data ( 20 ) on communication parameters contained therein ( 38 . 40 . 42 . 44 ), the communication parameters ( 38 . 40 . 42 . 44 ) preferably at least one parameter from the group: hardware address of a communication endpoint, IP address of a communication endpoint, application protocol with which the data is exchanged and message that is communicated with the exchanged data include. A computer program product stored on a computer readable medium comprising computer readable program means for causing the computer to carry out a method as claimed in any one of claims 1 to 8 when the program means are executed on the computer.

Images