EP3348032A1 - Verfahren zum betreiben eines industrienetzwerks und industrienetzwerk - Google Patents

Verfahren zum betreiben eines industrienetzwerks und industrienetzwerk

Info

Publication number
EP3348032A1
Authority: EP (European Patent Office)
Prior art keywords: access, network, local, network device, local interface
Legal status: Withdrawn
Application number: EP15766084.6A
Other languages: German (de), English (en), French (fr)
Inventors: Reinhard Frank, Florian Zeiger
Current assignee: Siemens AG
Original assignee: Siemens AG

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/105 Multiple levels of security
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H04L67/306 User profiles

Definitions

  • the present invention relates to a method for operating an industrial network and to an industrial network.
  • an object of the present invention is to provide an improved method of operating a network.
  • the industrial network comprises at least one network device that can be controlled by a central control device.
  • the industrial network further comprises a local interface for local access to the network device. Local access to the network device can be realized via the local interface.
  • the method comprises the following steps:
  • the industrial network particularly relates to any kind of industrial communication network, for example a production system with production cells, a wind farm or a part thereof.
  • the industrial network is, for example, a power supply network, and the network devices are individual generators in this network, such as wind turbines.
  • the industrial network may further include a transport network and / or a supply network of resources such as electricity, oil, water, natural gas, food or heat.
  • the industrial network has several network devices.
  • the network devices of the industrial network relate, for example, to individual modules, e.g. production modules, control units or field devices, to road safety and/or to a supply network.
  • the network devices can work at least partially automated, meaning that they require no or only reduced human intervention to operate.
  • the network devices are at least partially coupled with each other, so that a transport of data, material, products and/or resources, e.g. power or energy,
  • the industrial network has at least one central control facility that can centrally control the network facilities of the industrial network.
  • the central controller is arranged to communicate and / or interact with the network devices, e.g. Retrieve data from the network devices and / or enter data or commands into the network devices.
  • the industrial network may extend over such a large area that geographical distances between the individual network devices amount to several tens of thousands of kilometers.
  • the industrial network may have a backbone line from which multiple branch connections to the individual network devices originate and couple them to the industrial network.
  • other network topologies such as bus, ring or star topologies.
  • the network may be coupled to a Wide Area Network (WAN) and / or the Internet.
  • WAN: Wide Area Network
  • For maintenance on one or more network devices, a service person (e.g. technician, operator, administrator or mechanic) may be allowed access to the appropriate network device. It is advantageous to protect the industrial network from unauthorized access.
  • the industrial network is a closed private communications network.
  • the industrial network may at least partially be designed as a corporate network, which links the spatially separate individual networks of a company and connects them to the Internet, for example via a common firewall. Access to the industrial network may be encrypted and/or require authentication.
  • the central controller may be further configured to monitor accesses to the network devices. For example, the service personnel may request local access to the network device from the central controller.
  • the local access is made to the network device on and/or with the aid of the local interface that is associated with one or more network devices and connected thereto.
  • the local interface may be connected to the associated network device via a local area network (LAN), wireless LAN, cellular, and / or cable connections.
  • the local interface can include a physical and/or virtual interface, such as a machine interface, a hardware interface, a network interface, a data interface, a software interface or a combination thereof.
  • the physical interface provides a physical connection to which an access device, such as a computer, a laptop or another computing-enabled device, can be connected in order to access the network device. It is conceivable that the local interface provides an access device or that the access device is integrated into the local interface.
  • the physical interface may include a network port through which components of the industrial network may be connected to the network device.
  • the physical interface may further be adapted to convert between different communication protocols in order to enable communication between the network device and different network components.
  • a virtual interface can be an interface between programs, applications and / or operating systems in order to enable interaction between the programs, applications and / or operating systems of the network device, the access device and / or network components.
  • the local interface allows data to be queried from the associated network device and/or data or commands to be entered into the associated network device.
  • the local interface may be provided with computing power, for example to process data and to operate the associated network device.
  • the local interface may have a storage capacity to store eg access configurations, applications or user specifications.
  • the local interface can be regarded as an access point (AP).
  • the access request for the local access to the network device indicates, for example, the network device to be accessed and / or an identity of the service personnel requesting local access to the network device.
  • the access request can be transmitted, for example, via the line of the industrial network, via a VPN connection or via mobile radio to the central control device.
  • the central controller receives the access request and evaluates it.
  • the authentication of the access request may depend on the results of the evaluation of the access request by the central controller. If the access request is authenticated, the central control device sets up the local interface so as to allow local access to the network device according to the access request.
  • a trust level of the access request, in particular of the service personnel creating the access request, is determined. Accordingly, the local interface can be set up in accordance with the trust level of the access request determined by the central control device.
  • Setting up the local interface enables the local interface and provides local access to the network device for the service personnel.
  • the corresponding access rights are taken into account.
  • Establishing the local interface may include activating physical ports, starting an access device, or establishing a connection between the local interface and/or the network device.
  • Setting up the local interface may further include configuring a virtual interface at the local interface.
  • an access configuration created by the central control device, e.g. an operating system or a set of applications, is instantiated at the local interface.
  • virtual sensors for example for data evaluation or data aggregation, can be instantiated at the network device. It should be appreciated that instantiating operating systems, applications, or virtual sensors may include implementing, installing, starting, rolling out, and / or activating the same.
  • the setup of the local interface is isolated and encapsulated so that the interface can be dissolved without residue.
  • the instantiation comprises, for example, the respectively required configurations, applications, and communication connections, which are realized by virtual components.
  • access is self-contained. If several different accesses are active at the same time, they do not influence each other.
  • the applications may e.g. used for data query and input or for controlling the network device. Furthermore, the applications may comprise a terminal or a maintenance program for interacting with the network device.
  • When setting up the local interface, a virtual network can be created and/or virtual network functions can be instantiated for that virtual network.
  • Different network configuration technologies eg VPN, formation of "tunnels" between network components or software defined networking (SDN) can be used.
  • the virtual network is preferably adapted to the request for access.
  • the virtual network is, for example, a virtual overlay network that builds on an existing network, eg industrial network, a WAN or the Internet, ie uses parts of structures of this existing network to transport data.
  • the virtual network functions may include control of the data traffic (traffic shaping), a firewall, switching, data traffic management (routing) or monitoring of the terminals (port monitoring).
  • a virtual firewall can be instantiated at the local interface to restrict and/or filter the local access.
  • the virtual firewall is an industrial firewall specifically designed to protect industrial networks.
  • the local interface can in particular be set up in such a way that the local access to the network device satisfies specific connection requirements, eg regulations according to Quality of Service (QoS) for the industrial network.
  • QoS: Quality of Service
  • the QoS may specify minimum requirements for the quality of the connection and of the data transmission in an industrial network.
  • the QoS can specify a frequency of disturbances, transmission errors, connection errors and/or connection problems.
  • local access to the network device is limited in time.
  • the access request may include an expected duration of local access to the network device.
  • the access time may be set by the central controller, requested with the access request, or generally established. Furthermore, a predefined access duration can be permanently stored at the central control device or at the local interface, and the access time can be set automatically.
  • An indication of the access duration may include a start time, an end time and/or a time interval of the local access to the network device.
  • the temporal restriction of local access can preclude unwanted access to the industrial network after expiration of access time. This can increase the security of the industrial network.
  • the method further comprises disabling the local interface after local access to the network device is completed.
  • disabling the local interface may include disabling components instantiated or generated at the local interface.
  • the components relate to e.g. the virtual network, virtual network features, applications and / or operating systems.
  • Disabling may include closing, deleting, uninstalling, stopping, canceling, unwinding or removing the corresponding component.
  • the local access to the network device takes place by means of an access device which is coupled to the local interface.
  • an access record for enabling the local access to the network device via the local interface is provided on the access device if the access request is authenticated by the central control device.
  • the access record contains information about the trust level of the local access and/or of the service personnel associated with the access record.
  • the access record may be personalized, i.e. adapted to the service personnel creating the access request and/or valid only for that service personnel.
  • the local access to the network device may in particular be provided by creating an account (access account) with which the service personnel can dial into the industrial network. Accordingly, the access record contains account information, such as a user ID and a key, for dialing into the network device and/or the industrial network.
  • the access record can be created by the central controller depending on results of the evaluation of the access request.
  • the access data set can be pre-stored at the central control device and output after an authentication of the access request.
  • the access record may include a period of time within which access to the network device is granted.
  • the transmission of the access record is encrypted.
  • Setting up the local interface for the local access to the network device then takes place when the service personnel enter the access record into the local interface or into an access device connected to the local interface.
  • the method further comprises generating a virtual network.
  • the virtual network is then part of the industrial network and contains at least the network device to which the access request is directed.
  • the central control device is separated from the virtual network, thus preferably not part of the virtual network used by the access device for the local access to the at least one network device.
  • overlay networks come into question.
  • Conceivable are protocol-based networks, such as VLANS, VPN, VPLS or the like and software-defined networks (SDN).
  • the method further comprises transmitting access specifications of the access request to the central control device.
  • the access specifications comprise an identifier of an access device, an identity of an operator, a connection type of the local access, connection requirements of the local access, an access time and/or resources intended for the local access.
  • the method further includes establishing the interface for local access to the network device according to the access specifications.
  • the access specifications may specify bandwidth and / or computing power for local access to the network device.
  • connection requirements are determined in particular by standards, for example by the quality of service (QoS) of a communication service.
  • the connection requirements may conform to given standards, eg IEEE 802.1p.
  • setting up the local interface comprises instantiating applications at the local interface.
  • the applications include, for example, applications used in the local access to the network device. Further, the applications may include virtual sensors that are instantiated at the network device. Furthermore, the applications can be instantiated at the access device which is connected to the local interface.
  • the setting up of the local interface takes place with the aid of templates which are stored in the central control device.
  • the templates may include components or components of data or information relevant to the establishment of the local interface for accessing the network device.
  • the templates include information on the trust level, access type, access time, connection requirements, access device and/or resource allocation.
  • the templates may at least partially include access specifications for accessing the network device.
  • the transmission of the access request to the central control device is encrypted. Additionally or alternatively, the local interface is set up by the central control device in encrypted form.
  • the security of the industrial network can be further increased.
  • an attack from the outside can be better warded off.
  • the local access to the network device takes place for the purpose of maintaining, checking, monitoring, modifying, operating, repairing, switching on, switching off or activating the network device and/or for locally retrieving data from the network device.
  • the service personnel can perform local access for any of the above purposes.
  • technical work is performed on the associated network device.
  • the local access to the network device takes place via a Local Area Network (LAN) and / or with the aid of wireless LAN, Bluetooth, mobile radio technologies, LTE-based connections and / or wired.
  • LAN: Local Area Network
  • the industrial network comprises several network devices.
  • the access request comprises a local access to a subnetwork of several network devices of the industrial network, wherein the local access takes place via the local interface.
  • the above-described features of the method can also be applied to local access to a sub-network of the industrial network.
  • the subnetwork may be an association of geographically proximate network devices.
  • the subnet may correspond to a location of several sites of the industrial network.
  • a subnetwork may in particular be defined by the functionality of the network devices, such as controllers for field devices in automation networks.
  • the subnetwork may comprise a defined subset of network equipment of the industrial network. Furthermore, the subnetwork may be in the form of a virtual network. A local interface of a subnet may be connected to each of the network devices of the subnet and provide local access to each of the network devices.
  • the local access to the network device has a shorter data transmission path than the data transmission path used for controlling the network device by the central control device.
  • a geographical distance between the network device and the central controller is greater than a geographical distance between the network device and the local interface.
  • the quality of connection can be improved.
  • the method allows in particular that the safeguards of connection quality required for a particular application can be implemented.
  • the allocation of a local interface is planned, and appropriate resources, such as an underlying network infrastructure, are provided. This allows certain connection qualities to be guaranteed over the period of existence of the local interface as well.
  • an industrial network comprises at least one network device that can be controlled by a central control device. Further, the industrial network includes a local interface for local access to the network device. The industrial network is suitable for carrying out the method described above.
  • the industrial network includes multiple network devices. All of the features proposed above for the method for operating an industrial network may correspondingly be applied to the proposed industrial network.
  • the industrial network is at least partially provided in the form of a virtual private network (VPN) in a network.
  • VPN: virtual private network
  • data transport in the industrial network takes place at least partly via a Wide Area Network (WAN) or the Internet, which is used as a transmission path for the industrial network.
  • the industrial network may have a main line (backbone line) or radio link for transmitting data.
  • the proposed method and the proposed industrial network in particular allow local access to the network device with support for industrial quality of service requirements. Furthermore, complex routing of connections over long geographical distances is not required. The local access can be provided temporarily. By disabling the local access, defective or security-relevant connections and/or functions can be eliminated if necessary. As a result, increased security for the industrial network can be achieved.
  • Network resources such as bandwidth or computing capacity can be requested and organized on demand. Likewise, the effort of monitoring accesses to the network devices of the industrial network can be reduced.
  • the respective unit for example the access device, the local interface or the central control device, can be implemented in terms of hardware and / or software.
  • the respective technical unit can be configured as a device or as part of a device, such as a computer or a microprocessor, or as a control computer of a vehicle.
  • the respective unit can be formed as a computer program product, as a function, as a routine, as part of a program code or as an executable object.
  • a computer program product is proposed, which on a program-controlled device, such as elements of the network, causes the execution of the method as explained above.
  • a respective program-controlled device can be both software-based and hardware-based. An implementation of the access device as a downloadable or temporarily installable or activatable access application on a smartphone is conceivable, for example.
  • a computer program product, such as a computer program means, may for example be provided or delivered as a storage medium, e.g. memory card, USB stick, CD-ROM, DVD, or in the form of a downloadable file from a server in a network.
  • This can be done, for example, in a wireless communication network by transmitting a corresponding file with the computer program product or the computer program means.
  • the embodiments and features described for the proposed method apply mutatis mutandis to the proposed industrial network.
  • Fig. 1 shows a schematic view of a first embodiment of an industrial network with an access device;
  • Fig. 2 shows a schematic view of a second embodiment of an industrial network with the access device;
  • Fig. 3 shows a sequence diagram of a method for operating an industrial network;
  • Fig. 4 shows a schematic view of a third embodiment of an industrial network with the access device;
  • Fig. 5 shows a schematic view of a fourth embodiment of an industrial network with the access device;
  • Fig. 6 shows a schematic view of a fifth embodiment of an industrial network with the access device.
  • Fig. 1 shows a schematic view of a first embodiment of an industrial network 100 with an access device 104.
  • the industrial network 100 comprises a network device 101 and a local interface 102.
  • the local interface 102 is connected via a line 105 to the network device 101.
  • the network device 101 and the local interface 102 are connected via a respective line 106, 107 to a central control device 103.
  • the local interface 102 allows a service person U, who is a technician, an operator, a mechanic or a system administrator, a local access A to the network device 101.
  • the local interface 102 is connected to an access device 104.
  • the access device 104 is equipped with a computing power and a storage capacity.
  • the access device 104 is a computer, a mobile computer or a terminal in the industrial network 100. With the aid of the access device 104, the network device 101 can be accessed via the local interface 102.
  • the access device 104 is connected to the local interface 102 via a physical line, eg an Ethernet cable, or wirelessly, eg via W-LAN, or by mobile radio, eg via an LTE-Advanced connection.
  • the service staff U sends an access request Q via the access device 104 to the central controller 103.
  • the controller 103 evaluates the access request Q, authenticates the access request Q and determines a trust level of the service personnel U. Furthermore, the central control device 103 creates an access configuration K, according to which the local interface 102 is set up for the local access A to the network device 101 by the service personnel U.
  • the local interface 102 is in particular equipped with computing power and memory capacity to store and/or execute the access configuration K.
  • the access configuration K is transmitted to the local interface 102 and instantiated there.
  • a set of applications at the local interface 102, and virtual sensors for acquiring and processing data at the network device 101 are installed and started.
  • the local interface 102 is set up for the local access A to the network device 101.
  • the service personnel U can interact with the network device 101 and query data from it.
  • the local access A to the network device 101 may take place for maintaining, checking, operating, repairing or modifying the network device 101 or for querying data from the network device 101.
  • Fig. 2 shows a schematic view of a second embodiment of an industrial network 200 with the access device 104 from Fig. 1.
  • the industrial network 200 includes all the features and elements of the industrial network 100 in Fig. 1.
  • the central control device 103 is equipped with a database device 201, on which templates for setting up the local interface 102 for the local access A to the network device 101 are pre-stored.
  • the templates include both ready-made access configurations and components for an access configuration.
  • the templates include in particular access specifications, eg connection requests, an identifier of an access device, an identity or trust level of the service personnel U, a connection type of the local access A, an access duration and / or resources characterizing the local access A to the network device 101.
  • the service personnel U, a technician of the manufacturer of the wind turbine 101, requests from the central control device 103, a central server computer of the operator of the wind turbine 101, access to the control unit of the wind turbine 101 for 8 hours to perform a scheduled inspection.
  • the investigation concerns mileage, wear, fluctuations in parameters (voltage, frequency and amplitude) and correct controllability.
  • the service personnel requests access to the wind turbine 101 from the central server computer to collect statistical data, eg, generated electrical power of the past 2 weeks.
  • the central controller 103 creates the access configuration K for the local access A to the network device based on the templates stored at the database device 201. Subsequently, the access configuration K is transmitted to the local interface 102 and instantiated there.
  • After successful authentication of the access request Q, the central control device 103 creates an access record T in the form of an access token in accordance with the trust level of the service personnel U.
  • the access token T contains a user ID and a password for dialing into the industrial network 200 and an access time, e.g. 24 hours or 7 days, within which the local access A is allowed.
  • the access request Q and the access token T are transmitted in an encrypted, preferably private connection, eg via the Internet as a VPN connection.
  • FIG. 3 shows a sequence diagram of a method 300 for operating an industrial network.
  • the method 300 in FIG. 3 is suitable for operating the industrial networks 100, 200 in FIGS. 1 and 2.
  • The method 300 shown in FIG. 3 is also suitable for operating the industrial networks of FIGS. 4 to 6, which are explained in the following.
  • In FIG. 3 the central control device 103, the access device 104 and the local interface 102 are shown symbolically side by side in a horizontal row.
  • a vertical time axis 310 shows a time sequence of the method 300.
  • The access request Q is transmitted from the access device 104 or the service personnel U to the central control device 103.
  • The access request Q can contain the requested access specifications S.
  • The access request Q is authenticated by the central control device 103.
  • The access specifications S are evaluated.
  • Pre-stored templates, e.g. on the database device 201 in FIG. 2, are determined which correspond to the access request or to the access specifications.
  • A trust level of the service personnel U is further determined.
  • On the basis of the access request Q, the central control device 103 creates in a next step 303 the access configuration K for setting up the local interface 102 for local access A to the network device 101.
  • The central control device 103 further creates the access data set T for the service personnel U.
  • The central control device 103 optionally creates an access account at the local interface 102 or at the access device 104 with which the service personnel U can dial into the network device 101 or the industrial network 100, 200.
  • The access device is, for example, a computer or a terminal which is connected to or integrated in the local interface 102.
  • The access configuration K is transmitted to the local interface 102 and instantiated there. In this way, the local interface 102 is set up for local access A to the network device 101.
  • The transmission of the access configuration K is encrypted and takes place via a private connection, e.g. as a VPN connection over the Internet.
  • The access token T is provided to the service personnel U.
  • The access token T can be communicated to the service personnel directly, for example via mobile radio or a VPN connection, or provided to the local interface 102 and/or to the access device 104.
  • The transmission of the access token T is encrypted.
  • The access token T contains access account information, including a user ID and a password, for dialing into the network device 101 or the industrial network 100, 200 using the access account.
  • The local access A to the network device 101 is carried out by the access device 104 via the local interface 102.
  • The local access A in particular enables maintenance, servicing or data queries to the network device 101.
  • After the local access A has ended, the local interface 102 is closed and locked against local access.
  • The access data set T is also deleted or deactivated, so that it is no longer valid.
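The controller-side sequence of FIG. 3, together with the template mechanism described for FIG. 2 above (authentication of the access request Q, evaluation of the access specifications S against the pre-stored templates, creation of the access configuration K and of the time-limited access data set T, and deactivation of T once the local access A has ended), carried through as an added Python example. This is not the patent's own code: the HMAC-based authentication of Q, the template contents, the field names of Q, K and T, and the use of epoch seconds for the validity window are assumptions made for the illustration.

```python
"""Central control device side of the access procedure of FIG. 3.

Added example, not the patent's code. The per-technician HMAC key used to
authenticate the access request Q, the template contents and the field names
of Q, K and T are assumptions made for this illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

HOUR = 3600  # validity windows are handled as epoch seconds (assumption)

# Constructed registry of service personnel: the shared key stands in for
# whatever credential the central control device 103 really verifies.
TECHNICIANS: Dict[str, dict] = {
    "tech-u": {"key": b"constructed-shared-secret", "trust_level": 2},
}

# Constructed pre-stored templates (database device 201), one per trust level.
TEMPLATES: Dict[int, dict] = {
    1: {"max_hours": 8, "services": {"read_statistics"}},
    2: {"max_hours": 24, "services": {"read_statistics", "inspect", "configure"}},
}


def sign_request(request: dict, key: bytes) -> str:
    """Access device side: MAC over a canonical encoding of Q."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def authenticate(request: dict, signature: str) -> Optional[dict]:
    """Authentication of Q: returns the technician record, or None if it fails."""
    tech = TECHNICIANS.get(request.get("user_id"))
    if tech is None:
        return None
    expected = sign_request(request, tech["key"])
    return tech if hmac.compare_digest(expected, signature) else None


def create_access_configuration(request: dict, trust_level: int) -> Optional[dict]:
    """Evaluate the access specifications S against the template of the trust level.

    The requested duration is capped by the template; a request for a service the
    template does not grant is refused outright rather than silently trimmed.
    """
    template = TEMPLATES[trust_level]
    spec = request["spec"]
    if not set(spec["services"]) <= template["services"]:
        return None
    return {
        "interface": spec["interface"],        # local interface K is instantiated on
        "device": spec["device"],              # the only network device reachable
        "access_device": spec["access_device"],
        "services": sorted(spec["services"]),
        "duration_hours": min(spec["duration_hours"], template["max_hours"]),
    }


def create_access_token(user_id: str, hours: int, now: float) -> dict:
    """The access data set T: user ID, fresh password, validity window."""
    return {
        "user_id": user_id,
        "password": secrets.token_urlsafe(24),
        "valid_from": now,
        "valid_until": now + hours * HOUR,
        "revoked": False,
    }


def token_valid(token: dict, now: float) -> bool:
    """Check performed at the local interface before any dial-in with T."""
    return (not token["revoked"]) and token["valid_from"] <= now < token["valid_until"]


def revoke(token: dict) -> None:
    """After local access A ends, T is deactivated even if its window is still open."""
    token["revoked"] = True
    token["password"] = None


def handle_access_request(request: dict, signature: str,
                          now: float) -> Tuple[Optional[dict], Optional[dict]]:
    """The whole controller-side sequence: (K, T) on success, (None, None) on refusal."""
    tech = authenticate(request, signature)
    if tech is None:
        return None, None
    config = create_access_configuration(request, tech["trust_level"])
    if config is None:
        return None, None
    token = create_access_token(request["user_id"], config["duration_hours"], now)
    return config, token
```

Two details are deliberate: a request that names a service outside the technician's template is refused rather than trimmed to what the template allows, so the technician learns that the request itself was wrong, and revocation after the access ends takes precedence over a validity window that is still open, which is what makes the "24 hours or 7 days" window an upper bound rather than the actual lifetime of T.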
  • The industrial networks of FIGS. 4 to 6 have all the features of the industrial network 100 shown in FIG. 1 and of the method for operating the industrial network 100 explained with reference to FIG.
  • FIG. 4 shows a schematic view of a third embodiment of an industrial network 400 with the access device 104.
  • The industrial network 400 comprises a wind farm with wind turbines 101a to 101c.
  • The wind turbines 101a-101c are each connected to a respective local interface 102a-102c which allows local access to the associated wind turbine 101a-101c.
  • The central control device 103 is designed as a server computer with appropriate computing power and storage capacity.
  • The access device 104 is a mobile computer that can be connected to the local interfaces 102a-102c.
  • FIG. 4 shows a local access A to the network device 101c from the mobile computer 104 via the local interface 102c.
  • An access request Q is transmitted from the mobile computer 104 to the server computer 103.
  • The server computer 103 evaluates the access request Q. After successful authentication of the access request Q, an access data set T is created and transmitted to the mobile computer 104. Further, the server computer 103 determines the access configuration K, which is transmitted to the local interface 102c and instantiated there.
  • The service personnel U connects the mobile computer 104 to the local interface 102c and dials into the industrial network 400 from the mobile computer 104 using the access data set T.
  • An operating system and various applications are started which are specified by the access configuration K and required for the local access. Further, a virtual sensor for detecting performance characteristics of the wind turbine 101c is instantiated.
  • The access configuration K is in particular designed such that the local access using the access data set T is limited to the local interface 102c and the associated wind turbine 101c.
  • A virtual network 401 is created which comprises only a part of the industrial network 400 and prevents access to the further network devices 101a, 101b by the service personnel.
  • Virtual network functions for the virtual network 401 are instantiated at the local interface 102c.
  • Network configuration technologies such as VPN, tunneling between network components and SDN are used to set up the virtual network 401.
  • A VPN-based connection is established over a WAN or the Internet without being accessible to unauthorized persons.
  • Tunneling allows two or more subscribers of the industrial network to communicate with each other via a connection (e.g. the Internet) that uses a different communication protocol than the industrial network.
  • SDN technology allows software-based configuration and structuring of the industrial network, in particular of virtual networks within the industrial network, by the central control device.
  • The virtual network functions include targeted control of the traffic between the mobile computer 104 and the wind turbine 101c, a restriction of the data traffic between the mobile computer 104 and the other wind turbines 101a, 101b of the industrial network 400, and a blocking of the other ports in order to prevent unauthorized access to the network devices 101a-101c or to the industrial network 400.
  • Further, a virtual industrial firewall between the Internet and the industrial network 400 or the virtual network 401 is instantiated in order to prevent unauthorized access from the Internet.
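The three virtual network functions named for the virtual network 401 (targeted control of the admitted traffic, restriction of traffic towards the other wind turbines, blocking of the remaining ports) plus the virtual industrial firewall towards the Internet, written out as an added Python example of the forwarding decision a local interface would make. This is not the patent's own code: the SDN-style rule model, the addresses, the service port and the stateful handling of replies are assumptions made for the illustration.

```python
"""Virtual network functions for the virtual network 401 of FIG. 4.

Added example, not the patent's code. Addresses, the service port and the
stateful treatment of reply traffic are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One SDN-style flow rule; None in a match field is a wildcard."""
    priority: int
    src: Optional[str]
    dst: Optional[str]
    dst_port: Optional[int]
    action: str  # "allow" or "drop"

    def matches(self, src: str, dst: str, dst_port: int) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.src, src), (self.dst, dst), (self.dst_port, dst_port)))


def build_flow_rules(config: dict) -> List[Rule]:
    """Translate the access configuration K into flow rules for the local interface."""
    access_dev, target = config["access_device"], config["device"]
    rules = []
    # Targeted control: only the services of K, only from the access device
    # to the one admitted wind turbine.
    for port in config["service_ports"]:
        rules.append(Rule(300, access_dev, target, port, "allow"))
    # Restriction: the other wind turbines are unreachable from the access device
    # in both directions, regardless of port.
    for other in config["other_devices"]:
        rules.append(Rule(200, access_dev, other, None, "drop"))
        rules.append(Rule(200, other, access_dev, None, "drop"))
    # Blocking of all other ports and paths: default drop.
    rules.append(Rule(0, None, None, None, "drop"))
    return sorted(rules, key=lambda r: -r.priority)


class VirtualNetwork:
    """Forwarding decision of the virtual network 401 at the local interface."""

    def __init__(self, config: dict):
        self.rules = build_flow_rules(config)
        self.plant: Set[str] = set(config["plant_addresses"])
        # (client, client_port, server, server_port) of flows admitted so far
        self.established: Set[Tuple[str, int, str, int]] = set()

    def forward(self, src: str, src_port: int, dst: str, dst_port: int) -> str:
        # Virtual industrial firewall: nothing that originates outside the plant
        # (i.e. from the Internet side) enters the virtual network.
        if src not in self.plant:
            return "drop"
        # Replies to an already admitted flow need no rule of their own; unsolicited
        # traffic from the turbine towards the access device still hits the rules.
        if (dst, dst_port, src, src_port) in self.established:
            return "allow"
        for rule in self.rules:
            if rule.matches(src, dst, dst_port):
                if rule.action == "allow":
                    self.established.add((src, src_port, dst, dst_port))
                return rule.action
        return "drop"


def example_config() -> dict:
    """Constructed K for the scenario of FIG. 4: access device 104, wind turbine 101c."""
    return {
        "access_device": "104",
        "device": "101c",
        "other_devices": ["101a", "101b"],
        "service_ports": [4840],  # constructed port of the one permitted service
        "plant_addresses": ["104", "101a", "101b", "101c"],
    }
```

The explicit drop rules for 101a and 101b are redundant with the default drop but are worth keeping: if a later template adds a broader allow rule by mistake, the higher-priority restriction still wins, which is the encapsulation property the description relies on.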
  • FIG. 5 shows a schematic view of a fourth embodiment of an industrial network 500 with the mobile computer 104 as access device.
  • FIG. 5 shows wind turbines 101 at two locations 501, 502.
  • The wind turbines 101 at a first location 501 are combined into a first subnetwork 503.
  • The first subnetwork 503 is connected to a first interface 504 which allows access to the first subnetwork 503 as well as to the network devices 101 of the first subnetwork 503.
  • Analogously, the wind turbines 101 at a second location 502 are combined into a second subnetwork 505, the second subnetwork 505 being connected to a second interface 506 via which access to the wind turbines 101 of the subnetwork 505 is possible.
  • FIG. 6 shows a schematic view of a fifth embodiment of an industrial network 600 with the mobile computer 104 as access device.
  • The network 600 comprises the wind turbines 101 of the first subnetwork 503 in FIG. 5.
  • FIG. 6 shows a local access A to the first subnetwork 503 of network devices 101 via the local interface 504.
  • A geographical distance DA between the first subnetwork 503 and the mobile computer 104 is several centimeters to several hundred meters.
  • A geographical distance DC between the first subnetwork 503 and the server computer 103 is several kilometers to several thousand kilometers.
  • The access A to the first subnetwork 503 takes place without routing via the server computer 103, so that the latency of the data transmission is shortened and packet loss and fluctuations (jitter) are reduced. Overall, the connection quality is therefore improved.
  • The server computer 103 is connected via a connection 601 to the mobile computer 104 and via a connection 602 to the first subnetwork 503.
  • The connections 601, 602 are made at least partially via the Internet.
  • The connection 601 represents a connection established by means of authentication.
  • The connection 602 can be a secured connection, for example of the leased-line type.
  • The connections 601, 602 can at least partially comprise an electrical, optical or electromagnetic line.
  • The connection via the interface 504 can also be designed as a VPN connection.
  • The central server computer 103 is integrated into the network in such a way that it can set up the interface 504.
  • The industrial networks 100, 200, 400, 500, 600 described above are preferably arranged so that connection and data transmission within the industrial network meet predefined requirements, e.g. a quality of service, or so that the connection quality is improved compared to routing via the central control device of the industrial network.
  • The encapsulation of the local access by the service personnel U increases the security of the respective industrial network.
  • The local access can be limited in time in order to exclude unnecessary access to the industrial network.
  • Although the present invention has been described on the basis of wind farms, it can be used in many ways, for example for production facilities, other installations (e.g. electricity, heat, water, oil or gas supply networks), transport networks or communication networks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/070506 WO2017041831A1 (de) 2015-09-08 2015-09-08 Verfahren zum betreiben eines industrienetzwerks und industrienetzwerk

Publications (1)

Publication Number Publication Date
EP3348032A1 true EP3348032A1 (de) 2018-07-18

Family

ID=54147151

Family Applications (1)

Application Number Title Priority Date Filing Date
EP15766084.6A Withdrawn EP3348032A1 (de) 2015-09-08 2015-09-08 Verfahren zum betreiben eines industrienetzwerks und industrienetzwerk

Country Status (4)

Country Link
US (1) US20180262502A1 (zh)
EP (1) EP3348032A1 (zh)
CN (1) CN107925651A (zh)
WO (1) WO2017041831A1 (zh)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR3079046B1 (fr) * 2018-03-14 2021-04-23 Safran Aircraft Engines Dispositifs et procede de telemaintenance securises de telemaintenance d'equipements industriels
EP3873034A1 (de) * 2020-02-28 2021-09-01 Siemens Aktiengesellschaft Verfahren und system zur erfassung von datenverkehr in einem kommunikationsnetz
CN114065274A (zh) * 2020-08-07 2022-02-18 伊姆西Ip控股有限责任公司 用于处理信息的方法、电子设备和计算机程序产品
CN112910847B (zh) * 2021-01-15 2023-04-07 北京开物数智科技有限公司 一种基于切片的工业网络安全实现方法

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7715414B1 (en) * 2005-08-02 2010-05-11 Sprint Communications Company L.P. Communication service provider that controls an access interface of an access provider where the access interface is located at a customer premise
CN101166344B (zh) * 2006-10-18 2011-04-20 鼎桥通信技术有限公司 恢复数据方式的选取方法及无线网络控制器
CN102056321B (zh) * 2009-10-30 2014-07-02 中兴通讯股份有限公司 一种实现本地接入的方法及系统
US9384339B2 (en) * 2012-01-13 2016-07-05 Telecommunication Systems, Inc. Authenticating cloud computing enabling secure services
US10139789B2 (en) * 2012-03-02 2018-11-27 Philips Lighting Holding B.V. System and method for access decision evaluation for building automation and control systems
US9276877B1 (en) * 2012-09-20 2016-03-01 Wiretap Ventures, LLC Data model for software defined networks
CN104184735B (zh) * 2014-08-26 2018-03-09 国网浙江省电力有限公司 电力营销移动应用安全防护系统

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO2017041831A1 *

Also Published As

Publication number Publication date
CN107925651A (zh) 2018-04-17
WO2017041831A1 (de) 2017-03-16
US20180262502A1 (en) 2018-09-13

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20180214

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
17Q First examination report despatched

Effective date: 20190711

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 29/08 20060101ALI20200317BHEP

Ipc: H04L 29/06 20060101AFI20200317BHEP

Ipc: H04L 12/24 20060101ALI20200317BHEP

INTG Intention to grant announced

Effective date: 20200331

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20200811