EP3456026A1 - Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system - Google Patents
Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-systemInfo
- Publication number
- EP3456026A1 EP3456026A1 EP17734702.8A EP17734702A EP3456026A1 EP 3456026 A1 EP3456026 A1 EP 3456026A1 EP 17734702 A EP17734702 A EP 17734702A EP 3456026 A1 EP3456026 A1 EP 3456026A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- communication
- communication device
- requesting user
- connection
- firewall system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/418—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
- G05B19/4185—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/25—Pc structure of the system
- G05B2219/25205—Encrypt communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Definitions
- Industrial automation systems are used to monitor, control and regulate technical processes, in particular in the area of production, process and building automation, and enable the operation of control devices, sensors, machines and industrial installations, which should be as independent as possible and independent of human intervention , Of particular importance is the provision of monitoring, control and regulation functions in real time. Disturbances of communication links between automation devices or computer units of an industrial automation system can lead to an adverse repetition of a transmission of a service request. In particular, messages that are not transmitted or that are not completely transmitted can prevent a transition or retention of an industrial automation system into a safe operating state and lead to a failure of an industrial plant. A particular problem arises in industrial automation systems from a message traffic with relatively many, but relatively short messages to be transmitted in real time.
- US8555373B2 discloses a firewall provided between a source device and a destination device, which comprises a hardware security component for checking data extracted from a data packet against a permissible list.
- the hardware security component performs a stateful audit for a protocol.
- the firewall can be configured as a security proxy and enable secured sessions between two participants by means of a software security component.
- the software security component uses the hardware security component to authenticate or decrypt packets that are to be checked and to encrypt certified packets.
- US7958549B2 describes a firewall with an encryption processor and a virtualized server.
- the encryption processor is upstream of the virtualized server and decrypts encrypted data packets, which are then forwarded to the virtualized server for processing.
- the encryption processor receives data packets processed by the virtualized server to encrypt this forwarding.
- VPN Virtual Private Network
- Rendezvous servers are provided for managing a plurality of VP connections of a remote maintenance system in which a plurality of remote maintenance computers outside an industrial communication network can be used to access various systems or plant components to be controlled within an industrial communication network.
- users of remote monitoring computers for example, log on to the rendezvous server with their respective user ID and request access to one of them Plant, plant component or a field device. If the login and request are successful, the rendezvous server initiates statically or dynamically the establishment of VPN communication connections between communication participants of a remote maintenance process and switches them together. As a result, an encrypted end-to-end communication connection is established between a remote maintenance computer on the one hand and a system, system component or a field device on the other.
- Such a tamper-proof end-to-end communication connection basically prevents control over data or information exchanged between the communication participants of a remote maintenance operation.
- it can not be readily checked whether, on the basis of a remote maintenance computer, unauthorized accesses are made to a plant, plant component or a field device, or whether approved communication or automation system protocols are used.
- the present invention is therefore based on the object of specifying a method for establishing secure communication links to an industrial communication system, which allows a secure data transmission with simultaneous verifiability of transmitted data on admissibility, as well as to provide a suitable device for carrying out the method.
- connection management device can be a rendezvous server.
- second communication devices can be integrated, for example, in automation devices or assigned to them.
- the connection management device performs an authorization check for the requesting user on the basis of an access control list.
- the access-to-contact list preferably includes user-specific information of permissible communication connections between at least one first communication device and at least one second communication device.
- the connection management device provides access control information for establishing an encrypted communication connection between the first communication device of the requesting user and the selected second communication device for these communication devices.
- the connection manager is formed by a server instance running on a firewall system.
- data packets transmitted via the encrypted communication connection between the first communication device of the requesting user and the selected second communication device are decrypted by the firewall system for a check based on defined security rules.
- the defined security rules can in particular govern firewall rules or rules via an sity of control commands specified in data packets or control parameters for automation devices.
- Data packets that have been successfully checked based on the defined security rules are forwarded by the firewall system to the first communication device of the requesting user or the selected second communication device. In this way, data traffic between the first communication device of the requesting user and the selected second communication device can be checked bidirectionally.
- the firewall system is preferably arranged in a secure communication network of the industrial automation system and advantageously discards data packets that do not correspond to the defined security rules.
- a security alarm could, for example, also be generated.
- the communication connections established via the connection management device between first communication devices and second communication devices are virtual private network connections.
- the authorization check comprises an authentication of the requesting user to the connection management Facility .
- the connection management device provides access control information for using a virtual private network connection between the first communication device of the requesting user and the selected second communication device to the requesting user only after authentication of the requesting user.
- the access control information may comprise, for example, cryptographic keys or passwords for VPN sessions or temporarily valid passwords.
- the checking by the firewall system based on the established security rules comprises checking passwords for VPN sessions or temporary passwords for correctness, and the firewall system discards data packets for the transmission of which incorrect passwords have been specified are.
- the connection management device establishes in each case an encrypted communication connection to the first communication device of the requesting user and to the selected second communication device in the case of a positive authorization checking result and links these communication links to one another.
- the data packets transmitted via the encrypted communication connection between the first communication device of the requesting user and the selected second communication device are preferably decrypted by the firewall system and checked on the basis of the defined security rules; Data packets that have been successfully checked based on the defined security rules are also encrypted by the firewall system.
- a decryption or encryption of data packets by the firewall system is hardware-based.
- the firewall system is provided for carrying out a method according to the preceding statements and designed and set up for a check of data packets based on defined security rules, in particular by configuration.
- the firewall system is designed and set up for an expiry of at least one server instance.
- a connection management device is formed, which is designed and set up for a communication connection setup of first communication devices outside an industrial automation system to the second communication devices assigned to the industrial automation system.
- the connection management device is additionally designed and set up to carry out an authorization check for the requesting user on request of a connection setup to a selected second communication device by a requesting user of a first communication device on the basis of an access control list.
- connection management device is additionally designed and set up to provide access control information for setting up an encrypted communication connection between the first communication device of the requesting user and the selected second communication device for these communication devices in the case of a positive authorization check result.
- the firewall system is additionally designed and set up for this purpose, via an encrypted communication connection between the first communication device of the requesting user or the selected second communication device transmitted data packets for based on the specified security rules review decrypt.
- the firewall system is additionally configured and configured to forward data packets encrypted successfully to the first communication device of the requesting user or to the selected second communication device based on the defined security rules.
- Figure an arrangement with several remote maintenance computers outside an industrial automation system and a firewall system and several automation somatization devices within the industrial
- the arrangement shown in the figure comprises a plurality of remote maintenance computers 101-103, which are connected via a wide area network 400 to a communication network of an industrial automation system 200.
- the remote maintenance computer 101 - 103 may be configured, for example, as a PC, laptop or tablet PC.
- the industrial automation system 200 includes a firewall system 300 for protection against unauthorized message traffic, which checks in particular in the industrial automation system 200 incoming data packets based on defined security rules.
- these security rules include standard firewall rules and rules for permitting control commands or control parameters for automation devices 201-202 of the industrial automation system 200 given in data packets.
- the long-distance network 400 can be, for example, a mobile radio network or an IP-based communications network.
- the automation devices 201-202 each comprise integrated or associated communication modules or devices and may be programmable logic controllers or PC-based controls of a machine or a technical installation, for example a robot or a conveyor.
- the automation devices 201-202 each comprise at least one central unit and an input / output unit.
- the input / output units are used to exchange control and measured variables between the respective automation device 201-202 and a machine or device controlled by the automation device 201-202.
- the central units of the programmable controllers 201-202 are provided in particular for determining suitable control variables from detected measured variables.
- the firewall system 300 is computer-based and in the present embodiment includes a hypervisor 301 as a hardware abstraction element between actual hardware of the firewall system and firewall system 300 installable, executable operating systems.
- a hypervisor 301 allows deployment of a virtual environment that includes partitioned hardware resources such as processor, memory, or peripherals.
- other known virtualization concepts can in principle also be used as hardware abstraction means for providing server instances 311, 321 running on the firewall system 300.
- the hypervisor 301 is a component of the firewall system 300. This also applies to a hardware-implemented cryptology component 302, which is shown remote from the firewall system 300 in the figure, but encompassed by the firewall system 300.
- Such a server instance running on the firewall system 300 forms a rendezvous server 311 as connection management device.
- the rendezvous server 311 is provided and configured to set up, manage, and control communication links from first communication devices outside the industrial automation system 200 to the second communication devices associated with the industrial automation system 200.
- the first communication devices include the remote maintenance computers 101-103, while second communication devices are the communication devices or modules assigned to or covered by the automation devices 201-202.
- the rendezvous server 311 performs an authorization check for the requesting user with respect to the selected automation device 201 on the basis of an access control list 312 managed by the rendezvous server 311.
- the access control list 312 comprises user-specific data of permissible communication connections between at least one first communication device and at least one second communication device.
- the rendezvous server 311 sets access control informational 112, 211 for establishing an encrypted communication connection 500 between the remote maintenance computer 101 of the requesting user and the selected automation device 201 for these communication participants ready.
- encrypted communication links established between remote maintenance computers 101-103 and automation devices 201-202 are VPN connections (Virtual Private Network). Therefore, the access control information 112, 211 preferably includes cryptographic keys for VPN sessions or temporary passwords.
- the authorization check comprises an authentication of the requesting user to the rendezvous server 311, which only after an authentication of the requesting user access control information 112 to use a VPN connection between the
- Remote maintenance computer 101 of the requesting user and the selected automation device 201 to the requesting user provides.
- Data packets 113, 212 transmitted via the VPN connection 500 between the remote maintenance computer 101 of the requesting user and the selected automation device 201 are decrypted by the firewall system 300 and checked on the basis of the defined security rules.
- Data packets that have been successfully checked on the basis of the defined security rules are re-encrypted by the firewall system 300 and forwarded to the remote maintenance computer 101 of the requesting user or to the selected automation device 201.
- Decryption or encryption of data packets to be checked or checked is performed by the firewall system 300 in a hardware-based manner.
- the hardware-implemented cryptology component 302 comprised by the firewall system 300 is provided for this purpose. Not in accordance with the established safety rules pending data packets are discarded by the firewall system 300.
- the checking by the firewall system 300 which is based on the defined security rules, also includes a checking of passwords for VPN sessions or temporarily valid passwords for correctness.
- the firewall system discards 300 data packets discarded for the transmission of incorrect passwords have been specified.
- the VPN connection 500 established between the remote maintenance computer 101 of the requesting user and the selected automation device 201 may comprise two VPN sub-connections, which terminate at the rendezvous server 311.
- the rendezvous server 311 builds in each case an encrypted communication connection to the remote maintenance computer 101 of the requesting user and to the selected automation device 201 in the case of a positive authorization checking result, and links these communication connections to one another.
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Manufacturing & Machinery (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP16179006.8A EP3270560B1 (de) | 2016-07-12 | 2016-07-12 | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system |
PCT/EP2017/065844 WO2018010949A1 (de) | 2016-07-12 | 2017-06-27 | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3456026A1 true EP3456026A1 (de) | 2019-03-20 |
Family
ID=56571133
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16179006.8A Active EP3270560B1 (de) | 2016-07-12 | 2016-07-12 | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system |
EP17734702.8A Withdrawn EP3456026A1 (de) | 2016-07-12 | 2017-06-27 | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP16179006.8A Active EP3270560B1 (de) | 2016-07-12 | 2016-07-12 | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system |
Country Status (4)
Country | Link |
---|---|
US (1) | US11209803B2 (de) |
EP (2) | EP3270560B1 (de) |
CN (1) | CN109479056B (de) |
WO (1) | WO2018010949A1 (de) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3451606A1 (de) * | 2017-08-30 | 2019-03-06 | Siemens Aktiengesellschaft | Verfahren zur überprüfung von innerhalb eines industriellen automatisierungssystems übermittelten datagrammen und automatisierungs- und/oder kommunikationsgerät |
DE102019005601A1 (de) * | 2018-08-13 | 2020-02-13 | Löwenstein Medical Technology S.A. | Verfahren zur sicheren Kommunikation in einem Beatmungssystem |
CN111917689B (zh) * | 2019-05-08 | 2023-02-03 | 创升益世(东莞)智能自控有限公司 | 一种应用于工业互联网的虚拟主机系统 |
EP3767910A1 (de) | 2019-07-19 | 2021-01-20 | Siemens Aktiengesellschaft | Verfahren zur konfiguration von firewall-einrichtungen für ein kommunikationsnetz und kommunikationsnetz-management-system |
EP3798767B1 (de) * | 2019-09-24 | 2022-03-02 | Siemens Aktiengesellschaft | Verfahren und anordnung zur kontrolle des datenaustauschs eines industriellen edge-gerätes |
CN111142480B (zh) * | 2019-12-09 | 2023-04-25 | 南京国电南自维美德自动化有限公司 | 一种过程控制站安全通讯方法、系统及分散控制系统 |
EP3934192A1 (de) | 2020-06-29 | 2022-01-05 | Siemens Aktiengesellschaft | Verfahren zum aufbau einer verbindung zwischen einem kommunikationsgerät und einem server und proxy |
EP3974972A1 (de) | 2020-09-24 | 2022-03-30 | Siemens Aktiengesellschaft | Kommunikationsgerät, kommunikationssystem und verfahren zum betrieb eines kommunikationsgeräts |
US11863560B2 (en) * | 2021-07-15 | 2024-01-02 | Rockwell Automation Technologies, Inc. | Industrial automation secure remote access |
US11652800B1 (en) * | 2022-10-03 | 2023-05-16 | Uab 360 It | Secure connections between servers in a virtual private network |
DE102022125633A1 (de) | 2022-10-05 | 2024-04-11 | Tk Elevator Innovation And Operations Gmbh | Netzwerksystem zur Errichtung einer Mobilfunkverbindung in einem Aufzugschacht |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6226372B1 (en) * | 1998-12-11 | 2001-05-01 | Securelogix Corporation | Tightly integrated cooperative telecommunications firewall and scanner with distributed capabilities |
CN100384191C (zh) * | 1999-06-10 | 2008-04-23 | 阿尔卡塔尔互联网运行公司 | 基于策略的网络体系结构 |
US8719562B2 (en) * | 2002-10-25 | 2014-05-06 | William M. Randle | Secure service network and user gateway |
JP3794491B2 (ja) | 2002-08-20 | 2006-07-05 | 日本電気株式会社 | 攻撃防御システムおよび攻撃防御方法 |
US7346922B2 (en) * | 2003-07-25 | 2008-03-18 | Netclarity, Inc. | Proactive network security system to protect against hackers |
JP4327630B2 (ja) * | 2004-03-22 | 2009-09-09 | 株式会社日立製作所 | インターネット・プロトコルを用いたストレージエリア・ネットワーク・システム、セキュリティ・システム、セキュリティ管理プログラム、ストレージ装置 |
US9202084B2 (en) * | 2006-02-01 | 2015-12-01 | Newsilike Media Group, Inc. | Security facility for maintaining health care data pools |
US20080062167A1 (en) * | 2006-09-13 | 2008-03-13 | International Design And Construction Online, Inc. | Computer-based system and method for providing situational awareness for a structure using three-dimensional modeling |
GB0623101D0 (en) * | 2006-11-20 | 2006-12-27 | British Telecomm | Secure network architecture |
US20080155647A1 (en) * | 2006-11-28 | 2008-06-26 | Toui Miyawaki | Access control system |
US8214635B2 (en) * | 2006-11-28 | 2012-07-03 | Cisco Technology, Inc. | Transparent proxy of encrypted sessions |
US8555373B2 (en) | 2008-02-14 | 2013-10-08 | Rockwell Automation Technologies, Inc. | Network security module for Ethernet-receiving industrial control devices |
US9369299B2 (en) * | 2008-06-10 | 2016-06-14 | Bradford Networks, Inc. | Network access control system and method for devices connecting to network using remote access control methods |
JP5531791B2 (ja) * | 2009-09-08 | 2014-06-25 | 株式会社リコー | 印刷システム、印刷制御装置および印刷制御方法 |
US8756411B2 (en) * | 2010-12-06 | 2014-06-17 | Siemens Aktiengesellschaft | Application layer security proxy for automation and control system networks |
US20120266209A1 (en) * | 2012-06-11 | 2012-10-18 | David Jeffrey Gooding | Method of Secure Electric Power Grid Operations Using Common Cyber Security Services |
US9602498B2 (en) * | 2013-10-17 | 2017-03-21 | Fortinet, Inc. | Inline inspection of security protocols |
US9870476B2 (en) * | 2014-09-23 | 2018-01-16 | Accenture Global Services Limited | Industrial security agent platform |
US9998431B2 (en) * | 2015-06-09 | 2018-06-12 | Intel Corporation | System, apparatus and method for secure network bridging using a rendezvous service and multiple key distribution servers |
GB201512022D0 (en) * | 2015-07-09 | 2015-08-19 | Level 3 Comm Uk Ltd | Dynamic packet routing |
US11144911B2 (en) * | 2016-06-20 | 2021-10-12 | Intel Corporation | Technologies for device commissioning |
-
2016
- 2016-07-12 EP EP16179006.8A patent/EP3270560B1/de active Active
-
2017
- 2017-06-27 EP EP17734702.8A patent/EP3456026A1/de not_active Withdrawn
- 2017-06-27 CN CN201780043441.1A patent/CN109479056B/zh active Active
- 2017-06-27 US US16/316,845 patent/US11209803B2/en active Active
- 2017-06-27 WO PCT/EP2017/065844 patent/WO2018010949A1/de active Search and Examination
Also Published As
Publication number | Publication date |
---|---|
CN109479056B (zh) | 2019-11-19 |
US11209803B2 (en) | 2021-12-28 |
EP3270560A1 (de) | 2018-01-17 |
CN109479056A (zh) | 2019-03-15 |
US20190317481A1 (en) | 2019-10-17 |
EP3270560B1 (de) | 2020-03-25 |
WO2018010949A1 (de) | 2018-01-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3270560B1 (de) | Verfahren zum aufbau gesicherter kommunikationsverbindungen zu einem industriellen automatisierungssystem und firewall-system | |
DE102017124866A1 (de) | Gesicherte Prozesssteuerkommunikationen | |
DE102017124821A1 (de) | Veröffentlichung von daten über eine datendiode für gesicherte prozesssteuerungskommunikationen | |
EP2586178B1 (de) | Verfahren zur manipulationsgesicherten schlüsselverwaltung | |
EP3518492B1 (de) | Verfahren und system zur offenlegung mindestens eines kryptographischen schlüssels | |
EP2572494B1 (de) | Verfahren und system zur sicheren datenübertragung mit einer vpn- box | |
EP3646559B1 (de) | Verfahren zur überprüfung von innerhalb eines industriellen automatisierungssystems übermittelten datagrammen und automatisierungs- und/oder kommunikationsgerät | |
EP3763089B1 (de) | Verfahren und steuersystem zum steuern und/oder überwachen von geräten | |
EP3562115A1 (de) | Geschützte übertragung von daten mit hilfe post-quanten kryptographie | |
DE102017223099A1 (de) | Vorrichtung und Verfahren zum Übertragen von Daten zwischen einem ersten und einem zweiten Netzwerk | |
EP3559854B1 (de) | Sicherheitsgerät und feldbussystem zur unterstützung einer sicheren kommunikation über einen feldbus | |
EP3759958B1 (de) | Verfahren, vorrichtung und computerprogrammprodukt zur überwachung einer verschlüsselten verbindung in einem netzwerk | |
DE102015200279A1 (de) | Einwegübertragungseinrichtung, Vorrichtung undVerfahren zum rückwirkungsfreien Erfassen von Daten | |
EP2407843A1 (de) | Sichere Datenübertragung in einem Automatisierungsnetzwerk | |
EP3556047A1 (de) | Programmierbares hardware-sicherheitsmodul und verfahren auf einem programmierbaren hardware-sicherheitsmodul | |
EP3105898B1 (de) | Verfahren zur kommunikation zwischen abgesicherten computersystemen sowie computernetz-infrastruktur | |
EP3613193A1 (de) | Verfahren, vorrichtungen und computerprogrammprodukt zur überprüfung von verbindungsparametern einer kryptographisch geschützten kommunikationsverbindung während des verbindungsaufbaus | |
EP3171570B1 (de) | Vorrichtung und verfahren zum anpassen von berechtigungsinformationen eines endgeräts | |
EP3525390A1 (de) | Einrichtung und verfahren zum bereitstellen mindestens eines sicheren kryptographischen schlüssels für den durch ein steuergerät initiierten kryptographischen schutz von daten | |
EP3895387B1 (de) | Kommunikationsmodul | |
EP3418832A1 (de) | Sichere echtzeitbasierte datenübertragung | |
EP3767910A1 (de) | Verfahren zur konfiguration von firewall-einrichtungen für ein kommunikationsnetz und kommunikationsnetz-management-system | |
WO2014206451A1 (de) | Verfahren und vorrichtung zum sicheren übertragen von signaldaten in einer anlage | |
EP3840283A1 (de) | Verfahren zum übertragen von nachrichten zwischen zwei kommunikationseinrichtungen | |
WO2014195360A1 (de) | Verfahren zum sicheren betrieb einer verschlüsselten verbindung zwischen einem clientsystem und einem serversystem |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: UNKNOWN |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20181211 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
DAV | Request for validation of the european patent (deleted) | ||
DAX | Request for extension of the european patent (deleted) | ||
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20191209 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20200603 |