EP4147096A1 - Retrofit module for a field device, and field device of modular design - Google Patents

Retrofit module for a field device, and field device of modular design

Info

Publication number
EP4147096A1
Authority
EP
European Patent Office
Prior art keywords
module
field device
retrofit
security
retrofit module
Legal status
Pending
Application number
EP20724081.3A
Other languages
German (de)
English (en)
Inventor
Roland Welle
Current Assignee
Vega Grieshaber KG
Original Assignee
Vega Grieshaber KG
Application filed by Vega Grieshaber KG

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0428 Safety, monitoring
    • H ELECTRICITY
    • H05 ELECTRIC TECHNIQUES NOT OTHERWISE PROVIDED FOR
    • H05K PRINTED CIRCUITS; CASINGS OR CONSTRUCTIONAL DETAILS OF ELECTRIC APPARATUS; MANUFACTURE OF ASSEMBLAGES OF ELECTRICAL COMPONENTS
    • H05K5/00 Casings, cabinets or drawers for electric apparatus
    • H05K5/02 Details
    • H05K5/0217 Mechanical details of casings
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • H ELECTRICITY
    • H05 ELECTRIC TECHNIQUES NOT OTHERWISE PROVIDED FOR
    • H05K PRINTED CIRCUITS; CASINGS OR CONSTRUCTIONAL DETAILS OF ELECTRIC APPARATUS; MANUFACTURE OF ASSEMBLAGES OF ELECTRICAL COMPONENTS
    • H05K5/00 Casings, cabinets or drawers for electric apparatus
    • H05K5/02 Details
    • H05K5/0208 Interlock mechanisms; Means for avoiding unauthorised use or function, e.g. tamperproof

Definitions

  • field device subsumes various technical facilities that are directly related to a production process. Field devices can thus in particular be actuators, sensors and measuring transducers and / or evaluation devices.
  • a further area of application results from the recently available autarkic field devices, in particular autarkic sensors.
  • Sensors, i.e. field devices from this product family, are particularly easy to install because no communication or supply line has to be attached.
  • The measured values determined by these field devices are typically transferred to a cloud, i.e. to a server on the World Wide Web, using narrowband radio technology (LoRa, Sigfox, NB-IoT).
  • Typical application scenarios for such field devices include areas such as flood forecasting, inventory management or other decentralized measurement tasks. Due to the direct connection to the World Wide Web, such field devices are inherently exposed to a permanent threat from hacker attacks from the network.
  • Legislators are also formulating new requirements for the operators and manufacturers of devices, which pursue the goal of making critical infrastructure facilities (KRITIS) such as energy (electricity, gas, oil), transport (air, rail, water, road), drinking water supply and digital infrastructure resistant to negligent or willful hacker attacks.
  • An example of this is Directive 2016/1148 (NIS Directive) passed by the European Parliament, which has since been implemented into national law by the member states of the European Union.
  • the cyber security standards that have existed for a long time (e.g. IEC 62443, ISO 27001) require that the devices used there meet a standardized IT security level, also known as the Security Level (SL).
  • IEC 62443 (as of 08/2013) has defined the following security levels, which are classified according to the means available to the attacker, the material and financial resources available, the technical skills and the underlying motivation.
  • The security level SL0 is a purely theoretical construct with no risk of impairment or manipulation, and therefore no measures are necessary.
  • the security level SL1 describes the ability of a system to avoid accidental and unintended impairment or manipulation.
  • the security level SL2 describes the ability of a system to defend against intentional manipulations by interested individuals and companies with generic security knowledge.
  • the security level SL3 describes the ability of a system to fend off intentional manipulations by experts and companies who develop and use effective, but cost-oriented attack scenarios with clear goals.
  • the security level SL4 describes the ability of a system to defend against intentional manipulations by organizations with experts, who focus on achieving the specifically selected target at almost any price.
  • A retrofit module according to the invention for a field device of process automation technology is characterized in that the retrofit module has a security module, the security module cooperating with the field device electronics in such a way that a specified IT security level is achieved.
  • Both new devices and existing devices can be provided with an adapted IT security module that implements a desired IT security level as required.
  • the basic idea of the present invention is to provide a retrofit module and thus to design new devices or existing devices in such a way that they are able to implement specified IT security levels.
  • a corresponding retrofit module can be used particularly well with modular field devices.
  • Field devices with a modular structure are put together from a modular field device concept.
  • a number of combinable sensors, housings, electronic units and operating and / or display units can be selected and a corresponding field device can be constructed.
  • Such a modular field device concept is offered by the company Vega Grieshaber KG, for example.
  • A sensor, a corresponding electronics module that provides measured value processing and an interface to a controller or, where applicable, to the fieldbus used, as well as various display and/or operating units can be combined.
  • The sensors, electronics modules and display and/or operating units are adapted both to one another and to the different housings available.
  • the retrofit module can have a plurality of functional units for implementing the specified IT security level. In this way, several different retrofit modules with different functional units can be made available, which implement different IT security levels in cooperation with a field device.
  • a retrofit module can be designed in such a way that it can implement several different IT security levels in conjunction with a field device. In this context, this means that at least two different IT security levels can be implemented using at least two functional units.
  • individual functional units that are not required or not permitted for implementing a certain IT security level can be deactivated or required or prescribed functional units activated so that several different IT security levels can be implemented with one retrofit module.
  • functional units are understood to mean function blocks implemented in hardware or software, which are decisive for compliance with the specified IT security levels.
  • IT security levels of different heights usually differ in at least one functional unit, i.e. to implement one IT security level, at least one functional unit is activated or deactivated that is correspondingly not activated or deactivated for the implementation of another IT security level.
  • the IT security levels on which this application is based can relate to various aspects of IT security and can be implemented using various measures that are summarized in the functional units in the present application.
  • Aspects of IT security that can be implemented in the IT security levels that are the subject of this application include various levels of identification and authentication of users, devices and software, usage control, securing the communication of the field device with regard to authentication and integrity, as well as, for example, required reaction times.
  • the retrofit module can have a first electrical interface for connecting the field device electronics of the fill level measuring device and a communication module for connecting to a higher-level unit.
  • the retrofit module can be connected to the field device electronics, preferably a communication interface, more preferably a wired communication interface of the field device electronics.
  • the retrofit module can use the communication module to establish external communication. Outwardly means in this sense to a unit outside the field device, in particular a higher-level unit, a control device or other field devices.
  • Higher-level units can be evaluation devices and computers, for example in a control room, as well as servers in a LAN (Local Area Network) or WAN (Wide Area Network) environment. This also applies to devices in virtual private networks (VPN).
  • the first interface of the retrofit module is preferably designed for connection to the communication interface of the field device. In this way, a simple connection of the retrofit module with the field device electronics is made possible. If necessary, existing plug-in contacts or connection terminals can be used for this purpose and thus a direct connection of the retrofit module to the field device electronics can be implemented.
  • If the communication interface of the field device is a wired interface and it is connected to the retrofit module in this way, a suitable configuration of the connection can also ensure that no other, possibly unsecured, communication connections to the outside are established from the communication interface of the field device.
  • If the one slot of the communication interface is occupied by the retrofit module connected to it, there is no further connection option.
  • A connection between the first interface and the communication interface can be designed to be mechanically irreversible. This means that once the connection has been established, it cannot be broken: the connection cannot be released without destroying it, or at least not without a detectable break in the security level. This can be achieved, for example, in that a connection between the first interface and the communication interface irreversibly interrupts a connection between the field device electronics and the higher-level unit. If the connection to the retrofit module is released again, the direct connection between the field device electronics and the higher-level unit is also interrupted, which can be detected by the latter, for example.
  • the retrofit module can have a mechanical interface for irreversible connection with the level measuring device.
  • a mechanically irreversible connection ensures that the connection between the level measuring device and the retrofit module can no longer be released and thus the retrofit module can no longer be removed.
  • the mechanically irreversible connection between the retrofit module and the field device can irreversibly anchor the retrofit module, for example, in a housing chamber in which it is arranged. This means that once the retrofit module has been properly installed, it can no longer be removed.
  • the mechanically irreversible connection can, for example, be designed as an irreversible snap-in connection and / or an irreversible screw connection and / or an irreversible adhesive connection and / or comprise an irreversible barrier.
  • An irreversible barrier can, for example, be a housing cover that irreversibly closes a housing chamber in which the retrofit module is arranged.
  • The original housing cover can be exchanged for a self-locking one.
  • a self-locking cover can, for example, have latching hooks or the like which prevent the cover from opening after it has been completely closed for the first time. Additionally or alternatively, the self-locking cover can have an adhesive bond that fixes the cover in a screwed position.
  • the retrofit module has a crypto module for signing and / or encrypting data.
  • a recipient can use a signature to ensure that data originate from a specific originator, in this case the retrofit module and indirectly from the field device equipped with it. Furthermore, the data integrity can be ensured, i.e. a recipient of the data can verify that the data has not been changed since it was signed by the sender, i.e. the retrofit module. Overall, the data transmission from the field device, which is equipped with the retrofit module, to higher-level units can thus be configured more securely through such a crypto module.
  • The crypto module does not necessarily perform encryption; simply providing the transmitted data with a signature can be the task of a crypto module in the sense of the present application.
  • The crypto module can be designed both as a hardware module and as a software module, i.e. it can be designed such that the signing and/or encryption of the data is accomplished by hardware components, in particular a dedicated crypto chip, or by software components, i.e. corresponding computer program code executed by a processor.
  • Software components are understood to mean parts or modules of software, i.e. computer program code which, when executed by a processor, causes the processor to execute commands for realizing the desired functionality of the software component.
  • the retrofit module can additionally or alternatively have an authentication module.
  • An authentication module can comprise various components depending on the desired IT security level. For example, it can have user and password management, authorization management, a module for multi-factor authentication, and any hardware interfaces required for this.
  • Corresponding hardware interfaces can, for example, be sensors for presence detection, input fields for a PIN, sensors for biometric data, for example fingerprint sensors or retina scanners, and/or interfaces for reading out mechanical keys and/or electrically readable tokens, in particular NFC interfaces for reading out NFC tokens or the like.
  • the user authentication can not only include an authentication of operating personnel, but can also implement an authentication of authorized operating devices and / or communication partners.
  • the retrofit module can also have an authentication interface for an external, second authentication module.
  • an external, second authentication module can, for example, be an authentication module of an operator control device, so that the user authentication on the operator control device is also taken over for the field device, provided that the operator control device has sufficiently authenticated itself to the retrofit module.
  • Authentication can thus take place not only for operators but also for devices that communicate with the field device.
  • the authentication module can also be designed as a hardware component and, if no hardware is required, also as a software component.
  • the retrofit module can have a firewall, in particular a packet filter.
  • With a firewall functionality, it can be ensured that only authorized users can establish a connection to the retrofit module and thus to the field device (connection filter), or that only harmless packets pass through the retrofit module and thus reach the field device for further processing.
  • the retrofit module can be designed as a display and / or operating module, or alternatively have one.
  • A regularly available display and/or operating module can be replaced by the retrofit module, which is designed as a display and/or operating module, or by a display and/or operating module that includes the retrofit module.
  • The security module can have a plurality of functional units for implementing a plurality of predefined IT security levels of different heights; the security module has a selection element for selecting an IT security level, and, based on the selection, the functional units necessary for implementing the selected IT security level are activated and/or unnecessary functional units are deactivated.
  • Activation and deactivation relate to operation, i.e. the switched-on state of the retrofit module or field device, and in this context mean a persistent commissioning or decommissioning of the respective functional units. Deactivation or, in other words, switching off the entire field device has no influence on the status of the functional units after the field device is switched on again.
  • the security module is designed in such a way that the IT security level can be selected once.
  • the IT security level can be selected once and then fixed, i.e. unchangeable.
  • the IT security level can be selected once by the user.
  • The retrofit module can have no IT security level preset, or an IT security level preset by the manufacturer, which can then be changed once by the user.
  • a one-time selection by the user can in particular mean that a subsequent change to the IT security level by the user is not possible.
  • a distinction can be made between a user-side change in the IT security level and an administrator-side change in the IT security level. This means that in one embodiment it can be provided that an administrator can change the IT security level even after the initial setting during commissioning. For this purpose, however, it can be provided, for example, that in addition to authentication as an administrator, this can only be done with a device-specific unlock code and / or with an additional manufacturer-side release.
  • the security module can be designed in such a way that a selection of the IT security level is possible and particularly necessary when the field device provided with the retrofit module is put into operation.
  • the operator of a system can be urged to select the appropriate security level when commissioning a new or retrofitted field device. This is then set and specified during commissioning.
  • The IT security level can be subsequently changed by resetting the field device to the factory settings, i.e. to the delivery state, which is thus associated with renewed commissioning.
  • a one-time selection option can be implemented, for example, in that the selection element is designed to be mechanically irreversible.
  • A mechanically irreversible design of the selection element can, for example, be achieved by a suitable latching of a setting that has been made once. Such a latching can, for example, be designed in such a way that the selection element can only be changed to a higher IT security level.
  • The selection element can also be mechanically fixed, for example glued or otherwise fixed.
  • a mechanical selection element can also have a predetermined breaking point, that is, the selection element breaks off when the IT security level is set for the first time by the user when it is set at this predetermined breaking point, thus making a subsequent change to the IT security level impossible.
  • the security module can be designed in such a way that a selection of the IT security level is electronically irreversible. This can be achieved, for example, by interrupting the electrical connections required for this after the selection element has been read out for the first time. This can be done, for example, by deliberately interrupting fuses installed there or otherwise destroying the electrical readability of the selection element. Additionally or alternatively, when the IT security level is set, functional elements that are deactivated to implement the selected IT security level can be prevented from reactivating by permanently interrupting the electrical connection to these functional elements.
  • For example, a radio interface is put out of operation.
  • reactivation of the radio interface can be prevented by, for example, permanently interrupting an electrical connection to the radio interface or, for example, making a transmission element deliberately dysfunctional.
  • the security module can be designed in such a way that a selection of the IT security level is irreversible in terms of software. For example, part of a program code that reads out the selection element and sets the IT security level can be deleted or otherwise changed after the IT security level has been set successfully so that the selection element cannot be read out again. In this embodiment, the selection element could then - unless a change is also prevented at this point - be adjusted to the selection of a different IT security level compared to the set IT security level, but this changed selection is no longer read out and the IT security level is therefore not adjusted.
  • the retrofit module has the lowest IT security level upon delivery and the security module is designed in such a way that only an increase in the IT security level is possible.
  • This functionality can be achieved both by a suitable design of the hardware, for example the selection element, and by a suitable software implementation.
  • the retrofit module is delivered in the highest IT security level, and only a lowering of the IT security level is possible.
  • the selection element can be designed as a hardware switch, preferably as a slide switch or rotary switch. With such a hardware switch, the IT security level can be selected intuitively and in a user-friendly manner.
  • a configuration of the selection element implemented in hardware can provide effective protection against network-based attacks and thus contribute to securing the field device.
  • the selection element can be configured as a selection menu in a user interface.
  • the process of commissioning the retrofit module or the field device provided with the retrofit module typically includes various parameterization steps into which a selection of the IT security level can be seamlessly inserted in this way.
  • the selection element can control a multiplexer that is connected to the functional units for implementing the IT security level, at least in the delivery state.
  • the various functional units for implementing the IT security level can be activated or deactivated via a suitable control of the multiplexer.
  • the retrofit module can also include a firmware update for the existing field device.
  • a firmware update for the field device can, for example, ensure that, for example, the field device electronics - depending on the selected security level - only certain communication channels, remote stations or add-on modules are accepted and / or a deinstallation of the retrofit module is refused.
  • A modular field device of process automation technology with field device electronics having at least one communication interface, the field device having a retrofit module according to one of the preceding claims, which is connected to the communication interface of the field device electronics.
  • FIG. 2 shows an embodiment according to the present application
  • FIG. 3 shows a third exemplary embodiment of a field device according to the present application with a retrofit module
  • FIG. 4 shows an exemplary embodiment for a method according to the present application.
  • The exemplary embodiments of field devices shown below show exemplary implementations of IT security levels SL based on the definitions of the IEC 62443 standard, or of future standards with comparable concepts for the standardized definition of security levels, in accordance with the understanding of the present invention.
  • Provision can be made to combine existing IT security levels SL in future standards in order, for example, to redefine IT security levels SL according to the scheme BASIC (corresponding to SL0 + SL1), SUBSTANTIAL (corresponding to SL2 + SL3) and HIGH (corresponding to SL4).
  • FIG. 1 shows two field devices 101, 102 according to the prior art.
  • Figure 1a shows a wired field device 101, which is designed as a radar level measuring device.
  • the field device 101 draws its energy necessary for operation via a cable connection 104, usually an analog or digital connection 104.
  • the field device 101 is embodied in the present case as a two-wire field device.
  • a two-wire field device is understood to mean a field device that is connected to a higher-level unit via two lines, both of which are used for energy supply and for transmission of measured values.
  • The energy and/or signal transmission between the two-wire field device and the higher-level units takes place according to the known 4 mA to 20 mA standard, in which a 4 mA to 20 mA current loop, i.e. a two-wire line, is formed between the field device and the higher-level unit.
  • It is possible for the measuring devices to transmit further information to the higher-level unit, or to receive it from it, in accordance with various other protocols, in particular digital protocols. Examples are the HART protocol or the Profibus-PA protocol.
  • the interface can also be an IO-Link interface, for example.
  • These field devices are also supplied with power via the 4 mA to 20 mA current signal, so that no additional supply line is necessary in addition to the two-wire line.
  • the wired operated field device 101 thus uses the interface 104 to transmit its measured value to the outside.
  • the field device 101 has a display and operating module 103 to enable interaction with a user.
  • the display and adjustment module 103 draws its energy required for operation via the interface 102.
  • the retrofit module 103 uses the interface 102 for communication with field device electronics of the field device 101.
  • FIG. 1b shows an autonomously operating field device 105, which draws the energy required for operating the field device 105 from an integrated battery 106 and provides a determined measured value to the outside via a wireless interface 107.
  • Autonomously operating field devices 105 are autarkic measuring arrangements, in particular autarkic filling level or limit level sensors.
  • The self-sufficient level or limit level sensors are preferably designed as radar sensors and, in order to ensure the self-sufficiency of the sensors, have, in addition to a sensor for recording measurement data, a transmission device for (preferably wireless) transmission of the recorded measurement data or measured values, and their own power supply.
  • The transmission device can preferably be a radio module for narrowband radio technology (LoRa, Sigfox, LTE-M, NB-IoT), which transfers the measurement data or measured values to a cloud, i.e. to a server on the World Wide Web.
  • the energy supply is preferably designed as a battery or accumulator and can also include an energy harvesting module.
  • the autonomous field device 105 shown here has a completely hermetically sealed housing 108.
  • the autonomous field device 105 has a wireless display and operating module 109 to enable display and / or operation. Both the energy required by the display and operating module 109 and the required data are exchanged wirelessly between the self-sufficient field device 105 and the display and operating module 109, for example using RFID technology.
  • FIG. 2 shows a first retrofit module 201 according to the invention which, after being built into a known field device 101, interacts with it to produce a technical device to implement the requirements for achieving a defined IT security level (SL).
  • the retrofit module 201 has specialized functional units 202 which are implemented in hardware and which are necessary to achieve the IT security level.
  • Together with functional units 203 implemented in software and the hardware and software units 110 of the field device electronics 112 of the field device 101, the specifications are implemented that are necessary to achieve one of the IT security levels SL1, SL2, SL3 or SL4 defined above.
  • If an existing field device 101 is to be enabled, for example, to meet the requirements for achieving security level SL2, a mechanism for managing a prescribable list of users with associated passwords and individual access rights must be stored in the field device. In this way, unauthorized access to the settings of the field device 101 is to be prevented.
  • Since the original field device 101 does not have any hardware and software units 110 for implementing user administration, it is provided with a retrofit module 201, which in the present case is designed as a display and operating module.
  • The retrofit module is designed in such a way that a user login initiated via the keyboard 204 is handled by processing a login routine implemented in software and stored in the functional unit 203, using a previously stored list of authorized users that is stored persistently in the functional unit 202 implemented in hardware. The login is only accepted if the user is known, i.e. is contained in the list stored in the hardware, and has entered the valid password assigned to that user. If both conditions are met, authorized operation of the field device 101 is enabled through the interaction of the keyboard 204 and the display 205, for which the display and operating module 103, 109 communicates in a known manner with the field device 101 via the interface 102.
  • Further retrofit modules 201 are provided by the manufacturer with which the requirements of the other IT security levels are met.
  • For example, an alternative retrofit module 201 for achieving security level SL3 can have functional units already implemented in hardware and software for realizing multi-factor authentication.
  • This can be, for example, an NFC interface (not shown here) with which the presence of an NFC token can additionally be verified.
  • The assembly of the retrofit module 201 in the exemplary embodiment shown here is designed to be persistent, i.e. subsequent removal of the retrofit module 201 is permanently prevented.
  • For this purpose the retrofit module 201 is connected to the field device electronics 112 of the field device 101 by a circumferential adhesive bond 206.
  • Alternatively or additionally, the desired persistence is ensured electronically.
  • On its first connection to the field device electronics 112 of the field device 101, the retrofit module 201 modifies a firmware 111 of the field device 101 such that from then on the field device exchanges data only with this retrofit module 201. If the retrofit module 201 is absent, or has been exchanged for a retrofit module 201 that cannot be authenticated, the field device stops operating and signals an error to the outside world, for example by outputting a status signal for an invalid measured value.
  • FIG. 3 shows a further exemplary embodiment of a retrofit module 301 for achieving a defined IT security level (SL).
  • Here an autarkic (self-sufficient) field device 105 is enabled by a retrofit module 301 to meet extended requirements with regard to achieving an IT security level (SL).
  • A defined IT security level (SL) can be set by the user via a selector 308. For example, in a first position of the selector 308, a selection unit 309, for example a multiplexer, activates the security function of the hardware module 302 in interaction with the software units 303, while the units 304, 305, 306, 307 can be deactivated.
  • The retrofit module 301 is thus enabled, in interaction with the field device 105, to implement the requirements of a first IT security level (SL).
  • If the selection unit 309 is switched to a second position, the units 302, 303, 306, 307 can be deactivated and the units 304, 305 activated in order to meet the requirements of a second IT security level (SL).
  • FIG. 4 shows a further variant of a retrofit module 401.
  • A large number of field devices in the process industry are supplied with so-called two-chamber housings 402, which offer the possibility of accommodating components for lightning protection or explosion protection in a second housing chamber 403. Inside the housing, these components are connected to the actual field device electronics 405 via at least one wire connection 404.
  • The retrofit module 401 shown in FIG. 4 has, like the retrofit modules 201, 301, hardware and software units 202, 203 which, in conjunction with the field device electronics 405, are suitable for implementing the requirements for achieving a defined IT security level SL.
  • The retrofit module 401 has at least two wired interfaces and can therefore be installed in the supply line between the communication line 406 and the field device electronics 405.
  • The retrofit module 401 has a wired output line 404 of predefined length, designed such that it connects to the original contacting interface 407 of an existing device.
  • The retrofit module 401 is attached to the field device 402 in a non-removable manner (mechanically persistent).
  • For this purpose the retrofit module 401 is fastened in the housing 402 of the field device by security screw connectors, which can additionally be fixed with adhesive.
  • Depending on the required IT security level SL, the retrofit module 401 takes on a variety of security functions for the field device 301, for example user management, authentication, encryption, or other functions that may be required by the respective standard for the desired IT security level SL. In particular, the retrofit module 401 can also be designed to act as a firewall, continuously monitoring the incoming data packets and rejecting them if necessary.
  • Such a security module can also be designed to be settable in accordance with the above exemplary embodiments, so that different IT security levels SL can be implemented.
  • A sensor retrofitted in this way can then be reached from the outside via the communication line 406 only through the retrofit module 401 and the functional modules 203 contained therein, which in the present case are designed as additional software. Unauthorized access and manipulation at the installation site can be reliably prevented by gluing the housing cover 408.
  • For multi-factor authentication it may be necessary to combine two or more security features from the groups knowledge, possession or presence in order to ensure particularly reliable authentication. For example, it may be necessary to transmit a security feature of the "knowledge" type, in the form of a secret password, over a wired interface to a first retrofit module 401, and additionally to present a user-specific token (e.g. RFID chip, password safe, U2F module) at the sensor by attaching a second security module 409, which contains the token or at least an interface for reading a token.
  • A higher IT security level SL can thus be achieved by combining a first retrofit module 401 and a second security module 409 according to the invention.
  • The field device electronics 405 can also be modified by imported software such that direct communication between the first retrofit module 401 and the second security module 409 is enabled in order to implement specific requirements of a security level.
  • The security modules 201, 301, 401 and 409 according to the invention can contain a large number of hardware and software units for implementing specific security functions. Explicitly mentioned at this point are hardware and software units for implementing the following requirements: the logging and monitoring of sensor events and login attempts.
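The login routine described for the FIG. 2 module (a persisted user list, a password check, and for SL3 an additional NFC/RFID token), together with the logging of login attempts mentioned last, as an added example. This is not code from the patent or from VEGA Grieshaber; the hardware-persisted user list is modelled as a dictionary, and the salted PBKDF2 password hashing, the constant-time comparisons, the lockout threshold and the token format are assumptions chosen by the editor, not details the patent specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example: per-user salted PBKDF2-HMAC-SHA256 password hashes
# (iteration count kept low so the example runs quickly) and a lockout after
# MAX_FAILURES consecutive failed attempts. Neither is specified by the patent text.
PBKDF2_ITERS = 50_000
MAX_FAILURES = 5


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    rights: frozenset                 # individual access rights, e.g. {"read", "write_settings"}
    token_id: Optional[bytes]         # identifier of the user's NFC/RFID token, None if none enrolled
    failures: int = 0                 # consecutive failed logins


class RetrofitAuth:
    """Models functional units 202/203: a persisted list of authorized users plus the login routine.
    required_factors=1 corresponds to the SL2-style password login, 2 to the SL3-style MFA variant."""

    def __init__(self, required_factors: int):
        self.required_factors = required_factors
        self.users: dict[str, UserRecord] = {}   # stands in for the list persisted in hardware unit 202
        self.audit: list[tuple[str, str]] = []   # log of login attempts as (user, event)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)

    def add_user(self, name: str, password: str, rights, token_id: Optional[bytes] = None) -> None:
        salt = os.urandom(16)
        self.users[name] = UserRecord(salt, self._derive(password, salt), frozenset(rights), token_id)

    def login(self, name: str, password: str, presented_token: Optional[bytes] = None) -> Optional[frozenset]:
        """Return the user's rights if the login is accepted, otherwise None."""
        rec = self.users.get(name)
        if rec is None:
            # Unknown user: do the same hashing work so timing does not reveal who is in the list.
            self._derive(password, b"\x00" * 16)
            self.audit.append((name, "unknown_user"))
            return None
        if rec.failures >= MAX_FAILURES:
            self.audit.append((name, "locked"))
            return None
        pw_ok = hmac.compare_digest(self._derive(password, rec.salt), rec.pw_hash)
        token_ok = True
        if self.required_factors >= 2:
            # Second factor (possession): the token read via the NFC/RFID interface must match the enrolled one.
            token_ok = (rec.token_id is not None and presented_token is not None
                        and hmac.compare_digest(rec.token_id, presented_token))
        if pw_ok and token_ok:
            rec.failures = 0
            self.audit.append((name, "login_ok"))
            return rec.rights
        rec.failures += 1
        # Report the password failure first so a caller cannot learn whether the token matched.
        self.audit.append((name, "bad_password" if not pw_ok else "bad_token"))
        return None


def demo_login() -> list:
    """Three constructed attempts against an SL3-style module; returns the audit log."""
    sl3 = RetrofitAuth(required_factors=2)
    sl3.add_user("maint", "correct horse", {"read", "write_settings"}, token_id=b"\x04\xa1\x22\x09")
    sl3.login("maint", "correct horse")                          # password only: refused (bad_token)
    sl3.login("maint", "wrong", b"\x04\xa1\x22\x09")             # token only: refused (bad_password)
    sl3.login("maint", "correct horse", b"\x04\xa1\x22\x09")     # both factors: accepted
    return sl3.audit
```

The audit list is what the "logging and monitoring of login attempts" unit would persist; the unknown-user path deliberately performs the same hashing work as a known user so that response timing does not reveal which names are in the list.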
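The electronic persistence described for the FIG. 2 module (the firmware 111 binds itself to one retrofit module on first connection and reports an invalid measured value whenever that module is absent or cannot be authenticated), as an added example that is not code from the patent or from VEGA Grieshaber. The challenge-response over an HMAC shared secret, the one-time secret transfer at first connection, the status-code names and the serial-number format are all assumptions made for this illustration; the patent only states the observable behaviour.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: the error signalled when no authenticated module is present is a fixed
# status code for an invalid measured value; both names are invented for this example.
INVALID_MEASURED_VALUE = "STATUS_INVALID_MEASURED_VALUE"
STATUS_OK = "STATUS_OK"


class RetrofitModule:
    """The retrofit module's side of the exchange. The secret stands in for a key held in
    the module's hardware unit; here it is simply random bytes (assumption)."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.secret = os.urandom(32)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, self.serial + challenge, hashlib.sha256).digest()


class FieldDeviceFirmware:
    """Firmware 111 of the field device. Until first_connection() it behaves as the
    unmodified device; afterwards it only serves the bound module."""

    def __init__(self, measured_value: float):
        self.measured_value = measured_value   # constructed sample measurement
        self.bound_serial: Optional[bytes] = None
        self.bound_secret: Optional[bytes] = None

    def first_connection(self, module: RetrofitModule) -> None:
        """One-time binding. Assumption: the secret is transferred once over the board-level
        interface and stored in non-volatile memory. This step is trust-on-first-use, so it
        is the moment an attacker would try to bind their own module; binding is refused
        once a module is already stored."""
        if self.bound_serial is not None:
            raise RuntimeError("firmware already bound to a retrofit module")
        self.bound_serial = module.serial
        self.bound_secret = module.secret

    def module_is_authentic(self, module: Optional[RetrofitModule]) -> bool:
        if module is None:
            return False
        challenge = os.urandom(16)   # fresh nonce per check, so recorded responses cannot be replayed
        expected = hmac.new(self.bound_secret, self.bound_serial + challenge, hashlib.sha256).digest()
        # A clone with the right serial but without the secret cannot produce this response.
        return hmac.compare_digest(expected, module.respond(challenge))

    def read_measurement(self, module: Optional[RetrofitModule]):
        """Data exchange path. Returns (status, value)."""
        if self.bound_secret is None:
            return (STATUS_OK, self.measured_value)        # behaviour before any retrofit
        if not self.module_is_authentic(module):
            return (INVALID_MEASURED_VALUE, None)           # module missing or not authenticated
        return (STATUS_OK, self.measured_value)


def demo_binding() -> list:
    """Status reported for: the bound module, no module at all, and a clone with the same serial."""
    genuine = RetrofitModule(b"RM-0001")
    fw = FieldDeviceFirmware(measured_value=12.5)
    fw.first_connection(genuine)
    clone = RetrofitModule(b"RM-0001")   # same serial, different secret
    return [fw.read_measurement(m)[0] for m in (genuine, None, clone)]
```

The check a practitioner would want here is the one in `module_is_authentic`: the serial alone must not be enough, otherwise an "unauthenticated" replacement module only needs to copy a printed label.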
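The selector of FIG. 3 (a switch position enabling a different set of security units) and the firewall role of the in-line module of FIG. 4 (continuous monitoring and rejection of incoming packets between communication line 406 and electronics 405), combined in one added example that is not code from the patent or from VEGA Grieshaber. The request frame format, the three profiles behind the selector positions, the command codes and the session model are assumptions constructed for this illustration; no real fieldbus protocol is modelled.

```python
import struct
from dataclasses import dataclass

# Constructed request format for this example (not a real fieldbus frame):
#   cmd (1 byte) | session id (2 bytes, big-endian) | payload length (1 byte) | payload
HEADER = struct.Struct(">BHB")
CMD_READ, CMD_WRITE, CMD_FW_UPDATE = 0x01, 0x02, 0x03
KNOWN_COMMANDS = {CMD_READ, CMD_WRITE, CMD_FW_UPDATE}

# Models selection unit 309: each selector position enables a different set of checks.
# The three profiles are assumptions chosen to illustrate increasing strictness.
PROFILES = {
    1: {"auth_required_for": frozenset(), "min_factors": 1},                             # well-formedness only
    2: {"auth_required_for": frozenset({CMD_WRITE, CMD_FW_UPDATE}), "min_factors": 1},   # writes need a login
    3: {"auth_required_for": frozenset({CMD_WRITE, CMD_FW_UPDATE}), "min_factors": 2},   # writes need MFA
}


@dataclass
class Session:
    factors: int   # number of authentication factors verified when the session was opened


def build_frame(cmd: int, session_id: int, payload: bytes) -> bytes:
    return HEADER.pack(cmd, session_id, len(payload)) + payload


class InlineFilter:
    """Retrofit module 401 sitting between communication line 406 and electronics 405."""

    def __init__(self, selector_position: int):
        self.profile = PROFILES[selector_position]
        self.sessions: dict[int, Session] = {}
        self.log: list[str] = []

    def open_session(self, session_id: int, factors: int) -> None:
        """Called by the module's own login routine once a user has authenticated."""
        self.sessions[session_id] = Session(factors)

    def inspect(self, frame: bytes) -> bool:
        """Return True if the frame may be forwarded to the field device electronics."""
        if len(frame) < HEADER.size:
            return self._reject("short frame")
        cmd, session_id, length = HEADER.unpack_from(frame)
        if len(frame) != HEADER.size + length:
            return self._reject(f"length field {length} does not match frame size {len(frame)}")
        if cmd not in KNOWN_COMMANDS:
            return self._reject(f"unknown command 0x{cmd:02x}")
        if cmd in self.profile["auth_required_for"]:
            session = self.sessions.get(session_id)
            if session is None:
                return self._reject(f"command 0x{cmd:02x} without authenticated session")
            if session.factors < self.profile["min_factors"]:
                return self._reject(f"session {session_id} has {session.factors} factor(s), "
                                    f"{self.profile['min_factors']} required")
        self.log.append(f"forward cmd=0x{cmd:02x} session={session_id}")
        return True

    def _reject(self, reason: str) -> bool:
        self.log.append("reject: " + reason)
        return False


def demo_filter() -> dict:
    """The same write frame judged at the three selector positions; returns the verdicts."""
    write = build_frame(CMD_WRITE, 0x0001, b"\x10\x20")
    verdicts = {}
    for position in (1, 2, 3):
        flt = InlineFilter(position)
        flt.open_session(0x0001, factors=1)   # password-only login on session 1
        verdicts[position] = flt.inspect(write)
    return verdicts
```

The well-formedness checks run in every position, which is the "continuous monitoring" part; only the authentication checks change with the selector, which is how the example models switching units on and off.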

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Arrangements For Transmission Of Measured Signals (AREA)
  • Small-Scale Networks (AREA)
  • Programmable Controllers (AREA)

Abstract

The invention relates to a retrofit module for a process automation field device comprising field device electronics with at least one communication interface. The invention is characterized in that the retrofit module comprises a security module, the security module cooperating with the field device electronics such that a predefined IT security level is achieved.
EP20724081.3A 2020-05-05 2020-05-05 Retrofit module for a field device, and field device of modular design Pending EP4147096A1 (fr)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/062429 WO2021223854A1 (fr) 2020-05-05 2020-05-05 Retrofit module for a field device, and field device of modular design

Publications (1)

Publication Number Publication Date
EP4147096A1 true EP4147096A1 (fr) 2023-03-15

Family

ID=70554073

Family Applications (1)

Application Number Title Priority Date Filing Date
EP20724081.3A Pending EP4147096A1 (fr) 2020-05-05 2020-05-05 Retrofit module for a field device, and field device of modular design

Country Status (4)

Country Link
US (1) US20230189459A1 (fr)
EP (1) EP4147096A1 (fr)
CN (1) CN115485631A (fr)
WO (1) WO2021223854A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4279881A1 (fr) * 2022-05-20 2023-11-22 VEGA Grieshaber KG Secure commissioning and operation of a fill-level measuring device via the service and upgrade module

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2611909B (en) * 2018-10-01 2023-10-18 Fisher Rosemount Systems Inc Wireless protocol converter for field devices

Also Published As

Publication number Publication date
US20230189459A1 (en) 2023-06-15
CN115485631A (zh) 2022-12-16
WO2021223854A1 (fr) 2021-11-11

Similar Documents

Publication Publication Date Title
EP3582033B1 (fr) Method for the secure operation of a field device
EP3907569A1 (fr) Field device with a security module, retrofit module for a field device, method for setting an IT security level, and computer program code
WO2007036178A1 (fr) Method for carrying out a protected function of an electrical field device
DE10124800A1 (de) Process automation system and process device for a process automation system
EP1883867A1 (fr) Method for adjusting an electrical field device
WO2020212051A1 (fr) Industrial automation device comprising a monitoring unit for checking and monitoring an integrity state of the industrial automation device
EP2893599A2 (fr) Plug-in block for making a connection
DE102017102677A1 (de) Method for authenticating a field device of automation technology
EP2548358B1 (fr) Method for dynamically authorizing a mobile communication device
EP4147096A1 (fr) Retrofit module for a field device, and field device of modular design
EP3821582A1 (fr) Method for establishing a credential for a first device
EP2656580A1 (fr) Method and communication device for the cryptographic protection of data communication of a field device
EP3707878A1 (fr) IoT computer system, and arrangement with such an IoT computer system and an external system
EP2707782B1 (fr) Method and system for providing data on specific properties of an automation device of an automation installation
WO2006067121A1 (fr) Method for the secure design of a system, and associated system component and software
DE202020005937U1 (de) Retrofit module for a field device and modularly constructed field device
WO2013189998A1 (fr) Emergency door control, and corresponding method and system
EP3642812A1 (fr) Method for testing the integrity of a physical environment dedicated to data protection
EP4147097A1 (fr) Tamper-proof expansion module
EP3298464B1 (fr) Remote maintenance system with a mobile remote maintenance unit, and configuration method
EP2721803B1 (fr) Method and system for securely configuring a network device
EP4138052B1 (fr) Method for preparing the commissioning of a control device for access devices, access system and computer program product
WO2009100733A1 (fr) Secure data transmission to a field device
EP3478541B1 (fr) Security device and method for operating a system
WO2023194051A1 (fr) Establishing a cryptographically protected connection

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220921

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20240419