ES1263334U - SYSTEM FOR ACCESS TO SECURE DATA NETWORKS (Machine-translation by Google Translate, not legally binding) - Google Patents

Abstract

A system for accessing secure data networks that, being modular and scalable, is connectable with at least one secure network connected to a plurality of physical equipment or plants accessible in the network and a non-secure public network accessible through a UI module ( 2) executable in a web browser and characterized in that it comprises at least one SCRA module (3) configured to control access to a secure network with several sets of physical equipment or plants, all of them accessible on the network; that it can also replace a SCRA module (3) with a CPD module (4) connected to a secure network with access to convergent physical equipment that constitutes a group or plant; and configured to request publication in a CPS module (5) configured to make the publication requests made by the module or by the CPD modules (4) visible from the non-secure public network.

Description

DESCRIPTION

SYSTEM FOR ACCESS TO SECURE DATA NETWORKS

Object of the invention

An object of the invention is a system that allows the implementation of cloud services to manage the data of sensors, actuators or controllers of any type of plant or sensorizable system that can be actuated from electrical signals, in such a way that access is safe because It is done in an encrypted form and with the corresponding user profiles. It is a controlled access because it can be subjected to filters with different exploitation criteria, such as the time zone. It is an orderly access because access can be sequenced by, for example, a reservation manager. Finally, it is a collaborative access because concurrent access to the same resource is allowed.

State of the art

Data networks have emerged and continue to grow as a problem or need arises. Due to this peculiarity, there is no comprehensive design of data networks and, therefore, they are unstructured networks. When the need to access elements connected to secure networks appeared from non-secure networks (usually internal networks of companies and / or institutions), each manufacturer solved it in a different and particular way, adapted to their equipment and systems. In addition, these partial solutions provided by the different manufacturers do not guarantee safe, controlled, orderly and collaborative access because there are networks with reinforced security measures that prevent the proper functioning of the equipment proposed by other manufacturers.

Therefore, in the state of the art there is a need for an access system to elements connected to internal (secure) networks from public (non-secure) networks that is general and valid regardless of the manufacturer of each network and that works in any circumstances. even if the networks involved have specific security measures in place. Today, commercial solutions to the problem of Internet access to devices are still manufacturer-specific. This problem is solved by the method and the device described in the claims accompanying the present specification.

Explanation of the invention

The system that is the object of the present invention, in accordance with the wording of the present descriptive memory, allows to implement cloud services to manage the data of sensors, actuators or controllers of any type of plant or sensorizable and operable system from electrical signals. Access to these devices is secure, controlled, orderly and collaborative (hereinafter SCOC). The present invention, therefore, is constituted as a border element between the Internet (public network) and one or more private LAN networks ( Local Area Networks, Local Area Networks ). This boundary element converts the accesses to the LAN (s) into SCOC accesses. In addition, the elements (databases, physical equipment, or other electronic devices) to which, being connected to the LAN / s, access from the Internet is implemented, will be accessible as a cloud service. Finally, as soon as a device is connected by means of the system or the method of the invention in a LAN, the same system reports all the elements connected to that LAN with the possibility of implementing access.

The cloud service paradigm breaks with the traditional local computing model. Traditionally, it was necessary to have the application associated with a certain data processing installed on the computer. With the cloud service model, the user must not have any specific application installed on their computer, but instead access the required processing through the web browser. The application is installed on a server on the Internet and runs remotely. The transformation of the data can remain on the internet (in the cloud service) or be transferred to the local computer. The applications that allow the management of data through the browser constitute what is called a cloud service. Therefore, the cloud service is made up of a set of applications running on the server side and a set of executable applications on the browser side.

The main one provides a general method for accessing applications and devices in a SCOC manner. Therefore, the invention provides secure and controlled access from the internet to any of its physical systems (production lines, pilot plants, laboratories, or whatever is decided). That company may use a private server or become an IaaS ( Infrastructure-as-a-Service) provider. Furthermore, the accessible systems can be mobile networks.

The equipment has been developed in such a way that its configuration does not require an expert in communications and electronics, but can be configured by anyone with minimal knowledge of these topics.

Finally, it should be noted that the invention can be implemented in a simple card computer ( Single-Board Computer, SBC) such as a Raspberry Pi or similar with the corresponding software. The invention can also be implemented in a set of servers each with the software corresponding to a module. Between these two limit cases, all intermediate cases are possible.

Throughout the description and the claims, the word "comprise" and its variants are not intended to exclude other technical characteristics, additives, components or steps. For those skilled in the art, other objects, advantages and characteristics of the invention will be derived in part from the invention and in part from the practice of the invention. The following examples and drawings are provided by way of illustration and are not intended to restrict the present invention. Furthermore, the invention covers all possible combinations of particular and preferred embodiments indicated herein.

Brief description of the drawings

A series of drawings that help to better understand the invention and that expressly relate to an embodiment of said invention, which is illustrated as a non-limiting example thereof, will now be described very briefly.

Figure 1 shows the architecture of the system for secure, controlled, orderly and collaborative access to secure data networks, object of the present invention.

Figure 2 shows the architecture of the CDAS module (1).

Figure 3 shows the architecture of the SCRA module (3).

Explanation of a detailed embodiment of the invention

As shown in figure 1, the system object of the invention is a scalable and modular system that comprises, in this practical embodiment, at least the following modules:

The first module 1 or CDAS ( Convergent Data Acquisition System) module, which is an electronic device configured to make data from sensors and actuators of a physical equipment. Thus, a device or device with a CDAS 1 module would become a converged device (ie accessible from the network). This CDAS 1 module would not be necessary in the case of devices whose manufacturer converges them through specific software (proprietary software).

The second module (2) or UI module ( UserInterface, user interface) is an application that allows the management of data associated with physical devices from the network.

The third module (3) or SCRA module ( Server to Control the Remote Access) is a server that is responsible for controlling access to a network with several sets of physical equipment or plants, all of them convergent.

The fourth module (4) or CPD ( Cloud Publishing Device) module is an electronic device configured to request the publication in the cloud of access to converged physical equipment that constitutes a set or plant.

The fifth module (5) or CPS module ( CloudPublishing Server) is a server configured to make the publication requests made by the CPD 4 modules visible from the internet.

A sixth module (6) or IIMS ( Integration on Information Management System) modules is a module that includes the different applications ( plugins) necessary to integrate access to physical devices or sets of devices in the content manager of the company or institution . In the field of education, for example, the content manager will be a Learning Management System (LMS). There are three applications included in the IIMS module (6): one to integrate the UI module (2), another to order access through the corresponding reservation and another to accept the deferred validation of user profiles.

The seventh module or IRS ( International Registration Server) module is a single server that has registered all the IIMS modules (6) in which the system and / or method object of the present invention operates.

Finally, the eighth module or LSRAC ( Local Service to Remote Access Control) module is a software module that is installed on the user's computer and that is configured to eliminate the communication limitations imposed by browsers.

The system or method that are the object of the present invention will comprise:

- A combination of at least one of each of the modules.

- A combination of SCRA modules (as many as there are different internal networks), CDAS and UI (in variable number with the devices to implement their access), one or more IIMS, LSRAC and IRS modules.

- A combination of CDAS and UI modules, CPD (as many as there are different internal networks), a CPS, IIMS, LSRAC and IRS module.

CDAS modules (1)

The CDAS module (1) is a general module for any type of device, so it does not include its sensorization and actuation, but rather it is assumed to be a "black box" with a set of "n" input variables and "M" standardized output variables, as best seen in figure 2. The CDAS module (1) therefore comprises at least one processor / computer necessary for managing these inputs and outputs. The CDAS module (1) presents two possible architectures that make it fully scalable: a first architecture for simple systems and a second architecture for complex systems, where the terms "simple" or "complex" refer to information processing needs and / or computation. In either of these two possible architectures, the CDAS module (1) comprises a plurality of layers: (a) a first network interface layer (1.1) that can be of the Ethernet or wireless type, through which the CDAS module (1) will connect to the network; (b) a second layer of data processing and computing (1.2) that provides the tower of TCP / IP (Transport Control Protocol / Internet Protocol) protocols, the processing capacity necessary to maintain communications over the network and the needs data processing; (c) a third data acquisition layer (1.3) that provides the necessary interface for the processing and computing layer (1.2) to receive and send information; and (d) a fourth level adaptation layer (1.4) that adjusts the voltage ranges of the electrical signals from the sensors and actuators to optimal input values in the acquisition layer (1.3).

For simple systems, such as activating a device, imposing a certain setpoint level or displaying the value acquired by a sensor through the UI, a single component is proposed as the architecture of the first three layers of the CDAS module: a plate of low-cost development based on microcontrollers. These devices have digital inputs and outputs, analog inputs and outputs, and digital serial communication buses, as well as processing capabilities and network interfaces.

In the case of complex applications, an alternative architecture is proposed for the implementation of these three layers, which includes an embedded operating system for information storage management and to increase the concurrency of network accesses. Furthermore, this system enables the use of rapid development tools to design the necessary control applications.

UI module (2)

The UI module (2) is the application that allows the management of data associated with physical devices and that runs in an internet browser (by way of non-limiting example, Google Chrome, Mozilla Firefox, Opera, Internet Explorer or others any). A UI module (2) is configured to convert user actions into signals about them and displays the data values associated with relevant physical quantities. The execution framework for this interface is the browser or proprietary software. The integration in the cloud in the first case is trivial, but in the second case the use of the LSRAC module is necessary.

SCRA module (3)

The SCRA module (3) is made up of a server with two network interfaces. One of them connects you to the internet with a valid address and the other creates a controlled network. The mission of this SCRA module (3) is to serve as a border between the traffic coming from the internet to the convergent devices located in the controlled network and to validate the accesses in a SCOC manner. The SCRA module (3) provides the controlled network with basic functionalities (for example, DHCP, DNS, among others) and a set of communication functionalities (3.1) that control access with two different strategies. The accesses with protocols derived from HTTP (HTML, XHR, SSE or WebSocket) are managed by a transparent proxy server for these protocols (3.2). Accesses to converged devices that use proprietary protocols are managed through a tunnel server that allows the use of proprietary software for viewing, configuring and programming the devices (3.3).

The proxy server uses a distributed validation strategy (access control filter 3.4 and 3.5), which allows it, if necessary, to delegate the validations to the content managers. The proxy service establishes communications with protocols derived from HTTP. The corresponding accesses start in the browser and end in the device located in the controlled network. The use of proprietary applications makes the tunnel service necessary to establish communications between them and the devices they control. For security reasons, the tunnels are established from an input socket on the computer of the client and a specific socket in the controlled network. Therefore, it is not necessary to enable traffic control rules in the electronics of the controlled network.

In addition to proxy and tunnel services, the SCRA module (3) includes an automatic configuration service for the computers that connect to the controlled network (3.6). The automatic configuration service (3.6) tries to minimize manual intervention in the configuration of the devices. This automatic configuration service (3.6) is based on: (a) the automatic assignment of IP addresses, which can be performed by the DHCP service, included in the SCRA module (3); host name resolution, included in the DNS service; (c) automatic location of network services, such as printing devices. This service is not included in any of the services listed above.

The automatic configuration service (3.6) uses the mDNS protocol ( multicast Domain Name System), it works by multicast, and allows knowing the services offered by the devices that are connected in the controlled network. In addition, the automatic configuration service (3.6) provides users with management capacity with a REST ( REpresentation State Transfer ) service through which they are informed from any point of the internet of the devices connected to a remote controlled network, which can even be mobile. The automatic configuration service (3.6) interacts with the tunnel service to allow access to connected devices in any controlled network in a totally transparent way.

Finally, the SCRA module (3) offers a service to access usage profiles (called DIGEXLAB). This service has a configuration interface through which the administrator user can perform the following functions, among others: (a) monitor the active accesses to the different devices on the controlled network from the Internet and verify communications; (b) controls the power supply of these devices; (c) stops and starts the tunnel service and the automatic configuration service at will (3.6); (d) it has a database of user profiles that is managed through a communication interface; (e) enables the IIMS modules (6) authorized for the deferred validation of user profiles; (f) manages the communication channels necessary to make remotely accessible from the internet the different sets of devices or plants connected to the controlled network; (g) configures the parameters associated with the server that constitutes the SCRA module (3), such as the public IP, the set of IPs on the controlled network side and the key files for the encryption of communications; (h) configure the parameters associated with DIGEXLAB, such as, at least, the access points to the different devices connected to the controlled network or the identifier of the server of the SCRA module (3); and (i) controls the collaborative access to the devices connected to the controlled network, and in general all the configuration, operation and security parameters of the SCRA module (3).

CPD module (4)

The CPD module (4) consists of a microcomputer with an operating system with the same functions as the SCRA module (3), but which does not have a valid Internet address, but is connected to an internal network that has Internet access. To make the devices connected to that network visible, thus turning it into a controlled network, the CPD module (4) has client software for its communication with the CPS module (5). This client requests the publication in the cloud of the accesses to the proxy service and the tunnel service.

The operation of the CPD module is the same as that of the SCRA described in the previous section, except for the functions related to the publication of accesses (functions g, h and i). These functions are carried out, for the accesses controlled by a CPD module, the CPS module and its operation is the same as that described for the SCRA module. In other words, the combination of CPD + DPS modules is equivalent to a SCRA module with a lower capacity for the number of devices to implement access.

CPS Module (5)

The CPS module (5) consists of a server connected to the internet with a valid public address, which is responsible for creating the access points to the proxy and tunnel services requested by the CPD module (4). Its structure is the same as that of the previous modules, without some of its functionalities such as the automatic location service (3.6) or the REST service, which already incorporates the CPS module (5).

IRS module

In this module the institutions that use the invention and the administration profiles of each of them are registered. It is therefore responsible for the management of registered licenses of the present invention. It also makes it possible for the resources connected to the networks controlled by several SCRA modules (3) to be shared among them and with other different institutions.

LSRAC module

The LSRAC module is a software module necessary to overcome the execution limitations imposed by browsers, which confine communications to their scope of execution. For the use of proprietary applications, it is necessary to create a communication tunnel between the user's equipment and the device located in a controlled network. The entry point to that tunnel cannot be created from the browser because it would not be accessible from the proprietary application. To solve this problem, the LSRAC module creates a service that starts when the user's computer is turned on, running in the background, and that creates a socket through which it listens for the tunnel establishment commands that come from the UI module (2), run in the browser. This service is in charge of establishing the entry sockets to the tunnels that are necessary to connect the proprietary applications from the user's computer with the device connected to the controlled network. The LSRAC module also starts up a local automatic configuration service (3.6). Therefore, this module provides two functionalities: the communications described above and the local automatic configuration service.

The automatic configuration service

As described above, the automatic configuration service is included within the SCRA module (3), the CPD module (4) and the LSRAC module. This service informs about the devices that are connected to a controlled network and the communication services that each one offers. For all devices to respond to the automatic configuration service, it is necessary to install an LSRAC module in the CDAS module (1) of each device. Convergent equipment with proprietary software, which does not include a CDAS module (1), are registered in the SCRA module (3) responsible for the controlled network to which they are connected. Administrator users can configure the automatic configuration service (Discovery) of a controlled network so that it can be consulted remotely. This is achieved through the local automatic configuration client.

Local auto-configuration client

The goal of the self-configuring local client service is to facilitate the administration and maintenance of a controlled network. This service is installed in the CDAS modules (1) of the different devices connected to the network and in the system administration computers. The automatic configuration client application, when activated, opens a network browser interface. It presents a list of all the devices or sets of devices that have responded to the automatic configuration query in the controlled network of the computer making the query.

The computers that respond directly are those that have installed the automatic configuration service included in the LSRAC module, in the CPD (4) and in the CDAS (1). To register converged equipment with proprietary software in the controlled network, the interface of the SCRA module (3) is used.

The network browser interface also has the possibility to perform an automatic configuration query remotely by requesting the REST service. For this, it is necessary to identify the user and the profile of use that makes the query. From this interface, a remote query can be made to any SCRA (3) or CPD (4) module in which the user has an account. Thus, once a specific SCRA (3) or CPD (4) module has been configured and selected, the request is made to the automatic configuration server.

Thus, by accessing a specific device, the communication services offered by it will be enabled, and by accessing one of them in particular, the network examiner will request the creation of the necessary tunnels to access the device of the controlled network and activate the application associated with the requested service. Thus, for example, if a ModBus device is accessed (which in that case will be enabled), the device is accessed through a ModBus monitor. In the same way, if the selected device is an IP camera, a browser runs through the corresponding tunnel and connects with the network camera controlled from the Internet.

Thanks to the described system, it is possible to provide SCOC access from the internet to data and devices for their monitoring, control and configuration in front of the VPN access to data and in front of the remote control of on and off devices of IP controllers. The devices that are accessed can already be convergent through applications supplied by their manufacturers or through UI modules (2) developed with free software and open platforms. In any case, the invention also converges those that are not by means of its CDAS module (1).

The invention configures access from the internet to individual devices or sets of equipment such as production lines, plants, etc. Furthermore, the invention is scalable because the cloud service that is developed can be joined by an increasing number of devices and can even provide various cloud services. This cloud can be private to the company, an IaaS (Infrastructure As A Service) service such as that offered by companies such as Amazon or other public ones. Even the company can be incorporated as an IaaS provider.

Finally, the invention allows the integration of joint access to all the systems and devices of a company or group of companies in its IIMS modules (6). In the same way, the invention makes it possible to register all the institutions that use the system and the administration profiles of each of them. This module makes it possible for the resources connected to the networks controlled by several SCRA modules (3) to be shared among them and with other different institutions.

Claims (14)

1. - A system for accessing secure data networks that, being modular and scalable, is connectable with at least one secure network connected to a plurality of physical equipment or plants accessible in a network and a non-secure public network accessible through a UI module (2) executable in a web browser and characterized by comprising at least one SCRA module (3) configured to control access to a secure network with several sets of physical equipment or plants, all of them accessible on the network ; that it can also replace a SCRA module (3) with a CPD module (4) connected to a secure network with access to converged physical equipment that constitutes a group or plant; and configured to request publication in a CPS module (5) configured to make the publication requests made by the module or by the CPD modules (4) visible from the non-secure public network. 2. - The system according to claim 1 comprising at least one CDAS module (1) configured to make the data of a physical device accessible on the network. 3. - The system according to one of claims 1 or 2 comprising an IIMS module (6) to integrate access to physical devices or sets of devices in an external content manager. 4. - The system according to claim 3 comprising an IRS module that has stored all the IIMS modules (6) licensed for use. 5. - The system according to any one of the preceding claims comprising an LSRAC module that is a programmable module installed in a user computer that eliminates the communication limitations imposed by browsers. 6. - The system according to any one of claims 2 to 5 wherein the CDAS module (1) comprises: (a) a first network interface layer (1.1) that can be of the Ethernet or wireless type, by means of which the CDAS module (1) will connect to the network; (b) a second layer of data processing and computing (1.2) that provides the TCP / IP protocol tower with the necessary processing capacity to maintain communications over the network and data processing needs; (c) a third data acquisition layer (1.3) that provides the necessary interface for the processing and computing layer (1.2) to receive and send information; and (d) a fourth layer of level adaptation (1.4) that adjusts the voltage ranges of the electrical signals of the sensors and actuators to optimal input values in the acquisition layer (1.3). system according to any one of the preceding claims, wherein the SCRA module (3) comprises a set of communication functionalities (3.1) that control access with two different strategies; where the accesses with protocols derived from HTTP are managed by a transparent proxy server for these protocols (3.2); and where the accesses to the physical equipment accessible on the network that use proprietary protocols are managed by means of a tunnel server that allows the use of proprietary software for the visualization, configuration and programming of the devices (3.3). 8.

system according to any one of the preceding claims wherein the SCRA module (3) includes an automatic configuration service for the equipment that is connected to the controlled network (3.6); and where the automatic configuration service (3.6) comprises: (a) the automatic assignment of IP addresses, which can be performed by the DHCP service, included in the SCRA module (3); host name resolution, included in the DNS service; and (c) automatic location of network services. system according to any one of the preceding claims, wherein the CPD module (4) published in a CPS module (5) provides a set of communication functionalities identical to the communication functionalities (3.1) of the SCRA module (3) that control access with two different strategies; where the accesses with protocols derived from HTTP are managed by a transparent proxy server for these protocols; and where the accesses to the physical equipment accessible on the network that use proprietary protocols are managed by means of a tunnel server that allows the use of proprietary software for the visualization, configuration and programming of the devices. 10.

system according to claims 7 and 8 where the automatic location service (3.6) uses the mDNS protocol and works by multicast and provides users with management capacity with a REST service through which they are informed from any point of the unsecured public network of devices connected to a secure network; and where the automatic location service (3.6) interacts with the tunnel service to allow access to connected devices in any secure network in a totally transparent way. 11. - The system according to any one of the preceding claims wherein the automatic location service is included within the SCRA module (3), the CPD module (4) and the LSRAC module. 12.

- The system according to claim 10 where for all devices to respond to the automatic location service, it is necessary to install a module LSRAC in the CDAS module (1) of each device. 13.

system according to claim 10 where network accessible equipment that does not include a CDAS module (1) because they have a proprietary program, are registered in the SCRA module (3) responsible for the controlled network to which they are connected. 14.

system according to any one of the preceding claims comprising a local client for automatic location to facilitate the administration and maintenance of a secure network; and where this service is installed in the CDAS modules (1) of the different devices connected to the network and in the system administration computers, in such a way that the automatic location client application, when activated, opens a network browser interface where a list of all devices or sets of devices that have responded to the automatic location query is displayed on the secure network of the querying computer.