WO2005034420A1 - Systeme d'automatisation a fonctions de chiffrement - Google Patents

Systeme d'automatisation a fonctions de chiffrement Download PDF

Info

Publication number
WO2005034420A1
WO2005034420A1 PCT/EP2004/010934 EP2004010934W WO2005034420A1 WO 2005034420 A1 WO2005034420 A1 WO 2005034420A1 EP 2004010934 W EP2004010934 W EP 2004010934W WO 2005034420 A1 WO2005034420 A1 WO 2005034420A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
automation system
data
processor
subsystems
Prior art date
Application number
PCT/EP2004/010934
Other languages
German (de)
English (en)
Inventor
Rainer Heller
Thomas Jachmann
Original Assignee
Siemens Aktiengesellschaft
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from DE2003145889 external-priority patent/DE10345889A1/de
Priority claimed from DE2003158695 external-priority patent/DE10358695A1/de
Application filed by Siemens Aktiengesellschaft filed Critical Siemens Aktiengesellschaft
Publication of WO2005034420A1 publication Critical patent/WO2005034420A1/fr

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/24Pc safety
    • G05B2219/24167Encryption, password, user access privileges
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00Program-control systems
    • G05B2219/20Pc systems
    • G05B2219/25Pc structure of the system
    • G05B2219/25205Encrypt communication

Definitions

  • the present invention relates to an automation system with encryption functions according to claim 1.
  • Automation systems are still largely connected to one another via local, closed networks.
  • Various subsystems and assemblies within the automation system are increasingly being connected to each other by means of Ethernet or Profibus, for example via the Internet or intranet.
  • Suitable communication means such as so-called web services, can then also be used to communicate with widely distributed assemblies of the automation systems and to exchange data.
  • Due to the increasing openness of the automation system it is becoming increasingly important to take certain security aspects into account when transferring data and to introduce appropriate security measures to ensure authenticity, integrity and confidentiality when accessing and transferring data. This can be, for example, the introduction of passwords for access authorization or the use of encryption algorithms for the data to be communicated.
  • the object of the present invention is to provide an automation system which takes into account the security aspects described above.
  • the automation system in addition to a control processor, which can also be designed as a communication processor, provides an encryption processor which contains encryption algorithms for encrypting and decrypting data and üloer a data bus with at least one control If the automation processor of the automation system exchanges data for encryption and / or decryption, security aspects can be taken into account in particular in increasingly open automation systems.
  • encrypted data can also be stored and managed by the encryption processor.
  • the passwords required for access authorization and encryption information required for secure transmission so-called encryption keys, can thus be securely stored and also managed in a simple manner.
  • the encryption processor can take over all security-related tasks, such as the execution of the security algorithms, the storage of protected data such as passwords or other data to be protected. Since all encryption services in the automation system are thus taken over by the encryption processor, the control processor connected to the encryption processor is not burdened with such tasks for the fulfillment of security aspects. This means that the performance of the control processor can continue to be fully and unrestrictedly available for controlling the automation system even after the introduction of safety aspects.
  • the implementation of such an encryption processor which is already available as a hardware component, will be easy to implement, with which the necessary security aspects can then also be taken into account very quickly and inexpensively in the automation system.
  • Security and access protection can be implemented in the simplest way by integrating an encryption processor in the automation system.
  • subsystems from a number of subsystems of the automation system each have their own encryption selection processor, and if these subsystems and thus the encryption processors are connected to each other in such a way that with the encryption algorithms and / or stored encrypted data contained in the encryption processors, secure communication between the subsystems in the automation system is available, the data communication between these communication modules of the automation system can be protected
  • subsystems on the most diverse subsystem levels such as actuators and sensors, or controls and peripheral devices, or different ones, can also be used.
  • Automation systems and diagnostic systems, or automation systems and higher-level systems, such as planning systems communicate with one another in a protected manner and exchange data. This reduces the likelihood, particularly in the increasingly open, decentralized automation systems, that the data communicated between the individual subsystems can be spied on and manipulated.
  • An advantage of this configuration is that no additional components and excellent security subsystems are required to protect an automation system.
  • the encryption processor can either be fixed, for example soldered to a circuit board of a module or a subsystem, or it can also be designed for mobile operation.
  • encryption processors can be plugged into an appropriate socket or can be read as a so-called chip card in an appropriate card reader.
  • the protected data only has to be available temporarily, for example as a password, when accessing or communicating via a maintenance computer that can be connected to the automation system and to which a secure connection is to be established, an exchangeable mobile encryption processor from Advantage.
  • the encryption processor preferably already contains encrypted data a priori, in particular centrally managed passwords.
  • the passwords can be stored in the encryption processor even before the automation system is put into operation, so that secure access is possible without any major administrative effort when the automation system is started up or when a maintenance computer is accessed for the first time.
  • the encryption processor is used as a coprocessor with the control processor already present in a subsystem and is connected to the latter via a data bus.
  • the data can be exchanged, for example, via a corresponding backplane bus, a serial or parallel data interface, or also via a cordless infrared or radio link, such as Bluetooth.
  • an encryption processor from [Helena Handschuh, "Smart Card Crypto-Coprocessors for Public-Key Cryptography", Smart Card Research and Applications, vol.
  • a large number of encryption algorithms can already be executed by the encryption processor.
  • a multitude of tasks can already be carried out that are necessary to carry out the safety aspects required in the automation system.
  • encryption Processors generally already have a secure memory area for storing encrypted data and / or passwords. This makes it possible for the encryption processor to take over and carry out all the tasks necessary for realizing the security aspects, such as encrypting and decrypting and / or storing and / or managing encrypted data, and thus the control processor in the automation system cannot perform such tasks is charged.
  • the encryption processor communicates with the control processor via a data bus and exchanges with it the corresponding data to be encrypted and decrypted.
  • the control processor itself is in turn connected to further processors, in particular to control processors from further subsystems.
  • the actual user data to be communicated is then exchanged between the individual control processors of the individual subsystems.
  • secure communication, and in particular the exchange of user data, between the control processors and thus between the subsystems is achieved in that each of the subsystems involved in the communication each has its own encryption processor.
  • the individual encryption processors are implicitly connected to one another via the corresponding control processors or communication processors of the individual subsystems in such a way that the encrypted data available in one of the encryption processors, ie generated and / or stored and / or managed, together with the encrypted data of everyone processors involved in the communication are used for secure, protected communication between these communication modules.
  • the communication can be verified with regard to authenticity, integrity and confidentiality.
  • Secure communication can take place not only between automation subsystems, but also between automation subsystems and other systems. A symmetry of systems is not necessary for this. Rather, the symmetry with regard to the encryption and decryption implemented in the automation system suffices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

L'invention concerne un système d'automatisation comprenant un processeur de chiffrement. L'invention concerne notamment un système d'automatisation comprenant au moins un processeur de chiffrement qui est relié par un bus de données à au moins un processeur de commande dans le système d'automatisation et qui échange des données pour le chiffrement et/ou le déchiffrement. Il est ainsi possible de décharger le processeur de commande dans les systèmes d'automatisation et de garantir l'authenticité, l'intégrité et la confidentialité lors de l'accès aux données et lors de leur transmission.
PCT/EP2004/010934 2003-09-30 2004-09-30 Systeme d'automatisation a fonctions de chiffrement WO2005034420A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
DE2003145889 DE10345889A1 (de) 2003-09-30 2003-09-30 Automatisierungssystem mit Verschlüsselungsfunktionen
DE10345889.1 2003-09-30
DE2003158695 DE10358695A1 (de) 2003-12-15 2003-12-15 Automatisierungssystem mit Verschlüsselungsfunktionen
DE10358695.4 2003-12-15

Publications (1)

Publication Number Publication Date
WO2005034420A1 true WO2005034420A1 (fr) 2005-04-14

Family

ID=34424318

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2004/010934 WO2005034420A1 (fr) 2003-09-30 2004-09-30 Systeme d'automatisation a fonctions de chiffrement

Country Status (1)

Country Link
WO (1) WO2005034420A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2320285A1 (fr) * 2009-11-06 2011-05-11 VEGA Grieshaber KG Dispositif de traitement de données pour un appareil de terrain
WO2014206451A1 (fr) * 2013-06-25 2014-12-31 Siemens Aktiengesellschaft Procédé et dispositif permettant la transmission sécurisée de données de signaux dans une installation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6289455B1 (en) * 1999-09-02 2001-09-11 Crypotography Research, Inc. Method and apparatus for preventing piracy of digital content
WO2002095506A2 (fr) * 2001-05-21 2002-11-28 Siemens Aktiengesellschaft Systeme d'automatisation de processus et dispositif de mise en oeuvre de processus pour systeme d'automatisation de processus
DE10200681A1 (de) * 2002-01-10 2003-07-31 Siemens Ag Temporäre Zugansberechtigung zum Zugriff auf Automatisierungseinrichtungen

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6289455B1 (en) * 1999-09-02 2001-09-11 Crypotography Research, Inc. Method and apparatus for preventing piracy of digital content
WO2002095506A2 (fr) * 2001-05-21 2002-11-28 Siemens Aktiengesellschaft Systeme d'automatisation de processus et dispositif de mise en oeuvre de processus pour systeme d'automatisation de processus
DE10200681A1 (de) * 2002-01-10 2003-07-31 Siemens Ag Temporäre Zugansberechtigung zum Zugriff auf Automatisierungseinrichtungen

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2320285A1 (fr) * 2009-11-06 2011-05-11 VEGA Grieshaber KG Dispositif de traitement de données pour un appareil de terrain
WO2014206451A1 (fr) * 2013-06-25 2014-12-31 Siemens Aktiengesellschaft Procédé et dispositif permettant la transmission sécurisée de données de signaux dans une installation

Similar Documents

Publication Publication Date Title
DE69731338T2 (de) Verfahren und System zum sicheren Übertragen und Speichern von geschützter Information
DE60109304T2 (de) Verfahren und vorrichtung zur sicheren netzwerkidentifizierung
EP3673623B1 (fr) Procédé et système de contrôle pour le contrôle et/ou la surveillance d'appareils
EP2981926B1 (fr) Dispositif de stockage de données permettant un échange de données protégé entre différentes zones de sécurité
EP0281058A2 (fr) Système pour l'échange de données
DE102005031629A1 (de) System mit mehreren elektronischen Geräten und einem Sicherheitsmodul
EP3763089B1 (fr) Procédé et système de contrôle pour le contrôle et/ou la surveillance d'appareils
EP2235598B1 (fr) Appareil de terrain et son procédé de fonctionnement
EP2272199B1 (fr) Dispositif de stockage de données réparti
EP2407843B1 (fr) Transmission de données sécurisée dans un réseau d'automatisation
DE102004042826A1 (de) Verfahren und Vorrichtung zur Datenverschlüsselung
EP3718263B1 (fr) Procédé et système de contrôle pour le contrôle et/ou la surveillance d'appareils
EP1784756B1 (fr) Procédé et système de securité pour le codage sur et univoque d'un module de securité
WO2005034420A1 (fr) Systeme d'automatisation a fonctions de chiffrement
EP2369805B1 (fr) Procédé de configuration et de répartition de droits d'accès dans un système réparti
DE10358695A1 (de) Automatisierungssystem mit Verschlüsselungsfunktionen
EP3798878B1 (fr) Dispositif et procédé d'exécution sécurisée d'un programme d'automatisation dans un environnement informatique en nuage
DE19533209C2 (de) Vorrichtung zur Zuordnung der Benutzer in einem Computer-Netzwerk
EP3707878B1 (fr) Système informatique de l'ido ainsi qu'agencement avec un tel système informatique de l'ido et avec un système externe
EP3422234B1 (fr) Image de conteneur, produit-programme informatique et procédé
DE102015016637B4 (de) Micro-Controller Unit MCU mit selektiv konfigurierbaren Komponenten
DE19505488C2 (de) Einrichtung zur Informationssicherung
DE102017108128B4 (de) Hardwarebasiertes Sicherheitsmodul
EP1904980A1 (fr) Procede pour faire fonctionner un support de donnees portable
DE60023170T2 (de) Zentralisierte kryptographische Datenverarbeitung mit hohem Durchsatz

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
122 Ep: pct application non-entry in european phase