WO2014035992A1 - Network access management via a secondary communication channel - Google Patents


Info

Publication number
WO2014035992A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication channel
communication
network
ied
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2013/056842
Other languages
English (en)
French (fr)
Inventor
Edmund O. Schweitzer
David E. Whitehead
Mark Weber
Rhett SMITH
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Schweitzer Engineering Laboratories Inc
Original Assignee
Schweitzer Engineering Laboratories Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Schweitzer Engineering Laboratories Inc
Priority to AU2013309013A (AU2013309013B2)
Priority to CA2868859A (CA2868859C)
Priority to ES201490087A (ES2536026R1)
Priority to BR112014020214A (BR112014020214A8)
Priority to MX2014010490A (MX336304B)
Publication of WO2014035992A1
Priority to ZA2014/05428A (ZA201405428B)
Anticipated expiration
Legal status: Ceased (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82 Protecting input, output or interconnection devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/61 Time-dependent
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • This disclosure relates to network security and
  • this disclosure relates to selectively enabling communication over a first communication channel after receiving an enablement instruction via a second communication channel.
  • FIG. 1 illustrates an embodiment of a system including an intelligent electronic device (IED) performing the functions of a network operations center (NOC), including a primary communication channel and a secondary communication channel.
  • IED intelligent electronic device
  • NOC network operations center
  • FIG. 2 illustrates an embodiment of a system including a network access controller configured to selectively enable access via a primary communication channel upon receiving an enablement instruction from a secondary communication channel.
  • FIG. 3 illustrates an embodiment of a system where a local operator may provide an enabling signal to a network access controller in order to enable access by a remote operator via a primary
  • FIG. 4A illustrates an embodiment of a system in which a remote operator may provide an enablement instruction via a physically secure secondary communication channel in order to enable access via a primary communication channel.
  • FIG. 4B illustrates an embodiment of a system in which a local operator may provide an enablement instruction via a physically secure secondary communication channel to enable access to a remote operator via a primary communication channel.
  • FIG. 5 illustrates a flow chart of an embodiment of a method for selectively enabling communication over a first communication channel in response to receiving an enablement instruction via a second
  • FIG. 6 illustrates a flow chart of an embodiment of an IED's response to communications received via first and second
  • Intelligent electronic devices may be used for monitoring, protecting, and/or controlling industrial and utility equipment, such as in an electric power delivery system.
  • an IED such as a programmable logic controller (PLC), protective relay, real-time automation controller (RTAC), or the like may monitor, protect, and/or control various components within an industrial or utility system, such as a power delivery system (which may include, for example, electric power generation, transmission, distribution, and/or consumption).
  • PLC programmable logic controller
  • RTAC real-time automation controller
  • IEDs may be monitored, controlled, and/or managed using any of a wide variety of communication methods.
  • IEDs may include
  • communication channels utilizing Ethernet or serial connections may implement any of a wide variety of communication protocols and security measures.
  • the systems and methods disclosed herein may be implemented in gateways, firewalls, and other network devices configured to implement modern access control paradigms across a wide variety of networked devices.
  • a first IED may be connected to a second IED via a primary communication channel that is relatively less secure. Disabling the primary communication channel may reduce unauthorized access to the second IED. Of course, this also prevents communication from the first IED to the second IED via the primary communication channel.
  • the primary communication channel may be selectively and/or temporarily enabled by transmitting an enablement instruction via a secondary communication channel.
  • the secondary communication channel may be relatively secure.
  • the secondary communication channel may also connect the first and second IEDs. Accordingly, the first IED may transmit an enablement instruction to the second IED in order to temporarily enable communication via the primary communication channel between the first and second IEDs.
  • the secondary communication channel may connect the second IED to a third IED.
  • the third IED transmits an enablement instruction to the second IED via the secondary communication channel
  • the second IED may enable the primary communication channel, allowing the first IED to communicate with the second IED.
  • the primary communication channel may utilize a publicly accessible wide area network connection, such as via Ethernet, while the secondary communication channel may utilize a private, more secure, serial connection, such as in a supervisory control and data acquisition (SCADA) network.
  • SCADA supervisory control and data acquisition
  • the primary communication channel and the secondary communication channel may utilize the same physical connections or physical connection types, but implement different communication protocols, security measures, error detection, error correction, transmission algorithms, and/or other communication variations.
  • an IED may perform a monitoring, controlling, and/or protective function via a first, private network.
  • the IED may be a part of a synchronous optical networking (SONET) network or a synchronous digital hierarchy (SDH) network.
  • SONET synchronous optical networking
  • SDH synchronous digital hierarchy
  • the IED may be managed and/or controlled via the SONET or SDH network, or alternatively, the IED may be managed and/or controlled via a separate network connection.
  • an access controller in communication with the IED may enable a local or remote operator to configure settings within the IED via a serial or parallel network connection, such as an Ethernet connection.
  • An IED may include a primary network connection and a secondary network connection.
  • the primary network connection may be selectively enabled and disabled via enablement instructions provided via the secondary network connection.
  • the primary network connection may provide a relatively high bandwidth connection, but be relatively less secure.
  • the secondary network connection may be relatively secure (physically or virtually), but have a relatively limited bandwidth.
  • the overall security of the system is improved while still allowing for high-bandwidth network connections.
  • phrases “connected to” and “in communication with” refer to any form of interaction between two or more components, including mechanical, electrical, magnetic, and electromagnetic interaction. Two components may be connected to or in communication with each other, even though they may not be in direct contact with each other, and even though there may be intermediary devices between the two components.
  • the term IED may refer to any microprocessor-based device that monitors, controls, automates, and/or protects monitored equipment within a system.
  • Such devices may include, for example, remote terminal units, differential relays, distance relays, directional relays, feeder relays, overcurrent relays, voltage regulator controls, voltage relays, breaker failure relays, generator relays, motor relays, automation controllers, bay controllers, meters, recloser controls, communications processors, computing platforms, programmable logic controllers (PLCs), programmable automation controllers, input and output modules, motor drives, and the like.
  • networking and communication devices may be incorporated in an IED or be in communication with an IED.
  • the term IED may be used interchangeably to describe an individual IED or a system comprising multiple IEDs.
  • a computer may include a processor, such as a microprocessor, microcontroller, logic circuitry, or the like.
  • the processor may include a special purpose processing device, such as an ASIC, PAL, PLA, PLD, Field Programmable Gate Array, or other customized or programmable device.
  • the computer may also include a computer-readable storage device, such as non-volatile memory, static RAM, dynamic RAM, ROM, CD-ROM, disk, tape, magnetic, optical, flash memory, or other computer-readable storage medium.
  • a software module or component may include any type of computer instruction or computer executable code located within or on a computer-readable storage medium.
  • a software module may, for instance, comprise one or more physical or logical blocks of computer instructions, which may be organized as a routine, program, object, component, data structure, etc., that performs one or more tasks or implements particular abstract data types.
  • FIG. 1 illustrates an embodiment of a system 100 including an intelligent electronic device (IED) 120 performing the functions of a network operations center (NOC).
  • the NOC IED 120 is in
  • the IEDs 111, 112, 113, and 114 may be configured to perform various control, automation, monitoring, and/or protection functions in an electric power distribution system. However, the systems and methods described herein are applicable to any of a wide variety of communication networks.
  • the NOC IED 120 may provide limited access to the IED 114 (and/or the IEDs 111, 112, and/or 113) by external devices, such as the operation manager 150 and threats 160.
  • the NOC IED 120 may be in communication with an operation manager 150 via a wide area network (WAN) 145.
  • the WAN 145 may be publicly accessible, such that threats 160 may need to be detected and/or prevented from accessing the secure ICON 110.
  • the primary communication channel 140 connecting the NOC IED 120 to the WAN 145 may be disabled.
  • the primary communication channel 140 may be selectively enabled on a temporary basis and/or with limited accessibility upon receiving enablement instructions 125 via a secure secondary channel 130.
  • the primary communication channel 140 may be disabled until an enablement instruction 125 is provided via the secondary communication channel 130.
  • the secondary communication channel 130 may be physically and/or virtually more secure than the primary communication channel 140.
  • the secondary communication channel 140 may be accessible to the operation manager 150.
  • the secondary communication channel 140 may be inaccessible to the operation manager 150, requiring a third party to effectively authorize the communication temporarily between the operation manager 150 and the NOC IED 120 via the primary communication channel 140.
  • the primary communication channel 140 may be disabled after a predetermined time period, following a predetermined number of connections, and/or after a disablement instruction is received via the secondary communication channel 130.
  • the secondary communication channel 130 may comprise a contact input that, when toggled, selectively enables and disables communication via the primary communication channel 140.
  • the contact input may be accessible to the operation manager 150, or only accessible to a third party access controller.
  • FIG. 2 illustrates an embodiment of a system 200 including a network access controller 270 configured to selectively enable access via a primary communication channel 240 upon receiving an enablement instruction 235 from a secondary communication channel 230.
  • the network access controller connects a supervisory control and data acquisition (SCADA) network (via the secure secondary channel 230) to a NOC IED 220.
  • the NOC IED 220 may control access and/or communication from a private network 210, including IEDs 211, 212, 213, 214, and 215.
  • the NOC IED 220 may communicate with the IED 214 using simple network management protocol (SNMP).
  • the secure secondary channel 230 may be able to communicate freely (i.e. the communication channel may be enabled) with the network access controller 270. Any of a wide variety of authentication, encryption, and/or other security measures may be implemented between the network access controller 270 and the SCADA network.
  • the network access controller 270 may also be configured to selectively allow access via the primary communication line 240 over a WAN 245.
  • the WAN 245 may not be as inherently secure as the secondary communication channel 230.
  • unauthorized threats 260 may attempt to access the network access controller 270.
  • one method of minimizing the threats 260 is to selectively disable the primary communication channel 240.
  • the network access controller 270 may selectively enable the primary communication channel 240 when an enablement instruction 235 is received from the secure secondary communication channel 230. In the illustrated embodiment, the .
  • the enablement instruction may comprise a SCADA tag transmitted by a device on the SCADA network connected to the network access controller via the secure secondary communication channel 230.
  • the primary communication channel 240 may comprise a relatively high bandwidth Ethernet connection to the WAN 245. Accordingly, a relatively low bandwidth enablement instruction 235 may be used to grant temporary and/or selective access to a network access controller 270 (or an associated network 210) via a high bandwidth, potentially less secure, communication channel.
  • the operation manager 250 may be connected to the network access controller 270 only through the WAN 245 and the primary communication channel 240. In other embodiments, the operation manager 250 may also have access to the network access controller 270 via the secure secondary communication channel 230 using a SCADA connection.
  • the enablement instruction 235 may include an instruction to initiate a single communication session via the primary communication channel 240.
  • the enablement instruction 235 may include a time period until the primary communication channel 240 should be disabled.
  • the enablement instruction 235 may include an Internet Protocol (IP) address, media access control (MAC) address, and/or other identifying characteristic of the operation manager 250 in order to provide additional security.
  • IP Internet Protocol
  • MAC media access control
  • the network access controller 270 may receive a disablement instruction via the secure secondary communication channel 230, the NOC IED 220, and/or the operation manager 250 and disable the primary communication channel 240 in response. Additionally, the network access controller may be configured to disable the primary communication channel 240 in response to a detected threat.
  • FIG. 3 illustrates an embodiment of a system 300 where a local operator 330 may be connected to a network access controller 370 via a secondary communication channel 335.
  • the local operator may be connected to a local network 310, including multiple IEDs 311, 312, 313, 314, and 315, via the network access controller 370 and/or a NOC IED 320.
  • the NOC IED 320 may be configured to manage communication between the IEDs 311-315 on a SONET network.
  • the local operator 330 may communicate via the access controller 370 via the secondary communication channel using any of a wide variety of communication ports, links, protocols, and/or communication types.
  • the local operator 330 may be connected to the network access controller 370 via an Ethernet connection, a serial connection, as part of a SCADA network, as part of a SONET network, using a deterministic network, using a physically secure communication line, using a wireless
  • the secondary communication may be considered more secure than a primary communication channel 340.
  • the primary communication channel 340 may be configured to connect a remote operator 350 to the network access controller 370.
  • the network access controller 370 may selectively enable and disable the primary communication channel 340 in order to prevent threats 360 from obtaining unauthorized access to the local operator 330, the NOC IED 320, and/or the local network 310.
  • the network access controller 370 may selectively enable the primary communication channel 340 when so instructed by the local operator 330. Accordingly, a local operator 330 may authorize the remote operator 350 to connect to NOC IED 320 and/or local network 310 via the primary communication channel 340 by transmitting enablement instructions to the network access controller 370.
  • the local operator 330 and the remote operator 350 may be the same operator and/or physical machine.
  • a generally less secure communication channel e.g., the primary communication channel 340
  • a more secure communication channel e.g., the secondary communication channel 335. This may be useful, for example, when the primary communication channel provides superior access, control, bandwidth, flexibility, and/or other desirable
  • the primary communication channel 340 and the secondary communication channel 335 may utilize different types of physical connections, cables, physical ports, virtual ports, and/or communication protocols, but may be otherwise similar.
  • the primary communication channel 340 and the secondary communication channel 335 may be a part of the same or different networks, may utilize the same physical connection, may utilize the same type of physical connection, and/or may utilize the same communication protocol.
  • a first communication channel is used to selectively enable a second communication channel (or vice versa).
  • FIG. 4A illustrates an embodiment of a system 400 in which a remote operator 450 may provide an enablement instruction via a physically secure secondary communication channel in order to enable access via a primary communication channel 440.
  • the secure secondary communication channel may comprise a contact input 430, such as a button or a switch, configured to transmit a signal 435 toggled between two or more states.
  • a network access controller 470 may selectively enable the primary communication channel 440.
  • the remote operator 450 may set the contact input 430.
  • a private network(s) 410 including IEDs 411, 412, 413, 414, and 415 may be managed by a NOC IED 420.
  • NOC IED 420 may be in communication with, or alternatively include, the network access controller 470. In some embodiments, the NOC IED 420 may be omitted.
  • Remote access to the private network 410 may be accessible through the primary communication channel 440, but the primary communication channel 440 may remain disabled unless the contact input 430 is toggled to an enabling state. In such an embodiment, the private network 410 is protected from threats 460 that may attempt (successfully or
  • the remote operator 450 may temporarily enable the primary communication channel 440 by transmitting an enablement instruction by toggling the contact input 430.
  • the network access controller 470 may be configured to interpret the enablement instruction in any of a wide variety of ways. For example, primary communication channel 440 may be enabled only for the first connection request, enabled for a
  • FIG. 4B illustrates an embodiment of the system 400 in which a local operator 432 may provide an enablement instruction via the physically secure secondary communication channel to enable access to the remote operator 450 via the primary communication channel 440.
  • the secure secondary communication channel may comprise a contact input 430, such as a button or a switch, configured to transmit a signal 435 toggled between two or more states.
  • the network access controller 470 may selectively enable the primary communication channel 440.
  • the remote operator 450 may provide authentication credentials to the local operator 432.
  • the remote operator 450 may "badge in," scan a keycard, send an electronic communication to the local operator, call the local operator, and/or otherwise provide authenticating information.
  • the local operator 432 may then set the contact input 430 to allow the remote operator 450 temporary access via the primary communication channel 440.
  • the local operator 432 may be a human operator, such as an operations manager of a substation, or an automated device or computer configured to authenticate the remote operator 450 and then toggle the contact input 430 automatically.
  • the contact input 430 may comprise a separate physical channel configured to undergo a physical state change indicating whether or not the primary communication channel 440 should be enabled or disabled.
  • the contact input 430 may comprise a logical input into a communication system, such as an RTAC, configured to selectively enable and disable the primary communications channel 440.
  • FIG. 5 illustrates a flow chart of an embodiment of a method 500 for selectively enabling communication over a first communication channel in response to receiving an enablement instruction via a second communication channel.
  • the steps of the method 500 need not be performed in the illustrated order, nor do they necessarily need to all be performed or only performed once.
  • a first communication channel may be disabled, at 510.
  • a second communication channel may be enabled and configured to receive communication, at 520.
  • An enablement instruction may be received via the second communication channel, at 530.
  • Communication via the first communication channel may be enabled in response to the enablement instruction, at 540.
  • Communication via the first communication channel may be disabled in response to a disabling event, at 550.
  • an access controller in communication with an IED may be configured to communicate via two communication channels, a first communication channel and a second communication channel.
  • the access controller may disable the first communication channel to prevent unauthorized access or access attempts, at 510.
  • the access controller may, however, receive communication via an enabled, second communication channel, at 520.
  • the second communication channel may be configured to communicate with the IED.
  • the second communication channel may comprise a fully-functioning network utilizing one or more physical network connections, cables, protocols, and/or other networking paradigm.
  • the second communication channel may be a part of a SONET, SCADA, EtherCat, IP over Ethernet, and/or other serial or parallel network.
  • the second communication channel may be dedicated to selectively transmitting an enablement instruction to the access controller.
  • the access controller may receive enablement instructions via the second communication channel instructing the access controller to enable the first communication channel, at 530.
  • the access controller may enable the first communication channel in response to the enablement instructions, at 540.
  • the access controller may be configured to enable the first communication channel permanently, for a selected time period, and/or until a disablement instruction is provided.
  • the access controller may be configured to enable the first communication channel for a specific IP address, MAC address, or other identifying characteristic provided in the enablement instruction.
  • the access controller may be configured to enable the first communication channel for only a predetermined number of access attempts or communication sessions.
  • the access controller may disable the first communication channel in response to a disabling event, at 550.
  • the disabling event may comprise a disablement instruction provided by a remote IED, a local IED, the access controller, a third party, a time limit, an access restriction, inability to verify login credentials, and/or other event.
  • FIG. 6 illustrates a flow chart of an embodiment of an IED's response 600 to communications received via first and second communication channels depending on the state of the second communication channel.
  • communication may be received via a first communication channel, at 610. If the first communication channel is not enabled, at 615, then the communication received via the first communication channel is not received, at 625. Alternatively, if the first communication channel is enabled, at 615, then the communication via the first communication channel is allowed. Although the communication may be allowed, at 620, an access controller may still require a remote IED to provide appropriate login credentials or implement other encryption and/or security measures to ensure authorized access.
  • Communication received via the second communication channel, at 630, may be allowed, at 635. Again, the communication via the second communication channel, at 630, may be allowed only in the sense that the communication will be considered by the access controller. Appropriate login credentials, security measures, encryption protocols, and/or the like may be required in order for a local or remote IED to communicate via the access controller or with the access controller. If the communication includes an enablement or disablement instruction associated with the first communication channel, at 640, then the first communication channel may be selectively enabled or disabled, at 645. If the communication does not include an enablement or disablement instruction, at 640, then the state (enabled or disabled) of the first communication channel may be maintained, at 650.
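The method of FIG. 5 (steps 510-550) and the per-channel decision logic of FIG. 6 (610-650) amount to a small state machine, and the following added Python model makes it concrete. It is example code written for this page, not code from the patent or from Schweitzer Engineering Laboratories. The primary channel starts disabled; an enablement instruction arriving on the secondary channel opens it, optionally with the time limit, session count and source-identity restriction the description lists; a disablement instruction, expiry, an exhausted session count, a failed login or a detected threat closes it again. The message dictionary shape, the `EnablementInstruction` field names, the injectable clock and the constructed sample sources (10.0.0.5, 10.0.0.9) are all assumptions of the example.

```python
# Added example, not the patent's own code: an access-controller model of the
# method in FIG. 5 (510-550) and the decision logic in FIG. 6 (610-650).
# Message shapes, field names and the sample source addresses are assumptions.
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class EnablementInstruction:
    """Options the description allows in an enablement instruction (assumed field names)."""
    duration_s: Optional[float] = None        # disable after this many seconds
    max_sessions: Optional[int] = None        # disable after this many accepted sessions
    allowed_sources: frozenset = frozenset()  # IP/MAC identifiers; empty = unrestricted


class AccessController:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock                 # injectable so expiry is testable offline
        self.primary_enabled = False        # 510: primary channel disabled by default
        self._expires_at: Optional[float] = None
        self._sessions_left: Optional[int] = None
        self._allowed_sources: frozenset = frozenset()
        self.audit: List[str] = []          # record of every decision, for review

    # ---- secondary channel: always listening (520); instructions acted on (630-650)
    def on_secondary_message(self, msg: dict) -> str:
        kind = msg.get("kind")
        if kind == "enable":                # 530/540 and 640/645
            self._enable(msg["instruction"])
            return "enabled"
        if kind == "disable":               # 550 and 640/645
            self._disable("disablement instruction on secondary channel")
            return "disabled"
        self.audit.append("secondary: non-instruction message, state maintained")
        return "maintained"                 # 650: state of the first channel unchanged

    def _enable(self, instr: EnablementInstruction) -> None:
        self.primary_enabled = True
        self._expires_at = (self._clock() + instr.duration_s) if instr.duration_s else None
        self._sessions_left = instr.max_sessions
        self._allowed_sources = frozenset(instr.allowed_sources)
        self.audit.append(f"primary enabled: {instr}")

    def _disable(self, reason: str) -> None:
        self.primary_enabled = False
        self._expires_at = None
        self._sessions_left = None
        self._allowed_sources = frozenset()
        self.audit.append(f"primary disabled: {reason}")

    def on_threat_detected(self, detail: str) -> None:
        """The description also allows disabling in response to a detected threat."""
        self._disable(f"threat detected: {detail}")

    def _expire_if_due(self) -> None:
        if self._expires_at is not None and self._clock() >= self._expires_at:
            self._disable("time period elapsed")

    # ---- primary channel: connection attempts (610-625)
    def on_primary_connection(self, source: str, credentials_ok: bool) -> bool:
        self._expire_if_due()
        if not self.primary_enabled:        # 615 -> 625: not received at all
            self.audit.append(f"primary: {source} dropped, channel disabled")
            return False
        if self._allowed_sources and source not in self._allowed_sources:
            self.audit.append(f"primary: {source} rejected, not in allowed sources")
            return False
        if not credentials_ok:              # 620: an enabled channel still requires login
            self._disable(f"inability to verify login credentials from {source}")
            return False
        self.audit.append(f"primary: session from {source} accepted")
        if self._sessions_left is not None:
            self._sessions_left -= 1
            if self._sessions_left <= 0:
                self._disable("predetermined number of sessions reached")
        return True


def demo() -> List[str]:
    """Walk the controller through the paths in the flow charts; returns the audit log."""
    now = [0.0]                             # constructed clock so expiry is deterministic
    ac = AccessController(clock=lambda: now[0])
    ac.on_primary_connection("10.0.0.9", True)             # dropped: nothing enabled yet
    ac.on_secondary_message({"kind": "enable", "instruction": EnablementInstruction(
        duration_s=60, max_sessions=2, allowed_sources=frozenset({"10.0.0.5"}))})
    ac.on_primary_connection("10.0.0.9", True)             # rejected: not the named source
    ac.on_primary_connection("10.0.0.5", True)             # session 1 accepted
    ac.on_primary_connection("10.0.0.5", True)             # session 2 accepted, channel then closed
    ac.on_secondary_message({"kind": "enable", "instruction": EnablementInstruction(duration_s=30)})
    now[0] = 31.0
    ac.on_primary_connection("10.0.0.5", True)             # dropped: time period elapsed
    ac.on_secondary_message({"kind": "status"})            # no instruction: state maintained
    return ac.audit


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two design points carry over from the description: a rejected or dropped attempt never consumes a session from the count, so an unauthorised party cannot burn the window granted to the intended operator, and a failed login on the enabled channel closes the channel outright rather than leaving it open for retries, which matches "inability to verify login credentials" being listed as a disabling event.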

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
PCT/US2013/056842 2012-08-30 2013-08-27 Network access management via a secondary communication channel Ceased WO2014035992A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
AU2013309013A AU2013309013B2 (en) 2012-08-30 2013-08-27 Network access management via a secondary communication channel
CA2868859A CA2868859C (en) 2012-08-30 2013-08-27 Network access management via a secondary communication channel
ES201490087A ES2536026R1 (es) 2012-08-30 2013-08-27 Gestión de acceso a redes a través de un canal de comunicación secundario
BR112014020214A BR112014020214A8 (pt) 2012-08-30 2013-08-27 Método para habilitar a comunicação em rede com um dispositivo eletrônico inteligente, sistema para gerenciar a comunicação em rede com um dispositivo eletrônico inteligente, controlador de acesso, e, mídia legível
MX2014010490A MX336304B (es) 2012-08-30 2013-08-27 Administracion de acceso a red por medio de un canal de comunicacion secundario.
ZA2014/05428A ZA201405428B (en) 2012-08-30 2014-07-23 Network access management via a secondary communication channel

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/599,927 2012-08-30
US13/599,927 US8793767B2 (en) 2012-08-30 2012-08-30 Network access management via a secondary communication channel

Publications (1)

Publication Number Publication Date
WO2014035992A1 true WO2014035992A1 (en) 2014-03-06

Family

ID=50184245

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/056842 Ceased WO2014035992A1 (en) 2012-08-30 2013-08-27 Network access management via a secondary communication channel

Country Status (8)

Country Link
US (1) US8793767B2 (en)
AU (1) AU2013309013B2 (en)
BR (1) BR112014020214A8 (en)
CA (1) CA2868859C (en)
ES (1) ES2536026R1 (en)
MX (1) MX336304B (en)
WO (1) WO2014035992A1 (en)
ZA (1) ZA201405428B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9772784B2 (en) 2011-08-10 2017-09-26 Nutanix, Inc. Method and system for maintaining consistency for I/O operations on metadata distributed amongst nodes in a ring structure
US20140251478A1 (en) * 2013-03-08 2014-09-11 Schweitzer Engineering Laboratories, Inc. Automation of Water Flow in Networks
US9620955B2 (en) 2013-03-15 2017-04-11 Schweitzer Engineering Laboratories, Inc. Systems and methods for communicating data state change information between devices in an electrical power system
US9270109B2 (en) 2013-03-15 2016-02-23 Schweitzer Engineering Laboratories, Inc. Exchange of messages between devices in an electrical power system
US9065763B2 (en) * 2013-03-15 2015-06-23 Schweitzer Engineering Laboratories, Inc. Transmission of data over a low-bandwidth communication channel
JP6357778B2 (ja) * 2013-06-26 2018-07-18 株式会社リコー 通信装置、通信システム及びプログラム
US9958924B2 (en) * 2013-08-28 2018-05-01 Cisco Technology, Inc. Configuration of energy savings
US9705305B2 (en) * 2014-04-29 2017-07-11 Schweitzer Engineering Laboratories, Inc. Resilient communication for an electric power delivery system
WO2015172107A1 (en) * 2014-05-09 2015-11-12 Nutanix, Inc. Mechanism for providing external access to a secured networked virtualization environment
US10642507B2 (en) 2015-01-30 2020-05-05 Nutanix, Inc. Pulsed leader consensus management
US9811706B2 (en) 2015-04-23 2017-11-07 Vatche PAPAZIAN System for anonymous communication from a user to the publisher of a scannable label
US11218418B2 (en) 2016-05-20 2022-01-04 Nutanix, Inc. Scalable leadership election in a multi-processing computing environment
US10362092B1 (en) 2016-10-14 2019-07-23 Nutanix, Inc. Entity management in distributed systems
US10298343B2 (en) 2017-03-03 2019-05-21 Schweitzer Engineering Laboratories, Inc. Systems and methods for time-synchronized communication
US10826324B2 (en) 2017-05-18 2020-11-03 Schweitzer Engineering Laboratories, Inc. Mitigation of gratuitous conditions on electric power delivery systems
US11194680B2 (en) 2018-07-20 2021-12-07 Nutanix, Inc. Two node clusters recovery on a failure
US10819727B2 (en) 2018-10-15 2020-10-27 Schweitzer Engineering Laboratories, Inc. Detecting and deterring network attacks
US11770447B2 (en) 2018-10-31 2023-09-26 Nutanix, Inc. Managing high-availability file servers
US11805104B2 (en) * 2018-12-14 2023-10-31 Battelle Memorial Institute Computing system operational methods and apparatus
US11178176B2 (en) 2019-03-27 2021-11-16 Board Of Trustees Of The University Of Arkansas Methods and systems for detection of man-in-the-middle attacks for SCADA communication networks and applications of same
US11768809B2 (en) 2020-05-08 2023-09-26 Nutanix, Inc. Managing incremental snapshots for fast leader node bring-up
US11936642B2 (en) 2021-04-15 2024-03-19 Schweitzer Engineering Laboratories, Inc. Device level variable role-based access systems, methods, and apparatuses
US12463959B2 (en) * 2022-06-10 2025-11-04 HashiCorp Cloud-based secrets management credential store
WO2025036552A1 (en) * 2023-08-14 2025-02-20 Assa Abloy Ab Access control system with temporary ip connection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070067625A1 (en) * 2005-08-29 2007-03-22 Schweitzer Engineering Laboratories, Inc. System and method for enabling secure access to a program of a headless server device
US7251570B2 (en) * 2003-07-18 2007-07-31 Power Measurement Ltd. Data integrity in a mesh network
US20090070447A1 (en) * 2007-09-07 2009-03-12 Power Measurement Ltd. Energy monitoring system using network management protocols
US20110088096A1 (en) * 2009-10-14 2011-04-14 Andrew Hilton Systems and methods for license entitlement key distribution

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040257999A1 (en) * 2001-11-16 2004-12-23 Macisaac Gary Method and system for detecting and disabling sources of network packet flooding
US8274401B2 (en) * 2006-12-22 2012-09-25 Acterna Llc Secure data transfer in a communication system including portable meters
US8341083B1 (en) * 2007-09-12 2012-12-25 Devicefidelity, Inc. Wirelessly executing financial transactions
US8639922B2 (en) * 2009-06-01 2014-01-28 Dhananjay S. Phatak System, method, and apparata for secure communications using an electrical grid network
US8140733B2 (en) * 2010-08-12 2012-03-20 Emcon Emanation Control Ltd. Secure external computer hub

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10465530B2 (en) 2013-12-20 2019-11-05 United Technologies Corporation Gas turbine engine component cooling cavity with vortex promoting features
CN106662849A (zh) * 2014-04-16 2017-05-10 Abb瑞士股份有限公司 控制装置的移动人机接口
EP2977838A1 (en) * 2014-07-25 2016-01-27 Alstom Technology Ltd Process of monitoring intelligent electronic devices installed in an electrical power system
WO2016012629A1 (en) * 2014-07-25 2016-01-28 Alstom Technology Ltd Process of monitoring and/or configuring intelligent electronic devices installed in an electrical power system
CN108924955A (zh) * 2018-07-30 2018-11-30 山东大骋医疗科技有限公司 一种基于双链无线通信的ct数据传输与控制方法及装置
CN108924955B (zh) * 2018-07-30 2021-12-14 山东大骋医疗科技有限公司 一种基于双链无线通信的ct数据传输与控制方法及装置

Also Published As

Publication number Publication date
BR112014020214A8 (pt) 2017-07-11
CA2868859A1 (en) 2014-03-06
US8793767B2 (en) 2014-07-29
BR112014020214A2 (en) 2017-06-20
MX2014010490A (es) 2014-11-14
ZA201405428B (en) 2015-12-23
AU2013309013B2 (en) 2014-09-18
AU2013309013A1 (en) 2014-08-14
CA2868859C (en) 2015-04-28
ES2536026A2 (es) 2015-05-19
ES2536026R1 (es) 2015-11-06
US20140068711A1 (en) 2014-03-06
MX336304B (es) 2016-01-14

Similar Documents

Publication Publication Date Title
CA2868859C (en) Network access management via a secondary communication channel
US8756411B2 (en) Application layer security proxy for automation and control system networks
US7721321B2 (en) Method and apparatus for reducing communication system downtime when configuring a cryptographic system of the communication system
CA2779145C (en) Systems and methods for remote device management
KR101206095B1 (ko) 보호계전기, 상기 보호계전기를 구비하는 네트워크 시스템 및 네트워크 보안방법
US10863558B2 (en) Communication device for implementing trusted relationships in a software defined network
US20190104107A1 (en) Poisoning Protection for Process Control Switches
US20060269066A1 (en) System and method for converting serial data into secure data packets configured for wireless transmission in a power system
WO2009031453A1 (ja) ネットワークセキュリティ監視装置ならびにネットワークセキュリティ監視システム
JP6968175B2 (ja) フィールドバスを介した安全な通信をサポートするためのセキュリティデバイスおよびフィールドバスシステム
CN103168458A (zh) 用于防操纵的密钥管理的方法
Antonini et al. Security challenges in building automation and SCADA
US11601278B2 (en) Authentication of intelligent electronic devices (IEDs) using secure association keys (SAKs)
KR101287220B1 (ko) 발전소 통합 제어 시스템의 네트워크 보안 시스템
CA2915664A1 (en) Point-to-multipoint polling in a monitoring system for an electric power distribution system
Rosborough et al. All about eve: comparing DNP3 secure authentication with standard security technologies for SCADA communications
CN115412402B (zh) 通信网关
EP4622177A1 (en) Security protocol proxy for an operational technology system
Humayed Securing CAN-based cyber-physical systems
Czechowski Cyber-physical security for Low-Voltage Smart Grids HAN Security within Smart Grids
Parker Guarding The Grid: Exploring Iot And Iiot Security Vulnerabilities In Smart Power Systems
Fuloria et al. Towards a security architecture for substations
Valentin et al. ATMEGA256-based data network management software architecture
Thanos et al. P&C engineering concepts applied to cyber security of the power grid
Saed et al. Smart grid security concepts and issues

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13833431; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: P201490087; Country of ref document: ES)
ENP Entry into the national phase (Ref document number: 2013309013; Country of ref document: AU; Date of ref document: 20130827; Kind code of ref document: A)
WWE Wipo information: entry into national phase (Ref document number: MX/A/2014/010490; Country of ref document: MX)
ENP Entry into the national phase (Ref document number: 2868859; Country of ref document: CA)
REG Reference to national code (Ref country code: BR; Ref legal event code: B01A; Ref document number: 112014020214; Country of ref document: BR)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13833431; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 112014020214; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20140814)