WO2015116431A1 - Apparatus and method for establishing secure communication with redundant device after switchover - Google Patents

Apparatus and method for establishing secure communication with redundant device after switchover Download PDF

Info

Publication number
WO2015116431A1
WO2015116431A1 PCT/US2015/011978 US2015011978W WO2015116431A1 WO 2015116431 A1 WO2015116431 A1 WO 2015116431A1 US 2015011978 W US2015011978 W US 2015011978W WO 2015116431 A1 WO2015116431 A1 WO 2015116431A1
Authority
WO
WIPO (PCT)
Prior art keywords
network node
security
switchover
message
network
Prior art date
Application number
PCT/US2015/011978
Other languages
French (fr)
Inventor
Christopher Buonacuore
James Schreder
Gary Drayton
Original Assignee
Honeywell International Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honeywell International Inc. filed Critical Honeywell International Inc.
Priority to CN201580006411.4A priority Critical patent/CN106063221B/en
Priority to AU2015211329A priority patent/AU2015211329A1/en
Priority to EP15743520.7A priority patent/EP3100434A4/en
Priority to JP2016549315A priority patent/JP2017505072A/en
Publication of WO2015116431A1 publication Critical patent/WO2015116431A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06Management of faults, events, alarms or notifications
    • H04L41/0654Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0668Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Definitions

  • This disclosure relates generally to industrial process control and automation systems. More specifically, this disclosure relates to an apparatus and method for establishing secure communication with a redundant device after a switchover.
  • Industrial process control and automation systems are often used to automate large and complex industrial processes. These types of systems routinely include sensors, actuators, and controllers.
  • the controllers typically receive measurements from the sensors and generate control signals for the actuators.
  • Controllers and other devices in an industrial process control and automation system are typically connected to and communicate over one or more networks.
  • Some devices in an industrial process control and automation system (such as more critical controllers) are arranged as redundant pairs, where one device in each pair operates in a primary role and another device in each pair operates in a secondary or redundant role.
  • a secondary device is designed to switch into the primary role during a switchover, such as when the primary device suffers a power failure, hardware failure, or other problem.
  • This disclosure provides an apparatus and method for establishing secure communication with a redundant device after a switchover
  • a method includes transitioning a. device in an industrial process control and automation system from a secondary role to a primary role during a switchover and, in response to the switchover, clearing one or more security values stored by the device.
  • the method also includes receiving a message at the device from a network node and, in response to determining that no security association is associated with the received message or the network node, exchanging security credentials and establishing a trust relationship with the network node. Transitioning the device includes assuming a network address of another device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
  • a device in a second embodiment, includes at least one memory configured to store one or more security values.
  • the device also includes at least one processing device configured to transition the device from a secondary role to a primary role in an industrial process control and automation system during a switchover and clear the one or more security values in response to the switchover.
  • the at least one processing device is also configured to receive a message at the device from a network node and, in response to determining that no security association is associated with the received message or the network node, exchange security credentials and establish a trust relationship with the network node.
  • the at least one processing device is configured to transition the device by assuming a network address of another device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
  • a non-transitory computer readable medium embodies a computer program.
  • the computer program includes computer readable program code for transitioning a device in an industrial process control and automation system from a. secondary role to a. primary role during a switchover and, in response to the switchover, for clearing one or more security values stored by the device.
  • the computer program also includes computer readable prograiri code for receiving a message at the device from a network node and, in response to determining that no security association is associated with the received message, for exchanging security credentials and establishing a trust relationship with the network node. Transitioning the device includes assuming a network address of anoth er device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
  • FIGURES 1 and 2 illustrate an example industrial process control and automation system and related details according to this disclosure
  • FIGURE 3 illustrates an example switchover from a primary device to a secondary device in an industrial process control and automation system according to this disclosure
  • FIGURE 4 illustrates an example method for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system according to this disclosure.
  • FIGURES 1 through 4 discussed below, and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the invention may be implemented in any type of suitably arranged device or system.
  • FIGURES 1 and 2 illustrate an example industrial process control and automation system 100 and related details according to this disclosure.
  • the system 100 includes various components that facilitate production or processing of at least one product or other material.
  • the system 100 is used here to facilitate control over components in one or multiple plants 10 la- 10 In.
  • Each plant lOla-l Oln represents one or more processing taciliiies (or one or more portions thereof), such as one or more manufacturing facilities for producing at least one product or other material.
  • each plant lOla-lOln may implement one or more processes and can individually or collectively be referred to as a process system
  • a process system generally represents any system or portion thereof configured to process one or more products or other materials in some manner.
  • Level 0 may include one or more sensors 102a and one or more actuators 102b.
  • the sensors 102a and actuators 102b represent components in a process system that may perform any of a wide variety of functions.
  • the sensors I02a could measure a wide variety of characteristics in the process sy stem, such as temperature, pressure, or flow rate.
  • the actuators 102b could alter a wide variety of characteristics in the process system.
  • the sensors 102a and actuators 102b could represent any other or additional components in any suitable process system.
  • Each of the sensors 102a includes any suitable structure for measuring one or more characteristics in a process system.
  • Each of the actuators 102b includes any suitable structure for operating on or affecting one or more conditions in a process system.
  • At least one network 104 is coupled to the sensors 102a and actuators 102b.
  • the network 104 facilitates interaction with the sensors 102a and actuators 102b.
  • the network 104 could transport measurement data from the sensors 102a and provide control signals to the actuators 102b.
  • the network 104 could represent any suitable network or combination of networks.
  • the network 104 could represent an Ethernet network, an electrical signal network (such as a HART or FOUNDATION FIELDBUS network), a pneumatic control signal network, or any other or additional type(s) of network(s).
  • Level 1 may include one or more controllers 106, which are coupled to the network 104. Among other things, each controller 106 may use the measurements from one or more sensors 102a to control the operation of one or more actuators 102b.
  • a controller 106 could receive measurement data, from one or more sensors 102a and use the measurement data to generate control signals for one or more actuators 102b, Each controller 106 includes any suitable structure for interacting with one or more sensors 102a and controlling one or more actuators 102b, Each controller 106 could, for example, represent a muliivariable controller, such as a Robust Multivariable Predictive Control Technology (RMPCT) controller, or other type of controller implementing model predictive control (MFC) or other advanced predictive control (AFC). As a particular example, each controller 106 could represent a computing device running a real-time operating system.
  • RPCT Robust Multivariable Predictive Control Technology
  • MFC model predictive control
  • AFC advanced predictive control
  • each controller 106 could represent a computing device running a real-time operating system.
  • Two networks 108 are coupled to the controllers 106.
  • the networks 108 facilitate interaction with the controllers 106, such as by transporting data to and from the controllers 106.
  • the networks 108 could represent any suitable networks or combination of networks.
  • the networks 108 could represent a pair of Ethernet networks or a redundant pair of Ethernet networks, such as a FAULT TOLERANT ETHERNET (FTE) network from HONEYWELL INTERNATIONAL INC.
  • FTE FAULT TOLERANT ETHERNET
  • At least one switch/firewall 110 couples the networks 108 to two networks 1 12,
  • the switch/firewall 1 10 may transport traffic from one network to another.
  • the switch/firewall 1 10 may also block traffic on one network from reaching another network.
  • the switch/firewall 110 includes any suitable structure for providing communication between networks, such as a HONEYWELL CONTROL FIREWALL (CF9) device.
  • the networks 112 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network.
  • Level 2 may include one or more machine-level controllers 1 14 coupled to the networks 1 12.
  • the machine-level controllers 114 perform various functions to support the operation and control of the controllers 106, sensors 102a, and actuators 102b, which could be associated with a particular piece of industrial equipment (such as a boiler or other machine).
  • the machine-level controllers 1 14 could log information collected or generated by the controllers 106, such as measurement data from the sensors 102a or control signals for the actuators 102b.
  • the machine-level controllers 1 14 could also execute applications that control the operation of the controllers 106, thereby controlling the operation of the actuators 102b.
  • the machine-level controllers 1 14 could provide secure access to the controllers 106.
  • Each of the machine-level controllers 1 14 includes any suitable structure for providing access to, control of, or operations related to a machine or other individual piece of equipment.
  • Each of the machine-level controllers 1 14 could, for example, represent a server computing device miming a MICROSOFT WINDOWS operating system.
  • different machine-level controllers 1 14 could be used to control different pieces of equipment in a process system (where each piece of equipment is associated with one or more controllers 106, sensors 102a, and actuators 102b).
  • One or more operator stations 116 are coupled to the networks 112.
  • the operator stations 1 16 represent computing or communication devices providing user access to the machine-level controllers 1 14, which could then provide user access to the controllers 106 (and possibly the sensors 102a and actuators 102b).
  • the operator stations 1 16 could allow users to review the operational history of the sensors 102a and actuators 102b using information collected by the controllers 106 and/or the machine-level controllers 1 14.
  • the operator stations 1 16 could also allow the users to adjust the operation of the sensors 102a, actuators 102b, controllers 106, or machine- level controllers 114.
  • Each of the operator stations 1 16 could receive and display warnings, alerts, or other messages or displays generated by the controllers 106 or the machine-level controllers 1 14.
  • Each of the operator stations 116 includes any suitable structure for supporting user access and control of one or more components in the system 100,
  • Each of the operator stations 116 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
  • At least one router/firewall 118 couples the networks 112 to two networks 120.
  • the router/firewall 1 18 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall.
  • the networks 120 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network,
  • Level 3 may include one or more unit-level controllers 122 coupled to the networks 120.
  • Each unit-level controller 122 is typically associated with a unit in a process system, which represents a collection of different machines operating together to implement at least part of a process.
  • the unit-level controllers 122 perform various functions to support the operation and control of components in the lower levels.
  • the unit-level controllers 122 could log information collected or generated by the components in the lower levels, execute applications that control the components in the lower levels, and provide secure access to the components in the lower levels.
  • Each of the unit-level controllers 122 includes any suitable structure for providing access to, control of, or operations related to one or more machines or other pieces of equipment in a process unit.
  • Each of the unit-level controllers 122 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating system. Although not shown, different unit-level controllers 122 could be used to control different units in a. process system (where each unit is associated with one or more machine-level controllers 114, controllers 106, sensors 102a, and actuators 102 b).
  • Access to the unit-level controllers 122 may be provided by one or more operator stations 124.
  • Each of the operator stations 124 includes any suitable structure for supporting user access and control of one or more components in the system 100.
  • Each of the operator stations 124 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
  • At least one router/firewall 126 couples the networks 120 to two networks 128,
  • the router/firewall 126 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall.
  • the networks 128 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network,
  • Level 4" may include one or more plant-level controllers 130 coupled to the networks 128.
  • Each plant-level controller 130 is typically associated with one of the plants lOla-lOln, which may include one or more process units that implement the same, similar, or different processes.
  • the pla t-level controllers 130 perform various functions to support the operation and control of components in the lower levels.
  • the plant-level controller 130 could execute one or more manufacturing execution system (MES) applications, scheduling applications, or other or additional plant or process control applications.
  • MES manufacturing execution system
  • Each of the plant-level controllers 130 includes any suitable structure for providing access to, control of, or operations related to one or more process units in a process plant.
  • Each of the plant-level controllers 130 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating system.
  • Access to the plant-level controllers 130 may be provided by one or more operator stations 132.
  • Each of the operator stations 132 includes any suitable structure for supporting user access and control of one or more components in the system 100.
  • Each of the operator stations 132 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
  • At least one ro ter/firewall 134 couples the networks 128 to one or more networks 136.
  • the router/firewall 134 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall.
  • the network 136 could represent any suitable network, such as an enterprise-wide Ethernet or other network or all or a portion of a larger network (such as the Internet).
  • Level 5" may include one or more enterprise-level controllers 138 coupled to the network 136.
  • Each enterprise-level controller 138 is typically able to perform planning operations for multiple plants .10 la- 10 I n and to control various aspects of the plants lOla-lOln.
  • the enterprise-level controllers 138 can also perform various functions to support the operation and control of components in the plants lOl a-lOln.
  • the enterprise-level controller 138 could execute one or more order processing applications, enterprise resource planning (ERP) applications, advanced planning and scheduling (APS) applications, or any other or additional enterprise control applications.
  • ERP enterprise resource planning
  • APS advanced planning and scheduling
  • Each of the enterprise-level controllers 138 includes any suitable structure for providing access to, control of, or operations related to the control of one or more plants.
  • Each of the enterprise-level controllers 138 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating sy stem.
  • the term "enterprise” refers to an organization having one or more plants or other processing facilities to be managed. Note that if a single plant 101a is to be managed, the functionality of the enterprise-level controller 138 could be incorporated into the plant-level controller 130,
  • Access to the enterprise-level controllers 138 may be provided by one or more operator stations 140.
  • Each of the operator stations 140 includes any suitable structure for supporting user access and control of one or more components in the system 100.
  • Each of the operator stations 140 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
  • Various l evels of the Purdue model can include other components, such as one or more databases.
  • the database(s) associated with each level could store any suitable information associated with that level or one or more other levels of the system 100,
  • a historian 141 can be coupled to the network 136.
  • the historian 141 could represent a component that stores various information about the system 100.
  • the historian 141 could, for instance, store information used during production scheduling and optimization.
  • the historian 141 represents any suitable structure for storing and facilitating retrieval of information. Although shown as a single centralized component coupled to the network 136, the historian 141 could be located elsewhere in the system 100, or multiple historians could be distributed in different locations in the system 100.
  • each of the controllers could include one or more processing devices 142 and one or more memories 144 for storing instructions and data used, generated, or collected by the processing device(s) 142.
  • Each of the controllers could also include at least one network interface 146, such as one or more Ethernet interfaces or wireless transceivers.
  • each of the operator stations could include one or more processing devices 148 and one or more memories 150 for storing instructions and data used, generated, or collected by the processing device(s) 148.
  • Each of the operator stations could also include at least one network interface 152, such as one or more Ethernet interfaces or wireless transceivers.
  • FIGURE I Various devices shown in FIGURE I can be arranged in redundant pairs or other redundant sets of devices.
  • various critical or other controllers could be arranged in redundant pairs, where each pair includes (i) a primary controller that actively performs control actions in a primary role and (ii) a secondary controller that passively operates in a secondary role.
  • the secondary controller could receive the same data as the primary controller and perform the same calculations as the primary controller, but the secondary controller could refrain from outputting signals to implement control actions. This allows the secondary controller to switch into the primary role when needed or desired, such as when the primary controller fails.
  • Any other redundant set(s) of distributed control system (DCS) devices could be used in the industrial process control and automation system 100.
  • DCS distributed control system
  • IPsec Internet Protocol Security
  • DCS device represents one of multiple components arranged in a redundant pair or other redundant set of components.
  • network node represents a component that interacts with one or more DCS devices. This distinction is made merely for convenience and does not prevent, for example, a component from functioning both as a DCS device and as a network node.
  • the secondary DCS devices When DCS devices in an industrial process control and automation system are arranged in redundant pairs or other redundant sets, the secondary DCS devices often use floating network addresses (such as IP address). In this configuration, when a primary DCS device fails, its secondary DCS device assumes the primary role and often assumes the primary DCS device's network address. If a trust relationship existed with the primary DCS device before the switchover, that trust relationship needs to be reestablished with the secondary DCS device after the switchover. This disclosure provides techniques for reestablishing a trust relationship when a secondary device takes over a primary role during a switchover, such as by using IPsec.
  • IPsec floating network addresses
  • FIGURE 2 Details of this functionality are shown in FIGURE 2, where redundant DCS devices 202 interact with a network node 204.
  • the DCS devices 202 and the network node 204 could represent any suitable components in a control system, such as any of the controllers, servers, or operator stations shown in FIG LIRE 1.
  • the DCS devices 202 could represent a redundant pair of controllers or servers
  • the network node 204 could represent a controller, server, or operator station that interacts with the DCS devices 202.
  • FIGURE 2 Also shown in FIGURE 2 are a security manager 206 and a. certificate authority (CA) 208.
  • CA certificate authority
  • the security manager 206 operates to maintain information about components that have been configured or are in the process of being configured to support secure communications in an industrial process control and automation system.
  • the security manager 206 also provides security credentials (such as digital certificates) and communication policies to the components, allowing the components to communicate securely with one another.
  • a policy provides information on how two components should communicate and can be used to configure IPsec.
  • the certificate authority 208 generates the digital certificates or other security credentials provided by the security manager 206.
  • the security manager 206 includes any suitable structure for providing security credentials to DCS components, such as a computing device having one or more processing devices, one or more memories, and one or more network interfaces. There could be one or multiple security managers 206 in the system, such as a redundant pair of security managers 206.
  • the certificate authority 208 includes any suitable structure for generating security credentials, such as a computing device having one or more processing devices, one or more memories, and one or more network interfaces.
  • the security manager 206 and certificate authority 208 could also be used at any suitable level(s) in the industrial process control and automation system 100.
  • the security manager 206 and certificate authority 208 could represent Level 3, Level 4, or Level 5 components and be used to secure DCS components at Level 1 , Level 2 , or Level 3 of the system 100.
  • FIGURES 1 and 2 illustrate one example of an industrial process control and automation system 100 and related details
  • a control and automation system could include any number of sensors, actuators, controllers, operator stations, networks, DCS devices, network nodes, security managers, and certificate authorities.
  • the makeup and arrangement of the system 100 in FIGURES I and 2 are for illustration only. Components could be added, omitted, combined, or placed in any other suitable configuration according to particular needs.
  • the security manager 206 and certificate authority 208 could be combined into a single functional unit. Further, particular functions have been described as being performed by particular components of the system 100. This is for illustration only.
  • FIGURES 1 and 2 illustrate an example environment in which a tmst relationship can be reestablished with a secondary device that assumes a primary role during a switchover. This functionality can be used in any other suitable device or system.
  • FIGURE 3 illustrates an example switchover 300 from a primary device to a secondary device in an industrial process control and automation system according to this disclosure.
  • the switchover 300 shown in FIGU RE 3 is described with respect to the components of FIGURE 2 operating in the system 100 of FIGURE 1.
  • the switchover 300 could be used with any other suitable components in any suitable system.
  • the system includes two DCS devices 202a-202b operating as a redundant pair, where the DCS device 202a operates in the primary role and the DCS device 202b operates in the secondary role.
  • the DCS device 202a has its own network address (X.X.X.1 in this example), and the DCS device 202b has a different network address (X.X.X.2 in this example).
  • the DCS device 202a in the primary role can establish a security association or other trust relationship with the network node 204, which has its own network address (X.X.X.3 in this example).
  • IPsec In order to preven t malicious access to componen ts on a network, IPsec or other security protocol can be enabled on the components.
  • the DCS device 202a. and the network node 204 can interact in a secure manner, while the DCS device 202b remains in the standby or secondary role.
  • IPsec establishes a trusted relationship between a network node and a device that the network node is trying to access, such as between the primary DCS device 202a and the network node 204.
  • the components 202a and 204 form trusted relationships with each other, allowing for secure communications between the components 202a and 204,
  • the trust relationships present a problem when the primary DCS device 202a fails and the secondary DCS device 202b takes over the primary role. Since the trust relationships were established using an IP address of the DCS device 202a, the DCS device 202b will not be trusted by the network node 204.
  • the DCS device 202b would drop ail packets from the network node 204 because a trust relationship had not been established. With both sides unable to tmst one another, the components 202b and 204 would be unable to communicate until a dead band timeout occurs and the components 202b and 204 can renegotiate a trust relationship. Unfortunately, while waiting for the dead band timeout to occur, there is no effective communication between the components 202b and 204 for that period of time. With no communication between the components 202b and 204, a loss of vie to the primar device occurs, which can be detrimental to the control system's operations.
  • a techn ique is provided to reestabli sh a tmst relationship when a secondary device takes over as a primary device. Instead of waiting for a dead band timeout, the new primary device (the DCS device 202b) performs the following operations to reestablish a trust relationship with the network node 204. After the switchover, the new primary DCS device 202b removes security credentials, communication policies, and other information that it had previously configured or used.
  • the new primary DCS device 202b cannot find security credentials or communication policies for the received message, and the new primary DCS device 202b initiates a key exchange with the network node 204. This re-establishes a trust relationship between the DCS device 202b and the network node 204, but it can be accomplished more quickly than waiting for the dead band timeout.
  • ESP Encapsulation Security Payload
  • FIGURE 3 illustrates one example of a switchover 300 from a primary device to a secondary device in an industrial process control and automation system
  • various changes may be made to FIGURE 3.
  • the network addresses shown here are examples only, and the nodes need not have consecutive network addresses.
  • a redundant pair of DCS nodes could communicate with any number of other devices for which secure communication connections can be established.
  • FIGURE 4 illustrates an example method 400 for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system according to this disclosure.
  • the method 400 is described with respect to the components of FIGURE 2 operating in the system 100 of FIGURE I .
  • the method 400 could be used with any other suitable components in any suitable system.
  • First and second redundant devices are operated in an industrial process control and automation system at step 402. This could include, for example, operating the DCS devices 202a-202b as a redundant pair of process controllers or servers.
  • the DCS device 202a could be operating in the primary role, and the DCS device 202b could be operating in the secondary role.
  • a secure connection is established between the first device and a network node in the system at step 404. This could include, for example, the primary DCS device 202a establishing a secure connection with the network node 104 using IPsec.
  • the second device is synchronized with the first device during operation of the first device at step 406. This could include, for example, the secondary DCS device 202b receiving the same data that is received by the primary DCS device 202a and performing the same computations as the primary DCS device 202a.
  • IKE Internet Key Exchange
  • the second device flushes security parameters from its memory at step 410.
  • Receipt of a secure payload is detected at step 412.
  • UDP User Datagram Protocol
  • the second device determines that a security association is not established with the network node at step 414. This could include, for example, the new primary DCS device 202b determining that the network node 104 that sent the ESP message is not associated with an established IPsec connection.
  • a key exchange is initiated between the second device and the network node at step 416.
  • security credentials such as authentication keys
  • the ne primary DCS device 202b and the network node 104 can apply one or more specified communication policies to establish an IPsec connection between the components.
  • the second device and the network node can operate in the industrial process control and automation system at step 420.
  • the security- association here can be established more quickly that simply forcing the new primary DCS device 202b to wait for a dead band timeout to occur.
  • FIGURE 4 illustrates one example of a method 400 for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system
  • various changes may be made to FIGURE 4.
  • steps in FIGURE 4 could overlap, occur in parallel, occur in a different order, or occur multiple times.
  • various functions described in this patent document are implemented or supported by a computer program that is formed from computer readable program code and that is embodied in a computer readable medium.
  • computer readable program code includes any type of computer code, including source code, object code, and executable code.
  • computer readable medium includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory,
  • ROM read only memory
  • RAM random access memory
  • CD compact disc
  • DVD digital video disc
  • a "non-transitory” computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals.
  • a non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device,
  • application and “program” refer to one or more computer programs, software components, sets of instructions, procedures, functions, objects, classes, instances, related data, or a portion thereof adapted for implementation in a suitable computer code (including source code, object code, or executable code).
  • program refers to one or more computer programs, software components, sets of instructions, procedures, functions, objects, classes, instances, related data, or a portion thereof adapted for implementation in a suitable computer code (including source code, object code, or executable code).
  • communicate as well as derivatives thereof, encompasses both direct and indirect communication.
  • the term “or” is inclusive, meaning and/or.
  • phrases "associated with,” as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, have a relationship to or with, or the like.
  • the phrase "at least one of,” when used with a. list of items, means that different combinations of one or more of the listed items may be used, and only one item in the list may be needed. For example, "at least one of: A, B, and C” includes any of the following combinations: A, B, C, A and B, A and C, B and C, and A and B and C.

Abstract

A method includes transitioning a device (202b) in an industrial process control and automation system (100) from a secondary role to a primary role during a switchover (408) and, in response to the switchover, clearing (410) one or more security values stored by the device. The method also includes receiving (412) a message at the device from a network node (204) and, in response to determining (414) that no security association is associated with the received message or the network node, exchanging (416) security credentials and establishing (418) a trust relationship with the network node. Transitioning the device includes assuming a network address of another device (202a) that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node. Clearing the security value(s) can prevent the device from having the trust relationship associated with the network node when the device receives the message from the network node.

Description

APPARATUS AND METHOD FOR ESTABLISHING SECURE
COMMUNICATION WITH REDUNDANT DEVICE AFTER SWITCHOVER
CROSS-REFERENCE TO RELATED APPLICATION AND PRIORITY CLAIM
[0001] This application claims priority under 35 U.S.C. § 119(e) to U.S. Provisional Patent Application No. 61/933,081 filed on January 29, 2014. This provisional patent application is hereby incorporated by reference in its entirety.
TECHNICAL FIELD
[0002] This disclosure relates generally to industrial process control and automation systems. More specifically, this disclosure relates to an apparatus and method for establishing secure communication with a redundant device after a switchover.
BACKGROUND
[0003] Industrial process control and automation systems are often used to automate large and complex industrial processes. These types of systems routinely include sensors, actuators, and controllers. The controllers typically receive measurements from the sensors and generate control signals for the actuators.
[00Θ4] Controllers and other devices in an industrial process control and automation system are typically connected to and communicate over one or more networks. Some devices in an industrial process control and automation system (such as more critical controllers) are arranged as redundant pairs, where one device in each pair operates in a primary role and another device in each pair operates in a secondary or redundant role. A secondary device is designed to switch into the primary role during a switchover, such as when the primary device suffers a power failure, hardware failure, or other problem. SUMMARY
00Θ5] This disclosure provides an apparatus and method for establishing secure communication with a redundant device after a switchover,
[000 1 In a first embodiment, a method includes transitioning a. device in an industrial process control and automation system from a secondary role to a primary role during a switchover and, in response to the switchover, clearing one or more security values stored by the device. The method also includes receiving a message at the device from a network node and, in response to determining that no security association is associated with the received message or the network node, exchanging security credentials and establishing a trust relationship with the network node. Transitioning the device includes assuming a network address of another device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
[0007] In a second embodiment, a device includes at least one memory configured to store one or more security values. The device also includes at least one processing device configured to transition the device from a secondary role to a primary role in an industrial process control and automation system during a switchover and clear the one or more security values in response to the switchover. The at least one processing device is also configured to receive a message at the device from a network node and, in response to determining that no security association is associated with the received message or the network node, exchange security credentials and establish a trust relationship with the network node. The at least one processing device is configured to transition the device by assuming a network address of another device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
[0008] In a third embodiment, a non-transitory computer readable medium embodies a computer program. The computer program includes computer readable program code for transitioning a device in an industrial process control and automation system from a. secondary role to a. primary role during a switchover and, in response to the switchover, for clearing one or more security values stored by the device. The computer program also includes computer readable prograiri code for receiving a message at the device from a network node and, in response to determining that no security association is associated with the received message, for exchanging security credentials and establishing a trust relationship with the network node. Transitioning the device includes assuming a network address of anoth er device that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
[0009] Other technical features may be readily apparent to one skilled in the art from the following figures, descriptions, and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[001 Θ] For a more complete understanding of this disclosure, reference is now made to the following description, taken in conj unction with the accompanying drawings, in which:
[0011] FIGURES 1 and 2 illustrate an example industrial process control and automation system and related details according to this disclosure;
[0012] FIGURE 3 illustrates an example switchover from a primary device to a secondary device in an industrial process control and automation system according to this disclosure; and
[0013] FIGURE 4 illustrates an example method for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system according to this disclosure.
DETAILED DESCRIPTION
[0014] FIGURES 1 through 4, discussed below, and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the invention may be implemented in any type of suitably arranged device or system.
[0015] FIGURES 1 and 2 illustrate an example industrial process control and automation system 100 and related details according to this disclosure. As shown in FIGUR 1 , the system 100 includes various components that facilitate production or processing of at least one product or other material. For instance, the system 100 is used here to facilitate control over components in one or multiple plants 10 la- 10 In. Each plant lOla-l Oln represents one or more processing taciliiies (or one or more portions thereof), such as one or more manufacturing facilities for producing at least one product or other material. In general, each plant lOla-lOln may implement one or more processes and can individually or collectively be referred to as a process system, A process system generally represents any system or portion thereof configured to process one or more products or other materials in some manner.
[0016] In FIGURE 1 , the system 100 is implemented using the Purdue model of process control, in the Purdue model, "Level 0" may include one or more sensors 102a and one or more actuators 102b. The sensors 102a and actuators 102b represent components in a process system that may perform any of a wide variety of functions. For example, the sensors I02a could measure a wide variety of characteristics in the process sy stem, such as temperature, pressure, or flow rate. Also, the actuators 102b could alter a wide variety of characteristics in the process system. The sensors 102a and actuators 102b could represent any other or additional components in any suitable process system. Each of the sensors 102a includes any suitable structure for measuring one or more characteristics in a process system. Each of the actuators 102b includes any suitable structure for operating on or affecting one or more conditions in a process system.
[0017] At least one network 104 is coupled to the sensors 102a and actuators 102b. The network 104 facilitates interaction with the sensors 102a and actuators 102b. For example, the network 104 could transport measurement data from the sensors 102a and provide control signals to the actuators 102b. The network 104 could represent any suitable network or combination of networks. As particular examples, the network 104 could represent an Ethernet network, an electrical signal network (such as a HART or FOUNDATION FIELDBUS network), a pneumatic control signal network, or any other or additional type(s) of network(s).
10018] In the Purdue model, "Level 1 " may include one or more controllers 106, which are coupled to the network 104. Among other things, each controller 106 may use the measurements from one or more sensors 102a to control the operation of one or more actuators 102b. For example, a controller 106 could receive measurement data, from one or more sensors 102a and use the measurement data to generate control signals for one or more actuators 102b, Each controller 106 includes any suitable structure for interacting with one or more sensors 102a and controlling one or more actuators 102b, Each controller 106 could, for example, represent a muliivariable controller, such as a Robust Multivariable Predictive Control Technology (RMPCT) controller, or other type of controller implementing model predictive control (MFC) or other advanced predictive control (AFC). As a particular example, each controller 106 could represent a computing device running a real-time operating system.
[0019] Two networks 108 are coupled to the controllers 106. The networks 108 facilitate interaction with the controllers 106, such as by transporting data to and from the controllers 106. The networks 108 could represent any suitable networks or combination of networks. As particular examples, the networks 108 could represent a pair of Ethernet networks or a redundant pair of Ethernet networks, such as a FAULT TOLERANT ETHERNET (FTE) network from HONEYWELL INTERNATIONAL INC.
[0020] At least one switch/firewall 110 couples the networks 108 to two networks 1 12, The switch/firewall 1 10 may transport traffic from one network to another. The switch/firewall 1 10 may also block traffic on one network from reaching another network. The switch/firewall 110 includes any suitable structure for providing communication between networks, such as a HONEYWELL CONTROL FIREWALL (CF9) device. The networks 112 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network.
[0021] In the Purdue model, "Level 2" may include one or more machine-level controllers 1 14 coupled to the networks 1 12. The machine-level controllers 114 perform various functions to support the operation and control of the controllers 106, sensors 102a, and actuators 102b, which could be associated with a particular piece of industrial equipment (such as a boiler or other machine). For example, the machine-level controllers 1 14 could log information collected or generated by the controllers 106, such as measurement data from the sensors 102a or control signals for the actuators 102b. The machine-level controllers 1 14 could also execute applications that control the operation of the controllers 106, thereby controlling the operation of the actuators 102b. In addition, the machine-level controllers 1 14 could provide secure access to the controllers 106. Each of the machine-level controllers 1 14 includes any suitable structure for providing access to, control of, or operations related to a machine or other individual piece of equipment. Each of the machine-level controllers 1 14 could, for example, represent a server computing device miming a MICROSOFT WINDOWS operating system. Although not shown, different machine-level controllers 1 14 could be used to control different pieces of equipment in a process system (where each piece of equipment is associated with one or more controllers 106, sensors 102a, and actuators 102b).
[0022] One or more operator stations 116 are coupled to the networks 112. The operator stations 1 16 represent computing or communication devices providing user access to the machine-level controllers 1 14, which could then provide user access to the controllers 106 (and possibly the sensors 102a and actuators 102b). As particular examples, the operator stations 1 16 could allow users to review the operational history of the sensors 102a and actuators 102b using information collected by the controllers 106 and/or the machine-level controllers 1 14. The operator stations 1 16 could also allow the users to adjust the operation of the sensors 102a, actuators 102b, controllers 106, or machine- level controllers 114. In addition, the operator stations 1 16 could receive and display warnings, alerts, or other messages or displays generated by the controllers 106 or the machine-level controllers 1 14. Each of the operator stations 116 includes any suitable structure for supporting user access and control of one or more components in the system 100, Each of the operator stations 116 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
[0023] At least one router/firewall 118 couples the networks 112 to two networks 120. The router/firewall 1 18 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall. The networks 120 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network,
[0024] In the Purdue model, "Level 3" may include one or more unit-level controllers 122 coupled to the networks 120. Each unit-level controller 122 is typically associated with a unit in a process system, which represents a collection of different machines operating together to implement at least part of a process. The unit-level controllers 122 perform various functions to support the operation and control of components in the lower levels. For example, the unit-level controllers 122 could log information collected or generated by the components in the lower levels, execute applications that control the components in the lower levels, and provide secure access to the components in the lower levels. Each of the unit-level controllers 122 includes any suitable structure for providing access to, control of, or operations related to one or more machines or other pieces of equipment in a process unit. Each of the unit-level controllers 122 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating system. Although not shown, different unit-level controllers 122 could be used to control different units in a. process system (where each unit is associated with one or more machine-level controllers 114, controllers 106, sensors 102a, and actuators 102 b).
[0025] Access to the unit-level controllers 122 may be provided by one or more operator stations 124. Each of the operator stations 124 includes any suitable structure for supporting user access and control of one or more components in the system 100. Each of the operator stations 124 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
[0026] At least one router/firewall 126 couples the networks 120 to two networks 128, The router/firewall 126 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall. The networks 128 could represent any suitable networks, such as a pair of Ethernet networks or an FTE network,
[0027] In the Purdue model, "Level 4" may include one or more plant-level controllers 130 coupled to the networks 128. Each plant-level controller 130 is typically associated with one of the plants lOla-lOln, which may include one or more process units that implement the same, similar, or different processes. The pla t-level controllers 130 perform various functions to support the operation and control of components in the lower levels. As particular examples, the plant-level controller 130 could execute one or more manufacturing execution system (MES) applications, scheduling applications, or other or additional plant or process control applications. Each of the plant-level controllers 130 includes any suitable structure for providing access to, control of, or operations related to one or more process units in a process plant. Each of the plant-level controllers 130 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating system.
[0028] Access to the plant-level controllers 130 may be provided by one or more operator stations 132. Each of the operator stations 132 includes any suitable structure for supporting user access and control of one or more components in the system 100. Each of the operator stations 132 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
[0029] At least one ro ter/firewall 134 couples the networks 128 to one or more networks 136. The router/firewall 134 includes any suitable structure for providing communication between networks, such as a secure router or combination router/firewall. The network 136 could represent any suitable network, such as an enterprise-wide Ethernet or other network or all or a portion of a larger network (such as the Internet).
[003Θ] In the Purdue model, "Level 5" may include one or more enterprise-level controllers 138 coupled to the network 136. Each enterprise-level controller 138 is typically able to perform planning operations for multiple plants .10 la- 10 I n and to control various aspects of the plants lOla-lOln. The enterprise-level controllers 138 can also perform various functions to support the operation and control of components in the plants lOl a-lOln. As particular examples, the enterprise-level controller 138 could execute one or more order processing applications, enterprise resource planning (ERP) applications, advanced planning and scheduling (APS) applications, or any other or additional enterprise control applications. Each of the enterprise-level controllers 138 includes any suitable structure for providing access to, control of, or operations related to the control of one or more plants. Each of the enterprise-level controllers 138 could, for example, represent a server computing device running a MICROSOFT WINDOWS operating sy stem. In this document, the term "enterprise" refers to an organization having one or more plants or other processing facilities to be managed. Note that if a single plant 101a is to be managed, the functionality of the enterprise-level controller 138 could be incorporated into the plant-level controller 130,
[0031] Access to the enterprise-level controllers 138 may be provided by one or more operator stations 140. Each of the operator stations 140 includes any suitable structure for supporting user access and control of one or more components in the system 100. Each of the operator stations 140 could, for example, represent a computing device running a MICROSOFT WINDOWS operating system.
[0032] Various l evels of the Purdue model can include other components, such as one or more databases. The database(s) associated with each level could store any suitable information associated with that level or one or more other levels of the system 100, For example, a historian 141 can be coupled to the network 136. The historian 141 could represent a component that stores various information about the system 100. The historian 141 could, for instance, store information used during production scheduling and optimization. The historian 141 represents any suitable structure for storing and facilitating retrieval of information. Although shown as a single centralized component coupled to the network 136, the historian 141 could be located elsewhere in the system 100, or multiple historians could be distributed in different locations in the system 100.
[0033] In particular embodiments, the various controllers and operator stations in FIGURE 1 may represent computing devices. For example, each of the controllers could include one or more processing devices 142 and one or more memories 144 for storing instructions and data used, generated, or collected by the processing device(s) 142. Each of the controllers could also include at least one network interface 146, such as one or more Ethernet interfaces or wireless transceivers. Also, each of the operator stations could include one or more processing devices 148 and one or more memories 150 for storing instructions and data used, generated, or collected by the processing device(s) 148. Each of the operator stations could also include at least one network interface 152, such as one or more Ethernet interfaces or wireless transceivers.
[0034] Various devices shown in FIGURE I can be arranged in redundant pairs or other redundant sets of devices. For example, various critical or other controllers could be arranged in redundant pairs, where each pair includes (i) a primary controller that actively performs control actions in a primary role and (ii) a secondary controller that passively operates in a secondary role. The secondary controller could receive the same data as the primary controller and perform the same calculations as the primary controller, but the secondary controller could refrain from outputting signals to implement control actions. This allows the secondary controller to switch into the primary role when needed or desired, such as when the primary controller fails. Any other redundant set(s) of distributed control system (DCS) devices could be used in the industrial process control and automation system 100.
[0035] In order to prevent malicious access to components in an industrial process control and automation system, various technologies have been employed to secure networks in the system (such as networks 108, 1 12, 120, 128, and 136). For example, the Internet Protocol Security (IPsec) protocol suite can be enabled on various components in an industrial process control and automation system. The TPsec protocol suite is typically used to establish a trust relationship between components attempting to interact. In the following description, a "DCS device" represents one of multiple components arranged in a redundant pair or other redundant set of components. Also, a "network node" represents a component that interacts with one or more DCS devices. This distinction is made merely for convenience and does not prevent, for example, a component from functioning both as a DCS device and as a network node.
[0036] When DCS devices in an industrial process control and automation system are arranged in redundant pairs or other redundant sets, the secondary DCS devices often use floating network addresses (such as IP address). In this configuration, when a primary DCS device fails, its secondary DCS device assumes the primary role and often assumes the primary DCS device's network address. If a trust relationship existed with the primary DCS device before the switchover, that trust relationship needs to be reestablished with the secondary DCS device after the switchover. This disclosure provides techniques for reestablishing a trust relationship when a secondary device takes over a primary role during a switchover, such as by using IPsec.
[0037] Details of this functionality are shown in FIGURE 2, where redundant DCS devices 202 interact with a network node 204. The DCS devices 202 and the network node 204 could represent any suitable components in a control system, such as any of the controllers, servers, or operator stations shown in FIG LIRE 1. For exa mple, the DCS devices 202 could represent a redundant pair of controllers or servers, and the network node 204 could represent a controller, server, or operator station that interacts with the DCS devices 202. [0038] Also shown in FIGURE 2 are a security manager 206 and a. certificate authority (CA) 208. The security manager 206 operates to maintain information about components that have been configured or are in the process of being configured to support secure communications in an industrial process control and automation system. The security manager 206 also provides security credentials (such as digital certificates) and communication policies to the components, allowing the components to communicate securely with one another. A policy provides information on how two components should communicate and can be used to configure IPsec. The certificate authority 208 generates the digital certificates or other security credentials provided by the security manager 206.
0039J The security manager 206 includes any suitable structure for providing security credentials to DCS components, such as a computing device having one or more processing devices, one or more memories, and one or more network interfaces. There could be one or multiple security managers 206 in the system, such as a redundant pair of security managers 206. The certificate authority 208 includes any suitable structure for generating security credentials, such as a computing device having one or more processing devices, one or more memories, and one or more network interfaces. The security manager 206 and certificate authority 208 could also be used at any suitable level(s) in the industrial process control and automation system 100. For example, in some embodiments, the security manager 206 and certificate authority 208 could represent Level 3, Level 4, or Level 5 components and be used to secure DCS components at Level 1 , Level 2 , or Level 3 of the system 100.
[0040] Although FIGURES 1 and 2 illustrate one example of an industrial process control and automation system 100 and related details, various changes may be made to FIGURES 1 and 2. For example, a control and automation system could include any number of sensors, actuators, controllers, operator stations, networks, DCS devices, network nodes, security managers, and certificate authorities. Also, the makeup and arrangement of the system 100 in FIGURES I and 2 are for illustration only. Components could be added, omitted, combined, or placed in any other suitable configuration according to particular needs. As a particular example, the security manager 206 and certificate authority 208 could be combined into a single functional unit. Further, particular functions have been described as being performed by particular components of the system 100. This is for illustration only. In general, process control and automation systems are highly configurable and can be configured in any suitable manner according to particular needs. In addition, FIGURES 1 and 2 illustrate an example environment in which a tmst relationship can be reestablished with a secondary device that assumes a primary role during a switchover. This functionality can be used in any other suitable device or system.
[0041] FIGURE 3 illustrates an example switchover 300 from a primary device to a secondary device in an industrial process control and automation system according to this disclosure. For ease of explanation, the switchover 300 shown in FIGU RE 3 is described with respect to the components of FIGURE 2 operating in the system 100 of FIGURE 1. The switchover 300 could be used with any other suitable components in any suitable system.
[0042] As shown in FIGURE 3, the system includes two DCS devices 202a-202b operating as a redundant pair, where the DCS device 202a operates in the primary role and the DCS device 202b operates in the secondary role. The DCS device 202a has its own network address (X.X.X.1 in this example), and the DCS device 202b has a different network address (X.X.X.2 in this example). The DCS device 202a in the primary role can establish a security association or other trust relationship with the network node 204, which has its own network address (X.X.X.3 in this example).
[0043] In order to preven t malicious access to componen ts on a network, IPsec or other security protocol can be enabled on the components. Thus, for example, the DCS device 202a. and the network node 204 can interact in a secure manner, while the DCS device 202b remains in the standby or secondary role. IPsec establishes a trusted relationship between a network node and a device that the network node is trying to access, such as between the primary DCS device 202a and the network node 204.
[0044] As noted above, many industrial process control and automation devices are redundant and use floating network addresses when their primary devices fell. This means that, upon a failure of a primary DCS device, its secondary DCS device assumes the primary role as well as the primary device's network address. An example of this is shown in FIGURE 3, where the secondary DCS device 202b assumes the primary role and the primary device's network address (X.X.X.1) upon a failure of the primary DCS device 202a. [0045] Assume the network node 204 is accessing data from the primary DCS device 202a, where both components 202a and 204 are configured with IPsec. By using TPsec, the components 202a and 204 form trusted relationships with each other, allowing for secure communications between the components 202a and 204, However, the trust relationships present a problem when the primary DCS device 202a fails and the secondary DCS device 202b takes over the primary role. Since the trust relationships were established using an IP address of the DCS device 202a, the DCS device 202b will not be trusted by the network node 204.
[0046] Under conventional approaches, the DCS device 202b would drop ail packets from the network node 204 because a trust relationship had not been established. With both sides unable to tmst one another, the components 202b and 204 would be unable to communicate until a dead band timeout occurs and the components 202b and 204 can renegotiate a trust relationship. Unfortunately, while waiting for the dead band timeout to occur, there is no effective communication between the components 202b and 204 for that period of time. With no communication between the components 202b and 204, a loss of vie to the primar device occurs, which can be detrimental to the control system's operations.
[0047] In accordance with this disclosure, a techn ique is provided to reestabli sh a tmst relationship when a secondary device takes over as a primary device. Instead of waiting for a dead band timeout, the new primary device (the DCS device 202b) performs the following operations to reestablish a trust relationship with the network node 204. After the switchover, the new primary DCS device 202b removes security credentials, communication policies, and other information that it had previously configured or used. Once a secured payload, such as an Encapsulation Security Payload (ESP) message, is received, the new primary DCS device 202b cannot find security credentials or communication policies for the received message, and the new primary DCS device 202b initiates a key exchange with the network node 204. This re-establishes a trust relationship between the DCS device 202b and the network node 204, but it can be accomplished more quickly than waiting for the dead band timeout.
[0048] Although FIGURE 3 illustrates one example of a switchover 300 from a primary device to a secondary device in an industrial process control and automation system, various changes may be made to FIGURE 3. For example, the network addresses shown here are examples only, and the nodes need not have consecutive network addresses. Also, a redundant pair of DCS nodes could communicate with any number of other devices for which secure communication connections can be established.
0049J FIGURE 4 illustrates an example method 400 for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system according to this disclosure. For ease of explanation, the method 400 is described with respect to the components of FIGURE 2 operating in the system 100 of FIGURE I . The method 400 could be used with any other suitable components in any suitable system.
005Θ] First and second redundant devices are operated in an industrial process control and automation system at step 402. This could include, for example, operating the DCS devices 202a-202b as a redundant pair of process controllers or servers. The DCS device 202a could be operating in the primary role, and the DCS device 202b could be operating in the secondary role. A secure connection is established between the first device and a network node in the system at step 404. This could include, for example, the primary DCS device 202a establishing a secure connection with the network node 104 using IPsec. The second device is synchronized with the first device during operation of the first device at step 406. This could include, for example, the secondary DCS device 202b receiving the same data that is received by the primary DCS device 202a and performing the same computations as the primary DCS device 202a.
[0051] A determination is made whether a failover occurs at step 408. This could include, for example, the primary DCS device 202a failing or otherwise suffering a fault that triggers the failover, wiiich causes the secondary DCS device 202b to switch and begin operating in the primary role. As part of this failover process, the new primary DCS device 202b can assume the network address of the old primary DCS device 202a. The switchover could be detected at the secondary DCS device 202b as part of a continuous loop that monitors an Internet Key Exchange (IKE) session.
[0052] In order to help speed up reestablishment of a trust association with the network node, the second device flushes security parameters from its memory at step 410. This could include, for example, the new primary DCS device 202b flushing all security parameters index (SPI) values, IKE keys, and IPsec Security Policy Database (SPD) policies from its memory. Receipt of a secure payload is detected at step 412. This could include, for example, the new primary DCS device 202b receiving an ESP message from the network node 104 via a User Datagram Protocol (UDP) socket. The second device determines that a security association is not established with the network node at step 414. This could include, for example, the new primary DCS device 202b determining that the network node 104 that sent the ESP message is not associated with an established IPsec connection.
[0053] In response to determining that no security association has been established with the network node, a key exchange is initiated between the second device and the network node at step 416. This could include, for example, the new primary DCS device 202b initiating an IKE session with the network node 104 in order to exchange security credentials (such as authentication keys) with the network node 104. This allows the second device and the network node to establish a security association at step 418. As part of this process, the ne primary DCS device 202b and the network node 104 can apply one or more specified communication policies to establish an IPsec connection between the components.
[0054] At this point, the second device and the network node can operate in the industrial process control and automation system at step 420. This could include, for example, the new primary DCS device 202b and the network node 104 operating to provide desired process control or automation functions, where the new primary DCS device 202b and the network node 104 engage in secure communications. The security- association here can be established more quickly that simply forcing the new primary DCS device 202b to wait for a dead band timeout to occur.
[0055] Although FIGURE 4 illustrates one example of a method 400 for establishing secure communication with a redundant device after a switchover in an industrial process control and automation system, various changes may be made to FIGURE 4. For example, while shown as a series of steps, various steps in FIGURE 4 could overlap, occur in parallel, occur in a different order, or occur multiple times.
[0056] In some embodiments, various functions described in this patent document are implemented or supported by a computer program that is formed from computer readable program code and that is embodied in a computer readable medium. The phrase "computer readable program code" includes any type of computer code, including source code, object code, and executable code. The phrase "computer readable medium" includes any type of medium capable of being accessed by a computer, such as read only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video disc (DVD), or any other type of memory, A "non-transitory" computer readable medium excludes wired, wireless, optical, or other communication links that transport transitory electrical or other signals. A non-transitory computer readable medium includes media where data can be permanently stored and media where data can be stored and later overwritten, such as a rewritable optical disc or an erasable memory device,
[0057] It may be advantageous to set forth definitions of certain words and phrases used throughout this patent document. The terms "application" and "program" refer to one or more computer programs, software components, sets of instructions, procedures, functions, objects, classes, instances, related data, or a portion thereof adapted for implementation in a suitable computer code (including source code, object code, or executable code). The term "communicate," as well as derivatives thereof, encompasses both direct and indirect communication. The terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation. The term "or" is inclusive, meaning and/or. The phrase "associated with," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, have a relationship to or with, or the like. The phrase "at least one of," when used with a. list of items, means that different combinations of one or more of the listed items may be used, and only one item in the list may be needed. For example, "at least one of: A, B, and C" includes any of the following combinations: A, B, C, A and B, A and C, B and C, and A and B and C.
[0058] While this disclosure has described certain embodiments and generally associated methods, alterations and permutations of these embodiments and methods will be apparent to those skilled in the art. Accordingly, the above description of example embodiments does not define or constrain this disclosure. Other changes, substitutions, and alterations are also possible without departing from the spirit and scope of this disclosure, as defined by the following claims.

Claims

WHAT IS CLAIMED IS:
1. A method comprising:
transitioning a device (202b) in an industrial process control and automation system (100) from a secondary role to a primary role during a switchover (408); in response to the switchover, clearing (410) one or more security values stored by the device;
receiving (412) a message at the device from a network node (204); and in response to determining (414) that no security association is associated with the received message or the network node, exchanging (416) security credentials and establishing (41 8) a trust relationship with the network node;
wherein transitioning the device comprises assuming a network address of another device (202a) that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
2. The method of Claim 1 , further comprising:
prior to the switchover, synchronizing (406) the device with the other device as the other device communicates with the network node.
3. The method of Claim 1 , wherein clearing the one or more security values comprises:
flushing one or more Security Parameters Index (SPI) values, one or more authentication keys, and one or more communication policies from at least one memory (144, 150) of the device.
4. The method of Claim I, wherein:
receiving the message comprises receiving an encapsulation security payload from the network node; and
the method further comprises determining that no security association is associated with the received encapsulation security payload.
5. The method of Claim 1, wherein establishing the trust relationship comprises establishing the trust relationship using Internet Protocol Security (IPsec).
6. The method of Cl aim 1 , wherein the security credential s comprise one or more authentication keys.
7. The method of Claim 1 , wherein clearing the one or more security values prevents the device from having the trust relationship associated with the network node when the device receives the message from the network node.
8. The method of Claim 1, wherein the device comprises one device in a redundant set of process controllers or servers.
9. A device (202b) comprising:
at least one memory (144, 150) configured to store one or more security values; and
at least one processing device (142, 148) configured to:
transition the device from a secondary role to a primary role in an industrial process control and automation system (100) during a switchover;
clear the one or more security values in response to the switchover; receive a message at the device from a network node (204); and in response to determining that no security association is associated with the received message or the network node, exchange security credentials and establish a trust relationship with the network node;
wherein the at least one processing device is configured to transition the device by assuming a network address of another device (:202a) that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
10. The device of Claim 9, wherein, prior to the switchover, the at least one processing device is configured to synchronize the device with the other device as the other device communicates with the network node.
11. The device of Claim 9, wherein the at least one processing device is configured to flush one or more Security Parameters Index (SPI) values, one or more authentication keys, and one or more communication policies from the at least one memory.
12. The device of Claim 9, wherein:
the at least one processing device is configured to receive an encapsulation security payload from the network node; and
the at least one processing device is further configured to determine that no security association is associated with the received encapsulation security payload.
13. The device of Claim 9, wherein the at least one processing device is configured to clear the one or more security values in order to prevent the device from having the trust relationship associated with the network node when the device receives the message from the network node.
14. A non-transitory computer readable medium embodying a computer program, the computer program comprising computer readable program code for: transitioning a device (202b) in an industrial process control and automation system (100) from a secondary role to a primary role during a switchover (408); in response to the switchover, clearing (410) one or more security values stored by the device;
receiving (412) a message at the device from a network node (204); and in response to determining (414) that no securi ty association is associated with the received message, exchanging (416) security credentials and establishing (418) a trust relationship with the network node;
wherein transitioning the device comprises assuming a network address of another device (202a) that previously operated in the primary role, that previously communicated with the network node, and that previously had a security association with the network node.
PCT/US2015/011978 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant device after switchover WO2015116431A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201580006411.4A CN106063221B (en) 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant devices after handoff
AU2015211329A AU2015211329A1 (en) 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant device after switchover
EP15743520.7A EP3100434A4 (en) 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant device after switchover
JP2016549315A JP2017505072A (en) 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant devices after switching

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201461933081P 2014-01-29 2014-01-29
US61/933,081 2014-01-29
US14/311,572 US9961054B2 (en) 2014-01-29 2014-06-23 Apparatus and method for establishing secure communication with redundant device after switchover
US14/311,572 2014-06-23

Publications (1)

Publication Number Publication Date
WO2015116431A1 true WO2015116431A1 (en) 2015-08-06

Family

ID=53680204

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/011978 WO2015116431A1 (en) 2014-01-29 2015-01-20 Apparatus and method for establishing secure communication with redundant device after switchover

Country Status (6)

Country Link
US (1) US9961054B2 (en)
EP (1) EP3100434A4 (en)
JP (1) JP2017505072A (en)
CN (1) CN106063221B (en)
AU (1) AU2015211329A1 (en)
WO (1) WO2015116431A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10416630B2 (en) * 2017-03-07 2019-09-17 Uop Llc System and method for industrial process automation controller farm with flexible redundancy schema and dynamic resource management through machine learning
US11301332B2 (en) * 2017-07-31 2022-04-12 Honeywell International Inc. Automatic firmware upgrade of an embedded node
US10924338B2 (en) * 2019-03-29 2021-02-16 Honeywell International Inc. Controller application module orchestrator
US11368298B2 (en) 2019-05-16 2022-06-21 Cisco Technology, Inc. Decentralized internet protocol security key negotiation
US11762742B2 (en) 2020-03-31 2023-09-19 Honeywell International Inc. Process control system with different hardware architecture controller backup
US11294843B2 (en) * 2020-03-31 2022-04-05 Honeywell International Inc. On-process migration of controller(s) to utilize an IO pool
US11874938B2 (en) 2020-11-03 2024-01-16 Honeywell International Inc. Admittance mechanism

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20070037621A (en) * 2004-07-20 2007-04-05 유티스타컴, 인코포레이티드 Switchover facilitation apparatus and method
US20070260870A1 (en) * 2006-05-08 2007-11-08 Audiocodes Ltd. Switching between secured media devices
US20080114961A1 (en) * 2006-11-15 2008-05-15 Cisco Technology, Inc. Transparent device switchover in a storage area network
US7689722B1 (en) * 2002-10-07 2010-03-30 Cisco Technology, Inc. Methods and apparatus for virtual private network fault tolerance
US20110145585A1 (en) * 2009-09-09 2011-06-16 Research In Motion Limited System and method for providing credentials

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6170044B1 (en) 1997-12-19 2001-01-02 Honeywell Inc. Systems and methods for synchronizing redundant controllers with minimal control disruption
US6272386B1 (en) * 1998-03-27 2001-08-07 Honeywell International Inc Systems and methods for minimizing peer-to-peer control disruption during fail-over in a system of redundant controllers
DE102006014594A1 (en) * 2006-03-29 2007-10-04 Siemens Ag Proxy server and user unit connection restoring method, involves replicating information regarding cryptographic security of connection in proxy server, which has been stored before loss in application layer in another proxy server
US8583929B2 (en) * 2006-05-26 2013-11-12 Alcatel Lucent Encryption method for secure packet transmission
US8281389B2 (en) * 2006-12-21 2012-10-02 Seagate Technology Llc System and method for tamper evident certification
US7948983B2 (en) * 2006-12-21 2011-05-24 Verizon Patent And Licensing Inc. Method, computer program product, and apparatus for providing passive automated provisioning
US9009327B2 (en) * 2007-08-03 2015-04-14 Citrix Systems, Inc. Systems and methods for providing IIP address stickiness in an SSL VPN session failover environment
US8756412B2 (en) * 2010-04-16 2014-06-17 Honeywell International Inc. Gateway supporting transparent redundancy in process control systems and other systems and related method
CN103731407B (en) * 2012-10-12 2017-08-11 华为技术有限公司 The method and system of IKE message negotiations
CN103607325A (en) * 2013-11-26 2014-02-26 国家电网公司 Data network link monitoring automatic switching system
CN103970624A (en) * 2014-05-06 2014-08-06 上海动联信息技术股份有限公司 Backup method and restoration method for identity authentication all-in-one machine

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7689722B1 (en) * 2002-10-07 2010-03-30 Cisco Technology, Inc. Methods and apparatus for virtual private network fault tolerance
KR20070037621A (en) * 2004-07-20 2007-04-05 유티스타컴, 인코포레이티드 Switchover facilitation apparatus and method
US20070260870A1 (en) * 2006-05-08 2007-11-08 Audiocodes Ltd. Switching between secured media devices
US20080114961A1 (en) * 2006-11-15 2008-05-15 Cisco Technology, Inc. Transparent device switchover in a storage area network
US20110145585A1 (en) * 2009-09-09 2011-06-16 Research In Motion Limited System and method for providing credentials

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3100434A4 *

Also Published As

Publication number Publication date
AU2015211329A1 (en) 2016-08-04
CN106063221A (en) 2016-10-26
EP3100434A4 (en) 2017-08-30
US20150215300A1 (en) 2015-07-30
US9961054B2 (en) 2018-05-01
CN106063221B (en) 2020-05-15
EP3100434A1 (en) 2016-12-07
JP2017505072A (en) 2017-02-09

Similar Documents

Publication Publication Date Title
US9961054B2 (en) Apparatus and method for establishing secure communication with redundant device after switchover
US9438628B2 (en) Apparatus and method for securing a distributed control system (DCS)
AU2016369256B2 (en) Apparatus and method for using an internet of things edge secure gateway
US10244000B2 (en) Apparatus and method for establishing seamless secure communications between components in an industrial control and automation system
US10270745B2 (en) Securely transporting data across a data diode for secured process control communications
US20180115517A1 (en) Secured Process Control Communications
US10042330B2 (en) Redundant process controllers for segregated supervisory and industrial control networks
AU2016366997A1 (en) Apparatus and method for using a distributed systems architecture (DSA) in an internet of things (IoT) edge appliance
JP6419389B2 (en) Method for setting modular control device of industrial automation system and modular control device
US10310467B2 (en) Cloud-based control platform with connectivity to remote embedded devices in distributed control system
AU2018258112B2 (en) Consolidated enterprise view of cybersecurity data from multiple sites
US20170163619A1 (en) Apparatus and method for using a security appliance with iec 61131-3

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15743520

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2015743520

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2015743520

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2016549315

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2015211329

Country of ref document: AU

Date of ref document: 20150120

Kind code of ref document: A