WO2016081970A1 - Automation system and method for its operation - Google Patents

Automation system and method for its operation

Info

Publication number
WO2016081970A1
Authority
WO
WIPO (PCT)
Prior art keywords
programmable logic
logic controller
scada
communication protocol
data
Prior art date
Application number
PCT/AT2015/050300
Other languages
German (de)
English (en)
Inventor
Michael Naderhirn
Original Assignee
S&T Ag
Priority date
Filing date
Publication date
Application filed by S&T Ag
Publication of WO2016081970A1

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/04Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors

Definitions

  • Robotics systems in particular their control and regulation.
  • The malware Stuxnet became known, with which a targeted attack on an industrial plant was carried out and the plant was successfully shut down.
  • The malware (malicious software) was developed specifically for a particular system for monitoring and controlling technical processes (Supervisory Control and Data Acquisition system, abbreviated SCADA system) from Siemens, the Simatic S7 (see http://de.wikipedia.org/wiki/Stuxnet, retrieved 25/11/2014). It has since been known that the malware intervened in the control of frequency converters, which are used, for example, to control the speed of other devices such as motors. Such controllers are widely used in various industrial plants, e.g. waterworks, air conditioning, pipelines, etc.
  • An automation system is described below which, according to one exemplary embodiment, has at least one programmable logic controller which is designed to communicate via a data bus with at least one system to be controlled using a second communication protocol.
  • the automation system further comprises at least one SCADA system configured to communicate with the programmable logic controller over a network and using a first communication protocol.
  • the automation system has a monitoring unit which is adapted to extract the operating information from the data transmitted between the SCADA system and the programmable logic controller and to compare it with a specification of permissible conditions of the system.
  • the automation system comprises a programmable logic controller which is adapted to be connected to a system to be controlled via a data line (for example a field bus).
  • the system further includes at least one SCADA system configured to communicate with the at least one programmable logic controller over another data line, e.g. a network.
  • data packets are transmitted which include read and write commands for reading or writing at least one register of the programmable logic controller, and the corresponding response messages.
  • a monitoring unit is designed to extract operating data of the system to be controlled (i.e. operating information about desired and/or actual states of the system) from the data packets transmitted between the SCADA system and the programmable logic controller by means of the first communication protocol, and to compare these with a previously known specification of permissible operating data of the plant to be controlled.
  • the system to be controlled may have one or more actuators (e.g. motors) as well as one or more sensors, which measure actual values of deflections of the actuators (or other operating parameters of the system to be controlled).
  • the system to be controlled is an industrial robot.
  • the programmable logic controller may be configured to communicate with the system to be controlled via the data line using a second, real-time capable communication protocol.
  • the data line can be, for example, a field bus (or part of a fieldbus system).
  • the first communication protocol does not have to be real-time capable.
  • the first communication protocol is a protocol based on TCP/IP, such as e.g. Modbus/TCP.
  • the extracted operating data of the plant to be controlled comprises, for example, nominal and actual values of one or more states of the plant to be controlled, such as e.g. the desired value of a deflection of at least one actuator of the system to be controlled or the (measured by sensors) actual value of a deflection of at least one actuator of the system to be controlled (or both).
  • the mentioned permissible operating data of the system to be controlled include, for example, the maximum and / or minimum deflection of at least one actuator of the system to be controlled, the maximum and / or minimum temporal change of a target value of a deflection of at least one actuator of the system to be controlled, the maximum and / or minimum temporal change of an actual value of a deflection of at least one actuator of the system to be controlled or any combination of the aforementioned parameters.
  • These permissible operating data may e.g. depend on the date and time and / or other external variables and do not have to be constant.
  • the programmable logic controller may comprise at least one register which is written depending on a feedback signal received from the equipment to be controlled and/or on a write command (e.g. a control command) received from the SCADA system; from the register content a control signal for the system to be controlled can be generated and/or a
  • the operating data to be extracted of the system to be controlled are stored, for example, in at least one register of the programmable logic controller.
  • the monitoring unit may be configured to block a write command if an operating data extracted therefrom has a value which does not lie within a permissible range defined by specification.
  • the monitoring unit can also be designed to trigger an alarm when operating data extracted from a reply message to a read command has a value that is not within a range defined by the specification.
  • a method for operating at least one system is described, which is controlled by means of at least one programmable logic controller and at least one SCADA system.
  • the programmable logic controller communicates via a data bus with a system to be controlled using a second communication protocol.
  • the SCADA system communicates with the programmable logic controller via a network and using a first communication protocol, wherein data is transmitted between the SCADA system and the programmable logic controller containing operating information about set and / or actual conditions of the system.
  • the operating information is extracted from the data transferred between the SCADA system and the programmable logic controller so that it can then be compared with a specification of permissible conditions of the system.
  • the programmable logic controller communicates with the system via a data line in order to control the latter, wherein one or more control signals are transmitted from the programmable logic controller to the system and/or one or more feedback signals from the system to the programmable logic controller.
  • the method comprises extracting plant operating data from the data packets transmitted between the SCADA system and the programmable logic controller using the first communication protocol. The method further comprises comparing the extracted operating data with a previously known specification of permissible operating data.
  • FIG. 1 shows an example of an automation system.
  • FIG. 2 schematically shows an attack on an automation system according to FIG. 1.
  • FIG. 3 shows an example of an automation system that is protected against external attacks via the Internet.
  • FIG. 4 shows the time course of a sensor or feedback signal.
  • FIG. 5 shows the possible configuration of a block in Matlab/Simulink.
  • FIG. 6 shows the exemplary use of control blocks in a Matlab/Simulink model.
  • FIG. 7 shows a further example of an automation system which is protected against attacks from the outside via the Internet and has encryption of the data communication.
  • the automation system 1 comprises a SCADA system 10, a programmable logic controller 20 (SPS, PLC) and a system 30 to be controlled (plant, control system).
  • SCADA system 10 controls and monitors the programmable logic controller 20 (SPS, PLC) using an industrial protocol (communication protocol, referred to herein as Modbus/TCP) for the communication between SCADA system 10 and SPS 20; this protocol typically has no or only very limited real-time capability (for Modbus/TCP, TCP/IP packets are used to transmit the data; since 2007 the Modbus variant Modbus/TCP is part of the IEC 61158 standard).
  • the SCADA system 10 may be connected to the SPS 20 via a computer network, which in turn may be connected to the Internet.
  • the SCADA system 10 may transmit read commands (such as reading one or more registers of the PLC 20) or write commands (such as commands that write a value to a register of the PLC 20) to the PLC 20.
  • the PLC 20 responds with response messages defined in the specification of the communication protocol. For example, the value of the register is read out or a status message of the PLC 20 is sent back to the SCADA system 10.
  • a general explanation of SCADA can be found e.g. online at
  • the second part of the system typically includes the PLC 20 and the plant 30 to be controlled (eg, industrial robots).
  • a communication protocol referred to in the drawings as "Real Time Industrial Protocol", e.g. a bus protocol such as a fieldbus protocol (PROFIBUS, INTERBUS, etc.).
  • One or more sensor signals Y (generally feedback signals) of the system 30 are written into one or more registers of the PLC 20, which then converts them into control signals X for the system 30 by means of control or regulation algorithms (e.g. a PID controller) and transmits them to the system 30.
  • real-time capability refers to a computing system in which programs for processing incoming data are always operational, such that the processing results are available within a predetermined period of time; the data may arrive randomly or at predetermined times.
  • Possibility 2 - the operating system of the PLC 20 is hacked and then targeted
  • FIG. 2 essentially shows the procedure of an attack
  • An automation system 1 is secured against such attacks by providing an independent monitoring system 15 between SCADA system 10 and SPS 20. If the monitoring system 15 is placed in the left part (between SCADA system 10 and SPS 20, see FIG. 3), no significant real-time requirements arise.
  • a placement of the monitoring unit in the right part of the system (between PLC 20 and control system 30) is difficult to implement, because hard real-time requirements typically have to be met there. This would mean that the monitoring unit would have to have deterministic properties (the monitoring task would have to be completed within a predefined time), and on the other hand the monitoring unit would become part of the control system and would thus e.g. be part of a
  • an arrangement of the monitoring unit in the right-hand part would entail a high outlay in terms of compliance with laws and directives, a reduced set of rules that can be processed in a given time, and an increased level
  • One aspect of defending against an attack is to use the specifications of the plant 30 to be controlled (e.g. specified limits for the target values of the actuator states, or limits for the actual values determined by the sensors) to monitor the communication between SCADA system 10 and PLC 20 with the aid of the independent monitoring unit 15, which is independent of both the PLC 20 and the SCADA system 10, and to check whether the specifications are respected or violated. If the monitoring unit 15 determines that the operating data of the system (which represent operating information about desired and/or actual states of the system, such as desired or actual values of the actuator states, temperature, etc.) lie in the range specified as permissible, one can assume that the system is working properly. In the case of values outside the specified range, either an alarm or other safety measures are triggered, or the corresponding command is blocked so that it does not reach the PLC 20 at all.
  • FIG. 4 shows the time course of a sensor signal X (which is transmitted, for example, from the system 30 to be controlled to the PLC 20).
  • a permissible working range of the signal X can now be defined, either as signal levels (Signal_max and Signal_min) or as a limit on the time derivative dX/dt of the signal X (tangent slopes dSignal_max and dSignal_min).
  • Boundary conditions concerning calculated quality criteria are also possible.
  • Operating data can also be based on indirectly measured or observed states of the system: states or state variables that are not directly measurable can be estimated by a dynamic observer, e.g. a Kalman filter.
  • the sensor signal X exceeds the permissible maximum signal level Signal_max at point 1, and at point 2 it falls below the permissible minimum value Signal_min; at further points the tangent slope (the tangent to the sensor signal X corresponds to its first derivative, i.e. its rate of change) exceeds the permissible upper or lower limit dSignal_max or dSignal_min.
  • the monitoring unit 15 is shown in the left part of FIG.
  • rules or rule sets are used which examine the content of the data according to the communication protocol used and block the corresponding commands in case of a detected violation of a specified area.
  • a pattern matching program can be used, for example, which works in a similar way to Snort, a free Network Intrusion Detection System (NIDS) and Network Intrusion Prevention System (NIPS).
  • Another possibility is to implement the rules in a logic or a
  • a typical rule consists of the following components, as exemplified by a typical Snort rule: alert tcp 10.0.2.10/32 any -> 10.0.1.10/32 502 ( ... ). The rule header names the action (alert), the protocol, the source address and port, the direction and the destination address and port (502 being the standard Modbus/TCP port); the rule options follow in parentheses.
  • byte_test: describes the test of a value as to whether it lies within or outside the specification range.
  • msg "IDS Alert: 10.0.1.10 to 10.0.2.10, function code 04, start address 0003, value too small": the option that produces the textual output if the value is outside the specification range.
  • FIG. 5 shows the possible configuration of a block in Matlab / Simulink.
  • FIG. 6 shows the exemplary use of control blocks in a Matlab/Simulink model. The check rules can then be generated while a block is processed in Matlab/Simulink, so that the control engineer does not have to deal in detail with safeguarding the automation system 1 against attackers.
  • Another way of generating rule sets consists of reading the communication between SCADA system 10 and PLC 20 for a certain time (a learning phase). The content of the communication is extracted according to the protocol used, the register contents of the PLC are read out, and the minimum and maximum values observed for each register during the learning phase are stored.
  • These "learned" minimum and maximum values can be adjusted manually in the next step and then converted into rules by computer-assisted methods. This makes sense if the monitoring unit 15 is to be integrated into an existing system, but the approach has the disadvantage that one cannot determine whether the automation system 1 was already under attack during the learning phase; such an attack would only be detectable if the learned minimum or maximum values lay outside a range specified as permissible.
  • the attack occurs "on the fly" during encrypted data transmission over the data line (i.e. over a computer network).
  • Encryption protects against this type of attack as long as the key used remains secret. Instead of end-to-end encryption between SCADA system 10 and PLC 20 (see FIG. 1), the communication between SCADA system 10 and monitoring unit 15 can be encrypted with a first key ENC1 (or key pair) and the communication between monitoring unit 15 and PLC 20 with a second key ENC2 (or key pair).
  • the monitoring unit 15 is arranged between SCADA system 10 and PLC 20 and configured to receive the data sent from the SCADA system 10 (and destined for the PLC 20), decrypt it, check it using rules or rule sets as described above, and then encrypt it again (with the second key ENC2).
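The monitoring unit described in the bullets above (extracting register values from the Modbus/TCP packets exchanged between SCADA system and PLC, blocking a write command whose value lies outside the specification, raising an alarm when a read reply carries an out-of-range actual value, applying the signal-level limits Signal_min/Signal_max and the rate-of-change limits dSignal_min/dSignal_max, and deriving per-register minimum and maximum values in a learning phase) can be sketched in Python as follows. This is an added example, not code from the patent or from S&T. The frame layout follows the public Modbus/TCP specification (MBAP header followed by the PDU; function codes 03, 04 and 06), while the register address, the limits, the timestamps and the sample traffic are constructed for illustration, and the single address map shared by holding and input registers is a simplifying assumption.

```python
import struct
from dataclasses import dataclass, field

READ_HOLDING, READ_INPUT, WRITE_SINGLE = 0x03, 0x04, 0x06   # public Modbus function codes


def mbap(tid, unit, pdu):
    """Prepend the MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single(tid, unit, address, value):            # SCADA -> PLC write command (fc 06)
    return mbap(tid, unit, struct.pack(">BHH", WRITE_SINGLE, address, value))


def read_request(tid, unit, fc, address, quantity):     # SCADA -> PLC read command (fc 03/04)
    return mbap(tid, unit, struct.pack(">BHH", fc, address, quantity))


def read_response(tid, unit, fc, values):               # PLC -> SCADA reply to a read command
    return mbap(tid, unit, struct.pack(">BB%dH" % len(values), fc, 2 * len(values), *values))


def parse_frame(frame):
    """Extract ids, function code and register fields; rejects an inconsistent MBAP header."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("inconsistent MBAP header")
    fc, pdu = frame[7], frame[8:]
    msg = {"tid": tid, "unit": unit, "fc": fc}
    if fc == WRITE_SINGLE:                                     # request and echoed reply look alike
        msg["address"], msg["value"] = struct.unpack(">HH", pdu[:4])
    elif fc in (READ_HOLDING, READ_INPUT) and len(pdu) == 4:  # request: start address, quantity
        msg["address"], msg["quantity"] = struct.unpack(">HH", pdu)
        msg["request"] = True
    elif fc in (READ_HOLDING, READ_INPUT):                     # reply: byte count, register values
        msg["values"] = list(struct.unpack(">%dH" % (pdu[0] // 2), pdu[1:1 + pdu[0]]))
        msg["request"] = False
    return msg


@dataclass
class RegisterSpec:
    min_value: int            # Signal_min
    max_value: int            # Signal_max
    max_rate: float = None    # limit on |dX/dt| in register units per second (None = no rate check)


@dataclass
class Monitor:
    # Assumption: one address map for holding and input registers; key by register type in production.
    spec: dict                                    # address -> RegisterSpec ({} = learning phase)
    pending: dict = field(default_factory=dict)   # (tid, unit) -> start address of an open read
    last: dict = field(default_factory=dict)      # address -> (time, value) for the rate check
    observed: dict = field(default_factory=dict)  # address -> (min, max) seen so far
    alarms: list = field(default_factory=list)

    def _violation(self, address, value, t):
        s = self.spec.get(address)
        if s is None:
            return None
        if not s.min_value <= value <= s.max_value:
            return f"register {address}: value {value} outside [{s.min_value}, {s.max_value}]"
        prev = self.last.get(address)
        if s.max_rate is not None and prev and t > prev[0]:
            rate = abs(value - prev[1]) / (t - prev[0])
            if rate > s.max_rate:
                return f"register {address}: rate {rate:.1f}/s exceeds {s.max_rate}/s"
        return None

    def _observe(self, address, value, t):
        self.last[address] = (t, value)
        lo, hi = self.observed.get(address, (value, value))
        self.observed[address] = (min(lo, value), max(hi, value))

    def scada_to_plc(self, frame, t):
        """True if the command may be forwarded to the PLC, False if it is blocked."""
        msg = parse_frame(frame)
        if msg["fc"] == WRITE_SINGLE:
            v = self._violation(msg["address"], msg["value"], t)
            if v:
                self.alarms.append("blocked write: " + v)
                return False
            self._observe(msg["address"], msg["value"], t)
        elif msg.get("request"):
            self.pending[(msg["tid"], msg["unit"])] = msg["address"]
        return True

    def plc_to_scada(self, frame, t):
        """Replies are forwarded; an out-of-spec actual value raises an alarm instead."""
        msg = parse_frame(frame)
        if msg.get("request") is False:
            start = self.pending.pop((msg["tid"], msg["unit"]), None)
            for i, val in enumerate(msg["values"] if start is not None else []):
                v = self._violation(start + i, val, t)
                if v:
                    self.alarms.append("alarm on read reply: " + v)
                self._observe(start + i, val, t)
        return True

    def learned_spec(self):
        """After a learning phase, turn the observed min/max per register into a specification."""
        return {a: RegisterSpec(lo, hi) for a, (lo, hi) in self.observed.items()}


def demo():
    """Constructed traffic for setpoint register 3 (spec 100..500, at most 50 units/s)."""
    mon = Monitor(spec={3: RegisterSpec(100, 500, max_rate=50.0)})
    ok1 = mon.scada_to_plc(write_single(1, 1, 3, 200), t=0.0)   # in range: forwarded
    ok2 = mon.scada_to_plc(write_single(2, 1, 3, 20), t=1.0)    # below Signal_min: blocked
    ok3 = mon.scada_to_plc(write_single(3, 1, 3, 480), t=2.0)   # 280 units in 2 s: blocked
    mon.scada_to_plc(read_request(4, 1, READ_HOLDING, 3, 2), t=3.0)
    mon.plc_to_scada(read_response(4, 1, READ_HOLDING, [600, 7]), t=3.1)  # 600 > Signal_max: alarm
    return ok1, ok2, ok3, list(mon.alarms)
```

Two details matter in practice and are visible here: a Modbus read reply carries no register address, so the monitor has to remember the start address of the matching request (keyed by transaction id and unit id) to know which specification applies, and a blocked write must not update the "last value" used for the dX/dt check, otherwise a rejected jump would make the next, legitimate value look like a rate violation. Running a Monitor with an empty spec over recorded traffic and then calling learned_spec() is the learning phase described above, including its weakness: whatever was on the wire during learning becomes the baseline.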

Abstract

The invention relates to an automation system which, according to one exemplary embodiment, comprises at least one programmable logic controller designed to communicate with at least one piece of equipment to be controlled via a data bus using a second communication protocol. The automation system further comprises at least one SCADA system designed to communicate with the programmable logic controller via a network using a first communication protocol, data containing operating information about target and/or actual states of the equipment being transferred between the SCADA system and the programmable logic controller. The automation system is equipped with a monitoring unit designed to extract the operating information from the data transferred between the SCADA system and the programmable logic controller and to compare this information with a specification of permissible states of said equipment.
PCT/AT2015/050300 2014-11-25 2015-11-25 Automation system and method for its operation WO2016081970A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102014117282.5 2014-11-25
DE102014117282.5A DE102014117282A1 (de) 2014-11-25 2014-11-25 Automatisierungssystem und Verfahren zu dessen Betrieb

Publications (1)

Publication Number Publication Date
WO2016081970A1 true WO2016081970A1 (fr) 2016-06-02

Family

ID=55315244

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AT2015/050300 WO2016081970A1 (fr) 2014-11-25 2015-11-25 Automation system and method for its operation

Country Status (2)

Country Link
DE (1) DE102014117282A1 (fr)
WO (1) WO2016081970A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112214373A (zh) * 2020-09-17 2021-01-12 上海金仕达软件科技有限公司 硬件监控方法、装置及电子设备
DE102021212607A1 (de) 2021-11-09 2023-05-11 Siemens Healthcare Gmbh Verfahren zum Bereitstellen eines Trigger-Tokens

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3428756B1 (fr) * 2017-07-10 2019-06-19 Siemens Aktiengesellschaft Surveillance d'intégrité pour des systèmes d'automatisation
EP3709107A1 (fr) * 2019-03-14 2020-09-16 Siemens Aktiengesellschaft Procédé et système de surveillance de l'intégrité d'un système d'automatisation

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070162957A1 (en) * 2003-07-01 2007-07-12 Andrew Bartels Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications
US20120304007A1 (en) * 2011-05-23 2012-11-29 Hanks Carl J Methods and systems for use in identifying abnormal behavior in a control system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2855621B1 (fr) * 2003-05-28 2005-07-01 Schneider Electric Ind Sas Systeme de controle d'acces a un equipement d'automatisme
US7853677B2 (en) * 2005-09-12 2010-12-14 Rockwell Automation Technologies, Inc. Transparent bridging and routing in an industrial automation environment
DE102011006668B3 (de) * 2011-04-01 2012-09-13 Siemens Aktiengesellschaft Schnittstellenmodul für ein modulares Steuerungsgerät

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070162957A1 (en) * 2003-07-01 2007-07-12 Andrew Bartels Methods, systems and devices for securing supervisory control and data acquisition (SCADA) communications
US20120304007A1 (en) * 2011-05-23 2012-11-29 Hanks Carl J Methods and systems for use in identifying abnormal behavior in a control system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112214373A (zh) * 2020-09-17 2021-01-12 上海金仕达软件科技有限公司 硬件监控方法、装置及电子设备
CN112214373B (zh) * 2020-09-17 2022-04-12 上海金仕达软件科技有限公司 硬件监控方法、装置及电子设备
DE102021212607A1 (de) 2021-11-09 2023-05-11 Siemens Healthcare Gmbh Verfahren zum Bereitstellen eines Trigger-Tokens

Also Published As

Publication number Publication date
DE102014117282A1 (de) 2016-05-25

Similar Documents

Publication Publication Date Title
EP2908195B1 (fr) Procédé de surveillance de la sécurité dans un réseau d'automatisation et réseau d'automatisation
EP2980662B1 (fr) Protection d'un composant d'automatisation contre des manipulations de programme par mise en correspondance de signature
WO2018059855A1 (fr) Procédé pour enregistrer données d'un appareil de terrain d'une manière sécurisée contre des manipulations
DE102010033229A1 (de) Verfahren und System zur manipulationssicheren Übertragung von Steuerdaten
WO2016081970A1 (fr) Automation system and method for its operation
DE102018103772A1 (de) Überwachungssystem für eine Schutzeinrichtung und Schutzeinrichtung
EP3079028A1 (fr) Procédé de planification et d'ingénierie, outil de logiciel et outil de simulation pour une solution d'automatisation
DE102017102677A1 (de) Verfahren zur Authentifizierung eines Feldgeräts der Automatisierungstechnik
EP3122016B1 (fr) Reseau d'automatisation et procede de surveillance de la securite de la transmission de paquets de donnees
EP2509265B1 (fr) Appareil de protection d'accès pour un réseau d'automatisation
DE102015205370A1 (de) Verfahren und Vorrichtung zur Bereitstellung von Daten für eine Zustandsüberwachung einer Maschine
EP2954534B1 (fr) Dispositif et procédé de détection de manipulations non autorisée de l'état du système d'une unité de commande et de régulation d'une installation nucléaire
EP3414632A1 (fr) Procédé et dispositif pour contrôler un traitement et une transmission de données dans une chaîne de sécurité d'un système de sécurité
EP3469429B1 (fr) Procédé pour empêcher un accès non autorisé à des applications logicielles dans des appareils de terrain, et réseau de communication
EP3525390A1 (fr) Dispositif et procédé de fourniture d'au moins une clé cryptographique sécurisée pour une protection de données cryptographique initiée par un appareil de commande
EP3470939B1 (fr) Procédé et système de surveillance de l'intégrité de sécurité d'une fonction de sécurité fournie par un système de sécurité
EP3470937A1 (fr) Procédé et dispositifs de surveillance du temps réactionnel d'une fonction de sécurité fournie par un système de sécurité
DE102021132493A1 (de) Integritätsprüfungen auf variablenebene für die kommunikation in prozesssteuerungsumgebungen
WO2016096298A1 (fr) Procédé de vérification d'au moins un télégramme
DE102016119744A1 (de) Verfahren und System zum Verhindern eines unerwünschten Zugriffs auf ein Feldgerät
DE102020127079A1 (de) Verfahren und System zum Einbinden von Feldgeräten der Automatisierungstechnik in eine cloudbasierte Serviceplattform
EP3144842A1 (fr) Systeme et procede d'analyse d'un objet
EP2446599B1 (fr) Transmission securisee contre la manipulation de donnees entre des appareils d'automatisation
DE202015004439U1 (de) Überwachungsvorrichtung und Netzwerkteilnehmer
EP2618522A1 (fr) Procédé de conception assistée par ordinateur d'une installation d'automatisation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15832788

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15832788

Country of ref document: EP

Kind code of ref document: A1