WO2018193277A1 - Système de données unidirectionnel (ods) - Google Patents

Système de données unidirectionnel (ods) Download PDF

Info

Publication number
WO2018193277A1
WO2018193277A1 PCT/IB2017/000455 IB2017000455W WO2018193277A1 WO 2018193277 A1 WO2018193277 A1 WO 2018193277A1 IB 2017000455 W IB2017000455 W IB 2017000455W WO 2018193277 A1 WO2018193277 A1 WO 2018193277A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
computer
transmitter
receiver
terminal
Prior art date
Application number
PCT/IB2017/000455
Other languages
English (en)
Inventor
Nasser M. LOOTAH
Tayeb Taher A R AL KHAJA
Muhammed Ali ZULFIQUER
Khaled Mahmoud Ahmed KULEY
Mohd Kamrul ISLAM
Seyed Esmaeel HOSEYNI
Muhammad Faisal A. A. MAKKI
Original Assignee
Dubai Electricity And Water Authority
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dubai Electricity And Water Authority filed Critical Dubai Electricity And Water Authority
Priority to PCT/IB2017/000455 priority Critical patent/WO2018193277A1/fr
Priority to GBGB1709043.2A priority patent/GB201709043D0/en
Publication of WO2018193277A1 publication Critical patent/WO2018193277A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04BTRANSMISSION
    • H04B10/00Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/80Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
    • H04B10/85Protection from unauthorised access, e.g. eavesdrop protection

Definitions

  • ODS One-Way Data System
  • the present invention relates to a device for unidirectional data transmission, and a corresponding system and method. These relate to IT infrastructure, especially to connecting an operating technology (OT) network, e.g. at a power plant or factory, with larger, insecure networks such as the internet, while maintaining the isolation of the plant network that is required for security reasons.
  • OT operating technology
  • the object of the invention is achieved by a device for unidirectional data transmission, also called “one-way data device” or ODD, comprising a fiber-optic cable, a transmitter terminal, and a receiver terminal.
  • the transmitter terminal comprises a light source and no light detection sensor
  • the receiver terminal comprises a light detection sensor and no light source.
  • the transmitter terminal and the receiver terminal are connected by the fiber-optic cable such that data can be transmitted from the transmitter terminal to the receiver terminal.
  • the transmitter terminal contains no light detection sensor, it is physically incapable of receiving information from the cable.
  • the receiver terminal is physi- cally incapable of sending information through the cable, since it does not contain a light source.
  • Such a device provides a simple and effective means of ensuring that data is transmitted only in one direction. Security is enhanced, since the device is physically incapable of transmitting data from the receiver terminal to the transmitter terminal.
  • the device for unidirectional data transmission is located inside a container, which is secured with a lock.
  • the components are thus protected and, in particular, do not move relative to one another. Failure of the fiber-optic cable consequently becomes very unlikely. It is especially preferred if the container is designed to fit a 19-inch rack.
  • the receiver terminal and the transmitter terminal each have a modular connector.
  • a connector of the 8P8C type (commonly referred to as RJ45 Ethernet connector) is preferred.
  • RJ45 Ethernet connector a connector of the 8P8C type
  • the object of the invention is also achieved by a system for unidirectional data transmission, also called "one-way data system" or ODS, comprising a one-way data device as described above, a transmitter computer, and a receiver computer.
  • the receiver computer is connected to the transmitter computer by the one-way data device.
  • Such a system can provide a complete solution for connecting e.g. an OT network to e.g. the internet, while ensuring the security of the OT network, since the one-way data system can guarantee that the connection is unidirectional - it is then physically impossible for data to travel from the internet to the OT network through the ODS.
  • the transmitter computer is configured to a) receive or fetch data from a data source, b) write said data from said data source to a spreadsheet file, c) read data from said spreadsheet file, and d) send said data from said spreadsheet file to the device for unidirectional data transmission.
  • the data from said spreadsheet file is sent via the UDP protocol.
  • the data source could be, for example, a server in an operating technology network at a power plant or factory, typically an OPC (Open Platform Communication) server.
  • An OPC client could, for example, receive data from such a server and write it to a spreadsheet file, preferably in MS Excel format.
  • the receiver computer is configured to a) receive data from the device for unidirectional data transmission via the UDP protocol, b) check said data from the device for unidirectional data transmission for errors, c) generate a notification if an error is found, d) write said data from the device for unidirectional data transmission to a spreadsheet file, preferably in MS Excel format, and e) provide data from said spreadsheet file over a network connection.
  • the error checking feature is necessary, since UDP does not guarantee error-free delivery of data.
  • the checksums provided by UDP may be used for this purpose. It is preferred, however, to include additional error-checking signals in the data in order to increase data security. If an error in the data is found, the notification could be generated in form of e.g. an email or an SMS to e.g. the relevant system administrator.
  • the transmitter computer, the receiver computer and the device for unidirectional data transmission are each designed to fit a 19-inch rack.
  • a method for unidirectional data transmission comprising the following steps:
  • Fig. 1 shows a schematic diagram of a device for unidirectional data transmission
  • ODD unidirectional data transmission
  • Fig. 2 shows a diagram of the data flow through a one-way data system (ODS);
  • Fig. 3 shows a schematic of a first preferred embodiment of the invention for realtime data transfer
  • Fig. 4 shows a schematic of a second preferred embodiment of the invention for remote file transfer.
  • the configuration of a one-way data device according to the invention is shown in Fig. 1.
  • This device for unidirectional data transmission ODD, the transmitter computer 100 and the receiver computer 110 together form a system for unidirectional data transfer ODS.
  • the one-way data device ODD typically provides modular connectors IN, OUT for connections to these computers 100, 110 via Ethernet cables RJ45.
  • the input connector IN is connected to a transmitter terminal Tx (e.g. by an Ethernet cable RJ45).
  • the transmitter terminal Tx contains a light source, but no light detection sensor, and is designed to convert the electrical signals from the input into optical signals. These are transmit- ted along the fiber-optic cable FO to the receiver terminal Rx, which contains a suitable light detection sensor, but no light source.
  • the receiver terminal Rx converts the optical signals received back into electrical signals, which are supplied to the output connector OUT (typically via an Ethernet cable RJ45).
  • the receiver terminal Rx is thus unable to send information back along the fiber-optic cable FO.
  • the typical data flow through a system for unidirectional data transmission according to the invention is shown in Fig. 2:
  • the data is fetched 200 from a server, or otherwise supplied to the transmitter computer 100.
  • the data is supplied by an OPC server, e.g. located at a power plant or factory, and fetched by an OPC client installed on the transmitter computer 100.
  • the data from the OPC server is then written 210 to a spreadsheet file, e.g. in MS Excel format.
  • the data can be modified by an operator, e.g. in order to add or remove additional signals according to the desired use of the data.
  • Transmitter software on the transmitter computer 100 then reads data from said spreadsheet file, converts the data to UDP datagrams and sends 220 these to the device for unidirectional data transmis- sion ODD.
  • signals for data verification and error checking may be added.
  • the data transfer may preferably occur as a continuous stream.
  • the UDP datagrams are received 230 by receiver software installed on the receiver computer 1 10.
  • the transmitted data is checked for errors and then written 240 to a spreadsheet file, typically in MS Excel format. Users may be allowed to modify tag descrip- tions etc. as required. If errors are detected, a corresponding notification can be generated, usually in form of an email or SMS, in order to warn a responsible person that the one-way data system is not working correctly.
  • Data from this spreadsheet file is provided 250 by the receiver computer 110, for example by an OPC server installed on the receiver computer that acts - to the outside world - as a substitute for the OPC server at the plant, which is thus protected from outside influences by the one-way data system.
  • FIG. 3 A use-case of the system for unidirectional data transmission ODS for real-time data transfer is illustrated schematically in Fig. 3.
  • an OPC server computer 310 resides on a plant DCS (Distributed Control system) network 300.
  • the server 310 is tasked with fetching and subsequently providing real-time operating, monitoring and control signals of machines connected to the plant network 300.
  • the one-way data system ODS is connected to this server 310.
  • the transmitter computer 100 of the ODS gets the data from the OPC server 310 in real-time using OPC client software and transfers these real-time data into a spreadsheet.
  • MS Excel or similar software can thus be used as a user interface tool to add or remove any additional signals that may be required.
  • the transmitter software on the transmitter computer 100 continuously checks for changes in the data, obtains any identified data change from the spreadsheet in real-time and pushes these data through the device for unidirectional data transmission ODD to the receiver computer 1 10 via UDP.
  • the receiver software on the receiver computer 1 10 receives the transmitted data from the transmitter computer 100 and continuously updates the data into a spreadsheet in realtime, for example in Excel format.
  • An OPC Server installed on the receiver computer 1 10 receives the real-time data available in the spreadsheet, e.g. through DDE (Dynamic Data Exchange) or a similar interprocess communication method.
  • This OPC server (on the receiv- er computer 110) is linked to an interface computer 320, which is part of an outside network 330, e.g. a corporate business network.
  • a diagnostics computer 400 collects diagnostic data, e.g. from machines installed at the plant, from the plant network 300. At scheduled times, the diagnostics computer 400 pushes the data, e.g. in form of files, to the transmitter computer 100 of the system for unidirectional data transmis- sion ODS, e.g. via the plant network 300.
  • the transmitter software installed on the transmitter computer 100 receives these data files from the diagnostics computer 400 and (if applicable) converts and pushes them through the device for unidirectional data transmission ODD to the receiver computer 1 10 using UDP.
  • the receiver software installed on the receiv- er computer 1 10 receives the transmitted data file(s) from the transmitter computer 100 and pushes to the remote service/diagnostic system 420 over the internet 410, e.g. via an ADSL line.
  • the remote service/diagnostics system 420 is thus regularly supplied with diagnostics data from the local diagnostics computer 400 located at the plant, even via the insecure internet 410, without actually exposing the plant network 300 to the internet. Even if the remote service/diagnostics system 420 were to become compromised, it could not send any (potentially dangerous) signals to the plant network.
  • a datagram is a basic transfer unit associated with a packet-switched network. Data- grams are typically structured in header and payload sections. Datagrams provide a connectionless communication service across a packet-switched network. The delivery, arrival time, and order of arrival of datagrams need not be guaranteed by the network.
  • the term datagram is often considered synonymous to packet, but datagram is generally reserved for packets of an unreliable service, which cannot notify the sender if delivery fails, while the term packet applies to any packet, reliable or not (according to https://en.wikipedia.org/wiki/Datagram).
  • a distributed control system is a computerized control system for a process or plant, in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control. This is in contrast to non-distributed control systems that use centralized controllers; either discrete controllers located at a central control room or within a central computer.
  • the DCS concept increases reliability and reduces installation costs by localizing control functions near the process plant, but enables monitoring and su- pervisory control of the process remotely (according to https://en.wikipedia.org/wiki/Distributed_control_system).
  • Dynamic Data Exchange is a method of interprocess communication under Mi- crosoft Windows or OS/2. It allows one program to subscribe to items made available by another program, for example a cell in a Microsoft Excel spreadsheet, and be notified whenever that item changes. DDE was partially superseded by Object Linking and Embedding (OLE), but remains used for simple interprocess communication tasks. (See https://en.wikipedia.org/wiki/Dynamic_Data_Exchange.)
  • a modular connector is an electrical connector that was originally designed for use in telephone wiring, but has since been used for many other purposes. Probably the most well- known applications of modular connectors are for telephone jacks and for Ethernet jacks, both of which are nearly always modular connectors.
  • the 8 position 8 contact (8P8C) connector is a modular connector commonly used to terminate twisted pair and multi-conductor flat cable. These connectors are commonly used for Ethernet over twisted pair, registered jacks and other telephone applications, RS-232 serial using the EIA/TIA-561 and Yost standards, and other applications involving unshielded twisted pair, shielded twisted pair, and multi-conductor flat cable. 8P8C un-keyed modular connectors are commonly referred to as RJ45 in the context of Ethernet. (See https://en.wikipedia.org/wiki/Modular_connector.)
  • Open Platform Communication (OPC, formerly known as OLE for Process Control) is a series of standards and specifications for industrial telecommunication and specifies the communication of real-time data, e.g. at a power plant, between various control devices, e.g. from different manufacturers.
  • OPC servers provide standardized methods for any OPC client software to access data from a process control device (such as a distributed control system DCS).
  • DCS distributed control system
  • UDP User Datagram Protocol
  • RFC 768 The User Datagram Protocol
  • UDP uses a simple connectionless transmission model with a minimum of protocol mechanism.
  • UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. It has no handshaking dialogues, and thus exposes the user's program to any unreliability of the underlying network: there is no guarantee of delivery, ordering, or duplicate protection.
  • UDP is suitable for purposes where error checking and correction are either not necessary or are performed in the application.
  • Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system (According to https://en.wikipedia.org/wiki/User_Datagram_Protocol). References
  • ODD device for unidirectional data transmission

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

L'invention concerne un dispositif de données unidirectionnel (ODD), comprenant un câble à fibre optique (FO), un terminal émetteur (Tx) et un terminal récepteur (Rx). Le terminal émetteur (Tx) comprend une source de lumière et aucun capteur de détection de lumière, et le terminal récepteur (Rx) comprend un capteur de détection de lumière et aucune source de lumière. Le terminal émetteur (Tx) et le terminal récepteur (Rx) sont reliés par le câble à fibre optique (FO) de sorte que des données peuvent être transmises du terminal émetteur (Tx) au terminal récepteur (Rx). Un tel dispositif constitue un moyen simple et efficace de garantir que les données ne sont transmises que dans une seule direction. L'invention concerne également un système de données unidirectionnel (ODS), comprenant un ordinateur émetteur (100) et un ordinateur récepteur (110) reliés par un dispositif de données unidirectionnel (ODD). L'invention concerne également un procédé correspondant.
PCT/IB2017/000455 2017-04-21 2017-04-21 Système de données unidirectionnel (ods) WO2018193277A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/IB2017/000455 WO2018193277A1 (fr) 2017-04-21 2017-04-21 Système de données unidirectionnel (ods)
GBGB1709043.2A GB201709043D0 (en) 2017-04-21 2017-04-21 No details

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2017/000455 WO2018193277A1 (fr) 2017-04-21 2017-04-21 Système de données unidirectionnel (ods)

Publications (1)

Publication Number Publication Date
WO2018193277A1 true WO2018193277A1 (fr) 2018-10-25

Family

ID=59349863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2017/000455 WO2018193277A1 (fr) 2017-04-21 2017-04-21 Système de données unidirectionnel (ods)

Country Status (2)

Country Link
GB (1) GB201709043D0 (fr)
WO (1) WO2018193277A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021043830A1 (fr) 2019-09-05 2021-03-11 Terega Systeme de transfert unidirectionnel de donnees et procede correspondant
CN116054945A (zh) * 2023-04-06 2023-05-02 深圳华创芯光科技有限公司 一种高可靠单向光无线通信数据传输系统

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN202906969U (zh) * 2012-09-25 2013-04-24 上海辰锐信息科技公司 一种基于单向光技术的边界安全传输设备及通信系统

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN202906969U (zh) * 2012-09-25 2013-04-24 上海辰锐信息科技公司 一种基于单向光技术的边界安全传输设备及通信系统

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
COMPUTER HOUSING: "Fantec TCG-3830KX07-1", FANTEC, 8 March 2012 (2012-03-08), Retrieved from the Internet <URL:https://geizhals.at/?phist=746369> [retrieved on 20180323] *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021043830A1 (fr) 2019-09-05 2021-03-11 Terega Systeme de transfert unidirectionnel de donnees et procede correspondant
FR3100626A1 (fr) 2019-09-05 2021-03-12 Terega Systeme de transfert unidirectionnel de donnees et procede correspondant
CN116054945A (zh) * 2023-04-06 2023-05-02 深圳华创芯光科技有限公司 一种高可靠单向光无线通信数据传输系统

Also Published As

Publication number Publication date
GB201709043D0 (en) 2017-07-19

Similar Documents

Publication Publication Date Title
US11734213B2 (en) Integration of multiple communication physical layers and protocols in a process control input/output device
US9411769B2 (en) Apparatus and methods to communicatively couple field devices to controllers in a process control system
JP6638089B2 (ja) オートメーションシステムの運用のための接続ユニット、モニタリングシステム、および運用方法
US20060031577A1 (en) Remote processing and protocol conversion interface module
US7685267B2 (en) Method and system for connecting to a field device
CN107852415B (zh) 用于在网络之间无反作用地传输数据的方法和装置
JP6606293B2 (ja) 安全システムの安全チェーン内でデータ処理およびデータ送信を監視するための方法およびデバイス
CN104169817A (zh) 用于在自动化设备中控制安全关键过程的控制装置和用于使控制装置参数化的方法
US12107835B2 (en) Secure remote access to historical data
WO2018193277A1 (fr) Système de données unidirectionnel (ods)
US20190250686A1 (en) Control System and Associated Method for Startup, Control and Monitoring of Power Supply Components
JP7063976B2 (ja) 少なくとも1つの安全なプロデューサーと少なくとも1つの安全なコンシューマーとの間のデータ伝送
LU100282B1 (en) One-Way Data System (ODS)
KR20170093562A (ko) 스마트 팩토리 연동 모듈 및 이의 작동 방법
KR101740236B1 (ko) 엠큐티티(mqtt) 및 디디에스(dds) 클라이언트 모듈을 갖는 장치를 위한 원격관리시스템
AU2018373682B2 (en) Method for remote management of a device connected to a residential gateway
GB2477444A (en) Isolation circuitry for field device.
KR101789199B1 (ko) Iec61850 다중경로에서 데이터 송수신을 위한 시스템
US8402150B1 (en) Manipulation of LonWorks® protocol for RF communications
CN116255492A (zh) 一种新型阀门控制系统
US20090097470A1 (en) Methods and systems for communicating data
Berrie et al. Networks in Process Automation: Hardware Structures and Integration of Process Variables into Networks
HE800ETN200 et al. SmartStack™

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 1709043.2

Country of ref document: GB

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17906467

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17906467

Country of ref document: EP

Kind code of ref document: A1