WO2020099934A1 - System and method for data transport security from isolated process control domains - Google Patents


Info

Publication number
WO2020099934A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
cloud
layer
control system
process control
Prior art date
Application number
PCT/IB2019/001259
Other languages
French (fr)
Inventor
Januar HIMANTONO
Jeroen Gerard GROENER
Original Assignee
Haffmans B.V.
Priority date
Filing date
Publication date
Application filed by Haffmans B.V.
Priority to EP19850792.3A (EP3881516A1)
Publication of WO2020099934A1

Classifications

    • H04L63/0272 Network architectures or network communication protocols for network security; for separating internal from external traffic, e.g. firewalls; virtual private networks
    • H04L63/0281 Network security for separating internal from external traffic, e.g. firewalls; proxies
    • H04L63/0428 Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0823 Network security for authentication of entities using certificates
    • H04L63/166 Implementing security features at a particular protocol layer: the transport layer
    • H04L12/4625 Data switching networks; interconnection of networks; LAN interconnection over a bridge-based backbone; single bridge functionality, e.g. connection of two networks over a single bridge
    • H04L67/10 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L9/0618 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; block ciphers, i.e. encrypting groups of characters of a plain text message using a fixed encryption transformation
    • H04L9/0894 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04W4/70 Services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers, using digital processors

Definitions

  • Process control systems like those used in beverage production, chemical, or other processes, typically include one or more controllers coupled to one or more final control elements such as valves, valve positioners, and switches, and to one or more field devices, such as temperature, pressure and flow rate sensors.
  • the controllers perform functions within the process such as opening or closing valves and measuring process parameters (e.g., measured by the field devices).
  • the controllers receive signals indicative of process parameter measurements and/or other information pertaining to the field devices, use this information to implement a control routine (e.g., to execute a recipe), and then generate control signals that are sent to the final control elements to control the operation of the process.
  • Process control systems are often configured to perform processes in accordance with batch or continuous recipes to produce products.
  • Product designers or engineers prepare recipes during a design time and store the recipes to be subsequently used a plurality of times by a process control system.
  • a recipe typically includes a combination of unit procedures, operations, and phases, all of which include instructions to control process equipment (e.g., tanks, vats, mixers, boilers, evaporators, pumps, valves, etc.) to transfer, mix, etc. ingredients in a process control system to generate a product.
  • the controllers of such process control systems may be connected to an isolated process control domain in order to prevent malicious actors from acquiring information (e.g., trade secrets) associated with these recipes and related processes, or from interfering with the process/recipe being executed.
  • Some embodiments of the invention provide a process control system that may communicate with a remote endpoint device via a cloud network.
  • a cloud server may act as an intermediary or broker that facilitates secure, bidirectional data transfer between the process control system and the remote endpoint device, enabling remote monitoring and control by the remote endpoint device of a production line connected to the process control system.
  • This production line may be, for example, a brewing and fermentation system for the production of beer.
  • Communication between the process control system, the cloud server, and the remote endpoint device may be performed according to a Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol.
  • Data transmitted between the process control system and the remote endpoint device may be encoded using one or more rotating keys for added security.
  • a system may include a production line, which may include multiple field devices that monitor the production line and multiple final control elements that control processing of material at the production line.
  • the system may further include a control system that controls the final control elements and that receives process parameter data from the field devices.
  • the control system may be in a process control domain.
  • the system may further include a cloud gateway coupled to the control system.
  • the cloud gateway may be configured to transfer first data from the control system to a remote endpoint device via a cloud server of a cloud network.
  • the cloud gateway may be configured to receive second data from the remote endpoint device via the cloud server.
  • the cloud gateway may be configured to transfer the second data to the control system.
  • the first data and the second data may be respectively encapsulated according to a message queuing telemetry transport over transport layer security protocol.
  • the cloud gateway may be configured to apply a message queuing telemetry transport over transport layer security protocol encryption to the first data based on a set of rotating certificates.
  • the cloud gateway may be configured to encode the first data based on one or more rotating keys.
  • the cloud gateway may be configured to encrypt the first data based on a cloud-managed encryption key.
  • the cloud-managed encryption key may include a 256-bit block cipher.
  • the production line may be a brewing and fermentation production line.
  • the multiple field devices may include at least one of a temperature sensor, a pH sensor, a specific gravity sensor, a flow rate sensor, an alcohol content sensor, or a pressure sensor.
  • the multiple final control elements may include at least one of a valve, a heating element, or a cooling element.
  • the process parameter data is selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
  • a method may include steps of receiving, by a gateway device, data from a control system within a process control domain, encoding, by the gateway device, the data to add an encoding layer to the data to produce encoded data, encrypting, by the gateway device, the encoded data to add an encryption layer to the encoded data to produce encrypted data, encapsulating, by the gateway device, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, sending, by the gateway device, the encapsulated data to a cloud-based server, and sending, by the cloud-based server, the encapsulated data to an endpoint device that is outside of the process control domain.
  • the MQTTS protocol layer may include a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index.
  • the method may include the step of further encapsulating, by the gateway device, the encapsulated data to add a virtual private network (VPN) layer.
  • the data may include parameter data generated by one or more field devices of the process control domain, the parameter data being selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
  • the method may include the step of generating, by the gateway device, the encoding layer based on a rotating key.
  • the method may include the step of generating, by the gateway device, the encryption layer based on an encryption key that is managed by the cloud-based server.
  • the encryption key corresponds to a block cipher.
  • the method may include the step of generating, by the gateway device, the MQTTS protocol layer based on at least one certificate of a set of rotating certificates.
  • a method may include steps of receiving, by a cloud-based server, data from an endpoint device that is outside of a process control domain, encoding, by the cloud-based server, the data to add an encoding layer to the data to produce encoded data, encrypting, by the cloud-based server, the encoded data to add an encryption layer to the encoded data to produce encrypted data, encapsulating, by the cloud-based server, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, sending, by the cloud-based server, the encapsulated data to a gateway device located at an edge between the process control domain and a cloud network that includes the cloud-based server, and sending, by the gateway device, the encapsulated data to a control system that is in the process control domain.
  • the MQTTS protocol layer may include a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index.
  • the method may further include the step of further encapsulating, by the cloud-based server, the encapsulated data to add a virtual private network (VPN) layer.
  • the data may include instructions for controlling one or more final control elements of a production line.
  • the method may further include steps of generating, by the cloud-based server, the encoding layer based on a rotating key, generating, by the cloud-based server, the encryption layer according to an encryption key that is managed by the cloud-based server, and generating, by the gateway device, the MQTTS protocol layer based on a set of rotating certificates.
  • the encryption key may correspond to a block cipher.
  • FIG. 1 is an illustrative block diagram of a system for the brewing and fermentation of beverages, the system including a control system that is in communication with an endpoint device through the internet and/or a wide-area network (WAN) according to one embodiment of the invention.
  • FIG. 2A is a diagram illustrating batch data transport between a control system in a process control domain and a remote server using a virtual private network (VPN) over the internet and business domains.
  • FIG. 2B is a diagram illustrating a batch data flow and data encapsulation architecture that may be applied to the data of FIG. 2A.
  • FIG. 3A is a diagram illustrating continuous data transport between a control system in a process control domain and a remote endpoint device using Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol over a cloud network according to one embodiment of the invention.
  • FIG. 3B is a diagram illustrating a data encapsulation architecture that may be applied to the data of FIG. 3A according to one embodiment of the invention.
  • the terms "mounted," "connected," "supported," and "coupled" and variations thereof are used broadly and encompass both direct and indirect mountings, connections, supports, and couplings. Further, "connected" and "coupled" are not restricted to physical or mechanical connections or couplings.
  • FIG. 1 illustrates a system 100 that includes a production line 101 (sometimes referred to herein as a brewing and fermentation production line) by which malt may be controllably milled, brewed, and fermented according to one embodiment of the invention.
  • the production line 101 can include one or more of a malt/grain source 102, a mill 104, a mash tun 106, a lauter tun 108, a kettle 110, a whirlpool tank 112, a fermentation vessel 114, a filtration system 116, a bright tank 118, and/or a carbonator 120.
  • a control system 122 may be connected to final control elements (FCEs) and field devices (FDs) 103 located at or between each stage of the production line 101.
  • the FCEs may include valves, valve positioners, switches, heating elements, cooling elements, and the like, which may control the flow and processing of material along the production line 101.
  • the FDs may include sensors, such as temperature, flow rate, specific gravity, pH, alcohol content, and pressure sensors.
  • the control system 122 may send commands to control the FCEs of the FCEs/FDs 103, and may receive process parameter data (e.g., temperature data, pH data, specific gravity data, pressure data, flow rate data, etc.) from the FDs of the FCEs/FDs 103 corresponding to measurements of process parameters taken by the FDs.
  • a communication system 125 enables electronic communication between the control system 122 and an endpoint device 130, and includes a gateway or router 124, a network 126 which may be the internet, a cloud network, and/or a wide-area network (WAN), and a gateway or router 128.
  • the malt/grain source 102 may provide malted barley and/or other grains to the mill 104.
  • the mill 104 may be a dry mill, such as a hammer mill or a roller mill, or may be a wet mill in which malt and/or grains are steeped in warm water to increase moisture content before being ground with rollers, for example.
  • the ground malt and/or grains are referred to as grist.
  • Grist produced by the mill 104 is provided to the mash tun 106, which is a vessel in which the grist is mixed with temperature-controlled water to produce a mash.
  • the mash may be held in the mash tun 106 for a predetermined time at a predetermined temperature until the starches of the grist convert to sugars.
  • one or more heating elements of the mash tun 106 may be controlled by the control system 122 (e.g., by programmable logic controllers (PLCs) thereof) based on temperature data measured by a temperature sensor in the mash tun 106 when heating the mash.
  • the dissolved sugars of the grist are referred to as the "wort".
  • after being held in the mash tun 106 at the predetermined temperature and time, the mash is provided to the lauter tun 108, which separates the wort from the rest of the mash.
  • the lauter tun 108 may include a slotted, perforated floor, which holds the spent malt/grains of the mash, while allowing the wort to filter through to be collected in a space beneath this floor.
  • the wort extracted by the lauter tun 108 is then provided to the kettle 110.
  • the wort is boiled with hops in order to sterilize the wort, denature enzymes, extract hop components, coagulate proteins and polyphenols, concentrate the wort, develop color, and drive off unwanted volatiles.
  • one or more heating elements may be controlled by the control system 122 (e.g., by PLCs thereof) based on temperature data measured by a temperature sensor in the kettle 110 when boiling the wort and hops.
  • the whirlpool tank 112 is a vessel that uses centripetal forces to cause solid particles suspended in the solution of hot wort and hops output by the kettle 110 to settle in the center of the whirlpool tank 112.
  • the whirlpool tank 112 may be a vertical, cylindrical tank with a flat bottom having a diameter that is at least equal to the depth of the solution of hot wort and hops when the tank is full (e.g., at a predefined maximum level).
  • the sediment that includes hop fragments and other solids separated from the hot wort is referred to as "trub".
  • the hot wort is pumped out of the whirlpool tank 112, and the trub that has collected at the center of the whirlpool tank may be discarded through a port located at that center.
  • the hot wort extracted by the whirlpool tank 112 is then provided to a fermentation vessel 114, at which yeast is introduced to the wort, which converts the sugars of the wort into alcohol, carbon dioxide, and heat to produce beer.
  • control of the heat generated by the yeast is generally important, as the development of the flavor of the end-product is affected by fermentation temperature.
  • cooling elements may be included at the fermentation vessel 114, which may be controlled, for example, by the control system 122 to keep the fermentation temperature within a predefined range.
  • specific gravity sensors, pH sensors, and/or alcohol content sensors may be included in the fermentation vessel 114, so that the decline in specific gravity, the decline in pH, and/or the increase in alcohol content of the fermenting wort associated with the fermentation process may be monitored, and so that the fermentation process may be ended when specific gravity, pH, and/or alcohol content conditions reach predefined thresholds.
  • the beer produced by the fermentation process is then passed through the filtration system 116.
  • the filtration system 116 may, for example, include one or more filters, such as diatomaceous earth (DE) or perlite based filters, membrane filters, cross-flow filters, candle filters, screen filters, and the like.
  • the filtration process performed on the beer by the filtration system 116 helps to remove suspended solids from the beer, which improves the clarity and stability of the beer.
  • Carbonation is introduced to the beer by the carbonator 120.
  • the beer may then be provided to the bright tank 118 where the beer is held in preparation for packaging.
  • the beer may instead be force-carbonated in-line anywhere between the fermentation vessel 114 and the bright tank 118.
  • controllable valves may be disposed at inputs and/or outputs of each device of the production line 101 (e.g., malt/grain source 102, mill 104, mash tun 106, lauter tun 108, kettle 110, whirlpool tank 112, fermentation vessel 114, filtration system 116, and bright tank 118), and these valves may be controlled by the control system 122 (e.g., by PLCs thereof) in order to control the flow of product through the system.
  • the FCEs of the FCEs and FDs 103 may include the valves and the heating and cooling elements used to control the process, while the FDs of the FCEs and FDs 103 may include the sensors used to monitor the process. While not described here, it should be understood that other FCEs (e.g., electric switches for controlling milling speed and coarseness at the mill 104) and field devices (e.g., pressure and flow rate sensors) may be included along the production line 101.
  • the control system 122 may be communicatively coupled to the FCEs and FDs at each of the malt/grain source 102, mill 104, mash tun 106, lauter tun 108, kettle 110, whirlpool tank 112, fermentation vessel 114, filtration system 116, and bright tank 118, such that the control system 122 may monitor the field devices (e.g., receiving temperature, specific gravity, pH, pressure, and flow rate data) and control the FCEs.
  • solid lines in FIG. 1 represent production line flow
  • solid lines represent electronic communication, which can each be any suitable communications link or combination of communications links, such as wired links, fiber optic links, Wi-Fi links, Bluetooth links, cellular links, etc.
  • the control system 122 may include one or more controllers, computer systems (e.g., engineering and/or supervisory workstations), servers (e.g., for process management and maintaining a process history). For example, local process engineers may monitor the production line 101 and, with appropriate credentials, may manually control FCEs of the system 100 via the computer systems of the control system 122. Controllers of the control system 122 may include PLCs, which may be interconnected as part of a PLC network, for example. The control system 122 may implement a SCADA architecture for the control of FCEs and monitoring of FDs.
  • Controllers and/or computer systems of control system 122 may be part of an isolated process control domain (sometimes referred to as a process control network (PCN)) that is separated from other networks, such as business domains (e.g., business LANs/WANs) and the internet through one or more firewalls to ensure the security of devices connected to the PCN (e.g., to prevent access to the PCN by unauthorized users/devices).
  • firewalls may tend to make continuous data transport between the PCN and authorized remote endpoint devices such as the endpoint device 130 (e.g., computer systems with permission to access the PCN and some or all of its constituent devices) impractical, as each firewall adds a hop to the data path.
  • Each hop in the data path also introduces a separate potential security breach, such as spoofing or man-in-the-middle attacks.
  • FIGS. 2A and 2B show an example of how data flow may occur between a control system (e.g., control system 122 of FIG. 1) in an isolated process control domain and a remote server across several firewalls when virtual private network (VPN) encryption is used to secure data.
  • a control system 222 may be part of a process control domain, and may attempt to send data 244 (e.g., corresponding to monitored attributes of a process being executed by a production line such as the production line 101 of FIG. 1) to a remote server 240.
  • a firewall 232 at the edge of the process control domain may perform security checks on all data, including data 244, entering and leaving the process control domain.
  • the data 244 may pass through a business domain, which may correspond to a local area network (LAN) that is interposed between the process control domain and a connection to a network 242, which may correspond to the public internet or another wide-area network (WAN).
  • Another firewall 234 may be disposed at an edge of the business domain, separating the business domain from the internet, and may add an additional hop to the data path.
  • the data 244 may pass through the internet after successfully passing a security check at the firewall 234, and may be routed to another business domain of which the server 240 is a part.
  • the data 244 may be forced to pass through a third firewall 236, at which a third security check is performed and which adds another hop to the data path.
  • the data 244 may be encapsulated with an encryption layer 248 and a VPN layer 246.
  • the encryption layer 248 may correspond to a secure hash algorithm (SHA) encryption, such as SHA-1 or SHA-2.
  • the data 244 is transported through VPN tunnels.
  • the VPN layer 246 represents an Internet Protocol Security (IPSEC) VPN tunnel, which may act as an encryption layer only while the data 244 is being transported between the control system 222 and the remote server 240.
  • a separate VPN tunnel may be applied between each of the firewall 232 and the firewall 234, the firewall 234 and the firewall 236, and the firewall 236 and the remote server 240.
  • FIGs. 3A and 3B show an example of how data flow may occur between a control system 322 (e.g., control system 122 of FIG.
  • the control system 322 may communicate bi-directionally with a cloud server 350 through a gateway or router 324, which may be a cloud gateway located at an edge between the process control domain and the cloud network 326.
  • the gateway or router 324 may be a secured virtual edge environment that uses a rotating digital certificate for public key verification (e.g., an X.509 certificate). Certificate management may be provided by a cloud-based service (e.g., implemented in the cloud network 326).
  • the cloud server 350 may be a virtual server or may represent a cluster of servers.
  • Non-limiting examples of provider services that may be invoked or accessed to work in conjunction with the cloud server 350 include: security services that maintain and apply security policies, access controls, and the like, encrypt and decrypt information, create secure transmission (e.g., transport layer security (TLS)) channels, etc.; messaging services that transmit triggering events and other notifications between subscribing users and services, and/or provide queueing services for prioritizing synchronous and asynchronous operations (e.g., API calls); monitoring services that monitor network activity and computing resource usage and generate logs of activity; data storage services that maintain distributed storage devices, databases, etc., and that may maintain and/or obtain data stored in an IoT device data store; and data analytics services that may collect data (e.g., aggregated sensor data) and perform analytics on the data, such as machine learning, trend analysis, general monitoring/alerting, etc.
  • the cloud server 350 may communicate bi-directionally with an endpoint device 330 (i.e., sending data to and receiving data from the endpoint device 330) that is located in a business domain or other local network outside of the process control domain.
  • the cloud server 350 may communicate with the endpoint device 330 directionally using Hyper Text Transfer Protocol Secure (HTTPS) and multi-factor authentication (MFA).
  • HTTPS Hyper Text Transfer Protocol Secure
  • MFA multi-factor authentication
  • the endpoint device 330 may be a computer system having authorization (e.g., in the form of a rotating key) to access the control system 322 to read and/or write data from/to one or more computer systems or controllers of the control system 322.
  • the cloud server 350 may act as an intermediary, passing the data 344 between the control system 322 and the endpoint device 330.
  • the cloud server 350 may remove some or all of the encapsulation layers 346, 348, 352, 354, (e.g., via decryption/decoding) that were added to the data by the gateway or server 324, and may then re encapsulate the data according to the protocol (e.g., HTTPS, MFA) that it is using to communicate with the endpoint device 330.
  • the control system 322 or the gateway or router 324 may communicate with the cloud server 350 using a Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol.
  • MQTT is a lightweight publish/subscribe messaging protocol, which may be used, for example, for machine-to-machine communications.
  • TLS is a cryptographic protocol that uses a handshake mechanism to secure a connection between two devices (e.g., a client and a server).
  • MQTT relies on the TCP transport protocol, and may be made more secure by using TLS instead of plain TCP.
  • the gateway or router 324 may initiate an MQTTS connection with a set of rotating certificates, and may apply an encoding to the data 344 (e.g., based on a rotating index), as well as an encryption based on an encryption key (e.g., that uses a block cipher such as an Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) 256-bit block cipher).
  • the encryption key may be managed as a cloud-based service (e.g., provided over the cloud network 326).
  • the gateway or router 324 may optionally route the data 344 using an IPSEC VPN.
  • the endpoint device 330 may access the cloud server 350 via a connection that uses the HTTPS protocol.
  • the endpoint device 330 may connect to the cloud server 350 over the public internet, rather than the cloud network 326. In this way, the endpoint device 330 may securely access and remotely control the control system 322, and thereby control any FCEs controlled by the control system 322 and monitor any FDs monitored by the control system 322 (e.g., the FDs and FCEs of the brewing and fermentation production line 101 of FIG. 1).
  • the endpoint device 330 may remotely control the FCEs within the process control domain by generating and sending instruction data for controlling the FCEs to the cloud server 350.
  • the cloud server 350 may encapsulate the instruction data received from the endpoint device 330 (e.g., according to the encapsulation shown in FIG. 3B).
  • the encapsulated data may then be sent by the cloud server 350 to the gateway or router 324.
  • the gateway or router 324 may remove the encapsulation from the instruction data (e.g., via decryption/decoding), before passing the instruction data to the control system 322.
  • the control system 322 may then configure the FCEs according to the instruction data (e.g., opening/closing valves or switches, adjusting temperature set-points for heating or cooling elements, etc.).
  • the data 344 may be encapsulated with an encoding layer 354, an encryption layer 348 (e.g., corresponding to a cloud-managed encryption key that may, for example, apply an AES GCM 256-bit block cipher), an MQTTS layer 352 (e.g., corresponding to rotating x.509 certificates), and an optional VPN layer 346 (e.g., corresponding to an IPSEC VPN tunnel).
  • the encoding layer 354 may be encoded and decoded based on a rotating key for added security.
  • because the encoding layer 354 will be unique to a particular endpoint device or gateway/router, only a single endpoint device or gateway/router should be affected in the event of a security breach. For example, when rotating the key for the encoding layer 354, a new key may be generated by the cloud server 350, and may be sent by the cloud server 350 to the endpoint device 330 and/or the gateway or router 324. The old key previously applied to generate the encoding layer 354 may be discarded ("retired"), and subsequent data encoding may be performed using the new key by both the cloud server 350 and the gateway or router 324 and/or the endpoint device 330. The frequency at which such key rotation occurs may be automatically set, or may be set manually by adjusting corresponding settings via interaction with the cloud server 350.
  • the same rotating key or a different rotating key may be applied to encrypt the channels of the MQTTS layer 352.

Abstract

Embodiments of the invention provide a process control system that may communicate with a remote endpoint device via a cloud network. A cloud server may act as an intermediary or broker that facilitates secure, bidirectional data transfer between the process control system and the remote endpoint device, enabling remote monitoring and control by the remote endpoint device of a production line connected to the process control system. This production line may be, for example, a brewing and fermentation system for the production of beer. Communication between the process control system, the cloud server, and the remote endpoint device may be performed according to a Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol. Data transmitted between the process control system and the remote endpoint device may be encoded using one or more rotating keys for added security.

Description

SYSTEM AND METHOD FOR DATA TRANSPORT SECURITY FROM ISOLATED PROCESS CONTROL DOMAINS
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims priority to U.S. Provisional Application No. 62/760,112 filed November 13, 2018, which is incorporated by reference in its entirety for all purposes.
BACKGROUND
[0002] Process control systems, like those used in beverage production, chemical, or other processes, typically include one or more controllers coupled to one or more final control elements such as valves, valve positioners, and switches, and to one or more field devices, such as temperature, pressure and flow rate sensors. The controllers perform functions within the process such as opening or closing valves and measuring process parameters (e.g., measured by the field devices). The controllers receive signals indicative of process parameter measurements and/or other information pertaining to the field devices, use this information to implement a control routine (e.g., to execute a recipe), and then generate control signals that are sent to the final control elements to control the operation of the process.
[0003] Process control systems are often configured to perform processes in accordance with batch or continuous recipes to produce products. Product designers or engineers prepare recipes during a design time and store the recipes to be subsequently used a plurality of times by a process control system. A recipe typically includes a combination of unit procedures, operations, and phases, all of which include instructions to control process equipment (e.g., tanks, vats, mixers, boilers, evaporators, pumps, valves, etc.) to transfer, mix, etc. ingredients in a process control system to generate a product. The controllers of such process control systems may be connected to an isolated process control domain in order to prevent malicious actors from acquiring information (e.g., trade secrets) associated with these recipes and related processes, or from interfering with the process/recipe being executed. However, limiting communication with these controllers to isolated process control domains generally inhibits the ability of process engineers and operators to easily remotely monitor or control a process being executed by the system. Thus, it may be desirable to provide a system and method for secure data transport between a process control system in an isolated process control domain and a remote endpoint device that is outside of the isolated process control domain.
SUMMARY
[0004] Some embodiments of the invention provide a process control system that may communicate with a remote endpoint device via a cloud network. A cloud server may act as an intermediary or broker that facilitates secure, bidirectional data transfer between the process control system and the remote endpoint device, enabling remote monitoring and control by the remote endpoint device of a production line connected to the process control system. This production line may be, for example, a brewing and fermentation system for the production of beer. Communication between the process control system, the cloud server, and the remote endpoint device may be performed according to a Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol. Data transmitted between the process control system and the remote endpoint device may be encoded using one or more rotating keys for added security.
[0005] In an example embodiment, a system may include a production line, which may include multiple field devices that monitor the production line and multiple final control elements that control processing of material at the production line. The system may further include a control system that controls the final control elements and that receives process parameter data from the field devices. The control system may be in a process control domain. The system may further include a cloud gateway coupled to the control system. The cloud gateway may be configured to transfer first data from the control system to a remote endpoint device via a cloud server of a cloud network. The cloud gateway may be configured to receive second data from the remote endpoint device via the cloud server. The cloud gateway may be configured to transfer the second data to the control system. The first data and the second data may be respectively encapsulated according to a message queuing telemetry transport over transport layer security protocol.
[0006] In some embodiments, the cloud gateway may be configured to apply a message queuing telemetry transport over transport layer security protocol encryption to the first data based on a set of rotating certificates.
[0007] In some embodiments, the cloud gateway may be configured to encode the first data based on one or more rotating keys.
[0008] In some embodiments, the cloud gateway may be configured to encrypt the first data based on a cloud-managed encryption key.
[0009] In some embodiments, the cloud-managed encryption key may include a 256 bit block cipher.
[0010] In some embodiments, the production line may be a brewing and fermentation production line.
[0011] In some embodiments, the multiple field devices may include at least one of a temperature sensor, a pH sensor, a specific gravity sensor, a flow rate sensor, an alcohol content sensor, or a pressure sensor.
[0012] In some embodiments, the multiple final control elements may include at least one of a valve, a heating element, or a cooling element.
[0013] In some embodiments, the process parameter data is selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
[0014] In an example embodiment, a method may include steps of receiving, by a gateway device, data from a control system within a process control domain, encoding, by the gateway device, the data to add an encoding layer to the data to produce encoded data, encrypting, by the gateway device, the encoded data to add an encryption layer to the encoded data to produce encrypted data, encapsulating, by the gateway device, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, sending, by the gateway device, the encapsulated data to a cloud-based server, and sending, by the cloud-based server, the encapsulated data to an endpoint device that is outside of the process control domain. The MQTTS protocol layer may include a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index.
[0015] In some embodiments, the method may include the step of further encapsulating, by the gateway device, the encapsulated data to add a virtual private network (VPN) layer.
[0016] In some embodiments, the data may include parameter data generated by one or more field devices of the process control domain, the parameter data being selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
[0017] In some embodiments, the method may include the step of generating, by the gateway device, the encoding layer based on a rotating key.
[0018] In some embodiments, the method may include the step of generating, by the gateway device, the encryption layer based on an encryption key that is managed by the cloud-based server.
[0019] In some embodiments, the encryption key corresponds to a block cipher.
[0020] In some embodiments, the method may include the step of generating, by the gateway device, the MQTTS protocol layer based on at least one certificate of a set of rotating certificates.
[0021] In an example embodiment, a method may include steps of receiving, by a cloud-based server, data from an endpoint device that is outside of a process control domain, encoding, by the cloud-based server, the data to add an encoding layer to the data to produce encoded data, encrypting, by the cloud-based server, the encoded data to add an encryption layer to the encoded data to produce encrypted data, encapsulating, by the cloud-based server, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, sending, by the cloud-based server, the encapsulated data to a gateway device located at an edge between the process control domain and a cloud network that includes the cloud-based server, and sending, by the gateway device, the encapsulated data to a control system that is in the process control domain. The MQTTS protocol layer may include a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index.
[0022] In some embodiments, the method may further include the step of further encapsulating, by the cloud-based server, the encapsulated data to add a virtual private network (VPN) layer.
[0023] In some embodiments, the data may include instructions for controlling one or more final control elements of a production line.
[0024] In some embodiments, the method may further include steps of generating, by the cloud-based server, the encoding layer based on a rotating key, generating, by the cloud-based server, the encryption layer according to an encryption key that is managed by the cloud-based server, and generating, by the gateway device, the MQTTS protocol layer based on a set of rotating certificates.
[0025] In some embodiments, the encryption key may correspond to a block cipher.
DESCRIPTION OF THE DRAWINGS
[0026] FIG. 1 is an illustrative block diagram of a system for the brewing and fermentation of beverages, the system including a control system that is in communication with an endpoint device through the internet and/or a wide-area network (WAN) according to one embodiment of the invention.
[0027] FIG. 2A is a diagram illustrating batch data transport between a control system in a process control domain and a remote server using a virtual private network (VPN) over the internet and business domains.
[0028] FIG. 2B is a diagram illustrating a batch data flow and data encapsulation architecture that may be applied to the data of FIG. 2A.
[0029] FIG. 3A is a diagram illustrating continuous data transport between a control system in a process control domain and a remote endpoint device using Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol over a cloud network according to one embodiment of the invention.
[0030] FIG. 3B is a diagram illustrating a data encapsulation architecture that may be applied to the data of FIG. 3A according to one embodiment of the invention.
DETAILED DESCRIPTION
[0031] Before any embodiments of the invention are explained in detail, it is to be understood that the invention is not limited in its application to the details of construction and the arrangement of components set forth in the following description or illustrated in the following drawings. The invention is capable of other embodiments and of being practiced or of being carried out in various ways. Also, it is to be understood that the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of “including,” “comprising,” or “having” and variations thereof herein is meant to encompass the items listed thereafter and equivalents thereof as well as additional items. Unless specified or limited otherwise, the terms “mounted,” “connected,” “supported,” and “coupled” and variations thereof are used broadly and encompass both direct and indirect mountings, connections, supports, and couplings. Further, “connected” and “coupled” are not restricted to physical or mechanical connections or couplings.
[0032] The following discussion is presented to enable a person skilled in the art to make and use embodiments of the invention. Various modifications to the illustrated embodiments will be readily apparent to those skilled in the art, and the generic principles herein can be applied to other embodiments and applications without departing from embodiments of the invention. Thus, embodiments of the invention are not intended to be limited to embodiments shown, but are to be accorded the widest scope consistent with the principles and features disclosed herein. The following detailed description is to be read with reference to the figures, in which like elements in different figures have like reference numerals. The figures, which are not necessarily to scale, depict selected embodiments and are not intended to limit the scope of embodiments of the invention. Skilled artisans will recognize the examples provided herein have many useful alternatives and fall within the scope of embodiments of the invention.
[0033] FIG. 1 illustrates a system 100 that includes a production line 101 (sometimes referred to herein as a brewing and fermentation production line) by which malt may be controllably milled, brewed, and fermented according to one embodiment of the invention. The production line 101 can include one or more of a malt/grain source 102, a mill 104, a mash tun 106, a lauter tun 108, a kettle 110, a whirlpool tank 112, a fermentation vessel 114, a filtration system 116, a bright tank 118, and/or a carbonator 120. A control system 122 may be connected to final control elements (FCEs) and field devices (FDs) 103 located at or between each stage of the production line 101. For example, the FCEs may include valves, valve positioners, switches, heating elements, cooling elements, and the like, which may control the flow and processing of material along the production line 101. The FDs may include sensors, such as temperature, flow rate, specific gravity, pH, alcohol content, and pressure sensors. The control system 122 may send commands to control the FCEs of the FCEs/FDs 103, and may receive process parameter data (e.g., temperature data, pH data, specific gravity data, pressure data, flow rate data, etc.) from the FDs of the FCEs/FDs 103 corresponding to measurements of process parameters taken by the FDs. A communication system 125 enables electronic communication between the control system 122 and an endpoint device 130, and includes a gateway or router 124, a network 126 which may be the internet, a cloud network, and/or a wide-area network (WAN), and a gateway or router 128.
[0034] The malt/grain source 102 may provide malted barley and/or other grains to the mill 104. The mill 104 may be a dry mill, such as a hammer mill or a roller mill, or may be a wet mill in which malt and/or grains are steeped in warm water to increase moisture content before being ground with rollers, for example. The ground malt and/or grains is referred to as grist. Grist produced by the mill 104 is provided to the mash tun 106, which is a vessel in which the grist is mixed with temperature-controlled water to produce a mash. The mash may be held in the mash tun 106 for a predetermined time at a predetermined temperature until the starches of the grist convert to sugars. For example, one or more heating elements of the mash tun 106 may be controlled by the control system 122 (e.g., by programmable logic controllers (PLCs) thereof) based on temperature data measured by a temperature sensor in the mash tun 106 when heating the mash. The dissolved sugars of the grist are referred to as the "wort".
[0035] After being held in the mash tun 106 at the predetermined temperature and time, the mash is provided to the lauter tun 108, which separates the wort from the rest of the mash. For example, the lauter tun 108 may include a slotted, perforated floor, which holds the spent malt/grains of the mash, while allowing the wort to filter through to be collected in a space beneath this floor. The wort extracted by the lauter tun 108 is then provided to the kettle 110. At the kettle 110, the wort is boiled with hops in order to sterilize the wort, denature enzymes, extract hop components, coagulate proteins and polyphenols, concentrate the wort, develop color, and drive off unwanted volatiles. For example, one or more heating elements may be controlled by the control system 122 (e.g., by PLCs thereof) based on temperature data measured by a temperature sensor in the kettle 110 when boiling the wort and hops.
[0036] After being boiled in the kettle 110, the hot wort is separated from the hop fragments and other solid particles at the whirlpool tank 112. The whirlpool tank 112 is a vessel that uses centripetal forces to cause solid particles suspended in the solution of hot wort and hops output by the kettle 110 to settle in the center of the whirlpool tank 112. For example, the whirlpool tank 112 may be a vertical, cylindrical tank with a flat bottom having a diameter that is at least equal to the depth of the solution of hot wort and hops when the tank is full (e.g., at a predefined maximum level). The sediment that includes hop fragments and other solids separated from the hot wort is referred to as "trub". Once the trub has been separated from the hot wort, the hot wort is pumped out of the whirlpool tank 112, and the trub that has collected at the center of the whirlpool tank may be discarded through a port located at that center.
[0037] The hot wort extracted by the whirlpool tank 112 is then provided to a fermentation vessel 114, at which yeast is introduced to the wort, which converts the sugars of the wort into alcohol, carbon dioxide, and heat to produce beer. During fermentation, control of the heat generated by the yeast is generally important, as the development of the flavor of the end-product is affected by fermentation temperature. Thus, cooling elements may be included at the fermentation vessel 114, which may be controlled, for example, by the control system 122 to keep the fermentation temperature within a predefined range. Additionally, specific gravity sensors, pH sensors, and/or alcohol content sensors may be included in the fermentation vessel 114, so that the decline in specific gravity, the decline in pH, and/or the increase in alcohol content of the fermenting wort associated with the fermentation process may be monitored, and so that the fermentation process may be ended when specific gravity, pH, and/or alcohol content conditions reach predefined thresholds.
[0038] The beer produced by the fermentation process is then passed through the filtration system 116. The filtration system 116 may, for example, include one or more filters, such as diatomaceous earth (DE) or perlite based filters, membrane filters, cross-flow filters, candle filters, screen filters, and the like. The filtration process performed on the beer by the filtration system 116 helps to remove suspended solids from the beer, which improves the clarity and stability of the beer.
[0039] Carbonation is introduced to the beer by the carbonator 120. The beer may then be provided to the bright tank 118 where the beer is held in preparation for packaging. In some embodiments, the beer may instead be force-carbonated in-line anywhere between the fermentation vessel 114 and the bright tank 118. In addition to the sensors and heating elements described above, controllable valves may be disposed at inputs and/or outputs of each device of the production line 101 (e.g., malt/grain source 102, mill 104, mash tun 106, lauter tun 108, kettle 110, whirlpool tank 112, fermentation vessel 114, filtration system 116, and bright tank 118), and these valves may be controlled by the control system 122 (e.g., by PLCs thereof) in order to control the flow of product through the system. In the above example, the FCEs of the FCEs and FDs 103 may include the valves and the heating and cooling elements used to control the process, while the FDs of the FCEs and FDs 103 may include the sensors used to monitor the process. While not described here, it should be understood that other FCEs (e.g., electric switches for controlling milling speed and coarseness at the mill 104) and field devices (e.g., pressure and flow rate sensors) may be included along the production line 101.
[0040] The control system 122 may be communicatively coupled to the FCEs and FDs at each of the malt/grain source 102, mill 104, mash tun 106, lauter tun 108, kettle 110, whirlpool tank 112, fermentation vessel 114, filtration system 116, and bright tank 118, such that the control system 122 may monitor the field devices (e.g., receiving temperature, specific gravity, pH, pressure, and flow rate data) and control the FCEs. It should be noted that solid lines in FIG. 1 represent production line flow, while solid lines represent electronic communication, which can each be any suitable communications link or combination of communications links, such as wired links, fiber optic links, Wi-Fi links, Bluetooth links, cellular links, etc.
[0041] The control system 122 may include one or more controllers, computer systems (e.g., engineering and/or supervisory workstations), and/or servers (e.g., for process management and maintaining a process history). For example, local process engineers may monitor the production line 101 and, with appropriate credentials, may manually control FCEs of the system 100 via the computer systems of the control system 122. Controllers of the control system 122 may include PLCs, which may be interconnected as part of a PLC network, for example. The control system 122 may implement a SCADA architecture for the control of FCEs and monitoring of FDs. Controllers and/or computer systems of control system 122 may be part of an isolated process control domain (sometimes referred to as a process control network (PCN)) that is separated from other networks, such as business domains (e.g., business LANs/WANs) and the internet, through one or more firewalls to ensure the security of devices connected to the PCN (e.g., to prevent access to the PCN by unauthorized users/devices). However, such firewalls may tend to make continuous data transport between the PCN and authorized remote endpoint devices such as the endpoint device 130 (e.g., computer systems with permission to access the PCN and some or all of its constituent devices) impractical, as each firewall adds a hop to the data path. Each hop in the data path also introduces a separate potential security breach, such as spoofing or man-in-the-middle attacks.
[0042] FIGS. 2A and 2B show an example of how data flow may occur between a control system (e.g., control system 122 of FIG. 1) in an isolated process control domain and a remote server across several firewalls when virtual private network (VPN) encryption is used to secure data. As shown in FIG. 2A, a control system 222 may be part of a process control domain, and may attempt to send data 244 (e.g., corresponding to monitored attributes of a process being executed by a production line such as the production line 101 of FIG. 1) to a remote server 240. A firewall 232 at the edge of the process control domain may perform security checks on all data, including data 244, entering and leaving the process control domain. After passing through the firewall 232, the data 244 may pass through a business domain, which may correspond to a local area network (LAN) that is interposed between the process control domain and a connection to a network 242, which may correspond to the public internet or another wide-area network (WAN). Another firewall 234 may be disposed at an edge of the business domain, separating the business domain from the internet, and may add an additional hop to the data path. The data 244 may pass through the internet after successfully passing a security check at the firewall 234, and may be routed to another business domain of which the server 240 is a part. In order to enter the business domain of the server 240, the data 244 may be forced to pass through a third firewall 236, at which a third security check is performed and which adds another hop to the data path.
[0043] As shown in FIG. 2B, the data 244 may be encapsulated with an encryption layer 248 and a VPN layer 246. The encryption layer 248 may correspond to a secure hash algorithm (SHA) encryption, such as SHA-1 or SHA-2. The data 244 is transported through VPN tunnels. The VPN layer 246 represents an Internet Protocol Security (IPSEC) VPN tunnel, which may act as an encryption layer only while the data 244 is being transported between the control system 222 and the remote server 240. A separate VPN tunnel may be applied between each of the firewall 232 and the firewall 234, the firewall 234 and the firewall 236, and the firewall 236 and the remote server 240. Because of the presence of the firewalls 232, 234, and 236, the data 244 may be sent in batches, rather than being sent continuously, as the possibility of data being slowed down, or even dropped at each firewall security check may make continuous data transmission somewhat unreliable. Additionally, each of the firewalls 232, 234, and 236 acts as a potential man-in-middle attack location (e.g., because each individual with access to a given firewall presents a potential security risk), as the data 244 is only protected by the encryption layer 248 at these nodes. Reducing or eliminating potential human interactions with the data 244 could increase its security. [0044] FIGs. 3 A and 3B show an example of how data flow may occur between a control system 322, (e.g., control system 122 of FIG. 1) in an isolated process control domain and a remote endpoint device 330 through a public cloud network 326. As shown in FIG. 3A, the control system 322 may communicate bi-directionally with a cloud server 350 through a gateway or router 324, which may be a cloud gateway located at an edge between the process control domain and the cloud network 326. The gateway or router 324 may be a secured virtual edge environment that uses a rotating digital certificate for public key verification (e.g., an x.509 certificate). 
Certificate management may be provided by a cloud-based service (e.g., implemented in the cloud network 326). In some embodiments, the cloud server 350 may be a virtual server or may represent a cluster of servers. Non-limiting examples of provider services that may be invoked or accessed to work in conjunction with the cloud server 350 include: security services that maintain and apply security policies, access controls, and the like, encrypt and decrypt information, create secure transmission (e.g., transport layer security (TLS)) channels, etc.; messaging services that transmit triggering events and other notifications between subscribing users and services, and/or provide queueing services for prioritizing synchronous and asynchronous operations (e.g., API calls); monitoring services that monitor network activity and computing resource usage and generate logs of activity; data storage services that maintain distributed storage devices, databases, etc., and that may maintain and/or obtain data stored in an IoT device data store; and data analytics services that may collect data (e.g., aggregated sensor data) and perform analytics on the data, such as machine learning, trend analysis, general monitoring/alerting, etc.
[0045] The cloud server 350 may communicate bi-directionally with an endpoint device 330 (i.e., sending data to and receiving data from the endpoint device 330) that is located in a business domain or other local network outside of the process control domain. For example, the cloud server 350 may communicate with the endpoint device 330 bi-directionally using Hypertext Transfer Protocol Secure (HTTPS) and multi-factor authentication (MFA). The endpoint device 330 may be a computer system having authorization (e.g., in the form of a rotating key) to access the control system 322 to read and/or write data from/to one or more computer systems or controllers of the control system 322. The cloud server 350 may act as an intermediary, passing the data 344 between the control system 322 and the endpoint device 330. The cloud server 350 may remove some or all of the encapsulation layers 346, 348, 352, 354 (e.g., via decryption/decoding) that were added to the data by the gateway or router 324, and may then re-encapsulate the data according to the protocol (e.g., HTTPS, MFA) that it is using to communicate with the endpoint device 330. For example, the control system 322 or the gateway or router 324 may communicate with the cloud server 350 using a Message Queuing Telemetry Transport over Transport Layer Security (MQTTS) protocol. MQTT is a lightweight publish/subscribe messaging protocol, which may be used, for example, for machine-to-machine communications. TLS is a cryptographic protocol that uses a handshake mechanism to secure a connection between two devices (e.g., a client and a server). MQTT relies on the TCP transport protocol, and may be made more secure by using TLS instead of plain TCP.
For example, the gateway or router 324 may initiate an MQTTS connection with a set of rotating certificates, and may apply an encoding to the data 344 (e.g., based on a rotating index), as well as an encryption based on an encryption key (e.g., that uses a block cipher such as an Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) 256-bit block cipher). The encryption key may be managed as a cloud-based service (e.g., provided over the cloud network 326). In some embodiments, the gateway or router 324 may optionally route the data 344 using an IPSEC VPN. The endpoint device 330 may access the cloud server 350 via a connection that uses the HTTPS protocol. In some embodiments, the endpoint device 330 may connect to the cloud server 350 over the public internet, rather than the cloud network 326. In this way, the endpoint device 330 may securely access and remotely control the control system 322, and thereby control any FCEs controlled by the control system 322 and monitor any FDs monitored by the control system 322 (e.g., the FDs and FCEs of the brewing and fermentation production line 101 of FIG. 1). For example, the endpoint device 330 may remotely control the FCEs within the process control domain by generating and sending instruction data for controlling the FCEs to the cloud server 350. The cloud server 350 may encapsulate the instruction data received from the endpoint device 330 (e.g., according to the encapsulation shown in FIG. 3B). The encapsulated data may then be sent by the cloud server 350 to the gateway or router 324. The gateway or router 324 may remove the encapsulation from the instruction data (e.g., via decryption/decoding) before passing the instruction data to the control system 322. The control system 322 may then configure the FCEs according to the instruction data (e.g., opening/closing valves or switches, adjusting temperature set-points for heating or cooling elements, etc.). By using MQTTS for communication between the gateway or router 324 and the cloud server 350, the direct need for multiple VPN tunnels is eliminated.
[0046] As shown in FIG. 3B, the data 344 may be encapsulated with an encoding layer 354, an encryption layer 348 (e.g., corresponding to a cloud-managed encryption key that may, for example, apply an AES GCM 256-bit block cipher), an MQTTS layer 352 (e.g., corresponding to rotating x.509 certificates), and an optional VPN layer 346 (e.g., corresponding to an IPSEC VPN tunnel). The encoding layer 354 may be encoded and decoded based on a rotating key for added security. Because the encoding layer 354 will be unique to a particular endpoint device or gateway/router, only a single endpoint device or gateway/router should be affected in the event of a security breach. For example, when rotating the key for the encoding layer 354, a new key may be generated by the cloud server 350, and may be sent by the cloud server 350 to the endpoint device 330 and/or the gateway or router 324. The old key previously applied to generate the encoding layer 354 may be discarded ("retired"), and subsequent data encoding may be performed using the new key by both the cloud server 350 and the gateway or router 324 and/or the endpoint device 330. The frequency at which such key rotation occurs may be automatically set, or may be set manually by adjusting corresponding settings via interaction with the cloud server 350. In some embodiments, instead of or in addition to applying a rotating-key-based encryption at the encoding layer 354 (e.g., to the payload data itself), the same rotating key or a different rotating key may be applied to encrypt the channels of the MQTTS layer 352.
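The following Go program is an added illustration of the inner two layers of FIG. 3B and of the key rotation described in [0045] and [0046]; it is an editor's example, not code from the patent or from Haffmans B.V. It assumes (since the description does not specify the encoding) that encoding layer 354 is itself an AES-256-GCM wrap under the rotating per-endpoint key, with the key's index carried in a clear header and bound as associated data, and that encryption layer 348 is a second AES-256-GCM wrap under the cloud-managed key. The cloud-managed key is a constructed literal, key distribution from the cloud server to the gateway is modelled as an in-process assignment, and the MQTTS (TLS) and VPN layers are not modelled. The names KeyRing, Encapsulate and Decapsulate are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with a fresh random nonce prepended; aad is authenticated, not encrypted.
func sealGCM(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM and fails on any change to the ciphertext or aad.
func openGCM(key, aad, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed message too short")
}

// KeyRing is one party's view of the rotating encoding-layer key; only the current index is accepted.
type KeyRing struct {
	Index uint32
	Key   []byte
}

// Rotate is the cloud server's step: mint a new key, retire the old one, and return the pair for distribution.
func (r *KeyRing) Rotate() (uint32, []byte) {
	r.Index, r.Key = r.Index+1, make([]byte, 32)
	if _, err := rand.Read(r.Key); err != nil {
		panic(err)
	}
	return r.Index, r.Key
}

// Encapsulate applies encoding layer 354 (rotating key, index bound as AAD) and then encryption
// layer 348 (cloud-managed key). Wire format: [4-byte index][GCM(cloudKey, GCM(ring.Key, payload))].
func Encapsulate(ring *KeyRing, cloudKey, payload []byte) ([]byte, error) {
	hdr := binary.BigEndian.AppendUint32(nil, ring.Index)
	encoded, err := sealGCM(ring.Key, hdr, payload)
	if err != nil {
		return nil, fmt.Errorf("encoding layer: %w", err)
	}
	encrypted, err := sealGCM(cloudKey, hdr, encoded)
	if err != nil {
		return nil, fmt.Errorf("encryption layer: %w", err)
	}
	return append(hdr, encrypted...), nil
}

// Decapsulate peels the layers in reverse order and enforces the key rotation.
func Decapsulate(ring *KeyRing, cloudKey, msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, errors.New("message too short for header")
	}
	hdr, body := msg[:4], msg[4:]
	encoded, err := openGCM(cloudKey, hdr, body)
	if err != nil {
		return nil, fmt.Errorf("encryption layer: %w", err)
	}
	if idx := binary.BigEndian.Uint32(hdr); idx != ring.Index {
		return nil, fmt.Errorf("encoding key index %d is retired (current %d)", idx, ring.Index)
	}
	return openGCM(ring.Key, hdr, encoded)
}

func main() {
	cloudKey, cloud, gateway := []byte("0123456789abcdef0123456789abcdef"), &KeyRing{}, &KeyRing{} // constructed key
	gateway.Index, gateway.Key = cloud.Rotate() // initial key distribution, cloud -> gateway
	msg, _ := Encapsulate(gateway, cloudKey, []byte(`{"tank":3,"temp_c":20.5}`)) // constructed sample
	out, err := Decapsulate(cloud, cloudKey, msg)
	fmt.Printf("cloud received %s (err=%v)\n", out, err)
	gateway.Index, gateway.Key = cloud.Rotate() // rotation retires the old key on both sides
	_, err = Decapsulate(cloud, cloudKey, msg)
	fmt.Println("replayed old message after rotation:", err)
}
```

Two points of the design are worth noting. The key index travels in the clear so that the receiver can select the right key, but it is authenticated by both GCM layers, so a modified index is rejected rather than silently trying another key. And after a rotation the receiver accepts only the current index, which is what makes a retired key useless for replaying earlier traffic; in the patent's arrangement this per-endpoint scope is what limits a breach to a single endpoint device or gateway/router.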
[0047] Because communication between the gateway or router 324 and the cloud server 350 is secured without the use of firewalls, continuous data transmission between the endpoint device 330 and the control system 322 is possible. The use of the MQTTS protocol over the public cloud network 326 removes the possibility of the data 344 being compromised by spoofing or man-in-the-middle attacks.
[0048] It will be appreciated by those skilled in the art that while the invention has been described above in connection with particular embodiments and examples, the invention is not necessarily so limited, and that numerous other embodiments, examples, uses, modifications and departures from the embodiments, examples and uses are intended to be encompassed by the claims attached hereto. The entire disclosure of each patent and publication cited herein is incorporated by reference, as if each such patent or publication were individually incorporated by reference herein. Various features and advantages of the invention are set forth in the following claims.

Claims

1. A system comprising:
a production line that comprises:
a plurality of field devices that monitor the production line; and
a plurality of final control elements that control processing of material at the production line;
a control system that controls the final control elements and that receives process parameter data from the field devices, the control system being in a process control domain; and
a cloud gateway coupled to the control system, wherein the cloud gateway is configured to:
transfer first data from the control system to a remote endpoint device via a cloud server of a cloud network;
receive second data from the remote endpoint device via the cloud server; and
transfer the second data to the control system, wherein the first data and the second data are respectively encapsulated according to a message queuing telemetry transport over transport layer security protocol.
2. The system of claim 1, wherein the cloud gateway is configured to apply a message queuing telemetry transport over transport layer security protocol encryption to the first data based on a set of rotating certificates.
3. The system of claim 2, wherein the cloud gateway is configured to encode the first data based on one or more rotating keys.
4. The system of claim 3, wherein the cloud gateway is configured to encrypt the first data based on a cloud-managed encryption key.
5. The system of claim 4, wherein the cloud-managed encryption key includes a 256 bit block cipher.
6. The system of claim 1, wherein the process parameter data is selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
7. The system of claim 1, wherein the plurality of field devices comprises at least one of a temperature sensor, a pH sensor, a specific gravity sensor, a flow rate sensor, an alcohol content sensor, or a pressure sensor.
8. The system of claim 1, wherein the plurality of final control elements comprises at least one of a valve, a heating element, or a cooling element.
9. A method comprising:
receiving, by a gateway device, data from a control system within a process control domain;
encoding, by the gateway device, the data to add an encoding layer to the data to produce encoded data;
encrypting, by the gateway device, the encoded data to add an encryption layer to the encoded data to produce encrypted data;
encapsulating, by the gateway device, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, wherein the MQTTS protocol layer comprises a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index;
sending, by the gateway device, the encapsulated data to a cloud-based server; and
sending, by the cloud-based server, the encapsulated data to an endpoint device that is outside of the process control domain.
10. The method of claim 9, further comprising:
further encapsulating, by the gateway device, the encapsulated data to add a virtual private network (VPN) layer.
11. The method of claim 10, wherein the data comprises parameter data generated by one or more field devices of the process control domain, the parameter data being selected from a group consisting of: temperature data, pH data, specific gravity data, pressure data, and flow rate data.
12. The method of claim 10, further comprising:
generating, by the gateway device, the encoding layer based on a rotating key.
13. The method of claim 12, further comprising:
generating, by the gateway device, the encryption layer based on an encryption key that is managed by the cloud-based server.
14. The method of claim 13, wherein the encryption key corresponds to a block cipher.
15. The method of claim 13, further comprising:
generating, by the gateway device, the MQTTS protocol layer based on at least one certificate of a set of rotating certificates.
16. A method comprising:
receiving, by a cloud-based server, data from an endpoint device that is outside of a process control domain;
encoding, by the cloud-based server, the data to add an encoding layer to the data to produce encoded data;
encrypting, by the cloud-based server, the encoded data to add an encryption layer to the encoded data to produce encrypted data;
encapsulating, by the cloud-based server, the encrypted data to add a message queuing telemetry transport over transport layer security (MQTTS) protocol layer to produce encapsulated data, wherein the MQTTS protocol layer comprises a plurality of encrypted MQTTS channels corresponding to a multichannel rotating index;
sending, by the cloud-based server, the encapsulated data to a gateway device located at an edge between the process control domain and a cloud network that includes the cloud-based server; and
sending, by the gateway device, the encapsulated data to a control system that is in the process control domain.
17. The method of claim 16, further comprising:
further encapsulating, by the cloud-based server, the encapsulated data to add a virtual private network (VPN) layer.
18. The method of claim 16, wherein the data comprises instructions for controlling one or more final control elements of a production line.
19. The method of claim 16, further comprising:
generating, by the cloud-based server, the encoding layer based on a rotating key;
generating, by the cloud-based server, the encryption layer according to an encryption key that is managed by the cloud-based server; and
generating, by the gateway device, the MQTTS protocol layer based on a set of rotating certificates.
20. The method of claim 19, wherein the encryption key corresponds to a block cipher.
PCT/IB2019/001259 2018-11-13 2019-11-13 System and method for data transport security from isolated process control domains WO2020099934A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP19850792.3A EP3881516A1 (en) 2018-11-13 2019-11-13 System and method for data transport security from isolated process control domains

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862760112P 2018-11-13 2018-11-13
US62/760,112 2018-11-13

Publications (1)

Publication Number Publication Date
WO2020099934A1 true WO2020099934A1 (en) 2020-05-22

Family

ID=69582144

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2019/001259 WO2020099934A1 (en) 2018-11-13 2019-11-13 System and method for data transport security from isolated process control domains

Country Status (2)

Country Link
EP (1) EP3881516A1 (en)
WO (1) WO2020099934A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111506038A (en) * 2020-07-01 2020-08-07 粤海永顺泰(广州)麦芽有限公司 Malt monitoring and inspection data processing method and system
CN117255116A (en) * 2023-11-20 2023-12-19 中国移动紫金(江苏)创新研究院有限公司 Method and system for supporting traditional PLC cloud and remote operation and maintenance based on safety Box

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115857361B (en) * 2023-02-27 2023-04-28 山东申东智能装备有限公司 Optimized control method and system for beer fermentation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180164778A1 (en) * 2016-12-14 2018-06-14 Codewrights Gmbh Method and System for Monitoring a Plant of Process Automation

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180164778A1 (en) * 2016-12-14 2018-06-14 Codewrights Gmbh Method and System for Monitoring a Plant of Process Automation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Introduction to MQTT Security Mechanisms- Beginners Guide", 14 September 2018 (2018-09-14), XP055676111, Retrieved from the Internet <URL:https://web.archive.org/web/20180914234120/http://www.steves-internet-guide.com/mqtt-security-mechanisms/> [retrieved on 20200312] *
PENIAK PETER ET AL: "Extended Model of Secure Communication for Embedded Systems with IoT and MQTT", 2018 INTERNATIONAL CONFERENCE ON APPLIED ELECTRONICS (AE), UNIVERSITY OF WEST BOHEMIA, 11 September 2018 (2018-09-11), pages 1 - 4, XP033423724, DOI: 10.23919/AE.2018.8501434 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111506038A (en) * 2020-07-01 2020-08-07 粤海永顺泰(广州)麦芽有限公司 Malt monitoring and inspection data processing method and system
CN117255116A (en) * 2023-11-20 2023-12-19 中国移动紫金(江苏)创新研究院有限公司 Method and system for supporting traditional PLC cloud and remote operation and maintenance based on safety Box
CN117255116B (en) * 2023-11-20 2024-02-13 中国移动紫金(江苏)创新研究院有限公司 Method and system for supporting traditional PLC cloud and remote operation and maintenance based on safety Box

Also Published As

Publication number Publication date
EP3881516A1 (en) 2021-09-22

Similar Documents

Publication Publication Date Title
EP3881516A1 (en) System and method for data transport security from isolated process control domains
US10270745B2 (en) Securely transporting data across a data diode for secured process control communications
US10257163B2 (en) Secured process control communications
US10158991B2 (en) Method and system for managing security keys for user and M2M devices in a wireless communication network environment
US10172000B2 (en) Method and system for managing security keys for user and M2M devices in a wireless communication network environment
US8694770B1 (en) Auditable cryptographic protected cloud computing communication system
US20120233453A1 (en) Reducing Processing Load in Proxies for Secure Communications
EP3075128B1 (en) Communication system
AU2012315751B2 (en) Implementation of secure communications in a support system
EP3228059B1 (en) Secure connections establishment
US20030081783A1 (en) Selecting a security format conversion for wired and wireless devices
CN110012026B (en) Unmanned ship intelligent gateway based on hybrid password and data transmission method
CN109040318B (en) HTTPS connection method of CDN (content delivery network) and CDN node server
KR20160145682A (en) Apparatus and method for transmitting data
US20140053255A1 (en) Secure Non-Geospatially Derived Device Presence Information
KR101448866B1 (en) Security apparatus for decrypting data encrypted according to the web security protocol and operating method thereof
CN111132148A (en) Method and device for configuring and accessing intelligent household electrical appliance network and storage medium
US11349882B2 (en) Connecting devices to the cloud
US8316232B1 (en) Cryptographic manager tool system
KR101847636B1 (en) Method and apprapatus for watching encrypted traffic
WO2020109624A1 (en) Key negotiation and provisioning for devices in a network
WO2019209184A1 (en) System and method for establishing secure communication
WO2005057842A1 (en) A wireless lan system
WO2009041804A2 (en) Secure instant messaging
KR100958098B1 (en) Virtual private network service method and its system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19850792

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2019850792

Country of ref document: EP

Effective date: 20210614