WO2022022891A1 - Method for detecting possible tampering with an automation component - Google Patents

Method for detecting possible tampering with an automation component

Info

Publication number: WO2022022891A1
Application number: PCT/EP2021/066757
Authority: WO (WIPO, PCT)
Prior art keywords: digital signature, entity, automation component, data, verification data
Other languages: German (de), English (en)
Inventors: Marc KOEPKE, Alain Chomik, Sushil Siddesh, Matthias Brenzinger, Michael Blessing, Mikhail IGNATOV
Original assignee: Endress+Hauser Flowtec Ag
Priority date: 2020-07-31 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2021-06-21
Publication date: 2022-02-03
Application filed by: Endress+Hauser Flowtec Ag
Classifications

    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
    • G05B19/058 Safety, monitoring (G PHYSICS > G05 CONTROLLING; REGULATING > G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS > G05B19/00 Programme-control systems > G05B19/02 Programme-control systems electric > G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers > G05B19/05 Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/08 Network architectures or network communication protocols for network security for authentication of entities)
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity (H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information)
    • H04L63/126 Applying verification of the received information: the source of the received data (H04L63/00 Network architectures or network communication protocols for network security > H04L63/12 Applying verification of the received information)
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)

Definitions

  • the invention relates to a method for detecting any manipulation of an automation component, and to such an automation component which is designed for use in the method according to the invention.
  • automation components include field devices, which are used both in process automation and in factory automation.
  • all devices that are deployed close to the process and that supply or process process-relevant information are referred to as field devices.
  • field devices are used to record and/or influence process variables. Measuring devices or sensors are used to record process variables, for example in pressure, temperature, conductivity, flow, pH and level measurement, where they record the corresponding process variables pressure, temperature, conductivity, flow rate, pH value, level, etc.
  • Actuators are used to influence process variables. These are, for example, pumps or valves that can influence the flow of a liquid in a pipe or the fill level in a container.
  • automation components are also understood to mean gateways, edge devices, remote I/Os, wireless adapters or devices in general that are arranged at the field level.
  • field devices are usually connected to higher-level units via communication networks such as fieldbuses ( Profibus® , Foundation® Fieldbus , HART® , etc.).
  • the higher-level units are control systems or control units, such as a PLC (programmable logic controller).
  • the higher-level units are used, among other things, for process control, process visualization, process monitoring and for commissioning the field devices.
  • the measured values recorded by the field devices, in particular by sensors are transmitted via the respective bus system to one (or optionally several) higher-level unit(s).
  • data transmission from the higher-level unit via the bus system to the field devices is also required, in particular for configuring and parameterizing field devices and for controlling actuators.
  • Custody transfer systems are used in the oil and gas industry, among other things, and are used for transactions and the transport of physical substances between two operators - supplier and recipient.
  • Such a custody transfer system contains one or more automation components which are used to record the quantity of a transported physical substance and to store the data of the transactions. All transactions must be carried out and recorded in a tamper-proof and incontestable manner.
  • the automation components, in particular the field devices, must be verified, calibrated and certified for this purpose by an authority.
  • Automation components used in such custody transfer systems are checked by an authorized person for correct installation and configuration.
  • the automation component is then mechanically and/or electronically sealed.
  • Calibration documentation is often printed out on paper. Afterwards, the automation components are often unattended.
  • validating an automation component, in particular checking whether it is still sealed or whether its configuration has been changed, must currently be done manually on site.
  • a seal broken by unauthorized opening can only be proven afterwards and only directly on site, since there is no active alarm. An authorized person therefore has to travel to the individual automation components from time to time, which is time-consuming and expensive. Furthermore, the time at which the seal was broken cannot be established. In addition, the extent of a manipulation of an automation component, in particular of its configuration data, is often not readily ascertainable.
  • the object of the invention is to verify the sealing of an automation component from a remote location.
  • the object is achieved by a method for detecting any manipulation of an automation component, the automation component having a data record, a first private key and first verification data, which data record contains parameter values, formulas, calibration data, firmware versions, checksums and/or identification data, in particular a serial number or a device tag; the method comprises the method steps described below.
  • the advantage of the method according to the invention is that it can be checked from a remote location whether the data record stored in an automation component has been changed or not.
  • the data record is sent to a first instance, for example an authority, which checks the data record, for example whether calibrations have been carried out correctly.
  • the first instance then signs the data record and certifies the automation component in this way.
  • the automation component then creates a digital seal. This can be read out by a further instance, for example a plant operator, and checked using verification data which are supplied by the first instance and by the automation component. If changes were made to the data record, or if the digital seal was manipulated, one or more of the digital signatures cannot be successfully verified. An alarm message, for example, is then displayed to the system operator.
  • the method according to the invention in particular the steps of generating the digital signatures and the digital seal, is repeated if an authorized and documented change is made to the data record.
  • the first verification data or the second verification data comprise digital certificates and/or public keys.
  • the respective digital signatures can be verified in a simple manner by means of the digital certificates or the public keys.
  • at least one further instance is provided, the further instance having a further private key and further verification data, in particular a further digital certificate and/or a further public key, the method further comprising:
  • the digital seal comprising the data record, the further digital signature, the second digital signature and the first verification data
  • the data record is thus digitally signed by another entity, for example another authority or by a computer owned by the system operator.
  • a further level of security is thus added.
  • OPC UA (Open Platform Communications Unified Architecture) is used as the protocol of the communication network over which the data are read out and transmitted.
  • the steps of reading out and transmitting can thus be carried out in a manner protected against manipulation in transit, provided the OPC UA connection is configured with a security mode that signs (and preferably also encrypts) the messages; an OPC UA session with security mode None gives no such protection.
  • the field device and/or the second entity is in communication with a higher-level unit via an OPC UA network, and the automation component or the second entity inserts the alarm message, as a device status, into the cyclic OPC UA telegrams requested by the higher-level unit.
  • OPC UA telegrams contain a device status.
  • the device status is changed if the corresponding digital signatures could not be successfully verified and manipulation is therefore suspected. For example, the device status can be changed to "Verification failed" or "Needs verification".
  • the automation component is switched off or a communication functionality of the automation component is deactivated. This can happen automatically so that no damage to the process or manipulation of the value stream occurs, especially in custody transfer applications or in safety-critical applications.
  • the digital signatures are formed over hash values of the data record, using the respective private key.
  • the object is also achieved by an automation component which is designed for use in the method according to the invention.
  • the automation component requires appropriate software or firmware, which is loaded onto the automation component by an authorized person before the method is carried out.
  • the version of the software and the time it was uploaded is added to the record.
  • the automation component is a field device which is designed to record a physical measured variable of a technical process or to influence a process variable.
  • the automation component is a control system, an industrial gateway, a remote I/O, a plant access point or an edge device.
  • FIG. 1 shows an exemplary embodiment of the method according to the invention
  • FIG. 2 a detail of the exemplary embodiment.
  • a field device is used as the automation component AK, specifically a flow meter for detecting a mass flow of a measurement medium that flows through a pipeline.
  • the field device can be used in a custody transfer system, for example, and the measurement medium is crude oil, for example. In such a system it is of great importance that the measured values of the field device are calibrated and cannot be manipulated.
  • the field device must be calibrated for this.
  • the calibration data or calibration certificates, together with other data such as identification data of the automation component AK, parameter values of the automation component AK, the current firmware version, etc., are stored in a data record DS on the automation component AK.
  • the automation component has a first private key KY1 and first verification data VD1. These are used in a later method step. Verification data, as mentioned in this and the further method steps, comprise a public key and/or digital certificates, for example.
  • a network device for example a gateway, a flow computer, an edge device, etc. can be used as the automation component AK.
  • the data record DS is read out by a first entity IN1. All data transmission processes (reading out and transmitting) mentioned in this and the following method steps are carried out via a communication network that uses OPC UA as its protocol. With message signing enabled, this protocol protects the transmitted data against manipulation in transit.
  • the first entity IN1 is, for example, an authority.
  • the authority checks the data record DS, in particular the identification data, parameter values, firmware versions, checksums, calibration certificates and/or the amount of measurement medium that has flowed through the automation instrument, and signs the data record DS cryptographically, in particular by forming a hash value of the data record DS.
  • the authority has a second private key KY2 for this purpose.
  • the first instance IN1 has second verification data VD2, which allow conclusions to be drawn about the correctness of the data record DS and the identity of the first instance IN1.
  • the verification data VD2 is a public key that corresponds to the private key KY2.
  • the verification can be carried out as follows:
  • H = f(DS), where H denotes the hash value of the data record DS and f denotes a hash function.
  • SN1 = g(DS, KY2), where g denotes an asymmetric cryptographic function applied with the second private key KY2.
  • DS = g'(SN1, VD2), where g' denotes the asymmetric cryptographic function that reverses g, i.e. decrypts with the public key VD2 what was encrypted by g; the result is compared with the data record.
  • the first entity IN1 transmits the first digital signature SN1 and the second verification data VD2 to the automation component AK, whereupon this data is written into the automation component AK.
  • in a fourth method step 4.), the automation component generates a second digital signature SN2.
  • the data record DS, the first digital signature SN1 and the second verification data VD2 are cryptographically signed using the first private key KY1, in particular by forming a hash value or by encrypting the data.
  • the automation component then creates a so-called digital seal SG.
  • This contains the data record DS, the first digital signature SN1, the second digital signature SN2 and the first verification data VD1.
  • if an authorized and documented change is made to the data record DS, method steps 1.) to 4.) are repeated.
  • the contents of the digital seal SG always correspond to the current data record DS. If the data record DS is manipulated by an unauthorized person, the content of the digital seal SG no longer corresponds to the data record. An unauthorized person cannot update the digital seal, as this always involves at least one instance IN1 over which he cannot exercise any control. Checking the digital seal SG for consistency with the current data record DS is described below:
  • the automation component AK transfers the digital seal SG to an external database, for example a cloud-based database, in a method step 5.).
  • the digital seal SG remains in a data memory of the automation component AK.
  • a second entity IN2 for example another authority or the plant operator, reads the digital seal SG in a method step 6.) from the database or the automation component AK.
  • the second entity IN2 verifies the first signature SN1 in a method step 7.), i.e. in particular the identity of the first entity IN1, using the second verification data VD2.
  • the second instance IN2 reads out the current data set DS from the automation component AK in a method step 8.). In a method step 9.), the second entity IN2 then verifies the second digital signature using the first verification data VD1, for example by decrypting the data record and comparing the decrypted data record with the current data record DS.
  • the result is then made known. If the first signature SN1 and the second signature SN2 could be successfully verified, then the data record DS was not changed without authorization. If one or both of the signatures SN1, SN2 cannot be verified successfully, the current data record DS stored in the automation component AK may have been manipulated. In this case, an alarm message is generated for example directly in the second entity IN2.
  • the cyclic status of the automation component, which is retrieved by a higher-level unit, is changed.
  • the automation component AK is in communication connection with the superordinate unit, for example a control unit, via an OPC UA network. The device status is inserted into the cyclic OPC-UA telegrams requested by the higher-level unit, so that an alarm message is automatically detected. As a reaction, for example, the communication functionality of the automation component is restricted.
  • additional entities INx, INn are provided, which generate additional digital signatures SNx, SNn.
  • in this variant the automation component does not generate the digital seal SG directly after method step 3.).
  • the first digital signature and the second verification data are transmitted to the further instance INx in a method step 1.a).
  • in a method step 2.a), the further instance INx generates a further digital signature SNx by cryptographically signing the data record DS, the first digital signature SN1 and the second verification data VD2 using a further private key KYx assigned to the further instance.
  • the further entity INx transmits the further digital signature SNx and the further verification data VDx to the automation component AK, whereupon this data is written into the automation component.
  • the automation component then creates the digital seal SG (as in method step 4.) ff.). This contains all digital signatures SN1, SNx, ..., SNn generated by the entities IN1, INx, ..., INn, as well as the digital signature SN2 generated by the automation component itself. An unauthorized person would have to exercise control over all instances IN1, INx, ..., INn in order to change the data record DS and write this change into the digital seal SG.
  • the second entity IN2 verifies all digital signatures SN1, SNx, ..., SNn in succession, ending with the second signature SN2, which allows the data record DS itself to be verified. If just one of the digital signatures SN1, SN2, SNx, ..., SNn cannot be verified, the alarm message is generated.
  • the method according to the invention is particularly suitable for use in custody transfer systems in which transactions must be carried out and recorded in a tamper-proof and incontestable manner.
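Method steps 1.) to 9.) above, together with the variant with further instances INx, ..., INn, implemented as an added example; this is not code from the patent or from Endress+Hauser. It uses Go's standard-library Ed25519 as the asymmetric functions g and g' and SHA-256 as the hash function f. Because Ed25519 verification yields only pass/fail rather than recovering the data record, the comparison with the current data record in step 9.) is made by verifying every signature over the record read from the device now. The names Entity, InstanceSig, Seal, NewEntity, Trusted, BuildSeal and VerifySeal, the constructed sample data record, and the rule that each party signs the hash of DS together with all earlier signatures and verification data (the generalization of signing DS, SN1 and VD2 in step 2.a) to any number of instances) are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Entity is a signing party (AK, IN1, INx): Priv is its private key KY, VD its public verification data.
type Entity struct {
	Name string
	Priv ed25519.PrivateKey
	VD   ed25519.PublicKey
}

// NewEntity makes a fresh key pair (a real AK keeps KY1 non-extractable).
func NewEntity(name string) Entity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Entity{Name: name, Priv: priv, VD: pub}
}

// Trusted is the verification data IN2 obtained out of band; VDs carried in the seal are accepted only if they match it.
func Trusted(parties ...Entity) map[string]ed25519.PublicKey {
	t := make(map[string]ed25519.PublicKey, len(parties))
	for _, p := range parties {
		t[p.Name] = p.VD
	}
	return t
}

// InstanceSig is one instance signature (SN1, SNx, ..., SNn) with its signer's VD.
type InstanceSig struct {
	Name string
	Sig  []byte
	VD   ed25519.PublicKey
}
// Seal is the digital seal SG: DS, the instance signatures in order, SN2 and VD1.
type Seal struct {
	DS   []byte
	Sigs []InstanceSig
	SN2  []byte
	VD1  ed25519.PublicKey
}

// digest is what a party signs: f(DS) chained with every earlier signature and VD (assumed construction).
func digest(ds []byte, prior []InstanceSig) []byte {
	h := sha256.New()
	h.Write(ds)
	for _, s := range prior {
		h.Write(s.Sig)
		h.Write(s.VD)
	}
	return h.Sum(nil)
}

// BuildSeal is steps 2 to 4 (with 2.a): instances sign in turn, AK closes with SN2.
func BuildSeal(ak Entity, ds []byte, instances ...Entity) Seal {
	var sigs []InstanceSig
	for _, in := range instances {
		sig := ed25519.Sign(in.Priv, digest(ds, sigs))
		sigs = append(sigs, InstanceSig{Name: in.Name, Sig: sig, VD: in.VD})
	}
	return Seal{DS: ds, Sigs: sigs, SN2: ed25519.Sign(ak.Priv, digest(ds, sigs)), VD1: ak.VD}
}

// VerifySeal is steps 7 to 9 as run by IN2. Every signature is checked against
// currentDS, the record read from the device now (step 8), not the seal's copy,
// so a rewritten record fails at SN1 even if the attacker holds KY1.
func VerifySeal(sg Seal, currentDS []byte, trusted map[string]ed25519.PublicKey) error {
	for i, s := range sg.Sigs {
		if want, ok := trusted[s.Name]; !ok || !bytes.Equal(want, s.VD) {
			return fmt.Errorf("%s: verification data not trusted", s.Name)
		}
		if !ed25519.Verify(s.VD, digest(currentDS, sg.Sigs[:i]), s.Sig) {
			return fmt.Errorf("%s: signature does not verify", s.Name)
		}
	}
	if want, ok := trusted["AK"]; !ok || !bytes.Equal(want, sg.VD1) {
		return errors.New("AK: verification data not trusted")
	}
	if !ed25519.Verify(sg.VD1, digest(currentDS, sg.Sigs), sg.SN2) {
		return errors.New("AK: second signature SN2 does not verify")
	}
	return nil
}

func main() {
	ak, in1, inx := NewEntity("AK"), NewEntity("IN1"), NewEntity("INx")
	ds := []byte("serial=8A1F-0042;tag=FT-101;fw=1.4.2;kfactor=0.99812") // constructed sample record
	tampered := []byte("serial=8A1F-0042;tag=FT-101;fw=1.4.2;kfactor=1.01200")
	trusted := Trusted(ak, in1, inx)
	sg := BuildSeal(ak, ds, in1, inx)
	fmt.Println("untouched record:", VerifySeal(sg, ds, trusted))
	fmt.Println("tampered record: ", VerifySeal(sg, tampered, trusted))
	fmt.Println("re-sealed by fake IN1:", VerifySeal(BuildSeal(ak, tampered, NewEntity("IN1"), inx), tampered, trusted))
}
```

A non-nil result from VerifySeal is the alarm of step 9.); in the OPC UA variant it is what the component or IN2 would map to the "Verification failed" device status. After an authorized change to DS, BuildSeal is run again by the same parties, which is the repetition of steps 1.) to 4.). The Trusted table stands in for the certificates the patent allows as verification data: if IN2 took VD1 and VD2 from the seal itself, anyone with fresh keys could re-seal an altered record, so the trust anchor for each instance has to come from outside the seal.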

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a network device (NG) having a first interface (SN1) and an electronics unit (EE), the first interface (SN1) being designed to receive data wirelessly, in particular data from at least one automation field device (FG) according to an OPC UA protocol, the network device (NG) being designed to display the received data and/or to process the data further by means of the electronics unit (EE). The invention also relates to a system for the tamper-free transmission of data from an automation field device (FG), the system comprising the network device (NG) according to the invention.
PCT/EP2021/066757, priority date 2020-07-31, filing date 2021-06-21: Method for detecting possible tampering with an automation component, WO2022022891A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102020120300.4A DE102020120300A1 (de) 2020-07-31 2020-07-31 Method for detecting possible manipulation of an automation component
DE102020120300.4 2020-07-31

Publications (1)

Publication Number Publication Date
WO2022022891A1 (fr) 2022-02-03

Family

ID=76708205

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/066757 WO2022022891A1 (fr) 2020-07-31 2021-06-21 Method for detecting possible tampering with an automation component

Country Status (2)

Country Link
DE (1) DE102020120300A1 (fr)
WO (1) WO2022022891A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102012004542A1 (de) * 2012-03-09 2013-09-12 Rwe Ag Electronic nameplate for measuring devices
US20160359825A1 (en) * 2015-06-02 2016-12-08 Rockwell Automation Technologies, Inc. Active Response Security System for Industrial Control Infrastructure
EP3554050A1 (fr) * 2018-04-09 2019-10-16 Siemens Aktiengesellschaft Method for securing an automation component
US20190349204A1 (en) * 2018-05-14 2019-11-14 NStar Technology Incorporated Trusted Contextual Content

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7757944B2 (en) 2004-12-30 2010-07-20 Life Technologies Corporation System and method for offering and managing online purchasing card transactions
MX366941B (es) 2013-03-15 2019-07-31 Wellaware Holdings Inc Systems and methods for providing end-to-end tracking and/or control of remote oil and gas production assets
US20170032382A1 (en) 2014-04-14 2017-02-02 Jenda Tag, LLC System and Method for Product Authentication
WO2017176429A1 (fr) 2016-04-05 2017-10-12 Wellaware Holdings, Inc. Monitoring and control of industrial equipment
DE102016208512A1 (de) 2016-05-18 2017-11-23 Bundesdruckerei Gmbh Access control with a mobile radio device


Also Published As

Publication number Publication date
DE102020120300A1 (de) 2022-02-03

Similar Documents

Publication Publication Date Title
DE102017111928A1 (de) Method for the authorized updating of an automation technology field device
EP3264208A1 (fr) Method for updating process objects in an engineering system
DE102016124350A1 (de) Method and system for monitoring a process automation plant
DE102012109348A1 (de) Method for the secure operation of a field device
DE202016105474U1 (de) Device for the tamper-proof recording of measured values
DE102017102677A1 (de) Method for authenticating an automation technology field device
EP3607405B1 (fr) Method for parameterizing a field device and parameterizable field device
WO2016026622A1 (fr) Method for parameterizing a field device
DE102010044184B4 (de) Method and communication unit for creating a diagnosis of a field device
EP3391611B1 (fr) Access key for a field device
DE102014112226A1 (de) Method for transmitting field device data
EP2018603A1 (fr) Method for parameterizing a process automation technology field device by emulating acyclic services
WO2022022891A1 (fr) Method for detecting possible tampering with an automation component
EP3732868B1 (fr) Method for securing an automation component
WO2005109133A2 (fr) Method for determining service intervals for automation technology field devices
DE102010028152A1 (de) Recording of history information in a field device
DE102010027963A1 (de) Method for operating a process automation technology field device
DE102007022006A1 (de) Method for transmitting data to an automation technology field device, in particular a process automation technology field device
DE102007035159A1 (de) Method for parameterizing a plurality of automation technology field devices
WO2022135844A1 (fr) Decoy for a connection between an edge device and a cloud service platform
AT522276B1 (de) Device and method for checking the integrity of sensor data streams
DE102020127079A1 (de) Method and system for integrating automation technology field devices into a cloud-based service platform
DE102020118958A1 (de) Field device and method for integrating a field device
EP3820081A1 (fr) Method for implementing authorization-dependent communication between at least one automation technology field device and a control device
DE102011084321A1 (de) Communication unit with information display based on plant structure

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 21736270; country of ref document: EP; kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 EP: PCT application non-entry in European phase. Ref document number: 21736270; country of ref document: EP; kind code of ref document: A1