WO2022022891A1 - Method for detecting potential tampering of an automation component - Google Patents
Method for detecting potential tampering of an automation component
- Publication number: WO2022022891A1 (application PCT/EP2021/066757)
- Authority: WO, WIPO (PCT)
- Prior art keywords: digital signature, entity, automation component, data, verification data
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/05—Programmable logic controllers, e.g. simulating logic interconnections of signals according to ladder diagrams or function charts
- G05B19/058—Safety, monitoring
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Definitions
- the invention relates to a method for detecting any manipulation of an automation component, and to such an automation component which is designed for use in the method according to the invention.
- field devices are used as automation components, which are used in process automation technology as well as in production automation technology.
- all devices that are used close to the process and that supply or process process-relevant information are referred to as field devices.
- field devices are used to record and/or influence process variables. Measuring devices or sensors are used to record process variables; these are used, for example, for pressure measurement, temperature measurement, conductivity measurement, flow measurement, pH measurement, level measurement, etc., and record the corresponding process variables pressure, temperature, conductivity, pH value, level, flow rate, etc.
- Actuators are used to influence process variables. These are, for example, pumps or valves that can influence the flow of a liquid in a pipe or the fill level in a container.
- automation components are also understood to mean gateways, edge devices, remote I/Os, wireless adapters or devices in general that are arranged at the field level.
- field devices are usually connected to higher-level units via communication networks such as fieldbuses ( Profibus® , Foundation® Fieldbus , HART® , etc.).
- the higher-level units are control systems or control units, such as a PLC (programmable logic controller).
- the higher-level units are used, among other things, for process control, process visualization, process monitoring and for commissioning the field devices.
- the measured values recorded by the field devices, in particular by sensors, are transmitted via the respective bus system to one (or optionally several) higher-level unit(s).
- data transmission from the higher-level unit via the bus system to the field devices is also required, in particular for configuring and parameterizing field devices and for controlling actuators.
- Custody transfer systems are used in the oil and gas industry, among other things, and are used for transactions and the transport of physical substances between two operators - supplier and recipient.
- Such a custody transfer system contains one or more automation components which are used to record the quantity of a transported physical substance and to store the data of the transactions. All transactions must be carried out and recorded in a tamper-proof and incontestable manner.
- the automation components, in particular the field devices, must be verified and calibrated and certified in this regard by an authority.
- Automation components used in such custody transfer systems are checked by an authorized person for correct installation and configuration.
- the automation component is then mechanically and/or electronically sealed.
- Calibration documentation is often printed out on paper. Afterwards, the automation components are often unattended.
- a validation of an automation component, in particular with regard to the question of whether the automation component is still sealed or whether the configuration has been changed, must be carried out manually on site.
- a broken seal caused by unauthorized opening can only be proven afterwards and only directly on site, since there is no active alarm. An authorized person thus has to travel to individual automation components from time to time, which is time-consuming and expensive. Furthermore, a chronological assignment of the breaking of the seal is not possible. In addition, the degree of manipulation of an automation component, in particular with regard to the configuration data, is often not readily ascertainable.
- the object of the invention is to verify the sealing of an automation component from a remote location.
- the object is achieved by a method for detecting any manipulation of an automation component, the automation component having a data record, a first private key and first verification data, the data record containing parameter values, formulas, calibration data, firmware versions, checksums and/or identification data, in particular a serial number or a device tag, wherein the method comprises the following method steps:
- the advantage of the method according to the invention is that it can be checked from a remote location whether the data record stored in an automation component has been changed or not.
- the data record is sent to a first instance, for example an authority, which checks the data record, for example whether calibrations have been carried out correctly.
- the first instance then signs the data record and certifies the automation component in this way.
- the automation component then creates a digital seal. This can be read out by a further instance, for example a plant operator, and checked using verification data which are supplied by the first instance and by the automation component. If changes were made to the data record, or if the digital seal was manipulated, one or more of the digital signatures cannot be successfully verified. An alarm message, for example, is then displayed to the system operator.
- the method according to the invention in particular the steps of generating the digital signatures and the digital seal, is repeated if an authorized and documented change is made to the data record.
- the first verification data or the second verification data comprise digital certificates and/or public keys.
- the respective digital signatures can be verified in a simple manner by means of the digital certificates or the public keys.
- at least one further instance is provided, the further instance having a further private key and further verification data, in particular a further digital certificate and/or a further public key, the digital seal then comprising the data record, the further digital signature, the second digital signature and the first verification data.
- the data record is thus digitally signed by another entity, for example another authority or by a computer owned by the system operator.
- a further level of security is thus added.
- the data are read out and transmitted via OPC UA (Open Platform Communications Unified Architecture); the steps of reading out and transmitting can thus be carried out in a tamper-proof manner.
- the field device and/or the second entity is in communication with a higher-level unit via an OPC UA network, and the automation component or the second entity inserts the alarm message as a device status into the cyclic OPC UA telegrams requested by the higher-level unit.
- OPC UA telegrams contain a device status.
- the device status is changed if the corresponding digital signatures could not be successfully verified and manipulation is therefore suspected. For example, the device status can be changed to "Verification failed" or "Needs verification".
- the automation component is switched off or a communication functionality of the automation component is deactivated. This can happen automatically so that no damage to the process or manipulation of the value stream occurs, especially in custody transfer applications or in safety-critical applications.
- the digital signatures comprise hash values of the data record that are signed using the respective private key.
- the object is also achieved by an automation component which is designed for use in the method according to the invention.
- the automation component requires appropriate software or firmware, which is loaded onto the automation component by an authorized person before the method is carried out.
- the version of the software and the time at which it was uploaded are added to the data record.
- the automation component is a field device which is designed to record a physical measured variable of a technical process or to influence a process variable.
- the automation component is a control system, an industrial gateway, a remote I/O, a plant access point or an edge device.
- FIG. 1 shows an exemplary embodiment of the method according to the invention; FIG. 2 shows a detail of the exemplary embodiment.
- a field device is used as the automation component AK, specifically a flow meter for detecting a mass flow of a measurement medium that flows through a pipeline.
- the field device can be used in a custody transfer system, for example, and the measurement medium is crude oil, for example. In such a system it is of great importance that the measured values of the field device are calibrated and cannot be manipulated.
- the field device must be calibrated for this.
- the calibration data or calibration certificates, together with other data such as identification data of the automation component AK, parameter values of the automation component AK, the current firmware version, etc., are stored in a data record DS on the automation component AK.
- the automation component has a first private key and first verification data VD1. These components are used in a later process step. Verification data, which are mentioned in this method step and in further method steps, have a public key and/or digital certificates, for example.
- a network device for example a gateway, a flow computer, an edge device, etc. can be used as the automation component AK.
- the data set DS is read out by a first entity IN1. All data transmission processes (reading and transmission), which are mentioned in this and the following method steps, are carried out via a communication network that uses OPC UA as a protocol. This protocol allows data to be transmitted without manipulation.
- the first entity IN1 is, for example, an authority.
- the authority checks the data record DS, in particular the identification data, parameter values, firmware versions, checksums, calibration certificates and/or the amount of measurement medium that has flowed through the automation component AK, and signs the data record DS cryptographically, in particular by forming a hash value of the data record DS.
- the authority has a second private key KY2 for this purpose.
- the first instance IN1 has second verification data VD2, which allow conclusions to be drawn about the correctness of the data record DS and the identity of the first instance IN1.
- the verification data VD2 is a public key that corresponds to the private key KY2.
- the verification can be carried out as follows:
- H denotes the hash value of the data record DS: H = f(DS), where f denotes a hash function.
- g denotes an asymmetric cryptographic function: SN1 = g(DS, KY2).
- g' denotes the asymmetric cryptographic function that decrypts what was encrypted by g, so DS = g'(SN1, VD2).
- the first entity IN1 transmits the first digital signature SN1 and the second verification data VD2 to the automation component AK, whereupon this data is written into the automation component AK.
- in a fourth method step 4.), the automation component generates a second digital signature SN2.
- the data record DS, the first digital signature SN1 and the second verification data VD2 are cryptographically signed using the first private key KY1, in particular by forming a hash value or by encrypting the data.
- the automation component then creates a so-called digital seal SG.
- This contains the data record DS, the first digital signature SN1, the second digital signature SN2 and the first verification data VD1.
- method steps 1.) to 4.) are repeated.
- the contents of the digital seal SG always correspond to the current data record DS. If the data record DS is manipulated by an unauthorized person, the content of the digital seal SG no longer corresponds to the data record. An unauthorized person cannot update the digital seal, as this always involves at least one instance IN1 over which he cannot exercise any control. Checking the digital seal SG for consistency with the current data record DS is described below:
- the automation component AK transfers the digital seal SG to an external database, for example a cloud-based database, in a method step 5.).
- the digital seal SG remains in a data memory of the automation component AK.
- a second entity IN2 for example another authority or the plant operator, reads the digital seal SG in a method step 6.) from the database or the automation component AK.
- the second entity verifies in a method step 7.) the first signature SN1, i.e. in particular the identity of the first entity IN1.
- the second instance IN2 reads out the current data set DS from the automation component AK in a method step 8.). In a method step 9.), the second entity IN2 then verifies the second digital signature using the first verification data VD1, for example by decrypting the data record and comparing the decrypted data record with the current data record DS.
- the result is then made known. If the first signature SN1 and the second signature SN2 could be successfully verified, then the data record DS was not changed without authorization. If one or both of the signatures SN1, SN2 cannot be verified successfully, the current data record DS stored in the automation component AK may have been manipulated. In this case, an alarm message is generated for example directly in the second entity IN2.
- the cyclic device status of the automation component, which is retrieved by a higher-level unit, is changed.
- the automation component AK is in communication connection with the higher-level unit, for example a control unit, via an OPC UA network. The device status is inserted into the cyclic OPC UA telegrams requested by the higher-level unit, so that an alarm message is automatically detected. As a reaction, for example, the communication functionality of the automation component is restricted.
- additional entities INx, INn are provided, which generate additional digital signatures SNx, SNn.
- the digital seal SG is not generated directly.
- the first digital signature and the second verification data are transmitted to the further instance INx in a method step 1.a).
- in a method step 2.a), the further instance INx generates a further digital signature SNx by cryptographically signing the data record DS, the first digital signature SN1 and the second verification data VD2 using a further private key KYx assigned to the further instance.
- the further entity INx transmits the further digital signature SNx and the further verification data VDx to the automation component AK, whereupon this data is written into the automation component.
- the automation component then creates the digital seal SG (similar to method step 4.) ff.). This contains all of the digital signatures SN1, SN2, SNx, ..., SNn generated by the entities IN1, INx, ..., INn and by the automation component itself. An unauthorized person would have to exercise control over all instances IN1, INx, ..., INn in order to change the data record DS and to write this update into the digital seal SG.
- the second entity IN2 verifies all digital signatures SN1, SN2, SNx, SNn in succession, ending with the second signature SN2, whose verification allows the data record DS to be checked. If just one of the digital signatures SN1, SN2, SNx, SNn cannot be verified, the alarm message is generated.
- the method according to the invention is particularly suitable for use in custody transfer systems in which transactions must be carried out and recorded in a tamper-proof and incontestable manner.
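The two-signature flow of method steps 1.) to 4.) and 6.) to 9.) above, as an added Go example that is not part of the patent or of any product: Ed25519 stands in for the asymmetric functions g and g', SHA-256 over a canonical JSON encoding stands in for the hash function f, and the DataRecord fields, the device status strings and the sample values are constructed for this example. The further entities INx are deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// DataRecord is the data record DS held by the automation component AK.
type DataRecord struct {
	SerialNumber string  `json:"serial_number"`
	CalFactor    float64 `json:"cal_factor"`
}

// Seal is the digital seal SG: DS, SN1, SN2 and the device's verification data VD1.
type Seal struct {
	DS       DataRecord
	SN1, SN2 []byte
	VD1      ed25519.PublicKey
}

// Device is AK with its record and key pair (KY1, VD1); Authority is IN1 with (KY2, VD2).
type Device struct {
	DS  DataRecord
	KY1 ed25519.PrivateKey
	VD1 ed25519.PublicKey
}
type Authority struct{ KY2 ed25519.PrivateKey; VD2 ed25519.PublicKey }

// hashDS is f(DS): SHA-256 over a canonical (field-ordered JSON) encoding of DS.
func hashDS(ds DataRecord) []byte {
	raw, _ := json.Marshal(ds)
	h := sha256.Sum256(raw)
	return h[:]
}

// sn2Message is what KY1 signs in step 4: H(DS) followed by SN1 and VD2.
func sn2Message(ds DataRecord, sn1 []byte, vd2 ed25519.PublicKey) []byte {
	msg := append(hashDS(ds), sn1...)
	return append(msg, vd2...)
}

// Certify is steps 2 and 3: after reviewing DS, IN1 returns SN1 = g(H(DS), KY2).
func (a Authority) Certify(ds DataRecord) []byte {
	return ed25519.Sign(a.KY2, hashDS(ds))
}

// MakeSeal is step 4: AK signs (DS, SN1, VD2) with KY1 and assembles SG.
func (d Device) MakeSeal(sn1 []byte, vd2 ed25519.PublicKey) Seal {
	sn2 := ed25519.Sign(d.KY1, sn2Message(d.DS, sn1, vd2))
	return Seal{DS: d.DS, SN1: sn1, SN2: sn2, VD1: d.VD1}
}

// VerifySeal is steps 7 to 9 at IN2: SN1 is checked with VD2 obtained from IN1 (not from
// the seal), then SN2 is checked with VD1 over the record read from the device right now.
// In a deployment VD1 should be a device certificate chained to a trusted root.
func VerifySeal(sg Seal, vd2 ed25519.PublicKey, current DataRecord) string {
	if !ed25519.Verify(vd2, hashDS(sg.DS), sg.SN1) {
		return "Verification failed" // IN1 never certified the sealed record
	}
	if !ed25519.Verify(sg.VD1, sn2Message(current, sg.SN1, vd2), sg.SN2) {
		return "Verification failed" // record changed since sealing, or seal not from AK
	}
	return "OK"
}

// Scenario runs the flow on constructed values: status before and after on-site tampering.
func Scenario() (before, after string) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	dev := Device{DataRecord{"FM-0001", 1.002}, priv1, pub1}
	auth := Authority{priv2, pub2}
	sg := dev.MakeSeal(auth.Certify(dev.DS), auth.VD2) // SG kept on AK or in a database
	before = VerifySeal(sg, auth.VD2, dev.DS)
	dev.DS.CalFactor = 1.05 // unauthorized change; SG cannot be refreshed without IN1
	after = VerifySeal(sg, auth.VD2, dev.DS)
	return before, after
}

func main() {
	b, a := Scenario()
	fmt.Println("status before tampering:", b, "/ after:", a)
}
```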
Abstract
The invention relates to a network device (NG) having a first interface (SN1) and an electronic unit (EE), the first interface (SN1) being designed to receive data wirelessly, in particular data from at least one automation field device (FG) according to an OPC UA protocol, the network device (NG) being designed to display the received data and/or further process said data by means of the electronic unit (EE). The invention also relates to a system for the tamper-proof transmission of data from an automation field device (FG), said system comprising the network device (NG) according to the invention.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102020120300.4A DE102020120300A1 (de) | 2020-07-31 | 2020-07-31 | Method for detecting any manipulation of an automation component |
DE102020120300.4 | 2020-07-31 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022022891A1 true WO2022022891A1 (fr) | 2022-02-03 |
Family
ID=76708205
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2021/066757 WO2022022891A1 (fr) | 2020-07-31 | 2021-06-21 | Method for detecting potential tampering of an automation component |
Country Status (2)
Country | Link |
---|---|
DE (1) | DE102020120300A1 (fr) |
WO (1) | WO2022022891A1 (fr) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102012004542A1 (de) * | 2012-03-09 | 2013-09-12 | Rwe Ag | Elektronisches Typenschild für Messgeräte |
US20160359825A1 (en) * | 2015-06-02 | 2016-12-08 | Rockwell Automation Technologies, Inc. | Active Response Security System for Industrial Control Infrastructure |
EP3554050A1 (fr) * | 2018-04-09 | 2019-10-16 | Siemens Aktiengesellschaft | Procédé de sécurisation d'un composants d'automatisation |
US20190349204A1 (en) * | 2018-05-14 | 2019-11-14 | NStar Technology Incorporated | Trusted Contextual Content |
- 2020-07-31: DE DE102020120300.4A patent/DE102020120300A1/de active Pending
- 2021-06-21: WO PCT/EP2021/066757 patent/WO2022022891A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
DE102020120300A1 (de) | 2022-02-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21736270; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21736270; Country of ref document: EP; Kind code of ref document: A1 |