
ADAPTIVE, MODEL-BASED SECURITY FRAMEWORK FOR INDUSTRIAL AUTOMATION NETWORKS

IP.com Disclosure Number: IPCOM000246532D
Publication Date: 2016-Jun-15
Document File: 4 page(s) / 98K

Publishing Venue

The IP.com Prior Art Database

Related People

Maik Seewald: AUTHOR

Abstract

Presented herein is a security framework for industrial control systems, where domain-specific data is used to configure security controls and network devices, either manually/statically or dynamically. Domain-specific configuration data is inherently less error prone than manual configuration. In an automated mode, the framework allows for dynamic and constant reconfiguration of network devices and security appliances. Moreover, the framework creates a more complete picture of configuration data and communication to support a behavior-based security approach.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


ADAPTIVE, MODEL-BASED SECURITY FRAMEWORK FOR INDUSTRIAL AUTOMATION NETWORKS

 AUTHOR: Maik Seewald

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

    The paradigm of the Industrial Automation domain is changing to one based on interconnectivity and a growing number of connected systems and devices. This includes enterprise systems, business applications and third-party entities. While the change creates new opportunities for applications and services, it necessarily increases the burden placed on network security and raises the standard for security beyond that of traditional segmentation and access control. In a now dynamic security environment, a security system must be both adaptable and domain-centric; that is, it must be able to address new devices and new network paths in a flexible and automated manner, and it must address the specifics of the domain on top of the network layer to achieve better visibility and control.

Copyright 2016 Cisco Systems, Inc.

    Presented herein is a dynamic security framework that meets both requirements described above. Domain-specific configuration data for automation devices is used as input for the network and security appliances (switches, routers, firewalls, etc.) deployed throughout the network. The Open Platform Communications (OPC) Unified Architecture (OPC UA) is an industrial machine-to-machine (M2M) communication protocol for interoperability developed by the OPC Foundation. The OPC-UA protocol suite is not only a protocol; it also consists of an extensive data model including communication and security mapping services, making OPC-UA the communication standard for the digitalization of factory automation. The communication relations and definitions (IP addresses, media access control (MAC) addresses) are part of the data and configuration model. The dynamic security framework involves the following basic steps:

• Retrieve configuration and engineering data from the configuration files (OPC-UA configuration files); integrate into the OPC-UA configuration tool chain or access the XML-based configuration files separately.

• Process network and security configuration and determine the n...
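As an added illustration of the retrieve-and-process steps above (example code, not from the disclosure or from Cisco), the following Python script parses a small, constructed XML device/communication model, derives a default-deny allow-list for a packet filter from the modelled client-to-server relations, and checks an observed flow against that model. The XML element names (AutomationNetwork, Device, Endpoint, Relation), the sample addresses and the iptables rendering are all assumptions made for this example; the real OPC UA configuration schema is not reproduced here.

```python
"""Derive network allow-list rules from a device/communication model.

Constructed example: the XML below is a simplified stand-in for an
engineering/configuration export and is NOT the real OPC UA
ApplicationConfiguration schema.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical element names and addresses).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<AutomationNetwork>
  <Device name="PLC-1" ip="10.0.1.10" mac="00:11:22:33:44:01">
    <Endpoint url="opc.tcp://10.0.1.10:4840"/>
  </Device>
  <Device name="HMI-1" ip="10.0.1.20" mac="00:11:22:33:44:02"/>
  <Device name="Historian" ip="10.0.2.5" mac="00:11:22:33:44:03">
    <Endpoint url="opc.tcp://10.0.2.5:4841"/>
  </Device>
  <Relation client="HMI-1" server="PLC-1"/>
  <Relation client="Historian" server="PLC-1"/>
</AutomationNetwork>
"""


def parse_model(xml_text):
    """Return (devices, relations).

    devices: name -> {"ip", "mac", "ports"}; relations: list of (client, server).
    Rejects relations that reference unknown devices or servers without endpoints,
    so a broken engineering export cannot silently produce an empty rule set.
    """
    root = ET.fromstring(xml_text)
    devices = {}
    for dev in root.findall("Device"):
        ports = set()
        for ep in dev.findall("Endpoint"):
            parts = urlsplit(ep.get("url"))  # scheme "opc.tcp" parses like any URL
            if parts.port is None:
                raise ValueError(f"endpoint without explicit port: {ep.get('url')}")
            ports.add(parts.port)
        devices[dev.get("name")] = {"ip": dev.get("ip"), "mac": dev.get("mac"), "ports": ports}
    relations = [(r.get("client"), r.get("server")) for r in root.findall("Relation")]
    for client, server in relations:
        if client not in devices or server not in devices:
            raise ValueError(f"relation references unknown device: {client}->{server}")
        if not devices[server]["ports"]:
            raise ValueError(f"server {server} exposes no endpoint")
    return devices, relations


def derive_allow_rules(devices, relations):
    """One (src_ip, dst_ip, dst_port, proto) tuple per modelled client->server flow."""
    rules = []
    for client, server in relations:
        for port in sorted(devices[server]["ports"]):
            rules.append((devices[client]["ip"], devices[server]["ip"], port, "tcp"))
    return rules


def flow_allowed(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Default deny: an observed flow is allowed only if the model contains it."""
    return (src_ip, dst_ip, dst_port, proto) in set(rules)


def render_iptables(rules):
    """Render the rules as FORWARD-chain accepts followed by a default drop policy."""
    lines = [
        f"iptables -A FORWARD -p {proto} -s {src} -d {dst} --dport {port} -j ACCEPT"
        for src, dst, port, proto in rules
    ]
    lines.append("iptables -P FORWARD DROP")
    return lines


if __name__ == "__main__":
    devs, rels = parse_model(SAMPLE_CONFIG)
    for line in render_iptables(derive_allow_rules(devs, rels)):
        print(line)
```

The `flow_allowed` check is the hook for the behavior-based approach the abstract mentions: a flow observed on the network that the model does not contain (for example the PLC initiating a connection to the Historian, the reverse of the modelled direction) is a deviation from the engineered communication relations and can be alerted on or blocked, and re-running the script after a configuration change regenerates the rule set without manual editing.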