
DEDICATED PROGRAMMABLE SECURITY FUNCTIONS FOR AUTOMATION AND CONTROL DEVICES

IP.com Disclosure Number: IPCOM000248969D
Publication Date: 2017-Jan-24
Document File: 5 page(s) / 230K

Publishing Venue

The IP.com Prior Art Database

Related People

Maik Seewald: AUTHOR [+2]

Abstract

Described herein are techniques for security functions virtualization for automation and control devices. Critical network security functions are bundled, freely configurable, and virtualized. The security functions are programmable and allow for an integration of legacy devices with limited or zero security functions.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 42% of the total text.

Copyright 2017 Cisco Systems, Inc. 1


AUTHORS: Maik Seewald, Patrick Wetterwald

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

As new technologies (e.g., smart cities, smart grid, digital factory, industry 4.0, etc.) develop, driven by enhanced connectivity, automation and control devices must implement an increasing number of security functions. These functions must provide update and upgrade mechanisms to address changeability and flexibility. This agility is especially needed to keep security functions up-to-date, because new threats and attack patterns evolve quickly and continuously. On the other hand, many existing components, often labelled as legacy devices, do not have these security functions and are typically not upgradeable. Retrofitting is not an option, yet these security requirements persist, with an increasing number of them demanded by regulations.

Described herein are techniques for virtualized security functions provided for automation and control devices. Figure 1 below illustrates the basic architecture.


Figure 1

As illustrated in Figure 1, the control execution environment provides a set of virtual machines (VM1, VM2, …, VMn), which are deployed as core components of an automation and control network (e.g., process automation network, factory automation network, substation automation network, etc.). Controllers (1, 2, …, n) are connected to the respective virtual machines (VM1, VM2, …, VMn) in a one-to-one relation. The controllers and virtual machines are connected via an interface (e.g., basic input/output interface, Ethernet interface, etc.) and a virtual switch in the control execution environment.

Essential security functions that are virtualized may include one or more of the following:

• Communication gateway
• Network address translation module
• Deep packet inspection module
• Firewalling
• Intrusion defense/prevention system


• Virtual private network (VPN) client
• Access control (e.g., role-based access control)
• Anti-denial of service / distributed denial of service attack systems

These virtualized functions are executed in the virtual machines. The selection and combination of these functions depend on the controller requirements of the respective virtual machines. This is stipulated by policies, as represented by the policy management and enforcement module in Figure 1.
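As an added illustration (not part of the disclosure), the following Python models the policy management and enforcement step described above and the Figure 2 assignment of controller 1 to VM1: it derives each VM's chain of virtualized functions from an assumed baseline policy plus the controller's own needs, enforces the one-to-one controller-to-VM mapping, and reports where a deployed VM deviates from policy. The function identifiers, chain order, baseline policy and controller inventory are assumptions.

```python
from dataclasses import dataclass

# Functions listed in the disclosure, in the order a packet would traverse
# them inside a VM's chain (the ordering itself is an assumption).
CHAIN_ORDER = ["gateway", "nat", "dpi", "firewall", "ips",
               "vpn_client", "access_control", "anti_ddos"]
# Assumed policy: every controller VM gets at least a firewall and access control.
BASELINE = frozenset({"firewall", "access_control"})


@dataclass(frozen=True)
class Controller:
    name: str
    native: frozenset = frozenset()   # functions the device implements itself
    needs: frozenset = frozenset()    # functions its role or regulation demands


def plan_chain(ctrl: Controller, baseline: frozenset = BASELINE) -> list:
    """Functions to virtualize for ctrl, in chain order: a legacy device with no
    native security gets the full required set; one that already implements a
    function does not get it duplicated in its VM."""
    wanted = set(baseline) | set(ctrl.needs)
    unknown = wanted - set(CHAIN_ORDER)
    if unknown:
        raise ValueError(f"{ctrl.name}: unknown security functions {sorted(unknown)}")
    return [f for f in CHAIN_ORDER if f in wanted - set(ctrl.native)]


def assign_vms(controllers: list, baseline: frozenset = BASELINE) -> dict:
    """Map controllers to VM1..VMn one-to-one, each VM carrying its own chain."""
    names = [c.name for c in controllers]
    if len(names) != len(set(names)):
        raise ValueError("duplicate controller names break the one-to-one mapping")
    return {f"VM{i}": (c.name, plan_chain(c, baseline))
            for i, c in enumerate(controllers, start=1)}


def verify_vm(deployed: set, planned: list) -> dict:
    """Enforcement check: functions the VM is missing or running beyond policy."""
    return {"missing": sorted(set(planned) - deployed),
            "extra": sorted(deployed - set(planned))}


if __name__ == "__main__":
    # Constructed inventory: plc-1 is a legacy PLC with no security of its own
    # that must reach a remote site over a VPN (the Figure 2 scenario).
    fleet = [Controller("plc-1", needs=frozenset({"vpn_client"})),
             Controller("rtu-2", native=frozenset({"firewall"}))]
    for vm, (ctrl, chain) in assign_vms(fleet).items():
        print(vm, ctrl, chain)
```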

Figure 2 illustrates a scenario in which controller 1 is assigned to VM1. In VM1, the following set of security functions is installed: access control, VPN client, and a firewall. T...