WO2018199912A1 - Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole - Google Patents

Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole Download PDF

Info

Publication number
WO2018199912A1
WO2018199912A1 PCT/US2017/029239 US2017029239W WO2018199912A1 WO 2018199912 A1 WO2018199912 A1 WO 2018199912A1 US 2017029239 W US2017029239 W US 2017029239W WO 2018199912 A1 WO2018199912 A1 WO 2018199912A1
Authority
WO
WIPO (PCT)
Prior art keywords
asset
assets
control system
industrial control
discovery
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2017/029239
Other languages
English (en)
Inventor
Leandro Pfleger De Aguiar
Stefan Woronka
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Siemens Corp
Original Assignee
Siemens AG
Siemens Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG, Siemens Corp filed Critical Siemens AG
Priority to PCT/US2017/029239 priority Critical patent/WO2018199912A1/fr
Publication of WO2018199912A1 publication Critical patent/WO2018199912A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Program-control systems
    • G05B19/02Program-control systems electric
    • G05B19/418Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/4184Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by fault tolerance, reliability of production system
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Program-control systems
    • G05B19/02Program-control systems electric
    • G05B19/418Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/41885Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by modeling, simulation of the manufacturing system
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • G06Q10/0635Risk analysis of enterprise or organisation activities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/08Logistics, e.g. warehousing, loading or distribution; Inventory or stock management
    • G06Q10/087Inventory or stock management, e.g. order filling, procurement or balancing against orders
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/04Manufacturing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/04Network management architectures or arrangements
    • H04L41/046Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02Standardisation; Integration
    • H04L41/0213Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/10Active monitoring, e.g. heartbeat, ping or trace-route
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/80Management or planning

Definitions

  • ICS products e.g., programmable logic controllers (PLCs), distributed control systems (DCS), motion controllers, supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs)
  • PLCs programmable logic controllers
  • DCS distributed control systems
  • SCADA supervisory control and data acquisition
  • HMIs human-machine interfaces
  • process control system networks including multiple PLCs, DCS devices, motion controllers, SCADA devices and HMIs, are also integrated without consideration for potential cyber threats.
  • process control system networks including multiple PLCs, DCS devices, motion controllers, SCADA devices and HMIs, are also integrated without consideration for potential cyber threats.
  • each industrial asset is typically identified in an inventory and baselined by an individual profile in order to detect unauthorized deviations from the baseline. As such, asset management is acknowledged by the security community as one of the most critical processes to ensure cyber security risks are appropriately controlled.
  • being able to identify and/or enumerate assets is typically the first step in defining stages of a cyber kill chain and preventing exploitation of a target.
  • Asset identification and classification is also considered by many international security frameworks (e.g., ISO 27001 and IEC 62443) as a key security control to be implemented as part of any organization's security program.
  • Standard IT asset inventory tools identify IT assets by deploying a range of automated methods to discover devices from a central server or network node. These methods typically include active connection methods through, for example, simple network management protocol (SNMP) and Windows Management Instrumentation (WMI) to identify devices supporting the protocols. Standard IT asset inventory tools also include special software agents for Windows and Linux based systems that typically run with local administrative privileges to collect and export detailed inventory information regarding the Windows and Linux based systems.
  • SNMP simple network management protocol
  • WMI Windows Management Instrumentation
  • Standard IT asset inventory tools also include special software agents for Windows and Linux based systems that typically run with local administrative privileges to collect and export detailed inventory information regarding the Windows and Linux based systems.
  • Existing tools directed to asset inventory for operations technology (OT) and industrial control systems often utilize similar active connection methods and special software agents, and also include passive detection options to avoid service disruption. For example, passive devices monitor and collect network traffic in order in order to make inferences about the assets that originate the traffic. The information gathered may be used to make inferences about vulnerabilities on these protocols and devices
  • the present embodiments relate to performing an asset inventory for an industrial control system.
  • the present embodiments described below include systems and methods for asset discovery, asset characterization and production process semantic analysis.
  • Incremental asset discovery in an industrial control system is provided using semantic analysis of the underlying production process with semantic models, template ontologies, and data analytics (e.g., based on metadata, network data, process data, etc.).
  • semantic analysis e.g., based on metadata, network data, process data, etc.
  • asset discovery methods are used to target individual assets of the industrial control systems to identify and baseline the assets.
  • An accurate asset inventory is provided without risking disruption of the production process, and the asset inventory includes assets from highly segmented and isolated networks by adopting a combination of discovery methods, intelligent agents, and data analytics.
  • a method of asset discovery for an industrial control system includes characterizing production processes, production zones and automation packages of the industrial control system. Based on the characterization, the method includes instrumenting assets of the industrial control system for incremental asset discovery and performing incremental asset discovery.
  • the incremental asset discovery includes collecting data for the assets of the industrial control system using one or more instrumentation options, classifying the assets of the industrial control system based on the collected data and inferring semantic dependency between the assets of the industrial control system.
  • a system for industrial asset discovery includes a plurality of asset discovery methods configured to collect asset and process information from an industrial control system and a server configured to store the collected asset and process information received from the plurality of asset discovery methods.
  • the server is further configured to classify the assets of the industrial control system based on the collected asset and process information received from the server.
  • the server is also configured to infer semantic dependency between the assets of the industrial control system based on the collected asset and process information received from the server.
  • a method for automatically identifying and baselining industrial assets includes characterizing major production processes, production zones, and automation packages of the industrial control system.
  • the method also includes assigning discovery methods for an incremental asset discovery of assets of the industrial control system, executing the incremental asset discovery of the assets of the industrial control system and generating an output of the incremental asset discovery.
  • the output includes displaying an attack tree for the assets of the industrial control system.
  • the output also includes detailed asset information (e.g., Internet protocol (IP) addresses, operating systems, system types, etc.), dependency relationships of the production process to a given asset, etc.
  • IP Internet protocol
  • Figure 1 illustrates a flowchart diagram of an embodiment of a method of asset discovery for an industrial control system.
  • Figure 2 illustrates a flowchart diagram of an embodiment of a method of incremental asset discovery.
  • Figure 3 illustrates a flowchart diagram of another embodiment of a method of automatic incremental asset discovery.
  • Figure 4 illustrates an example of manually importing a production zone on from a pre-compiled list of production units into a process map.
  • Figure 5 illustrates an example of a process map for reporting an asset inventory.
  • Figure 6 illustrates an embodiment of a system for asset discovery for an industrial control system.
  • Figure 7 illustrates and example of an asset discovery agent configured as a relay agent.
  • Figure 8 illustrates a passive industrial perimeter assessment device configured to provide a temporary overlay asset inventory network.
  • the present embodiments provide systems and methods for identifying and baselining assets of an industrial control system.
  • a workflow begins by understanding a production process, capturing the essence of how the production process runs in real life.
  • a combination of hardware and software agents are then deployed based on the production process to perform asset discovery.
  • the workflow uses process related data sources and asset information gathered by the hardware and software agents to semantically infer additional information about the assets, such as asset categories, relationships between assets, and potential risks associated with the assets.
  • the present embodiments obviate one or more of the drawbacks or limitations in existing information technology (IT) and operations technology (OT) asset inventory tools preventing the existing tools from being successful in identifying and baselining assets of an industrial control system.
  • the asset inventory process begins by understanding the production process. By understanding the production process prior to identifying production assets, an intrinsically complex and heterogeneous OT environment is understood before connecting and deploying any automatic mapping tools that could negatively impact the process. By understanding the production process prior to performing asset discovery, efficiency and accuracy of the asset inventory process may be improved.
  • the process information gathered through understanding the production process is leveraged during asset discovery, allowing for improved risk assessment for OT systems including segregated and/or isolated non-IT related devices.
  • performing asset discovery is guided by the production process, such as by deploying a combination of automatic, manual and user-assisted automatic asset inventory tools.
  • Asset inventory information is automatically assembled using data collected through distributed asset inventory tools, such as from hardware and/or software sensors strategically deployed at different points of the OT network.
  • the deployed asset inventory tools identify and baseline assets in highly segmented and isolated networks by adopting one or more of the hardware and software discovery methods.
  • the asset information gathered by the deployed asset inventory tools is processed to infer connections and relationships between assets and production zones/cells.
  • risk assessment may be facilitated.
  • asset baselines and semantic relationships between assets an attack-tree may be derived with data analytics to facilitate risk assessment.
  • An accurate industrial asset inventory is thus provided including asset information from highly segmented and isolated networks, facilitating risk assessment by inferring semantic relationships and performing data analytics.
  • Figure 1 illustrates a flowchart diagram of an embodiment of a method of asset discovery for an industrial control system.
  • the method illustrated in figure 1 provides accurate and efficient industrial asset discovery and analysis.
  • the method is implemented by the system of figure 6 (discussed below) and/or a different system. Additional, different or fewer acts may be provided.
  • the acts of figure 1 may be combined with the acts illustrated in figure 2 (discussed below).
  • the method is provided in the order shown. Other orders may be provided and/or acts may be repeated.
  • acts 101-105 may be repeated for a plurality of assets, or repeated for each production cell/zone. Further, the acts 101-105 may be performed concurrently as parallel acts.
  • Each of acts 101-105 may include sub-acts, such as acts 201-205 illustrated in figure 2 (discussed below).
  • production processes, production zones and automation packages of the industrial control system are characterized.
  • the main steps of the production process, production cells/zones and/or automation packages may be mapped and characterized based on information derived from multiple sources.
  • multiple sources of information may be processed by the system, such a data from a process historian (e.g., plant information management system (PIMS)), control system project files (e.g., process control engineering files, totally integrated automation (TIA) portal engineering .S7P project files, etc.), configuration files, direct device reading (e.g., PLC memory reading, running PLC control logic, etc.), etc.
  • PIMS plant information management system
  • control system project files e.g., process control engineering files, totally integrated automation (TIA) portal engineering .S7P project files, etc.
  • configuration files e.g., direct device reading (e.g., PLC memory reading, running PLC control logic, etc.), etc.
  • direct device reading e.g., PLC memory reading, running PLC control
  • characteristics of the cells/zones are inferred by the system based on available information. For example, the system age, automation package vendors, typical assets for a process or production step and typical interconnections between process steps are inferred and mapped.
  • an intrinsically complex and heterogeneous industrial control system is understood and mapped before the connection of any automatic mapping tools that could potentially generate negative impacts to the industrial control system, such as when the system performs a continuous production process or a process with limited downtime.
  • assets of the industrial control system are instrumented for incremental asset discovery. The industrial control system is instrumented based on the mapped and characterized production process.
  • the mapped production process includes a SCADA server coupled to unknown assets of the industrial control system (e.g., various industrial devices, such as controllers, PLCs, etc.). Based on the mapped production process, the system instruments to SCADA server to automatically discover the assets coupled the SCADA server. Instrumenting the industrial control system includes deploying asset inventory tools (e.g., asset discovery agents) for the different assets of the industrial control system.
  • asset inventory tools e.g., asset discovery agents
  • the industrial control system network is instrumented to perform an incremental industrial asset discovery using a combination of deployed hardware and software discovery agents (e.g., quickly and easily deployable sensors) configured to employ a mixture of active, passive, intrusive, and/or non- intrusive discovery methods.
  • the instrumentation is installed at the control cell where the control equipment resides (e.g., a ruggedized industrial personal computer (IPC) installed in a network of a control cell).
  • IPC industrial personal computer
  • a combination of hardware and software asset discovery agents are deployed for each of the cells/zones of the production process. Using information gathered for each of the cells/zones, specific hardware and software asset discovery agents are selected and deployed to perform asset discovery and to baseline the discovered assets.
  • Hardware asset discovery agents are connected to an asset and/or are installed in the network of the industrial control system to monitor and collect communication, activity, and other information about one or more assets of the industrial control system.
  • Software asset discovery agents are installed on and executed by an asset to monitor and collect communications, activity, and other information about one or more assets.
  • the deployed discovery agents may be a combination of active and passive discovery agents.
  • Active discovery agents actively interact with an asset, such as by sending a command to the asset and receiving a response. Based upon the response to a command, the active discovery agent gathers information for classifying and baselining assets.
  • Passive discovery agents do not actively interact with the asset.
  • the passive discovery agents monitor action by the asset, such as by passively monitoring communication and activity of the asset (e.g., read-only). For example, based on the type, frequency, and other characteristics of communication and activity, information gathered by a passive discovery agent may be used for classifying and baselining assets. Further, classifying assets may be performed based on data analytics (e.g., asset signatures) pushed from the cloud database.
  • data analytics e.g., asset signatures
  • the deployed discovery agents may be a combination of intrusive and non-intrusive discovery agents.
  • Non-intrusive discovery agents do not impact the production process as the agents monitor assets and/or collect information.
  • hardware discovery agents configured to monitor communication in a readonly configuration may not impact the production process as data is collected.
  • Intrusive discovery agents impact the production process as discovery agents monitor and/or collect information about one or more assets of the industrial control system. For example, for a software agent installed and executed by an asset, the software agent may utilize computational bandwidth of the installed asset, impacting the performance of the installed asset (e.g., by slowing down the asset).
  • the intrusive discovery agents are deployed under strict monitoring for potential adverse impacts to the production process, and may be configured to prevent the adverse effects during production.
  • the collective network bandwidth used by all agents during active asset inventory operations may be limited to a given amount of Mbps and/or during a given timeframe where dependency on systems is less critical to the production.
  • Local impact by deployed software agents e.g., overall CPU percent usage, physical memory consumption, etc.
  • Such constraints may be learned and derived automatically (e.g., via machine learning) based on processing configured data sources.
  • some assets cannot be discovered without adversely impacting or stopping the production process.
  • the intrusive discovery agent may only be deployed during an idle phase of the production process.
  • Instrumenting assets of the industrial control system may also include deploying temporary or permanent networking devices for asset discovery and monitoring in the industrial control system.
  • various cells/zones of the industrial control system may be isolated or segregated, such as air-gapped or firewalled assets or networks of assets.
  • an overlay network is deployed for connecting discovery agents collecting information for assets within the isolated or segregated cells/zones of the industrial control system.
  • a hardware device is connected to an asset or network device for monitoring the asset or network.
  • the overlay network facilitates one-way (e.g., unidirectional) communication from the control system over the overlay network.
  • the hardware device is also configured to transmit collected data to a server using the overlay network.
  • An overlay network is a network (e.g., a wireless network) deployed in addition to and without affecting existing networks of the industrial control system.
  • the asset information may be provided for risk assessment, such as uploaded to a central server for analysis.
  • mobile USB or Ethernet sniffing dongles e.g., USB storage with the one-way effect
  • the mobile collector is installed (e.g., plugged-in) for a period of time (e.g., two weeks, etc.) and removed for manual upload.
  • incremental asset discovery is performed. As discussed above, the discovery agents are deployed and monitored for potential adverse impacts to the production process. Using the deployed discovery agents, asset information is gathered and used to classify the discovered assets by type.
  • semantic dependency between assets within the production process may be inferred.
  • risk assessment may be accurately performed.
  • Figure 2 illustrates a flowchart diagram of an embodiment of a method of incremental asset discovery.
  • the method illustrated in figure 2 may perform incremental asset discovery executed in act 105 of figure 1.
  • the method is implemented by the system of figure 6 (discussed below) and/or a different system. Additional, different or fewer acts may be provided. The method is provided in the order shown. Other orders may be provided and/or acts may be repeated.
  • act 205 may be performed before act 203, or acts 201-205 may be repeated for a plurality of assets, and/or repeated for each production cell/zone. Further, the acts 201- 205 may be performed concurrently as parallel acts. Act 205 may be omitted in some embodiments.
  • data is collected for assets of the industrial control system.
  • Data is collected using the deployed instrumentation of act 103 (e.g., by each asset discovery agent).
  • the data is stored locally or uploaded to a central server by each discovery agent.
  • data for the assets of the industrial control system is collected by monitoring asset activity and communication between assets.
  • data is collected by scanning for assets coupled to each software or hardware discovery agent.
  • a software agent is installed on a SCADA server coupled to multiple PLCs and other assets. The software agent scans and collects data for each PLC and uploads the data to a central server configured to store the data in an asset database.
  • a hardware agent is installed for monitoring communication from an asset. The hardware agent is deployed for a period of time (e.g., two weeks) and the
  • communication data is automatically or manually uploaded to the asset database stored on the central server.
  • a discovery agent may send commands and other communications to an asset and receiving a response or monitoring data from the asset.
  • Different discovery assets are deployed to gather data for each asset of the industrial control system.
  • the assets of the industrial control system are classified.
  • an inference is made classifying each asset of the industrial control system. For example, by monitoring communication and activity of the assets, inferences are automatically generated classifying the assets. Based on the type, duration, frequency, etc. of each communication and/or activity, the type of asset is determined.
  • asset data collected in act 201 an asset age, asset vendor (e.g., for third-party assets), typical characteristics, and other asset characteristics is also inferred for each asset.
  • Classifying the assets may include identifying the vendor of a given system and the role of the asset in the network.
  • Additional data may be provided by a user (e.g., semi-supervised machine learning) and user provided asset signatures may be used to automatically classify similar devices in future.
  • a user e.g., semi-supervised machine learning
  • user provided asset signatures may be used to automatically classify similar devices in future.
  • Characterizing each asset may also include baselining each asset to determine activities and communications that are typical of the asset during different production processes, etc. For example, using the data collected for each asset, abnormal activity by one or more assets may be easily identified (e.g., for risk assessment and/or deriving an attack-tree) based on deviation from the recorded norm. Abnormal activities may also be used then to detect subsequent changes made to these inventoried assets.
  • classifying assets also includes supervised or semi- supervised machine learning based on user input. For example, similar unclassified assets (e.g., third-party assets) are classified based on a user input. For example, similar unclassified assets are identified from monitored communications and other collected data. An unclassified asset representative of the unclassified assets is presented to a user for manual classification. Based on a user input, the presented asset and similar unclassified assets may be classified and/or characterized. Alternatively, a
  • representative asset is classified and presented to a user to confirm the classification.
  • representative and similar third-party assets are classified and/or characterized.
  • the related third-party assets may be classified utilizing the user input and further inferences from collected data to classify each asset. For example, based on monitored communication between the assets, related dissimilar assets are identified and classified using a user input related to one of the assets. For example, classifying one asset of a third-party automation platform is provided based on a user input of one asset of a plurality of assets making up the automation platform.
  • semantic dependency is inferred between the assets of the industrial control system. For example, using asset data collected in act 201, asset classifications and characteristics provided in act 203, and/or the characterized processes, production zones and automation packages of the industrial control system of act 101, semantic relationships and an associated criticality is inferred for each identified assed. For example, based on the frequency, average packet size, traffic direction, and protocols uses, roles of each asset (e.g., a human-machine interface (HMI), PLC, etc.) may be identified. Based on the discovered topology of connected assets, additional computer systems that belong to the same control cell are identified, and based on the grouping of such devices, groups of control cells are mapped.
  • HMI human-machine interface
  • the activity observed at the application layer of the communication e.g., process control and monitoring commands
  • asset and user activity may be used to infer process sequences. For example, in a discrete manufacturing process, such as a car assembling line, inferences are automatically generated about the process sequence based on the observed network communications between nodes and content exchanged. Data provenance techniques may be used to track raw data being transmitted and
  • Supervised or semi- supervised machine learning may also be performed with user input to provide additional semantic relationships, or to confirm inferences of semantic relationships between assets.
  • the semantic information may be used to identify abnormal activity by one or more assets (e.g., for risk assessment and/or deriving an attack-tree).
  • abnormal activity may include one or more assets performing activities during an idle phase of the process for the asset(s), one or more assets idling during an active phase of the process for the asset(s), higher than normal computational loads for one or more of the assets, communications or other signals from one or more assets that are inconsistent with the process, one or more of the assets being unresponsive to a communication from another asset, etc.
  • Other abnormal activities may also be detected, such as when an asset is active or inactive when other related assets are active or are not active.
  • an associated criticality may be inferred. For example, some assets of the industrial control system have a larger impact on the production process than others.
  • a SCADA server connecting multiple PLCs and other assets to the industrial control system may have a larger impact on the production process than any one of the PLCs or other assets of the system.
  • a higher criticality level may be inferred for the SCADA server than for each of the assets connected to the SCADA server.
  • the SCADA server may also be at a higher risk because of being coupled to and able to communicate with other devices accessible to an outside network.
  • Figure 3 illustrates a flowchart diagram of an embodiment of a method of automatic incremental asset discovery for OT systems, industrial control systems and other systems that include segregated and non-IT related devices.
  • the main acts of the automated asset inventory process are provided for identifying and baselining industrial assets.
  • the method is implemented by the system of figure 6 (discussed below) and/or a different system.
  • the automated asset inventory process performs an understand act.
  • data from multiple sources is processed to derive and infer production steps, production zones, and to classify different automation packages.
  • automation packages to be classified include a Siemens PCS7 control system used to control a water pump station, an Allen Bradley ControlLogix control system used to control a gas turbine, or any other group of automation hardware and software provided and commissioned as a "turn-key" package.
  • the multiple sources of information may include process historian information, control system project files, configuration files, direct device information (e.g., PLC memory reading), etc.
  • Other types of information may be processed to understand the production process.
  • production steps and zones are automatically inferred by a semantic mapper of a software platform. Production steps and zones may also be suggested to a user for confirmation, or manually entered by the user.
  • Production steps and zones may be imported manually based on a predefined list of standard production units.
  • figure 4 illustrates manually importing a production zone from a pre-compiled list of production units into a process map.
  • a production zone A may be imported into a semantic mapper using drag and drop functionality from the available process blocks.
  • the semantic mapper adopts industry specific vertically provided ontology packets as process blocks.
  • Ontology packets are industry specific (e.g., Oil & Gas, Metals & Mining, etc.) production units that define common production steps and assets based on the industry and/or process.
  • the semantic mapper processes and transforms the multiple sources of data into data elements and namespaces in process map.
  • the process map includes a combination of automatically and manually defined process zones.
  • the understand act also includes mapping network topologies of the industrial control system.
  • the various networks employed by the production process are understood and mapped.
  • the production process may utilize connections to the Internet, a local intranet, segregated networks, firewalled networks and/or isolated networks. Other types of networks may be mapped.
  • the understand act identifies the different types of networks and maps each topology to understand connectivity and
  • the understand act may additionally classify automation packages of the industrial control system and different asset types. For example, based on the industry specific production units, common automation packages may be mapped. For example, in a production zone of an Oil & Gas process, a batch or continuous automation process may include a package of hardware and software specifically designed and implemented for the zone.
  • the automation package may include controllers, PLCs, sensors, motors, valves, actuators, etc.
  • the understand act may also identify and classify asset types (e.g., switches, PLCs, etc.) and characteristics (e.g., new or legacy, model, vendor, etc.) of each zone prior to performing asset discovery, simplifying the asset discovery process and providing additional information to draw from to infer semantic relationships. For example, based on the classified asset types and characteristics, asset discovery methods may be assigned based on the types and characteristics to discovery unknown assets in the production zones and automation packages.
  • asset types e.g., switches, PLCs, etc.
  • characteristics e.g., new or legacy, model, vendor, etc.
  • the automated asset inventory process performs a plan act. Using the process map and information gathered during the understand act, incremental asset discovery is planned for each production zone, automation package, etc. Different discovery methods (e.g., asset discovery agents) are suggested and assigned based on information and inferences about existing controls systems and assets (e.g., the system age, automation package vendor, etc.). Further, centralized passive discovery may be used in the planning act to provide additional insights about assets to be mapped. The centralized passive discovery gathers asset information without deploying additional discovery agents and discovery methods. The planning act uses this asset information to better plan for the deployment of additional discovery agents and discovery methods for undiscovered and non-baselined assets.
  • asset discovery agents e.g., asset discovery agents
  • centralized passive discovery may be used in the planning act to provide additional insights about assets to be mapped. The centralized passive discovery gathers asset information without deploying additional discovery agents and discovery methods. The planning act uses this asset information to better plan for the deployment of additional discovery agents and discovery methods for undiscovered and non-baselined assets.
  • each mapped production zone or network zone is assigned a combination of different asset discovery agents.
  • zones that do not tolerate active intrusive discovery methods e.g., due to risks of running such active methods on legacy equipment
  • zones that do not tolerate active intrusive discovery methods are configured with passive methods only
  • zones with newer control equipment are be configured with more intrusive methods (e.g., providing more detailed results).
  • the central server controls which method will be triggered at which time and under specific constraints for each zone.
  • the asset discovery relay agents may be hardware, software or a combination thereof that gathers asset information and relays the information to a central information server.
  • Each asset discovery agent is also specified as having one or more discovery methods, including active, passive, intrusive, non-intrusive and/or a combination thereof.
  • asset discovery agents and asset discovery methods may be specified based on the inferences derived for the production process, production and network zones, automation packages, learned asset information for different assets, etc.
  • the specified asset discovery agents may be confirmed by a user during planning, and the asset inventory plan may be refined and confirmed.
  • the asset discovery agents and discovery methods are assigned to collect asset and process information from an industrial control system with minimal impact to the production process.
  • specific hardware or software discovery agents may have a greater or lesser impact on the production process, and are selected accordingly.
  • a discovery agent employing a passive discovery method e.g., passively monitoring network communications, etc.
  • an active discovery method e.g., actively sending a command to an asset, etc.
  • a discovery agent employing a non- intrusive discovery method will likewise impact a process more than an intrusive discovery method (e.g., actively scanning an asset resulting in a fault state of the asset).
  • an intrusive discovery method e.g., actively scanning an asset resulting in a fault state of the asset.
  • asset discovery may use different types of agents, the agent with the lesser impact is selected.
  • the planning act may designate a schedule for the incremental asset discovery.
  • an active and/or intrusive discovery agent may be scheduled to perform asset discovery during idle phases of the production process.
  • the inventory process may also be scheduled for different zones according to the production schedule, maintenance schedule, planned outages, etc.
  • asset discovery agents are specified as customized intelligent discovery agents. For example, in addition to being customized to a specific process or network zone, some discovery agents monitor the process to minimize computational overhead of the discovery agent during a computationally intensive phase of the process. Intelligent discovery agents are equipped with real-time, heart-beat monitoring functionality to quickly detect a disruption or other impact on any asset during incremental asset discovery. For example, some performance indicators for monitoring asset disruption include processor queue length, percent CPU process time, throughput, memory load, log size, overall CPU load, cache size, etc. Other performance indicators may be selected and used. Intelligent discovery agents are configured with upper limits of allowed system and/or network overhead for asset discovery, and may prevent the asset discovery from disrupting or negatively impacting the production process.
  • the automated asset inventory process performs an execute act.
  • the automatic data collection hardware or software asset discovery agents are deployed.
  • the asset discovery agents are deployed based on the planned discovery methods assigned based on the process map.
  • the discovery agents are deployed to collect asset and process information for the different process and network zones of the industrial control system. Assets of the industrial control system and assets of the underlying automation network topology are identified and baselined, suggesting asset categories, semantic relationships and associated criticality for each identified assed.
  • the asset discovery agents utilize existing networks to upload asset information to a central server.
  • Some asset discovery agents are manually deployed isolated and segregated assets, such as by deploying a hardware agent establishing a temporary overlay network for air-gapped assets.
  • the plurality of asset discovery agents are configured to monitor the computational overhead of the asset discovery agents to minimize disruption or other impacts on the assets during the production process.
  • the asset discovery agents are configured with self-modifying behavior.
  • the asset discovery agents may be configured with upper limits (e.g., thresholds) of allowed system and/or network overhead for the asset discovery.
  • the asset discovery agents may be configured with real-time, heart-beat monitoring functionality to quickly detect any availability disruptions or other impacts on the asset (e.g., such as monitoring rata rate, throughput, memory load, log size, CPU load, cache size, etc.). Based on heart-beat monitoring, the asset discovery agents may be modified to prevent disruption of the process, such as by reducing computational bandwidth utilization, pausing asset discovery, etc. An accurate industrial asset inventory is performed without risking disruption of the production process.
  • the execute act may also display and coordinate user activities during the automated asset inventory process.
  • the system may provide a display allowing the user to confirm correlations, inferences and asset criticalities automatically suggested by the system to confirm semantic relationships between industrial and network assets, and between different production zones.
  • Supervised and semi- supervised machine learning may also be performed based on user input to confirm assumptions and inferences of semantic relationships between assets. Correlations, inferences and asset criticalities are automatically suggested utilizing data analytics.
  • inferences are made including categorizing and grouping assets, inferring connections between assets and determining which assets are used in each production step.
  • asset criticality in a process may also be inferred utilizing data analytics based on frequency of use count in an entropy analysis from system access.
  • the entropy analysis may plot binary and other data acquired from an asset (e.g., binary data from a SCADA server, PLC, etc.). The data may not be designed to be plotted.
  • Hidden keys such as increased and/or abnormal activity or other abnormalities in the data, are reflected in plotted binary data. Using the hidden keys, inferences are made as to the criticality and/or relationship of an asset to other assets of a production process. Alternatively, the hidden keys may identify a time frame of activity to inquire additional information from a user to characterize assets of the industrial control system.
  • the automated asset inventory platform may also utilize data from outside production processes (e.g., from disparate client facilities) within the same industry to generate ontology packets based on patterns in communications between the facilities. For example, patterns arise regarding communications for particular vendors, for particular types of assets and/or for particular production processes. Inferences drawn from different facilities may be used to characterize communications and activities of assets within an industry. The patterns are recognized and utilized in providing standardized ontology packets for use by a user in a particular industry, leveraging platform experience from the disparate client facilities.
  • outside production processes e.g., from disparate client facilities
  • ontology packets based on patterns in communications between the facilities. For example, patterns arise regarding communications for particular vendors, for particular types of assets and/or for particular production processes. Inferences drawn from different facilities may be used to characterize communications and activities of assets within an industry. The patterns are recognized and utilized in providing standardized ontology packets for use by a user in a particular industry, leveraging platform experience from the disparate client facilities.
  • the automated asset inventory process performs a report act.
  • the automatic and manually collected asset information from individual production zones is assembled and combined to infer, generate and/or confirm the overall communication topology (e.g., a map and/or graph).
  • networked discovery assets relay information to a central server and offline discovery assets are connected to a network for uploading to the central server.
  • the asset information may also be uploaded to a cloud-based server accessible by a cloud-based software platform.
  • Figure 5 illustrates an embodiment of a process map for reporting an asset inventory.
  • the process map may be presented as an asset inventory operation control dashboard.
  • the process map presents a network topology mapping, including segregated, isolated and firewalled assets and networks of assets, to a user.
  • the reassembling and combining asset information supports additional analytics using the available semantic and mapped asset characteristics and a zone-data-matrix generated from collected process data at different network points.
  • the additional analytics provides data paths throughout the different network subnets and tracking (e.g., based on the observation of repeated data streams in different networks or zones).
  • Inferred semantic relationships between assets of the industrial control system may be presented to a user and confirmed via a user input. For example, physical connections and dependency relationships are inferred based on collected data and network traffic. The semantic relationships are displayed for confirmation by a user (user assisted).
  • the reporting act may also provide an attack tree for the assets of the industrial control system.
  • the reporting act may compute and display an attack tree depicting points of entry and vulnerable assets in the event of a cyber-attack.
  • the attack-tree is derived from the asset inventory information utilizing data analytics.
  • the attack-tree and asset baselines are provided to aid future risk assessments.
  • FIG. 6 illustrates system an embodiment of a system for asset discovery for an industrial control system.
  • system 600 includes a plurality of networked, segregated, isolated and/or firewalled hardware and software components for performing incremental asset discovery according to the methods of figure 1, figure 2, figure 3 or another method.
  • the system 600 includes a computing platform 601 coupled to a server 605 and workstation 607 via the internet 603.
  • Computing platform 601 may be implemented as a cloud computing platform, with a cloud server 601A in addition to or in place of server 605.
  • computing platform 601 may be implemented locally as part of server 605 and workstation 607.
  • the computing platform 601 is configured to store asset characterizations (e.g., signatures) to cloud server 601 for use in classifying other assets in the same or similar industrial control systems.
  • asset characterizations e.g., signatures
  • the system 600 includes a plurality of asset discovery agents 611, 613, 615, 617 and 621.
  • the plurality of asset discovery agents are configured to collect asset and process information from an industrial control system.
  • the asset discovery agents may be hardware agents 613, software agents 611, or combination hardware and software agents (e.g., combining PC agent 615 with SW agent 611).
  • the software asset discovery agents 611 are configured for installation on a process device or a networking device, such as using software or firmware running on the device.
  • the software asset discovery agents 611 may also be pre-loaded on the process device or networking device.
  • the asset discovery agents may include PC agents 615 implemented as an industrial computing environment (e.g., industrial personal computer (IPC), ruggedized person computer (PC), industrial server computer, industrial controller, etc.).
  • the PC agents 615 may include software agents 611 deployed on the industrial computing environment.
  • Each of the asset discovery agents are coupled to or executed by an asset (e.g., a process device or a networking device) to collect asset information
  • the asset discovery agents may be configured as relay agents.
  • relay agents are configured to upload asset and process information to one or more central servers, such as server 605 via intranet 609, overlay network 619 or another network.
  • the networks, such as intranet 609 and overlay network 619, may be provided with known or future networking technology (e.g., Ethernet, wireless, cellular, optical, NFC, etc.).
  • the asset discovery agent may be a standalone agent 617 (e.g., not connected to networks 609, 619, etc.) configured to capture and store information for manual upload to server 605.
  • FIG. 7 illustrates and example of an asset discovery agent configured as a relay agent.
  • specially configured asset discovery agents e.g., software, hardware or firmware based
  • software asset discovery agent 611 installed on SCADA server 711 is implemented on a SCADA server connected to one or more assets, such as PLC device 723.
  • the software relay agent 611 installed on SCADA server 711 is configured to retrieve information from one type of network (e.g., a layer 1/2 network card) and to transmit the information over another type of network (e.g., a layer 2/3 network).
  • the software relay agent 611 installed on SCADA server 711 captures PLC information and utilizes switch 709 to transmit the information to central server 705.
  • the relay agents allow for various networks (e.g., complex mesh network topologies) to reach the central asset inventory consolidating node (e.g., server 705) via the secure connection (e.g., switch 709 and intranet 609).
  • Relay agents are used for instrumenting non-routable control devices have to be discovered. For example, non-routable control devices cannot be reached directly from the central server via a network, requiring a relay device between two disparate networks.
  • Using relay agents may reduce or minimize the number of deployed agents necessary. For example, local relay agents discover devices in a network segment and retransmit the device information to the main server.
  • the software agent 611 is executed as an autonomous installing software agent.
  • the software agent 611 is autonomously installed on the SCADA server 711.
  • the autonomous installing software agent executes self-replicating code configured to analyze a process or networking device for code installation as software agent 611. Based on the analysis, the software agent code is customized and installed on the device.
  • the software agent code is executed to gather asset and process information, then the code is uninstalled returning the device to an uninstalled state.
  • the asset discovery autonomous installing agent e.g., a melting agent
  • the executable software has characteristics and actions often found in self-replicating code or malware, without the detrimental effects of malware code, in order to achieve silent, seamless, and zero-downtime installation, execution, and removal of the agent code.
  • the code may include features for delaying the inclusion of the code, executing the code, run-time loading and/or generating additional code at a time when the device is not performing critical actions and/or has computational bandwidth free for the code operations.
  • the self-mutating and/or replicating code may install the agent code on neighbor peer devices.
  • the executable software code includes performance control that is configured to avoid undesired performance effects on the target devices, including constant monitoring OS interactions and critical system variables and including sleep calls intertwined with execution operations.
  • the executable software includes secure unpacking and encryption, generating and transmitted data encrypted at the source.
  • the executable software also includes clean and self-software removal. For example, after the data is collected, the agent optionally self-removes the installed program code automatically.
  • some asset discovery relay agents are provided as hardware agents. For example, some assets of the industrial control system are identified and baselined by installing and deploying a hardware agent to gather asset information.
  • the hardware agents may be customized intelligent discovery agents for a specific production or network zone.
  • a temporary overlay asset inventory network may be deployed. Using a temporary overlay asset inventory network, a temporary secure wireless network allows for quick and seamless asset inventory without changing the target network topology.
  • FIG. 8 illustrates a passive industrial perimeter assessment (PIPA) secure device configured to provide a temporary overlay asset inventory network.
  • a PIPA secure device 821 is configured as a passive scanner and collector of network and process data.
  • the PIPA passive scanning device is configured to provide a network connection to a central server, such as using Zigbee wireless communication, facilitating the asset inventory temporary overlay network.
  • the PIPA passive scanning device is provided with an embedded opto-coupler 825 to create the short- term, temporary overlay asset inventory network (e.g., using wireless, ZigBee, a personal area network (PAN) wireless communication standard, etc.) for use only during the incremental asset discovery and inventory.
  • PAN personal area network
  • Deployed PIPA secure devices 821 at different points throughout the facility collect asset inventory relevant information and communicate in a wireless mesh network topology via network 619.
  • An internal, unidirectional communication device of the PIPA secure device 821 avoids potential contamination in case malware is present.
  • the PIPA secure device 821 may be toggled as "read-only” or “write-only,” depending on the desired functionality.
  • a central server 605 is configured to store the collected asset and process information received from the plurality of asset discovery agents.
  • the server 605 may receive the data according to an asset discovery and reporting protocol.
  • Communications from agent nodes 611, 613, 615, 617 to the central server 605 via Internet 609 and from agent 621 via the temporary overlay network 619 are provided using a specific protocol to facilitate the asset discovery and reporting.
  • the asset discovery and reporting protocol includes source and destination authentication and content encryption with asymmetric key encryption.
  • Authentication and encryption provide for secure communication of asset information to the server 605 and/or the computing platform 601.
  • Each agent may self-select a transmission mode (e.g., connection oriented or user datagram protocol (UDP)).
  • UDP user datagram protocol
  • agents may self- select available paths and/or ports of the network, based on locally collected
  • smart agents change communication ports and transmission modes in a hop-to-hop discovery mode.
  • the workstation 807 is coupled to server 605 and/or computing platform 601 and is configured to display a portal interface to the user.
  • the computing platform 601 is configured to classify the assets of the industrial control system. For example, a classifier 601C classifies assets based on the collected asset and process information received from the server 605.
  • An analyzer 601D infers semantic dependency between the assets of the industrial control system based on the collected asset and process information received from the server 605 and the classifications provided by the classifier 601C.
  • the classifications and semantic dependencies may be stored on server 601A and/or 605, and are displayed to a user via workstation 607.

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Economics (AREA)
  • Strategic Management (AREA)
  • Quality & Reliability (AREA)
  • Manufacturing & Machinery (AREA)
  • Entrepreneurship & Innovation (AREA)
  • General Business, Economics & Management (AREA)
  • Tourism & Hospitality (AREA)
  • Marketing (AREA)
  • Theoretical Computer Science (AREA)
  • Development Economics (AREA)
  • Automation & Control Theory (AREA)
  • Operations Research (AREA)
  • General Engineering & Computer Science (AREA)
  • Educational Administration (AREA)
  • Game Theory and Decision Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Environmental & Geological Engineering (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Accounting & Taxation (AREA)
  • Finance (AREA)
  • General Factory Administration (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Les présents modes de réalisation concernent la réalisation d'un inventaire d'actifs pour un système de commande industriel. Au moyen d'une introduction, les présents modes de réalisation décrits ci-dessous comprennent des systèmes et des procédés de découverte d'actifs, de caractérisation d'actifs et d'analyse sémantique. La découverte d'actifs incrémentale dans un système de commande industriel est obtenue à l'aide d'une analyse sémantique du processus de production sous-jacent à l'aide de modèles sémantiques, d'informations de modèle et d'analyses de données (par exemple, sur la base de métadonnées, de données de réseau, de données de processus, etc.). A l'aide de l'analyse sémantique, différents procédés de découverte d'actifs sont utilisés pour cibler des actifs individuels des systèmes de commande industriels afin d'identifier et de tracer les actifs. Un inventaire d'actifs précis est fourni sans risque d'interruption du processus de production, et l'inventaire d'actifs comprend des actifs provenant de réseaux hautement segmentés et isolés par adoption d'une combinaison de procédés de découverte, d'agents intelligents et d'analyses de données.
PCT/US2017/029239 2017-04-25 2017-04-25 Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole Ceased WO2018199912A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2017/029239 WO2018199912A1 (fr) 2017-04-25 2017-04-25 Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2017/029239 WO2018199912A1 (fr) 2017-04-25 2017-04-25 Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole

Publications (1)

Publication Number Publication Date
WO2018199912A1 true WO2018199912A1 (fr) 2018-11-01

Family

ID=58701858

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/029239 Ceased WO2018199912A1 (fr) 2017-04-25 2017-04-25 Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole

Country Status (1)

Country Link
WO (1) WO2018199912A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110794795A (zh) * 2019-11-27 2020-02-14 上海三零卫士信息安全有限公司 一种基于集散式检查的工业控制信息安全风险评估模型
EP3792717A1 (fr) * 2019-09-12 2021-03-17 FRAUNHOFER-GESELLSCHAFT zur Förderung der angewandten Forschung e.V. Système de suivi
CN116909217A (zh) * 2023-06-15 2023-10-20 中国科学院信息工程研究所 面向工业控制系统的攻击图生成方法及系统
CN116980468A (zh) * 2023-09-20 2023-10-31 长扬科技(北京)股份有限公司 工控环境下资产的发现和管理方法、装置、设备及介质
CN121262118A (zh) * 2025-12-04 2026-01-02 本溪钢铁(集团)信息自动化有限责任公司 资产状态探测平台及资产状态探测方法、设备及存储介质
EP4718798A1 (fr) * 2024-09-25 2026-04-01 Rockwell Automation Technologies, Inc. Systèmes et procédés pour agent de dispositif de technologie opérationnelle
EP4718805A1 (fr) * 2024-09-25 2026-04-01 Rockwell Automation Technologies, Inc. Systèmes et procédés de découverte d'actifs dans un réseau de technologie opérationnelle (ot)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016126573A1 (fr) * 2015-02-06 2016-08-11 Honeywell International Inc. Outil de surveillance d'infrastructure pour collecter des données de commande de processus industriel et de risque de système d'automatisation
EP3070550A1 (fr) * 2015-03-16 2016-09-21 Rockwell Automation Technologies, Inc. Modélisation d'un environnement d'automatisation industrielle dans le cloud

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016126573A1 (fr) * 2015-02-06 2016-08-11 Honeywell International Inc. Outil de surveillance d'infrastructure pour collecter des données de commande de processus industriel et de risque de système d'automatisation
EP3070550A1 (fr) * 2015-03-16 2016-09-21 Rockwell Automation Technologies, Inc. Modélisation d'un environnement d'automatisation industrielle dans le cloud

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3792717A1 (fr) * 2019-09-12 2021-03-17 FRAUNHOFER-GESELLSCHAFT zur Förderung der angewandten Forschung e.V. Système de suivi
CN110794795A (zh) * 2019-11-27 2020-02-14 上海三零卫士信息安全有限公司 一种基于集散式检查的工业控制信息安全风险评估模型
CN116909217A (zh) * 2023-06-15 2023-10-20 中国科学院信息工程研究所 面向工业控制系统的攻击图生成方法及系统
CN116980468A (zh) * 2023-09-20 2023-10-31 长扬科技(北京)股份有限公司 工控环境下资产的发现和管理方法、装置、设备及介质
CN116980468B (zh) * 2023-09-20 2023-12-19 长扬科技(北京)股份有限公司 工控环境下资产的发现和管理方法、装置、设备及介质
EP4718798A1 (fr) * 2024-09-25 2026-04-01 Rockwell Automation Technologies, Inc. Systèmes et procédés pour agent de dispositif de technologie opérationnelle
EP4718805A1 (fr) * 2024-09-25 2026-04-01 Rockwell Automation Technologies, Inc. Systèmes et procédés de découverte d'actifs dans un réseau de technologie opérationnelle (ot)
CN121262118A (zh) * 2025-12-04 2026-01-02 本溪钢铁(集团)信息自动化有限责任公司 资产状态探测平台及资产状态探测方法、设备及存储介质
CN121262118B (zh) * 2025-12-04 2026-04-17 本溪钢铁(集团)信息自动化有限责任公司 资产状态探测平台及资产状态探测方法、设备及存储介质

Similar Documents

Publication Publication Date Title
WO2018199912A1 (fr) Conception d'usine basée sur une architecture de découverte d'actifs incrémentale, procédé et protocole
JP7603687B2 (ja) 集中型知識リポジトリおよびデータマイニングシステム
US11295047B2 (en) Using cloud-based data for industrial simulation
US20210302923A1 (en) Backup of an industrial automation plant in the cloud
US10764255B2 (en) Secure command execution from a cloud monitoring system to a remote cloud agent
CN105939334B (zh) 工业通信网络中的异常检测
US10311015B2 (en) Distributed big data in a process control system
US10168691B2 (en) Data pipeline for process control system analytics
US20210194760A1 (en) Dynamic segmentation in an industrial network based on inventory tags
CN109976268B (zh) 在过程控制系统中的大数据
US12088614B2 (en) Systems and methods for detecting anomalies in network communication
US10530740B2 (en) Systems and methods for facilitating closed loop processing using machine learning
US20140337277A1 (en) Industrial device and system attestation in a cloud platform
US20170351226A1 (en) Industrial machine diagnosis and maintenance using a cloud platform
EP2801934A1 (fr) Assistance à distance par l'intermédiaire d'une plate-forme Cloud destinée à l'automatisation industrielle
US11392115B2 (en) Zero-trust architecture for industrial automation
WO2015138706A1 (fr) Mégadonnées distribuées dans un système de commande de processus
Friesen et al. Machine learning for zero-touch management in heterogeneous industrial networks-a review
Hästbacka et al. Device status information service architecture for condition monitoring using OPC UA
Malathy et al. Integrated architecture for IoTSG: internet of things (IoT) and smart grid (SG)
US20210255607A1 (en) Automation Component Configuration
KR20180029800A (ko) IoT 기기 오류 예측을 위한 인시던트 룰 조정 장치 및 방법
Padmavathy et al. Cloud-based industrial IoT infrastructure to facilitate efficient data analytics
El Rajab Intelligent Automation Solutions for Network Management and Security in 5G Networks: A Study on AutoML and Digital Twins
Kommadi AI based Adaptive Network for Smart Cities

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17723190

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17723190

Country of ref document: EP

Kind code of ref document: A1