Technical Field
The present disclosure generally relates to data and communications security for networks that enable connectivity among industrial assets, and between an industrial automation network and a general purpose network.
Description of the Related Art
Industrial equipment, such as manufacturing equipment used to build or assemble products, is typically supported by an industrial automation system and an associated industrial communications network. In an industrial automation system, operation of each machine that handles a product can be controlled by a dedicated operations device such as a workstation computer. In addition to supervising and controlling operation of a particular machine, the workstation computer can collect data from the machine for purposes of monitoring a manufacturing or assembly process, monitoring and improving operational efficiency and throughput, quality control, and the like.
A workstation computer tied to an industrial machine can be separate from the machine or built into the machine. Furthermore, the machine can be stationary or mobile. Mobile manufacturing machines may be used, for example, in the automotive, shipbuilding, and aerospace industries, to assemble vehicle products which can be much larger than the equipment used to build them. In such cases, it can be more efficient to move processing equipment to a stationary product rather than attempting to move the product from one stationary piece of equipment to another.
If a manufacturing machine is mobile and its associated workstation computer is separate from the machine, it may be desirable for the workstation computer to support wireless communication with the machine. Furthermore, it can be beneficial for certain personnel, such as authorized operators, service technicians, engineers, production managers, and the like, to gain remote access to the manufacturing computing environment, and possibly to specific workstation computers. In addition, there may be advantages to providing wireless connectivity so that workstation controllers can access the Internet. However, such increased connectivity exposes factory automation systems to a higher level of operational risk, and generally makes the manufacturing environment more vulnerable to breaches of information security. Therefore, it is important that proper network security is in place to effectively limit the remote access, and/or certain levels of access, to designated users.
Workstation computers are typically coupled to a database server and an operations database via an industrial automation communications network so that data collected from various operational machines can be made available for statistical analysis, debugging, failure analysis, and the like. The operations database may be integrated with a corporate-wide business system (e.g., enterprise business network) that aggregates data from various arms of a business organization, for example, development, operations, marketing, and accounting. Alternatively, the industrial automation communications network may be integrated directly with a business network.
In general, the coupling of computer networks is dynamic, such that computers may enter or exit a network frequently, on a random basis. Such dynamic network connections are typically administered using a network protocol such as the dynamic host configuration protocol (DHCP) which is set up to configure networked devices and assign internet protocol (IP addresses) each time the device requests connection to the network. Typically, DHCP is implemented on a DHCP server which maintains a database of available IP addresses and configuration information in accordance with agreed-upon industry standards.
Often, the protocols used for industrial automation communications networks differ from, or are incompatible with, standard DHCP protocols used for business networks, making connectivity relationships between the two types of networks challenging. In addition, many industrial automation systems were not designed with information security in mind, but now require secure connectivity to be compatible with business network security protocols, or to be compliant with regulatory standards. Even when security measures are put in place, a network having a DHCP server is inherently vulnerable to attack. For example, a rogue DHCP server could intrude and take control of managing network connectivity.