Many electronic devices in modern control systems are arranged with some kind of built-in intelligence. Such devices are often part of, or referred to as, embedded devices. Control systems for industrial process control, and systems for control in the generation, distribution and transmission of electricity, are often connected to the industrial equipment that the control system monitors and controls via one or more data communication networks that use industry standards such as Ethernet-based protocols. This has standardised and simplified industrial data communication for the purposes of monitoring and control. Electronic devices that may be connected to a control system using an industrial Ethernet standard are found in many different kinds of equipment, for example instruments such as sensors or transducers, actuators such as valves, motors, pumps and switches, as well as controls on major equipment such as generators, transformers, breakers, power trains and so on.
An example of deliberate creation of excessive traffic is a so-called Denial of Service attack, wherein an attacker tries to create traffic that exceeds the capacity of the network, or the capacity of a device to handle the traffic while still communicating as specified. One example is broadcasts that lead to excessive traffic when they are responded to by all, or many, of the electronic devices in the network.
Known methods for network traffic filtering include using software that provides the filtering, an external firewall, or a combination of the two. In such firewalls or software filters, the filtering of network traffic takes place after the packet has been received by the filtering system.
US2006/0168273A1, document 1 (D1), discusses protection against hostile and other unwanted data on computer networks, and describes methods and apparatuses for removing data frames or data packets from data communication links. The background section of D1 discusses two systems of protection against unwanted data, with reference to FIGS. 2a and 2b. D1 uses the OSI model as a framework for describing a communication link, wherein a transmitting node sends data segments in the form of frames or packets to a receiving node that receives the frames or packets. These packets are subsequently moved up from layer to layer in the receiving node until they reach their destination. In the two data network examples of the background, each data segment is transmitted from one communication node to another communication node via a communication link arranged between the nodes, and each transmitted data segment reaches the receiving node and is processed by the receiving node. FIG. 2a illustrates a system wherein a firewall (26 in D1, see also §17) is utilised for removing data frames or packets from a communication link (22). The firewall (26) is inserted in the communication link (22), in the form of an intermediate node, between the transmitter (25) and the receiver (27). The firewall (26) processes the data segments (28) and deletes unwanted data segments (28). FIG. 2b illustrates another system (see §21), wherein a firewall (25) implements the OSI seven-layer mechanism to buffer data sent from a transmitter (21) through a communication link (22). The firewall (25) processes the data received via the communication link (22), deletes unwanted data, and only resends allowed data through another communication link (26) to the receiving node (24). D1 considers some drawbacks of these systems: in the first system (FIG. 2a), a firewall in the form of an intermediate node (26 in FIG. 2a) employing a plurality of the OSI layers has to be inserted in the link, and in the second system the firewall (25 in FIG. 2b) buffers the data and an additional link (26 in FIG. 2b) has to be employed.
The invention of D1 avoids these drawbacks by presenting a non-intrusive protection against unwanted data segments that are transmitted through a data communication link. D1 describes a method and apparatus (see §26-27) for removing data frames or data packets from data communication links, wherein a detector detects unwanted data segments and an invalidator, which is associated with the detector, invalidates the unwanted data segment. The detection and invalidation do not interfere with the data flow through the communication link. The system of D1 utilises a control mechanism already present in the communication system, for example (§60) an error control mechanism in Layer 2 of the OSI model, so that unwanted data segments are deleted by the receiver. Typically, the invalidating includes inserting a detectable error (see §29). The method and apparatus generally utilise an error detecting mechanism present in the communication system, which error detecting mechanism discards erroneous packets (§62). The mechanism of D1 can be provided by adding an apparatus, including detector and invalidator, to a communication link between two nodes, which apparatus invalidates unwanted packets (FIG. 4, and §68) by adding an error to the frame. The error can be added without delaying the traffic. The receiving node will then reject the erroneous packet in its normal operation (§69). This provides a simplified firewall, and provides filtering without delaying normal traffic.
Embodiments of the method and apparatus in D1 are illustrated in more detail with reference to FIG. 3 (see §63-65), which illustrates deletion or discarding of an unwanted frame/packet at a receiver node according to the seven-layer OSI model. An allowed data segment (31) traverses the communication link (35) alongside an unwanted data segment, which contains an error or an impurity (32). At the receiver node (36), the erroneous data segment is discarded as it is tested by the communication layers implemented in the receiver node, according to its OSI seven-layer model implementation. The allowed, error-free data segments are passed by the communication layers on the receiver node to the upper layers and are validly processed by the application at the receiver node.
FIG. 4, of D1, is a block diagram of an apparatus for non-intrusive protection against unwanted data segments. The apparatus (40) comprises a detector (41). The detector (41) is used to detect data frames flowing through a communication link (45). The detector (41) is associated with an invalidator (42) which is configured to invalidate the detected data segment upon the data segment being deemed unwanted. The apparatus further includes a decision logic module (43), associated with the detector (41) and the invalidator (42), configured for deciding if the detected data segment is an unwanted one.
D1 provides an apparatus for protection against a hostile or any other unwanted frame or packet, and prevents it from reaching the destination application by invalidating it, thus destining it for removal from the communication chain. The apparatus is non-intrusive to the communication link. The apparatus can be positioned or deployed anywhere on the physical communication link that connects two communication nodes. Unlike prior firewalls, the apparatus marks the packet/frame by invalidating it, without terminating, interfering with or blocking the flow of the packet/frame towards the recipient.
Thus D1 illustrates non-intrusive protection against unwanted data segments, wherein a transmitter node sends various frames or packets to a destination receiver. A physical link conveys these frames or packets from the transmitter to the receiver. The protective apparatus, according to D1, is deployed in the link and this apparatus allows all packets/frames to flow on to their respective recipients but intercepts and invalidates unwanted packets/frames. The unwanted packets/frames, invalidated by the protective apparatus, are rejected by regularly operated applications at the recipient node.
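The following is an added illustration of the D1 mechanism described above; it is example code written for this discussion and is not code from D1 or from the present application. It models the "detectable error" of D1 §29 as corruption of the Layer 2 frame check sequence (FCS), which is an assumption about how the invalidator would be realised: the detector and decision logic classify each frame against a constructed policy, the invalidator damages the FCS of unwanted frames without removing them from the link, and the receiver's ordinary CRC check (the Layer 2 error control of D1 §60) discards them. The MAC addresses, EtherTypes, payloads and policy are all constructed sample values.

```python
import struct
import zlib

BROADCAST = b"\xff\xff\xff\xff\xff\xff"

# Constructed policy for the decision logic module (D1's element 43):
# frames from a blocked source, and broadcast frames whose EtherType is not
# on the allowed list, are deemed unwanted.
POLICY = {
    "blocked_sources": {bytes.fromhex("aabbccddeeff")},
    "allowed_broadcast_ethertypes": {0x0806},  # ARP broadcasts are expected
}


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet II frame: header + payload + CRC-32 FCS.

    The FCS is appended least-significant byte first, which is how the
    conventional CRC-32 maps onto the Ethernet wire format."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)


def fcs_is_valid(frame):
    """Receiver-side Layer 2 error check: recompute the CRC over the body."""
    body, fcs = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("<I", fcs)[0]


def parse_header(frame):
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return dst, src, ethertype


def detector_is_unwanted(frame, policy):
    """Detector plus decision logic: decide whether a frame is unwanted."""
    dst, src, ethertype = parse_header(frame)
    if src in policy["blocked_sources"]:
        return True
    if dst == BROADCAST and ethertype not in policy["allowed_broadcast_ethertypes"]:
        return True
    return False


def invalidate(frame):
    """Invalidator: insert a detectable error by complementing the FCS.

    The frame body is untouched and stays on the link; only the check
    value is damaged, so the receiver's CRC check cannot succeed."""
    body, fcs = frame[:-4], frame[-4:]
    return body + bytes(b ^ 0xFF for b in fcs)


def protective_apparatus(frame, policy):
    """The in-link apparatus: every frame flows on, unwanted ones invalidated."""
    return invalidate(frame) if detector_is_unwanted(frame, policy) else frame


def receiver(frames):
    """Normal receiver behaviour: deliver valid frames, discard erroneous ones."""
    delivered, discarded = [], []
    for frame in frames:
        (delivered if fcs_is_valid(frame) else discarded).append(frame)
    return delivered, discarded


def run_demo(policy=POLICY):
    """Send four constructed frames through the apparatus and count outcomes."""
    mac_a = bytes.fromhex("020000000001")
    mac_b = bytes.fromhex("020000000002")
    mac_blocked = bytes.fromhex("aabbccddeeff")
    sent = [
        build_frame(mac_b, mac_a, 0x0800, b"setpoint=42"),          # allowed unicast
        build_frame(BROADCAST, mac_a, 0x0806, b"who-has 10.0.0.2"),  # allowed ARP broadcast
        build_frame(BROADCAST, mac_a, 0x1234, b"flood" * 10),        # unwanted broadcast
        build_frame(mac_b, mac_blocked, 0x0800, b"cmd=status"),      # blocked source
    ]
    on_wire = [protective_apparatus(f, policy) for f in sent]
    delivered, discarded = receiver(on_wire)
    return {
        "sent": len(sent),
        "on_wire": len(on_wire),      # nothing is removed from the link itself
        "delivered": len(delivered),
        "discarded": len(discarded),
    }


if __name__ == "__main__":
    print(run_demo())
```

The counts returned by `run_demo` make the drawback discussed next visible: all four frames are still carried on the link (`on_wire` equals `sent`), and the two unwanted frames consume link capacity even though the receiver discards them. In a real deployment the invalidator must alter the check value before the receiver sees the end of the frame, which is why D1 places the apparatus on the physical link rather than behind the receiving node.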
A drawback of this method is that such an apparatus, like a firewall, still has to be added to the communication link (see §72). Moreover, the unwanted data are still transmitted on the link from transmitter to receiver, so the traffic on the link still includes the transmission of the unwanted data.