The present invention relates generally to industrial controllers for controlling machines and industrial processes, and, in particular, to a security module allowing greater security for industrial control devices interconnected using common Ethernet networks.
Industrial controllers are used to control and monitor industrial processes and machinery. A typical industrial controller includes a special-purpose computer that executes a stored control program to read inputs from and provide outputs to the controlled process, based on the logic of the control program.
Industrial controllers differ from conventional computers in three respects. First, industrial controllers are highly customizable to fit the demands of the particular industrial process being controlled. Typically, this customization is made possible by a modular construction which provides different components that may be added to the industrial controller to expand it for a particular application. Most typically, these additional components will be I/O (input/output) modules that provide analog or digital signals to actuators or that receive analog or digital signals from sensors. Other common components include displays and motor drives.
The second difference between industrial controllers and conventional computers is that the components of the industrial controller can be separated by considerable distances, for example, as distributed over a network communicating throughout a factory. A number of proprietary high-speed control networks are used for this purpose including, for example, ControlNet and DeviceNet, open standards managed by the multi-industry consortium ODVA (www.odva.org).
Third, industrial controllers, unlike conventional computers, must provide highly predictable and reliable control outputs that may safely control physical equipment. In this regard, it is imperative both that the outputs and inputs be delivered rapidly and that there be assurance that the outputs and inputs have, in fact, been communicated. Corruption of the data communication or spurious messages cannot be allowed.
Recently there has been considerable interest in control networks that use the Ethernet protocol. Such networks make use of readily available and low-cost Ethernet hardware and add an additional protocol to provide for the other requirements of the control network. Such control network protocols include EtherNet/IP (Ethernet Industrial Protocol), an open standard also managed by ODVA, Modbus/TCP, and others.
The use of an Ethernet-compatible network allows the control system to use a network that is also connected to other non-control computers and even to the Internet. Such connections raise the risk of familiar Internet security problems arising from malicious traffic. Such malicious traffic can wreak greater damage in an industrial control environment than in a standard computing environment where equipment is not being controlled. Accordingly, such malicious traffic must be prevented.
A standard method of limiting the effects of malicious network traffic is the use of a firewall and/or a security protocol. A simple firewall examines packets moving over the Ethernet to reject certain packets based on stateless data gleaned from individual packets, for example, data indicating the source of the packet or the port to which the packet is directed. More sophisticated firewalls, however, extract state data from multiple packets to better characterize the packets (for example, in the context of the communications protocol) and reject those packets deemed harmful. These more advanced firewalls employ an electronic computer executing software to logically process the state information developed from the multiple packets and to assess whether the packet should be forwarded or blocked at the firewall.
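The difference between the two firewall types described above, shown as an added Python example (not part of the original text): a stateless rule passes any packet with an allowed source and port, while a filter that tracks the TCP handshake drops a segment belonging to no connection it has seen. The addresses, the `StatefulFilter` class and the use of TCP port 44818 (registered for EtherNet/IP) are assumptions made for the illustration.

```python
from collections import namedtuple

ALLOWED_SOURCES = {"10.0.0.5"}  # constructed: hypothetical engineering workstation
CONTROLLER = "10.0.0.20"        # constructed: hypothetical protected controller
CONTROL_PORT = 44818            # TCP port registered for EtherNet/IP

# flags is a set of TCP flag names, e.g. {"SYN"} or {"PSH", "ACK"}
Packet = namedtuple("Packet", "src sport dst dport flags")

def stateless_allow(pkt):
    """Decide from this packet alone: source address and destination port."""
    return pkt.src in ALLOWED_SOURCES and pkt.dport == CONTROL_PORT

class StatefulFilter:
    """Tracks the TCP handshake of each connection opened toward the controller."""
    def __init__(self):
        self.state = {}  # (client, client_port) -> SYN_SENT | SYN_ACKED | ESTABLISHED

    def allow(self, pkt):
        if pkt.src == CONTROLLER:  # traffic leaving the controller
            key = (pkt.dst, pkt.dport)
            if pkt.flags == {"SYN", "ACK"} and self.state.get(key) == "SYN_SENT":
                self.state[key] = "SYN_ACKED"
                return True
            return self.state.get(key) == "ESTABLISHED"
        if not stateless_allow(pkt):  # the per-packet rule still applies
            return False
        key = (pkt.src, pkt.sport)
        cur = self.state.get(key)
        if pkt.flags == {"SYN"} and cur is None:
            self.state[key] = "SYN_SENT"
            return True
        if pkt.flags == {"ACK"} and cur == "SYN_ACKED":
            self.state[key] = "ESTABLISHED"
            return True
        if "RST" in pkt.flags or "FIN" in pkt.flags:  # simplified teardown
            return self.state.pop(key, None) is not None
        return cur == "ESTABLISHED" and "SYN" not in pkt.flags

def demo():
    """Constructed input: a data segment that belongs to no tracked connection."""
    injected = Packet("10.0.0.5", 50000, CONTROLLER, CONTROL_PORT, {"PSH", "ACK"})
    return stateless_allow(injected), StatefulFilter().allow(injected)

if __name__ == "__main__":
    print(demo())
```

The extra per-connection bookkeeping in `StatefulFilter.allow` is the software processing of multi-packet state that the paragraph attributes to the more advanced firewalls.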
As an alternative, or in addition to a firewall, a security protocol may be executed by devices communicating on the network, with the devices exchanging information so as to establish, for example, the authenticity of the transmitting device. An example security protocol is that used to implement secure HTTP (HTTPS).
Desirably, in the industrial control environment, each control device would have a firewall and/or security protocol blocking harmful traffic from a connected Ethernet network. This may, however, be impractical for legacy devices or simple devices that cannot support the cost or processing power needed for implementation of these functions. Further, sophisticated Internet firewalls or security protocols may introduce a communication delay and variations in delay (jitter) that are unacceptable for high-speed control signals in a control environment.