The subject matter disclosed herein relates generally to a firewall for an industrial network and, more specifically, to a firewall in which rules may be specified at an application level.
Industrial controllers are specialized computer systems used for the control of industrial processes or machinery, for example, in a factory environment. Generally, an industrial controller executes a stored control program that reads inputs from a variety of sensors associated with the controlled process or machine. Sensing the conditions of the process or machine and based on those inputs and the stored control program the industrial controller determines a set of outputs used to control actuators for the process or machine.
Industrial controllers differ from conventional computers in a number of ways. Physically, they are constructed to be substantially more robust against shock and damage and to better resist extreme environmental conditions than conventional computers. The processors and operating systems are optimized for real-time control and are programmed with languages designed to permit rapid development of control programs tailored to a constantly varying set of machine control or process control applications.
Generally, the industrial controllers have a highly modular architecture that allows, for example, different numbers and types of input and output modules to be used to connect the controller to the process or machinery to be controlled. This modularity is facilitated through the use of special “control networks” suitable for highly reliable and available real-time communication. Such control networks (for example, ControlNet, EtherNet/IP, or DeviceNet) differ from standard communication networks (e.g. Ethernet) by guaranteeing maximum communication delays by pre-scheduling the communication capacity of the network and/or providing redundant communication capabilities for high-availability. In addition, packets transmitted on the control network are formatted according to a protocol defined for the particular network, such as the Common Industrial Protocol (CIP).
Over time, the complexity and/or size of the machine or process controlled by the industrial controller has increased. For example, a process line may span the entire length of a bay in an industrial complex or an automated storage system may be distributed over an entire warehouse. As a result, it has become desirable to provide access to the control network for monitoring performance of the machine, process, and/or individual elements executing in the controlled machine or process. Similarly, it may be desirable to provide access to the control network to change the configuration or program of elements executing in the controlled machine or process.
Historically, access may have been provided to a machine operator, for example, via a dedicated terminal located proximate to the controlled machine or process. However, at certain times, such as during commissioning or for troubleshooting, it may be desirable to provide access to a user, such as a system programmer or designer located in a remote building. The control network may then be interfaced to a private intranet, allowing the designer to monitor the system. However, on occasion, it may also be desirable to permit access to a remote site such as a field installation via the Internet. Access may be established, for example, via a virtual private network (VPN) requiring user identification and verification.
However, unauthorized or inadvertent access of the controlled machine or process could result in damage and resultant downtime of the machine or process. Consequently, access to the control network must be restricted. Typically, access to a network may be limited by rules established within a network device such as a switch or a router. The rules are also referred to as a firewall, and the rules determine whether packets received by the network device are allowed to propagate onto the control network.
Certain protocols, such as CIP, provide significant flexibility to a device manufacturer. The protocol includes a framework of objects and layers that allow integration of different devices in an open network. The protocol provides, for example, communication between devices configured for different networks, such as EtherNet/IP, DeviceNet, or ControlNet. The CEP protocol is also highly extensible allowing future devices or networks to be integrated as well. The structure of the protocol, however, makes it difficult to define rules by which a firewall may operate.
The CIP protocol, for example, includes many different types of messages. Two primary types of messages are explicit messages and implicit messages. Explicit messages follow a predefined format. Explicit messages may be used to establish a connection between a sender and a receiver and are configured in a request-reply format, meaning that a first device transmits a first message packet, such as a command or a request for data, to a second device and the second device transmits a second message packet, such as an acknowledgement of the command or the requested data, in reply to the first message packet. Implicit messages are configured based on an established connection between a sender and a receiver. Because the connection is established, the request-reply format need not be used. The implicit message may also transmit in a broadcast format, meaning a device transmits the message packet and does not expect and, therefore, does not wait for a reply. The implicit message may be initiated by an external trigger, a periodic interval, or some other predefined trigger mechanism. The explicit messages are typically utilized to transmit configuration data or other informational data that is not time-sensitive and/or that may be transmitted infrequently. Implicit messages are typically utilized to transmit data, such as Input/Output (I/O) data that must be updated at fixed intervals and/or requires frequent updating. The implicit messages include very little data regarding their configuration, structure, or other data about the message itself with the bulk of the message including data arranged according to a predefined format such that the transmitting device may generate the message efficiently and the receiving device may similarly process the message efficiently.
Further, a single device may be configured to transmit multiple types of messages or even a sequence of messages with another device. A motor drive, for example, may communicate with a processor module. The motor drive may receive configuration information from the processor module via explicit messages and may transmit data such as motor configuration or operation time to the processor module via explicit messages. The motor drive may also require a command message, such as a speed or torque command, be transmitted from the processor module using an implicit message repeated at a fixed interval and may similarly transmit operating data such as motor current or motor speed back to the processor module using implicit messages at a fixed interval.
Depending on the location of the processor module and the motor drive in the control system, the communications between the two devices may pass through a firewall. Traditional firewall rules utilize, for example, a source address and/or a destination address to determine whether a message is allowed to pass through the firewall. More complicated rules may further examine message packets to determine what operation (e.g., read/write) the message is intended to perform and may further allow message packets based on the operation the message is intended to perform.
For the above-described example of the motor drive communicating with the processor module, the explicit message and the implicit message take on different formats, contain different fields, or vary in other manners that prevent a single rule from allowing communication between the motor drive and the processor module. Further, the limited information contained in implicit messages about the message packet itself may make it difficult or impossible to configure a rule in a traditional firewall to allow the implicit messages to pass through. A system designer may need extensive knowledge of the CM protocol and each device for which it is desired to create a set of rules to permit all of the desired communications between the devices. Additionally, certain messages may be sent infrequently, such as a fault message, and have still another format. Thus, establishing an effective firewall to allow desired communications between the devices may require extensive setup and may be difficult to establish all of the necessary rules.
Thus, it would be desirable to provide an improved system for establishing rules in a firewall for an industrial network.