The invention pertains to digital data processing and, more particularly, to process control methods and apparatus for intrusion protection and network hardening.
Today's production and other control environments (including environmental control, industrial control, and the like) rely heavily on computer-based control systems. Historically, the communications networks (the “process control networks” or “control networks”) as they are sometimes called) over which the components of those control systems communicated was separate from the other business networks, e.g., the corporate LAN.
Increasingly, however, this is not the case. Current technology advances with open systems and the demand for information is driving tighter connectivity between these networks. Devices in use on the process control network have the ability to gather real time information about the process and have the ability to adjust to commands from the business network. More and more, enterprises are leveraging this to improve efficiency and intra-organizational transparency.
Whereas it had traditionally been secured and protected from the threat of virus and worm infections by the fact of isolation, the control network is now increasingly at risk as a result of network convergence. This is because many control systems share the same underlying operating systems as are used in the business network. Compounding the problem is that many of today's control networks have been implemented in pieces. Most have no consistent security design and many were not designed for security.
As a consequence, the threats from both internal and external sources have increased significantly. Ernst & Young reported in their “Information and Security Survey” that 60% of organizations expect to experience greater vulnerability as connectivity increases.
There are, of course, numerous reasons to protect the control network and control system from threat. The technical knowledge, skills and tools required to penetrate business networks are widely available. If applied to the control network of, say, a refinery or nuclear power plant, the results could be devastating. In addition, there are increasing regulatory mandates and guidelines being issued the US Government (National Strategy to Secure Cyberspace—US Government page 32), as well as guidelines and best practices for securing plant control systems from advisory groups, such as ISA SP99 committee, NIST (Process Control Security Requirements Forum—PCSRF), NERC (North American Electric Reliability Council), among others.
An object of the invention is accordingly to provide improved methods and apparatus for digital data processing.
Another object is to provide such methods and apparatus as improve network hardening and/or provide further protection against network intrusion.
A still further object of the invention is to provide such methods and apparatus as can be implemented in the range of production environments extant today and in the future.
Yet a further object of the invention is to provide such methods and apparatus as can be utilized on a range of control networks.