The subject matter disclosed herein relates generally to a system and method for providing secure provisioning of modules in an industrial control system and, more specifically, to a system for providing a signed certificate to a module so that the module can connect to a network and be securely configured.
An industrial control system typically includes at least one industrial controller configured to execute a control program and multiple modules distributed about the controlled machine or process. Industrial controllers are specialized computer systems used for the control of industrial processes or machinery, for example, in a factory environment. Generally, an industrial controller executes a stored control program that reads inputs from a variety of sensors associated with the controlled process or machine and, based on those inputs and the control program, calculates a set of outputs used to drive the actuators that control the process or machine.
Industrial controllers differ from conventional computers in a number of ways. Physically, they are constructed to be substantially more robust against shock and damage and to better resist extreme environmental conditions than conventional computers. The processors and operating systems are optimized for real-time control and are programmed with languages designed to permit rapid development of control programs tailored to a constantly varying set of machine control or process control applications.
Generally, industrial control systems have a highly modular architecture that allows, for example, different numbers and types of input and output modules to be used to connect the industrial controller to the process or machinery to be controlled. This modularity may be further facilitated through the use of intelligent, or configurable, modules, where the module may include, for example, slots for daughter boards, configurable parameters, or different types or numbers of terminals. Including different combinations of daughter boards, parameter settings, terminals and the like may allow a single module to operate in a number of different configurations according to the application requirements.
During commissioning, a module is mounted to the controlled process or machine and must be configured based on the options selected and/or installed on the module and based on the application requirements. This configuration typically requires technician interaction and may require, for example, moving jumpers within the module, adjusting dials or positioning switches. The interaction may further require a technician to interact with a user interface on the module to set parameters for the module according to the desired operation. This technician interaction, however, is time consuming and prone to error. A technician must often locate or download a copy of a user manual for the device to determine the proper settings. Further, the technician may inadvertently place one of the dials, switches, or jumpers in an incorrect position resulting in undesired operation of the module. Thus, there is a need for an improved method for commissioning modules in an industrial control system.
Industrial controllers are increasingly being connected to a network external to the controlled process or machine, whether the network is internal to the facility at which the process or machine is installed, such as an intranet, or external to the facility, such as the Internet. The industrial controller may be connected to the network via a network interface integrated in a processor module or via a separate network module. Additional modules in the industrial control system may, in turn, connect to the external network by a backplane if the modules are mounted within a rack or by an industrial network if the modules are mounted remotely from each other.
In order to reduce time and the potential for error during commissioning, a technician may connect to the industrial control system and to individual modules via the external network. Configuration software executing on a computer connected to the network may identify the modules in the industrial control system and further identify the hardware options installed in each module. The module may be configured to receive electronic settings, that is, parameter settings identifying the configuration of the module, rather than requiring a technician to manually set dials, switches, or jumpers. The configuration software may also provide a graphical interface to facilitate configuration and the setting of other parameters that determine the desired operation of the module.
However, during this initial configuration via the network, a module is at its most vulnerable to interference, whether intentional or unintentional, over the network. The module may not be known to the configuration software on power up and may require auto-detection routines to identify it. While the first step in the detection process may be to generate and validate security certificates for each module, this initial detection and security certificate generation process is executed over a connection that is not yet secured, so nothing at that point authenticates the parties exchanging the certificates. Thus, it would be desirable to provide a secure method for establishing communications to provision modules in the industrial control system.
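The certificate generation and validation step referred to above, as an added worked example that is not part of this disclosure: a Go program in which a module generates a key pair and a certificate request on first power-up, a provisioning CA on the configuration side signs it, and the configuration software validates the resulting certificate against that CA, rejecting a certificate issued by any other CA. The names (ProvisioningCA, ModuleCSR, the module serial "IO-MODULE-000123") and the use of ECDSA P-256 are assumptions made for illustration, not details taken from the disclosure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProvisioningCA holds the key and certificate of a hypothetical commissioning
// authority run by the configuration software (an assumption of this example).
type ProvisioningCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewProvisioningCA creates a self-signed CA. In a real deployment this key would
// live on the provisioning server or an HSM, never on a module.
func NewProvisioningCA(name string) (*ProvisioningCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ProvisioningCA{Key: key, Cert: cert}, nil
}

// ModuleCSR is what a module produces on power-up: a fresh key pair that never
// leaves the module, plus a CSR carrying its identity (here a constructed serial).
func ModuleCSR(serial string) (*ecdsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, err
	}
	return key, csr, nil
}

// Sign issues a module certificate. The CSR signature proves only that the
// requester holds the private key; over an unsecured link it does not prove
// that the requester is the physical module, which is the gap described above.
func (ca *ProvisioningCA) Sign(csr *x509.CertificateRequest, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate is what the configuration software runs before trusting a module's
// connection: the chain must terminate at the plant's provisioning CA.
func Validate(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// ProvisionAndCheck runs the exchange once and also exercises the failure mode:
// a certificate for the same module issued by a different CA on the network
// must be rejected by the configuration software.
func ProvisionAndCheck() (genuineOK, rogueRejected bool, err error) {
	ca, err := NewProvisioningCA("Plant Provisioning CA")
	if err != nil {
		return false, false, err
	}
	rogue, err := NewProvisioningCA("Rogue CA")
	if err != nil {
		return false, false, err
	}
	_, csr, err := ModuleCSR("IO-MODULE-000123") // constructed module serial
	if err != nil {
		return false, false, err
	}
	good, err := ca.Sign(csr, 1001)
	if err != nil {
		return false, false, err
	}
	bad, err := rogue.Sign(csr, 1001)
	if err != nil {
		return false, false, err
	}
	return Validate(good, ca.Cert) == nil, Validate(bad, ca.Cert) != nil, nil
}

func main() {
	ok, rejected, err := ProvisionAndCheck()
	fmt.Println("genuine cert validates:", ok, "rogue cert rejected:", rejected, "err:", err)
}
```

The point a practitioner should take from the example is the comment on Sign: validation against the provisioning CA only tells the configuration software which authority issued a certificate. If the CSR travels over the unsecured link described above, the issuing step itself has no way to tell a genuine module from another device on the network presenting a well-formed request, so the security of the commissioned system rests on how that first exchange is protected.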