The present invention relates to a method of providing data access in an industrial automation system, a computer program product, and to an industrial automation system.
Due to a steadily increasing impact of information technology on industrial automation systems, methods of safeguarding components of an industrial automation system, such as monitoring devices, open-loop and closed-loop control devices, sensors and actuators, against unauthorised access are becoming a crucial factor. Compared to other fields of technology, data integrity is extremely important for a stable and reliable operation of industrial automation systems. Especially when collecting, evaluating and transmitting measured data and control commands, care has to be taken to ensure that measured data and control commands are transmitted completely and without any manipulation. Therefore, intentional and unintentional modifications of control messages in industrial automation systems are to be avoided, especially in system or component failure scenarios.
Moreover, communication in industrial automations systems is characterised by a large amount of relatively short messages. This requires high efforts to ensure data integrity and consistent system operation. Further efforts result from real-time requirements in industrial automation systems when collecting and processing measured data and control messages pertaining to time-critical technical processes, e.g., in factory or building automation.
Industrial automation systems that are based on service-oriented architectures often require the application of fine-granular and high-sophisticated access control policies. Usually, such access control policies do not just have to be applied to users in an industrial automation system, but also to services provided in industrial automation systems increasing the complexity of defining and managing access control policies. Usually, additional measures must be taken to avoid negative side-effects on system performance.
Additionally, in many scenarios a clear separation of configuration data and runtime data is required to realize consistent and safety-relevant access in an industrial automation system. In accordance with prior known solutions, stable data has been compiled and thereby made static. Alternatively, configuration data has been pre-defined at design time. Therefore, configuration data and runtime data has been stored separately in different data repositories. Accordingly, access control in conventional systems has been made by convention or programming. This usually results in making access control less flexible with regard to modifying access control policies and more error-prone.