Industrial automation is used to control machines and processes in manufacturing. Automated machines commonly control the handling of components, sub-components, and raw materials, perform fabrication processes, testing, product handling, packaging, and shipping. Industrial automation enables precise control of industrial processes, achievement of smaller tolerances and better quality products, higher production outputs, and increased worker safety and productivity.
Industrial automation installations comprise multiple computerized devices that control industrial machines and industrial processes. The components of an industrial automation installation must work together in a coordinated fashion, performing operations such as exchanging data, controlling the timing and scheduling of processes, providing information to operators or technicians, and receiving operator inputs.
Because of the large number of system variables that must be monitored and controlled, industrial automation systems often generate vast amounts of data. In addition to production statistics, data relating to machine health, alarm status, operator feedback, electrical or mechanical load, and the like are often monitored. The data is generated by the many industrial devices that can make up a given automation system, including industrial controllers and associated I/O, telemetry devices, motion control devices, valves, conveyors, raw material handling systems, product handling systems, visualization applications, traceability systems, and the like. Moreover, such industrial facilities can operate on a twenty-four hour basis, wherein automation systems can generate a vast amount of data.
In addition, industrial automation monitoring has evolved from monitoring devices in an industrial plant to include monitoring devices at remote sites, such as mobile or temporary facilities. Industrial automation monitoring can be used for drilling, mining, and other resource extraction operations. Industrial automation monitoring can be used in monitoring water treatment facilities or in monitoring of environmental conditions. Industrial automation monitoring can be used to monitor the health and operation of industrial automation devices including field equipment.
Industrial automation devices can generate industrial automation data at multiple, geographically disparate locations. The industrial automation data can be collected via the cloud, wherein industrial automation data can be accumulated and made available to a user or users via the cloud. Where the industrial automation devices are distributed geographically, the cloud advantageously provides a facility for accessing data from multiple, distributed industrial automation devices.
While good solutions exist today for securing communications across industrial automation devices across a factory floor, it is critical that secure, private, trusted communications are maintained from these on-premises industrial automation devices up to these cloud-hosted services.
Overview
In an embodiment, an industrial automation gateway providing an extended web of trust is provided. The industrial automation gateway includes a cloud communication interface coupled with, and configured for communication with, a cloud automation facility, a hardware memory, and a processor coupled with the cloud communication interface and the hardware memory. The cloud automation facility includes a cloud hardware memory storing a cloud root certificate from a first root certificate authority and a subordinate certificate. The hardware memory stores a gateway root certificate from a second root certificate authority and the subordinate certificate. The processor is configured to determine if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority. The processor is also configured to transfer automation data to the cloud automation facility using the subordinate certificate only if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority.
In another embodiment, a method for providing an extended web of trust within an industrial automation gateway is provided. The method includes receiving a gateway root certificate from a first root certificate authority, and storing the gateway root certificate in a gateway hardware memory along with a subordinate certificate. The method also includes receiving a command from a cloud automation facility, the cloud automation facility comprising a cloud hardware memory storing a cloud root certificate from a second root certificate authority and the subordinate certificate.
The method further includes determining if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority, and executing the command from the cloud automation facility only if the subordinate certificate has been certified by both the first root certificate authority and the second root certificate authority.
In a further embodiment, one or more non-transitory computer-readable media having stored thereon program instructions to facilitate an extended web of trust within an industrial automation gateway is provided. The program instructions, when executed by a computing system, direct the computing system to at least receive a gateway root certificate from a first root certificate authority, and store the gateway root certificate in a gateway hardware memory along with a subordinate certificate. The instructions also direct the computing system to receive a command from a cloud automation facility, the cloud automation facility comprising a cloud hardware memory storing a cloud root certificate from a second root certificate authority and the subordinate certificate.
The instructions further direct the computing system to determine if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority, and execute the command from the cloud automation facility only if the subordinate certificate has been certified by both the first root certificate authority and the second root certificate authority.
This Overview is provided to introduce a selection of concepts in a simplified form that are further described below in the Technical Disclosure. It should be understood that this Overview is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.