The present embodiments relate to protecting a field device against tampering.
Field devices are used in a variety of areas of technology (e.g., in the form of signal installations such as traffic lights, railway signals or the like). Field devices may be connected to a control device (e.g., a control station or similar apparatus) in order to control the field devices using control signals. A field device of this type may include a control computer to process the control signals. A configuration memory is connected to the control computer. The control computer and configuration memory are provided for the control of the field device. The control computer may be connected to an input/output unit of the field device, via which sensor signals of additional sensors may be transferred (e.g., sensors that monitor a rotation speed of an actuator of the field device or similar). In addition, the field device also includes a communication interface for communication with the control station.
In order to avoid manipulations on the field device and, for example, on the control computer and the configuration memory, the control computer and the configuration memory are provided with a sealing compound (e.g., an epoxy resin or the like). Accessibility to the control computer and the configuration memory is thereby hindered, and a certain tamper protection is achieved.
Due to the protection of the control computer and the configuration memory against tampering, the configuration data stored in the configuration memory (e.g., cryptographic keys for the communication with the control station) are protected against manipulations, or the manipulation is at least hindered.
An integrated circuit that has a tamper protection is, for example, the ATMEL AT98. The data for the ATMEL AT98 is downloadable at http://www.datasheetarchive.com/AT98SC008CT-datasheet.html.
In addition, sensors may be located on the field device in order to detect a manipulation of the control computer or the configuration memory. These sensors may, for example, be disposed inside or outside a tamper-protected area. A wire mesh may be provided in the tamper-protected area. The wire mesh is connected to a corresponding sensor that applies electrical signals to the wire mesh. If an attacker then carries out a manipulation on the control computer or on the configuration memory of the field device (e.g., by drilling into the sealing compound) in order to contact the control computer and/or the configuration memory and read out data so as to be able to manipulate the configuration memory, the wire mesh will, with a certain high probability, be destroyed. In order to achieve an effective tamper protection, a continuous monitoring of the wire mesh by the corresponding sensor is provided. Otherwise, an attacker may remove the wire mesh (e.g., if a device was switched off), may analyze the wire mesh and reconstruct an electrically equivalent wire mesh before putting the field device back into operation and before the device is connected to the control station. The field device itself and also the control station may then be unable to detect whether or to what extent the field device has been manipulated.
A continuous monitoring also uses a corresponding energy supply that incurs additional costs. The condition of the energy supply is checked continuously in order to enable a reliable protection of the field device against tampering.
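The monitoring gap described above can be made concrete with a small model, added here as an illustration and not taken from any cited device or patent. The resistance values, the tolerance, the `MESH_OPEN` marker, the sample timeline and the key-erasure response are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MESH_OPEN UINT32_MAX /* constructed marker: mesh cut or removed */

typedef struct { bool powered; uint32_t mesh_mohm; } step; /* one sample slot */

typedef struct {
    uint32_t baseline_mohm, tolerance_mohm; /* provisioning value, allowed drift */
    bool tamper_latched;                    /* sticky once set */
    uint8_t key[16];                        /* stands in for stored key material */
} tamper_monitor;

/* Constructed timeline: the device is switched off in slots 1-2 while the mesh
 * is removed, then an electrically equivalent mesh (1210 mOhm) is fitted. */
static const step TIMELINE[] = {
    {true, 1200}, {false, MESH_OPEN}, {false, MESH_OPEN}, {true, 1210}, {true, 1205},
};
enum { TIMELINE_LEN = sizeof TIMELINE / sizeof TIMELINE[0] };

/* Evaluate one slot. A sensor without power observes nothing at all. */
static void monitor_step(tamper_monitor *m, step s)
{
    if (!s.powered || m->tamper_latched)
        return;
    uint32_t diff = s.mesh_mohm > m->baseline_mohm ? s.mesh_mohm - m->baseline_mohm
                                                   : m->baseline_mohm - s.mesh_mohm;
    if (diff > m->tolerance_mohm) {
        m->tamper_latched = true;
        volatile uint8_t *p = m->key; /* assumed response: erase the key */
        for (size_t i = 0; i < sizeof m->key; i++)
            p[i] = 0;
    }
}

/* Replay the timeline. With sensor_always_powered the sensor has its own
 * energy supply and samples every slot; without it, only powered slots count. */
static tamper_monitor replay(bool sensor_always_powered)
{
    tamper_monitor m = { .baseline_mohm = 1200, .tolerance_mohm = 50 };
    memset(m.key, 0xA5, sizeof m.key); /* constructed key bytes */
    for (size_t i = 0; i < TIMELINE_LEN; i++) {
        step s = TIMELINE[i];
        s.powered = s.powered || sensor_always_powered;
        monitor_step(&m, s);
    }
    return m;
}
```

With the sensor powered in every slot, the open mesh in slot 1 latches the tamper flag and the key is erased; when sampling stops while the device is off, the replacement mesh reads within tolerance and the key survives unnoticed.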
U.S. Pat. No. 7,685,438 introduces magnetic particles into a protective layer of an integrated circuit. The magnetic particles may be detected by sensors, and a cryptographic key may be produced using the detected information relating to the magnetic particles. If the protective layer of the integrated circuit is removed, the information required to generate the cryptographic key is therefore also destroyed.
It is known from US Patent Application No. 2008/192240 to evaluate a characteristic property of an optical waveguide in order to detect a physical manipulation of the optical waveguide.