1. Field of the Invention
The invention relates to a method and a system for transmitting control data between control units of a network in a manner that is secured against manipulation.
2. Description of the Related Art
FIG. 1 shows a representation of a conventional network in which control data are transmitted or exchanged between control units. In the example shown in FIG. 1, two control networks are connected to one another via a transmission network. Each of the two control networks has a gateway for connection to the transmission network. Each control network contains a plurality of control units SE that are connected, for example, via a bus to the gateway of that control network. The two control networks exchange control data SD1, SD2, SD3 . . . via the transmission network. The control units SE can be different devices, such as control computers, programmable logic controllers, robot arms, sensors or actuators. It is also possible for a control network to communicate via the transmission network with a control center, such as a SCADA system.
A transmission network can be, for example, an Ethernet-based or an IP-based production network that connects the control networks of different production cells to one another. A transmission network can also be a train network that connects the networks of different train wagons to one another. Trains have, for example, data networks for performing train control, vehicle control or other operating functions. Furthermore, the transmission network can be a network within an energy automation system.
The need for correct execution of the control and monitoring functions makes it necessary for the control network, and the control components or control units connected by it, to function properly. If the control network is manipulated, however, this is not assured. As a result, proper operation, and possibly also the reliability, of the controlled system can be impaired.
In a spatially compact environment, the control network can be protected against manipulation by physical protective measures so that it is not accessible to an attacker. However, in the case of distributed networks installed, for example, in a production plant or in a vehicle such as a train, this is not possible. In distributed control networks of this type, control data are typically transmitted via a transmission network between separate network regions. Thus, for example, data transmission can occur between train parts (wagons). Furthermore, data transmission can occur between spatially separate regions within a train, for example, between a switchgear cabinet and a control component installed in a roof container or in the floor of a train wagon. Control data are also transmitted, for example, from a signal box to a trackside signaling unit or a set of points. A further example is the transmission of data between production cells that have different control networks. Data transmission can also be performed via a transmission network between a sensor/actuator and a control unit of a process automation system, for example, of a refinery. A further example is the transmission of data between a substation controller of an energy automation system and a control center.
Control networks are therefore often physically protected against access, for example, by routing them in special cable ducts, so that they are not accessible to third parties and manipulation is hindered as far as possible. However, this is typically expensive and, because of the complex installation and the need to allow servicing activities to be performed, not generally applicable.
It is also known to protect data during transmission by means of a checksum, for example, a CRC checksum. A checksum of this kind is suitable only for recognizing random transmission errors. Therefore, cryptographic checksums are conventionally employed, for example, a Message Authentication Code or a digital signature. The transmitted control data are then supplemented with a cryptographic checksum, which is checked on receipt. Only control data for which the cryptographic checksum has been successfully checked are further processed on the side of the receiving control device. The transmitted control data are thus protected by the cryptographic checksum. However, cryptographic protection of this type can be integrated into existing components only with difficulty, because it requires a particular computational effort, a particular amount of memory and a particular retrofitting effort. Providing a separate upstream encryption component that encrypts the data before transmission, or provides the data with a cryptographic checksum, can likewise be realized only with substantial technical effort. A further disadvantage is that the cryptographic computations performed lead to delays, which are undesirable, particularly in real-time-critical control and regulation tasks, and can even impair security. Furthermore, the provision of an upstream encryption component of this type is not without effects on the relevant control system.
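The distinction drawn above between a CRC and a cryptographic checksum, illustrated by an added example that is not part of the patent text: a CRC32 trailer and an HMAC-SHA256 tag are both appended to a control datum and checked on receipt, and the receiver processes the payload only when the check succeeds. The control data format, the shared key and the sample values are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed control datum: a 16-bit register id and a 32-bit setpoint value
# (the format is an assumption; any structured control data SD1, SD2, ... would do).
def encode_control_data(register_id: int, setpoint: int) -> bytes:
    return struct.pack(">HI", register_id, setpoint)

# --- Conventional protection: CRC32 trailer, detects random transmission errors only ---
def crc_protect(payload: bytes) -> bytes:
    return payload + struct.pack(">I", zlib.crc32(payload))

def crc_verify(frame: bytes):
    """Return the payload if the CRC matches, else None (frame is discarded)."""
    payload, trailer = frame[:-4], frame[-4:]
    return payload if trailer == struct.pack(">I", zlib.crc32(payload)) else None

# --- Cryptographic checksum: HMAC-SHA256 tag under a key shared by sender and receiver ---
def mac_protect(payload: bytes, key: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_verify(frame: bytes, key: bytes):
    """Return the payload only if the tag verifies; compare_digest avoids timing leaks."""
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def flip_bit(data: bytes, bit: int) -> bytes:
    """Model a random transmission error: flip a single bit of the frame."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def demo(key: bytes = b"constructed-shared-key") -> dict:
    genuine = encode_control_data(0x0101, 1500)
    altered = encode_control_data(0x0101, 9999)  # same register, changed setpoint
    results = {}
    # 1. Random bit error in transit: both mechanisms reject the frame.
    results["crc_bit_error"] = crc_verify(flip_bit(crc_protect(genuine), 13))
    results["mac_bit_error"] = mac_verify(flip_bit(mac_protect(genuine, key), 13), key)
    # 2. Deliberate manipulation: a CRC needs no secret, so a recomputed trailer over
    #    altered data passes a CRC-only receiver; the cryptographic checksum does not
    #    verify without the key, so the altered data with the genuine tag is rejected.
    results["crc_manipulated"] = crc_verify(crc_protect(altered))
    genuine_tag = mac_protect(genuine, key)[-32:]
    results["mac_manipulated"] = mac_verify(altered + genuine_tag, key)
    # 3. Genuine frames are accepted by both receivers.
    results["crc_genuine"] = crc_verify(crc_protect(genuine))
    results["mac_genuine"] = mac_verify(mac_protect(genuine, key), key)
    return results
```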