
Title: Policy-based secure communication with automatic key management for industrial control and automation systems

Abstract

A method includes generating at least one access vector associated with a specified device in an industrial process control and automation system. The specified device has one of multiple device roles. The at least one access vector is generated based on one or more communication policies defining communications between one or more pairs of device roles in the industrial process control and automation system, where each pair of device roles includes the device role of the specified device. The method also includes providing the at least one access vector to at least one of the specified device and one or more other devices in the industrial process control and automation system in order to control communications to or from the specified device.

Inventors:
Chernoguzov, Alexander; Markham, Thomas R.; Haridas, Harshal S.
Publication Date:
Research Org.:
Honeywell International Inc. Morris Plains, NJ (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1333212
Patent Number(s):
9,503,478
Application Number:
14/309,251
Assignee:
Honeywell International Inc. (Morris Plains, NJ) NETL
DOE Contract Number:
OE0000544
Resource Type:
Patent
Resource Relation:
Patent File Date: 2014 Jun 19
Country of Publication:
United States
Language:
English
Subject:
47 OTHER INSTRUMENTATION; 99 GENERAL AND MISCELLANEOUS

Citation Formats

Chernoguzov, Alexander, Markham, Thomas R., and Haridas, Harshal S. Policy-based secure communication with automatic key management for industrial control and automation systems. United States: N. p., 2016. Web.
Chernoguzov, Alexander, Markham, Thomas R., and Haridas, Harshal S. 2016. "Policy-based secure communication with automatic key management for industrial control and automation systems". United States. https://www.osti.gov/servlets/purl/1333212.

  • A method includes receiving a message at a first wireless node. The first wireless node is associated with a first wired network, and the first wired network is associated with a first security layer. The method also includes transmitting the message over the first wired network when at least one destination of the message is located in the first security layer. The method further includes wirelessly transmitting the message for delivery to a second wireless node when at least one destination of the message is located in a second security layer. The second wireless node is associated with a second wired network, and the second wired network is associated with the second security layer. The first and second security layers may be associated with different security paradigms and/or different security domains. Also, the message could be associated with destinations in the first and second security layers.
  • A system is described for hydraulically controlling an automatic transmission equipped with a gear mechanism having elements and friction engaging means therefor for attaining shift ranges by locking and releasing at least one of the elements of the gear mechanism. It is disposed between an input shaft and an output shaft, to and from a case, by bringing the elements into and out of engagement with one of the input shaft, the output shaft, and each other. The system comprises: a first and a second friction engaging means which take part in achieving at least two speed ranges comprising a higher speed range and a lower speed range; the first friction engaging means taking part in achieving a gear train of the higher speed range between the input and output shafts, and the second friction engaging means taking part in achieving a gear train of the lower speed range; a first and a second hydraulic servo means for actuating the first and the second friction engaging means, respectively; a third hydraulic servo means which is disposed to act opposing to the second hydraulic servo means and is communicated with the first hydraulic servo means; a hydraulic pressure source for generating a hydraulic pressure; a regulator valve for regulating the hydraulic pressure from the hydraulic pressure source into a given pressure; and a first signal hydraulic pressure valve for generating a first signal pressure related with the operation conditions of an engine for driving the input shaft, the conditions including at least output of the engine.
  • The Electric Power Research Institute and the U.S. Department of Energy have completed a jointly sponsored program to develop and test communication systems for distribution automation and load management. The program included three powerline-carrier projects, an ultra-high-frequency radio project, and a telephone project. For each project, a two-way (half-duplex) digital communication system was developed to perform such functions as fault location and isolation, distribution feeder switching, load control, time-of-day metering, remote meter reading, and equipment monitoring. The results of this research indicate that communication systems in all three technologies (power line carrier, radio, and telephone) have advanced closer to satisfying utility requirements for distribution automation and load control. Research will continue to determine whether these technologies will be cost-effective.
  • This document was developed to provide guidance for the implementation of secure data transfer in a complex computational infrastructure representative of the electric power and oil and natural gas enterprises and the control systems they implement. For the past 20 years the cyber security community has focused on preventative measures intended to keep systems secure by providing a hard outer shell that is difficult to penetrate. Over time, the hard exterior, soft interior focus changed to focus on defense-in-depth adding multiple layers of protection, introducing intrusion detection systems, more effective incident response and cleanup, and many other security measures. Despite much larger expenditures and more layers of defense, successful attacks have only increased in number and severity. Consequently, it is time to re-focus the conventional approach to cyber security. While it is still important to implement measures to keep intruders out, a new protection paradigm is warranted that is aimed at discovering attempted or real compromises as early as possible. Put simply, organizations should take as fact that they have been, are now, or will be compromised. These compromises may be intended to steal information for financial gain as in the theft of intellectual property or credentials that lead to the theft of financial resources, or to lie silent until instructed to cause physical or electronic damage and/or denial of services. This change in outlook has been recently confirmed by the National Security Agency [19]. The discovery of attempted and actual compromises requires an increased focus on monitoring events by manual and/or automated log monitoring, detecting unauthorized changes to a system's hardware and/or software, detecting intrusions, and/or discovering the exfiltration of sensitive information and/or attempts to send inappropriate commands to ICS/SCADA (Industrial Control System/Supervisory Control And Data Acquisition) systems.
  • This patent describes a well testing system adapted to be disposed in a borehole. It comprises: stimulus generating means for generating an initial kickoff stimulus; a plurality of valves; a plurality of control system means connected respectively to the plurality of valves for operating the valves; and control means interconnected between the plurality of control systems means and the stimulus generating means for automatically controlling the operation of one or more of the plurality of control system means and thereby one or more of the plurality of valves in a predetermined manner in response to the initial kick off stimulus. Also described is a method of automatically controlling a plurality of valves disposed in a multi-valve well testing system when the system is disposed in a borehole.