Crypto proxy for cloud storage services
US-9137222-B2 · Sep 15, 2015 · US
US10824736B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10824736-B2 |
| Application number | US-201715822824-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 27, 2017 |
| Priority date | Sep 23, 2014 |
| Publication date | Nov 3, 2020 |
| Grant date | Nov 3, 2020 |
Official abstract text for this publication.
Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network. The encryption relay processor can execute a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method, the method being executed by one or more processors and comprising: for each controller device of a plurality of controller devices in a control zone of an operational technology network: determining a security capability of the controller device that is indicative of whether the controller device is capable of performing a security operation within the operational technology network, and based on the security capability of the controller device, generating a security profile for the controller device; receiving, by a security relay in the control zone of the operational technology network, and from a requester device that is outside of the control zone of the operational technology network, a first request to communicate with a first controller device in the operational technology network; determining, by the security relay, that the first controller device is incapable of handling secure communication with respect to the first request to communicate, based on a first security profile that corresponds to the first controller device; and in response to determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, providing, by the security relay, a first emulator that emulates the first controller device and executes within the security relay to provide security services for communication between the first controller device and the requester device that is outside of the operational technology network, the first emulator included in a plurality of emulators executed within the security relay, each emulator being specific to a respective controller device and providing security services for the respective controller device that is incapable of handling secure communications, communications between the security relay and the first controller device within the control zone being insecure, and communications between the security relay and the requester device being secure.

2. The computer-implemented method of claim 1, wherein a security capability of at least one controller device is determined based on specifications for the controller device.

3. The computer-implemented method of claim 1, further comprising monitoring network communications of at least one controller device, wherein a security capability of the at least one controller device is based on whether the monitored network communications are encrypted.

4. The computer-implemented method of claim 1, further comprising attempting to establish a network connection with at least one controller device, wherein a security capability of the at least one controller device is based on whether the at least one controller device requests credentials.

5. The computer-implemented method of claim 1, further comprising: receiving, by the security relay in the operational technology network, and from the requester device that is outside of the operational technology network, a second request to communicate with a second controller device in the operational technology network; determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, based on a second security profile that corresponds to the second controller device; after determining that the second controller device is capable of handling secure communication with respect to the second request to communicate, not providing, by the security relay, security services for communication between the second controller device and the requester device that is outside of the operational technology network.

6. The computer-implemented method of claim 1, further comprising creating the first emulator for the first controller device based on the first security profile, wherein the security relay uses the first emulator to handle security services for the first controller device.

7. The computer-implemented method of claim 1, further comprising, for each controller device of the plurality of controller devices in the operational technology network, adding the security profile for the controller device to a library of security profiles.

8. The computer-implemented method of claim 1, wherein the security services include one or more of cryptographic services and authentication services.

9. A system comprising: one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: for each controller device of a plurality of controller devices in a control zone of an operational technology network: determining a security capability of the controller device that is indicative of whether the controller device is capable of performing a security operation within the operational technology network, and based on the determined security capability of the controller device, generating a security profile for the controller device; receiving, by a security relay in the control zone of the operational technology network, and from a requester device that is outside of the control zone of the operational technology network, a first request to communicate with a first controller device in the operational technology network; determining, by the security relay, that the first controller device is incapable of handling secure communication with respect to the first request to communicate, based on a first security profile that corresponds to the first controller device; and in response to determining that the first controller device is incapable of handling secure communication with respect to the first request to communicate, providing, by the security relay, a first emulator that emulates the first controller device and executes within the security relay to provide security services for communication between the first controller device and the requester device that is outside of the operational technology network, the first emulator included in a plurality of emulators executed within the security relay, each emulator being specific to a respective controller device and providing security services for the respective controller device that is incapable of handling secure communications, communications between the security relay and the first controller device within the control zone being insecure, and communications between the security relay and the requester device being secure.

10. The system of claim 9, wherein a security capability of at least one controller device is determined based on specifications for the controller device.

11. The system of claim 9, the operations further comprising monitoring network communications of at least one controller device, wherein a security capability of the at least one controller device is based on whether the monitored network communications are encrypted.

12. The system of claim 9, the operations further comprising attempting to establish a network connection with at least one controller device, wherein a security capability of the at least one controller device is based on whether the at least one controller device requests credentials.

13. The system of claim 9, the operations further comprising: receiving, by the security relay in the operational technology network, and from the requester device that is outside of the operational technology network, a second request to communicate with a second controller device in the operational technology network; determining that the second controller device is capable of handling secure communication with respect to the second request to commun
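The abstract and claims above describe two decisions the security relay makes: build a security profile for each controller (from its specifications, from whether its monitored traffic is encrypted, or from whether a connection probe is asked for credentials), and then, per request from outside the control zone, either pass the request through to a capable controller or run a device-specific emulator inside the relay that handles the secure leg and forwards plaintext to the incapable controller. The following is an added example written to illustrate that logic; it is not code from the patent or its assignee. The device names, the profile fields, the Modbus/TLS frame heuristic, and the use of HMAC-SHA256 message authentication as a stand-in for the secure leg (a real relay would terminate TLS or an equivalent protocol) are all assumptions made for the example.

```python
"""Security-relay decision logic modelled on the claims of US10824736B2.

Added illustration, not code from the patent. Device names, profile fields and
the HMAC-based "secure leg" are assumptions so the example runs offline with
only the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


# ---- Security-profile generation (claims 2, 3, 4 and 7) ---------------------

@dataclass(frozen=True)
class SecurityProfile:
    device_id: str
    secure_capable: bool
    evidence: str  # how the capability was determined


def capability_from_specs(device_id: str, specs: dict) -> SecurityProfile:
    """Claim 2: capability read from the device's specification sheet (assumed dict)."""
    return SecurityProfile(device_id, bool(specs.get("supports_tls")), "specifications")


def looks_encrypted(frame: bytes) -> bool:
    """Heuristic for claim 3 (an assumption): a TLS record starts with a
    content-type byte 0x14-0x17 followed by a 0x03 0x01..0x04 version; anything
    else (e.g. a Modbus/TCP frame starting with a transaction id) is cleartext."""
    return (len(frame) >= 3 and frame[0] in (0x14, 0x15, 0x16, 0x17)
            and frame[1] == 0x03 and 0x01 <= frame[2] <= 0x04)


def capability_from_traffic(device_id: str, frames: list) -> SecurityProfile:
    """Claim 3: capability inferred from monitored traffic; no traffic means no evidence."""
    capable = bool(frames) and all(looks_encrypted(f) for f in frames)
    return SecurityProfile(device_id, capable, "monitored traffic")


def capability_from_probe(device_id: str, connect) -> SecurityProfile:
    """Claim 4: capability inferred from whether a connection attempt asks for
    credentials. `connect` returns the device greeting (constructed for the demo)."""
    return SecurityProfile(device_id, b"AUTH REQUIRED" in connect(), "connection probe")


# ---- Relay and per-device emulators (claims 1, 5, 6 and 8) -------------------

def make_tag(key: bytes, payload: bytes) -> bytes:
    """Authentication tag the outside requester attaches on the secure leg (assumed)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


@dataclass
class Emulator:
    """Emulator executing inside the relay for one incapable controller: it
    terminates the secure leg (HMAC check here) and forwards plaintext to the
    controller over the insecure leg inside the control zone."""
    device_id: str
    key: bytes
    forwarded: list = field(default_factory=list)

    def handle(self, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(make_tag(self.key, payload), tag):
            return False  # authentication failure: nothing reaches the device
        self.forwarded.append(payload)  # insecure leg to the controller
        return True


class SecurityRelay:
    def __init__(self, profiles: list, keys: dict):
        self.library = {p.device_id: p for p in profiles}  # claim 7: profile library
        self.keys = keys
        self.emulators = {}  # one emulator per incapable device (claims 1 and 6)

    def route(self, device_id: str) -> str:
        """Claims 1 and 5: decide whether the relay must supply security services."""
        if self.library[device_id].secure_capable:
            return "passthrough"  # claim 5: capable device, relay adds nothing
        if device_id not in self.emulators:
            self.emulators[device_id] = Emulator(device_id, self.keys[device_id])
        return "emulator"

    def request(self, device_id: str, payload: bytes, tag: bytes = b"") -> tuple:
        """Returns (decision, accepted) for one request from outside the zone."""
        decision = self.route(device_id)
        if decision == "passthrough":
            return (decision, True)  # the device handles its own security
        return (decision, self.emulators[device_id].handle(payload, tag))


DEMO_KEY = b"demo-relay-key-not-for-production"  # assumed per-device key


def build_demo() -> SecurityRelay:
    """Constructed control zone: one capable PLC and two legacy devices."""
    modbus_read = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # constructed
    profiles = [
        capability_from_specs("plc1", {"supports_tls": True}),
        capability_from_traffic("plc2", [modbus_read, modbus_read]),
        capability_from_probe("rtu3", lambda: b"RTU3 READY\r\n"),
    ]
    return SecurityRelay(profiles, {"plc2": DEMO_KEY, "rtu3": DEMO_KEY})


if __name__ == "__main__":
    relay = build_demo()
    cmd = b"write coil 7 on"
    print(relay.request("plc1", cmd))                           # passthrough
    print(relay.request("plc2", cmd, make_tag(DEMO_KEY, cmd)))  # emulator accepts
    print(relay.request("plc2", cmd, b"\x00" * 32))             # emulator rejects
```

The point a practitioner should take from the example is the asymmetry the claims spell out: the emulator protects the hop from the outside requester to the relay, while the hop from the relay to the legacy controller stays in cleartext, so the control zone boundary and the relay host itself are what keep that last hop trustworthy.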
Classifications (CPC titles):

- Architectural arrangements, e.g. perimeter networks or demilitarized zones
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Providing cryptographic facilities or services
- Proxy, i.e. using intermediary entity to perform cryptographic operations
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage