Network security policy configuration based on predetermined command groups
US-10462187-B2 · Oct 29, 2019 · US
Whitelisting for HART communications in a process control system
US12160406B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12160406-B2 |
| Application number | US-202017022888-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 16, 2020 |
| Priority date | Sep 23, 2019 |
| Publication date | Dec 3, 2024 |
| Grant date | Dec 3, 2024 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A cybersecurity system for use in a process plant provides whitelisting of device specific and common practice HART read commands in process controllers and safety controllers to perform communications in a process plant that are very secure, but that still enable the implementation of advanced functionality provided in HART devices. A whitelist implementation application applies one or more whitelists in a security gateway device to determine if messages, such as HART messages, should be allowed or processed. A whitelist learning application automatically creates and configures whitelists, and a whitelist configuration application discovers Device Specific and Common Practice HART commands by issuing device description requests to specific devices, parsing the response, and communicating the whitelist configuration information with the parsed command types to the relevant process controllers and safety controllers for use in the whitelists. A user interface enables users to interact with and guide the configuration process.
First claim
Opening claim text (preview).
The invention claimed is: 1. A computer-implemented method of providing security in a process plant, the method executed by one or more processors contained in a device associated with the process plant and programmed to perform the method, the method comprising: storing a whitelist of command types for a process control communication protocol, the whitelist of command types being stored based upon an identification of one or more of device specific commands and common practice commands supported by one or more process control field devices, such that the whitelist of command types includes one or more of device specific commands and common practice commands, and the identification being performed via a learn state of the device, wherein the device in the learn state observes incoming commands to the one or more process control field devices to identify command types of the device specific commands or common practice commands respectively supported by each of the one or more process control field devices; receiving a message at the device via a communication interface, wherein the message conforms to the process control communication protocol and is intended for or addressed to a particular field device from among the one or more process control field devices, extracting a command type from the message, checking the extracted command type against the stored whitelist of command types for the process control communication protocol, and allowing the message when the extracted command type is contained in the whitelist of the command types for the process control communication protocol and not allowing the message when the extracted command type is not contained in the whitelist of command types for the process control communication protocol. 2. The method of claim 1 , wherein receiving the message includes receiving the message at a process controller associated with a process control system within the process plant, wherein the process controller is communicatively coupled to the one or more process control field devices and performs control functions with respect to the process plant. 3. The method of claim 2 , wherein allowing the message comprises enabling the process controller to forward the message to the particular field device over a communication link. 4. The method of claim 2 , wherein allowing the message comprises enabling one or more logic modules within the process controller to process the message. 5. The method of claim 1 , wherein receiving the message includes receiving the message at a safety logic solver associated with a process control system in the process plant, wherein the safety logic solver is communicatively coupled to one or more safety field devices and performs safety control functions with respect to the process plant. 6. The method of claim 5 , wherein allowing the message comprises enabling the safety logic solver to forward the message to one or more of the safety field devices over a communication link. 7. The method of claim 5 , wherein allowing the message comprises enabling one or more logic modules within the safety logic solver to process the message. 8. The method of claim 1 , wherein not allowing the message comprises not forwarding the message over a communication network to another device to which the message is addressed. 9. The method of claim 1 , wherein not allowing the message comprises sending a notification over a communication network that the message was not allowed. 10. The method of claim 9 , wherein sending the notification includes notifying one or more of a plant operator, a maintenance personnel, and a configuration engineer that the message was not allowed. 11. The method of claim 1 , wherein the process control communication protocol is a highway addressable remote transmitter (HART) communication protocol, wherein receiving the message at the device via a communication interface includes receiving a HART protocol message at the communication interface, wherein storing the whitelist of command types includes storing a whitelist of command types associated with the HART communication protocol, and wherein checking the extracted command type against the whitelist of command types includes checking the extracted command type against the whitelist of HART communication protocol command types. 12. The method of claim 1 , further including storing a plurality of whitelists of command types for the process control communication protocol, and wherein checking the extracted command type against a whitelist of command types for the process control communication protocol includes selecting one of the stored whitelists of command types for the process control communication protocol as the whitelist of command types for use in comparing the extracted command type. 13. The method of claim 12 , wherein selecting one of the stored whitelists includes selecting the one of the stored whitelists based on a security level associated with the device associated with the process plant. 14. The method of claim 13 , further including determining the security level associated with the device associated with the process plant by determining a hardware security setting of the device associated with the process plant. 15. The method of claim 13 , further including determining the security level associated with the device associated with the process plant by determining a software stored security setting of the device associated with the process plant. 16. The method of claim 1 , wherein receiving the message includes receiving the message at a gateway device associated with a process control system, storing the whitelist of command types for a process control communication protocol includes storing the whitelist of command types for the process control communication protocol in the gateway device, and wherein allowing the message when the extracted command type is contained in the whitelist of the command types for the process control communication protocol includes allowing the gateway device to process and act on the message and wherein not allowing the message when the extracted command type is not contained in the whitelist of command types for the process control communication protocol includes not allowing the gateway device to process and act on the message. 17. The method of claim 1 , wherein receiving the message includes receiving the message at an input/output device coupled between a process controller device and one or more of the field devices associated with a process control system within the process plant, wherein storing the whitelist of command types for a process control communication protocol includes storing the whitelist of command types for the process control communication protocol in the input/output device, and wherein allowing the message when the extracted command type is contained in the whitelist of the command types for the process control communication protocol includes forwarding the message to another device to which the message is addressed and wherein not allowing the message when the extracted command type is not contained in the whitelist of command types for the process control communication protocol includes not forwarding the message to another device to which the message is addressed. 18. A process control device, comprising: a memory; a whitelist of command types for a process control communication protocol stored in the memory, the whitelist of command types being stored based upon an identification of one or more of device specific commands and common practice commands supported by one or more p
Assignees
Inventors
Classifications
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
using digital processors (G05B19/05 takes precedence) · CPC title
Transmission of signals, medium, ultrasonic, radio · CPC title
Safety, monitoring (G05B19/0423 takes precedence) · CPC title
Filtering policies (mail message filtering H04L51/212) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12160406B2 cover?
- A cybersecurity system for use in a process plant provides whitelisting of device specific and common practice HART read commands in process controllers and safety controllers to perform communications in a process plant that are very secure, but that still enable the implementation of advanced functionality provided in HART devices. A whitelist implementation application applies one or more wh…
- Who is the assignee on this patent?
- Fisher Rosemount Systems Inc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0245. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Dec 03 2024 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).