Security System for Industrial Control Infrastructure

US2016357176A1 · US · A1

Patent metadata

Publication number: US-2016357176-A1
Application number: US-201514728164-A
Country: US
Kind code: A1
Filing date: Jun 2, 2015
Priority date: Jun 2, 2015
Publication date: Dec 8, 2016
Grant date:

Abstract

Official abstract text for this publication.

An industrial control system providing security against tampering or modification generates periodic state thumbprints defining a state of control elements that may be forwarded to a security or safety appliance for comparison to a benchmark thumbprint indicating no tampering. The transmitted state thumbprint may capture not only programs but also configuration and environmental states of the control element.

First claim

Opening claim text (preview).

We claim:

1. An industrial control device for use in an industrial control system providing coordinated control of multiple industrial control devices according to a control program, the industrial control device comprising: a network port for communicating with other elements of the industrial control system; electrical connectors for accepting electrical conductors communicating with industrial equipment to receive or transmit electrical signals from or to that industrial equipment for the control of an industrial process; at least one processor communicating with the network port and electrical connectors; and an electronic memory system accessible by the processor and holding: operating software describing operation of the control device and executable by the processor, configuration data defining a configuration of the control device, and environmental data describing an operating environment of the control device, wherein the operating software, configuration data, and environmental data together define a control device state; wherein the operating software is executable by the processor to: (1) read at least a portion of the control device state to generate a state thumbprint of the control device state using a lossy compression system; (2) encrypt the state thumbprint; and (3) transmit the encrypted state thumbprint over the network port to the industrial control system.

2. The industrial control device of claim 1 wherein the operating software is further executable by the processor to append at least one of a timestamp and sequence number to the state thumbprint, the timestamp and sequence number indicating, respectively, a time of transmission of the state thumbprint and a sequence of transmission of the state thumbprint over the network port.

3. The industrial control device of claim 1 wherein the state thumbprint provides a compressed representation of the operating software adapted to reveal modification of the operating software when compared with a benchmark state thumbprint.

4. The industrial control device of claim 3 wherein the operating software includes a revision number.

5. The industrial control device of claim 3 wherein the operating software includes a control program and at least one of a security and safety monitoring program.

6. The industrial control device of claim 1 wherein the state thumbprint provides a compressed representation of the configuration data of the control device.

7. The industrial control device of claim 1 wherein the configuration data is selected from the group consisting of a serial number of the control device, a functional type of the control device, a manufacturer of the control device and a date of manufacture of a control device.

8. The industrial control device of claim 6 wherein the state thumbprint provides a compressed representation of the configuration data including an encrypted certification code indicating authenticity of hardware of the control device.

9. The industrial control device of claim 6 wherein the state thumbprint provides a compressed representation of configuration data representing an output of a diagnostic program being part of the operating program.

10. The industrial control device of claim 1 wherein the state thumbprint provides a compressed representation of the environmental data and wherein the environmental data includes data indicating a connection or disconnection of conductors from the electrical connectors, broken wiring or stuck at faults.

11. The industrial control device of claim 1 wherein the state thumbprint provides a compressed representation of the environmental data and wherein the environmental data is data selected from the group consisting of a spatial location of the control device and a temperature of the control device.

12. The industrial control device of claim 1 wherein the generation of the state thumbprint reads multiple portions of the control device state and independently compresses those portions using the lossy compression system and concatenates the independently compressed portions to produce the state thumbprint.

13. The industrial control device of claim 12 wherein the operating software responds to instructions received over the network port to change at least one of a number of the multiple portions and particular portions of the control device state contained in the multiple portions according to those instructions.

14. The industrial control device of claim 1 wherein the operating software responds to instructions received over the network port to transmit the state thumbprint.

15. The industrial control device of claim 1 wherein the operating software provides program instructions for operating the control device as at least one of an I/O module providing an interface for communication with two state electrical actuators which are sensors using a digital signal, an I/O module providing an interface for communications with multi-state actuators and sensors using an analog signal; and a motor drive for synthesizing voltage waveforms for controlling a motor.

16. The industrial control device of claim 1 wherein the electronic memory includes multiple memory subsystem selected from the group consisting of volatile memory, nonvolatile memory, input output registers, and program memory.

17. An industrial control system comprising:

I. multiple intercommunicating control devices each providing: (a) a network port for communicating with other control devices of the industrial control system; (b) electrical connectors for accepting electrical conductors communicating with industrial equipment to receive or transmit electrical signals from or to that industrial equipment for the control of an industrial process; (c) at least one processor communicating with the network port and electrical connectors; and (d) an electronic memory system accessible by the processor and holding: operating software describing operation of control device, configuration data defining a configuration of the control device, and environmental data defining the operating environment device, the operating software, configuration data, and environmental data together defining a control device state; wherein the operating software is executable by the processor to (1) read at least a portion of the control device state to generate a state thumbprint of the control device state using a lossy compression system; (2) encrypt the state thumbprint; and (3) transmit the state thumbprint over the network port;

II. a state monitor providing: (a) a network port for communicating with control devices; (b) at least one processor communicating with the network port; (c) an electronic memory system accessible by the processor and holding: a state monitoring program and at least one benchmark state thumbprint representing a state thumbprint of a properly operating control device identified to a control device; wherein the state-monitoring program is executable by the processor to: (1) receive state thumbprints from a given control device through the network port and decrypt the state thumbprint; (2) identify a benchmark state thumbprint corresponding to the given control device; (3) compare the received state thumbprint to the corresponding benchmark state thumbprint; and (4) provide an output indicating whether the received state thumbprint matches the benchmark state thumbprint.

18. The industrial control system of claim 17 wherein the state-monitoring program further outputs an indication when
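
The device-to-monitor flow of claims 1, 2, 12 and 17, sketched as an added example (not code from the patent or its assignee). It assumes truncated SHA-256 as the "lossy compression system", a fixed portion order, and hypothetical names throughout; the encrypt and decrypt steps are left out so the sketch needs only the standard library.

```python
import hashlib
import struct

PORTIONS = ("software", "configuration", "environment")  # assumed fixed order
DIGEST_LEN = 8  # bytes kept per portion; truncating the hash makes it lossy


def compress(data: bytes) -> bytes:
    """Assumed lossy compression: SHA-256 truncated to DIGEST_LEN bytes."""
    return hashlib.sha256(data).digest()[:DIGEST_LEN]


def make_thumbprint(state: dict, seq: int) -> bytes:
    """Device side: compress each portion independently and concatenate
    (claim 12), then append a 32-bit sequence number (claim 2)."""
    body = b"".join(compress(state[name]) for name in PORTIONS)
    return body + struct.pack(">I", seq)


class StateMonitor:
    """Monitor side (claim 17): one benchmark thumbprint per device."""

    def __init__(self):
        self.benchmarks = {}  # device id -> benchmark thumbprint body
        self.last_seq = {}    # device id -> highest sequence number accepted

    def enroll(self, device_id: str, known_good_state: dict) -> None:
        self.benchmarks[device_id] = make_thumbprint(known_good_state, 0)[:-4]

    def check(self, device_id: str, thumbprint: bytes) -> dict:
        bench = self.benchmarks[device_id]  # identify the benchmark
        body, (seq,) = thumbprint[:-4], struct.unpack(">I", thumbprint[-4:])
        if len(body) != len(bench):
            raise ValueError("thumbprint length does not match benchmark")
        # A sequence number that does not advance marks a replayed report.
        stale = seq <= self.last_seq.get(device_id, 0)
        if not stale:
            self.last_seq[device_id] = seq
        # Independent per-portion digests show which portion differs.
        changed = [name for i, name in enumerate(PORTIONS)
                   if body[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]
                   != bench[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]]
        return {"match": not changed and not stale,
                "changed": changed, "stale": stale}


# Constructed sample state for a hypothetical I/O module.
GOOD = {"software": b"firmware rev 3.1",
        "configuration": b"serial=0001;type=io",
        "environment": b"connectors=all;temp=41C"}
```

Because each portion is compressed on its own before concatenation, a mismatch tells the monitor which part of the device state changed, not only that something did.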

Assignees

Inventors

Classifications

  • involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)

  • Cryptography, encrypt, access, authorize with key, code, password

  • characterised by the network communication

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload

  • Com: communication, inter processor communication, either local or network

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016357176A1 cover?
An industrial control system providing security against tampering or modification generates periodic state thumbprints defining a state of control elements that may be forwarded to a security or safety appliance for comparison to a benchmark thumbprint indicating no tampering. The transmitted state thumbprint may capture not only programs but also configuration and environmental states of the c…
Who is the assignee on this patent?
Rockwell Automation Tech Inc
What technology area does this patent fall under?
Primary CPC classification G05B19/4185. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 8, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).