Secure and efficient communication through an intermediary
US-9185088-B1 · Nov 10, 2015 · US
US9864864B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9864864-B2 |
| Application number | US-201514839331-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 28, 2015 |
| Priority date | Sep 23, 2014 |
| Publication date | Jan 9, 2018 |
| Grant date | Jan 9, 2018 |
Abstract:
Systems, methods, and apparatus, including computer programs encoded on computer storage media, for facilitating communication in an industrial control network. A system includes an industrial control network, one or more controller devices, one or more emulators, and an encryption relay processor. Each controller device can be operable to control one or more operational devices connected to the industrial control network. Each emulator can be configured to communicate with a respective controller device, and each emulator can be configured to reference a respective profile that includes information about security capabilities of the respective controller device. The encryption relay processor can be operable to facilitate communication to and from each emulator over the industrial control network. The encryption relay processor can execute a cryptographic function for a communication between the emulator and a node on the industrial control network when the respective controller device is incapable of performing the cryptographic function.
Claims (preview):

What is claimed is:

1. A system comprising: an industrial control network; two or more controller devices, each controller device operable to control one or more operational devices connected to the industrial control network; two or more emulators, each emulator configured to communicate with a respective controller device, and each emulator configured to reference a respective profile that includes information about security capabilities of the respective controller device; and an encryption relay processor operable to implement each emulator and to facilitate communication to and from each emulator over the industrial control network, the encryption relay processor configured to: (i) execute a cryptographic function for a first communication between a first emulator and a first node on the industrial control network for a first controller device that is incapable of performing the cryptographic function; and (ii) not execute a cryptographic function for a second communication between a second emulator and a second node on the industrial control network for a second controller device that is capable of performing the cryptographic function.
2. The system of claim 1, further comprising a security server operable to maintain the respective profile for the respective controller device and to implement, for each emulator implemented by the encryption relay processor, a corresponding instance of the emulator.
3. The system of claim 2, wherein the security server is operable to reference specification information for the respective controller device and to generate the profile based on the specification information.
4. The system of claim 2, wherein the security server is operable to create the emulator based on its respective profile.
5. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a list of controller devices that are incapable of performing the cryptographic function.
6. The system of claim 2, wherein the security server and the encryption relay processor are each operable to maintain a shared encryption key and to perform key negotiation protocols, and wherein the communication is encrypted or decrypted using the shared encryption key.
7. The system of claim 1, further comprising a firewall between the two or more emulators and the encryption relay processor.
8. The system of claim 1, wherein each emulator is a virtual security entity that is implemented by one or more software components executed by the encryption relay processor.
9. A computer-implemented method for facilitating communication in an industrial control network, the method being executed by one or more processors and comprising: receiving, from a site security server, an encrypted first query for a first controller device; after determining that the first controller device is incapable of performing a cryptographic operation, decrypting the first query for the first controller device and providing the decrypted first query to the first controller device; in response to receiving an unencrypted first query response from the first controller device, encrypting the first query response and providing the encrypted first query response to the site security server; receiving, from the site security server, an encrypted second query for a second controller device; after determining that the second controller device is capable of performing a cryptographic operation, providing the received encrypted second query to the second controller device; and in response to receiving an encrypted second query response from the second controller device, providing the encrypted second query response to the site security server.
10. The computer-implemented method of claim 9, further comprising referencing specification information for the first controller device and generating a profile for the first controller device that includes information about its security capabilities, based on the specification information.
11. The computer-implemented method of claim 10, further comprising creating an emulator for the first controller device based on the profile for the first controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
12. The computer-implemented method of claim 10, wherein determining that the first controller device is incapable of performing the cryptographic operation includes referencing the profile for the first controller device.
13. The computer-implemented method of claim 9, further comprising maintaining a list of controller devices that are incapable of performing the cryptographic operation, wherein determining that the first controller device is incapable of performing the cryptographic operation and determining that the second controller device is capable of performing the cryptographic operation includes referencing the list.
14. The computer-implemented method of claim 9, wherein the encrypted first query for the first controller device and the encrypted second query for the second controller device are received from the site security server through a firewall, and the encrypted first query response and the encrypted second query response are provided to the site security server through the firewall.
15. A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for facilitating communication in an industrial control network, the operations comprising: receiving, from a site security server, an encrypted first query for a first controller device; after determining that the first controller device is incapable of performing a cryptographic operation, decrypting the first query for the first controller device and providing the decrypted first query to the first controller device; in response to receiving an unencrypted first query response from the first controller device, encrypting the first query response and providing the encrypted query response to the site security server; receiving, from the site security server, an encrypted second query for a second controller device; after determining that the second controller device is capable of performing a cryptographic operation, providing the received encrypted second query to the second controller device; and in response to receiving an encrypted second query response from the second controller device, providing the encrypted second query response to the site security server.
16. The non-transitory computer-readable storage medium of claim 15, the operations further comprising referencing specification information for the first controller device and generating a profile for the first controller device that includes information about its security capabilities, based on the specification information.
17. The non-transitory computer-readable storage medium of claim 16, the operations further comprising creating an emulator for the first controller device based on the profile for the first controller device, wherein the emulator handles cryptographic operations for its corresponding controller device.
18. The non-transitory computer-readable storage medium of claim 16, wherein determining that the first controller device is incapable of performing the cryptographic operation includes referencing the profile for the first controller device.
19. The non-transitory computer-readable storage medium of claim 15
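The per-device decision that claims 1 and 9 describe (decrypt and re-encrypt on behalf of a controller whose profile marks it as incapable of the cryptographic operation, pass ciphertext straight through for one that is capable), as an added Python illustration. This is not the patent's code nor any product implementation: the `Profile`, `Controller` and `EncryptionRelay` names, the "incapable device" set, and the stand-in cipher (HMAC-SHA256 used as a keystream generator plus an HMAC tag, chosen so the example runs with the standard library only) are all assumptions; a deployed relay would use an authenticated cipher such as AES-GCM and the negotiated shared key of claim 6.

```python
"""Added illustration of the encryption relay's routing decision (not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NONCE_LEN = 16
TAG_LEN = 32
# Constructed demo key standing in for the shared key the security server and relay maintain.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in, not a recommended cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag binds nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; refuse truncated or modified messages."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Profile:
    """Security-capability profile the relay references for each controller device."""
    device_id: str
    can_encrypt: bool


@dataclass
class Controller:
    """Constructed stand-in for a controller device that answers a status query.
    A crypto-capable one holds the shared key and speaks ciphertext; a legacy one speaks plaintext."""
    profile: Profile
    key: Optional[bytes] = None
    received: List[bytes] = field(default_factory=list)  # what the device actually saw on the wire

    def handle(self, query: bytes) -> bytes:
        self.received.append(query)
        if self.profile.can_encrypt:
            return encrypt(self.key, b"ACK " + decrypt(self.key, query))
        return b"ACK " + query


class EncryptionRelay:
    """Relay processor: performs the cryptographic function only for devices that cannot."""

    def __init__(self, shared_key: bytes, controllers: List[Controller]) -> None:
        self.key = shared_key
        self.controllers: Dict[str, Controller] = {c.profile.device_id: c for c in controllers}
        # Maintained list of incapable devices, derived from the profiles (claims 5 and 13).
        self.incapable = {d for d, c in self.controllers.items() if not c.profile.can_encrypt}

    def forward_query(self, device_id: str, encrypted_query: bytes) -> bytes:
        """Take an encrypted query from the security server; return an encrypted response."""
        controller = self.controllers[device_id]
        if device_id in self.incapable:
            # Emulator path: decrypt for the device, encrypt its plaintext reply on its behalf.
            plain_reply = controller.handle(decrypt(self.key, encrypted_query))
            return encrypt(self.key, plain_reply)
        # Capable device: ciphertext passes through untouched in both directions.
        return controller.handle(encrypted_query)


def demo():
    """Run one query through each path; return decrypted replies plus the two devices."""
    legacy = Controller(Profile("plc-legacy", can_encrypt=False))
    modern = Controller(Profile("plc-modern", can_encrypt=True), key=DEMO_KEY)
    relay = EncryptionRelay(DEMO_KEY, [legacy, modern])
    results = {}
    for dev in ("plc-legacy", "plc-modern"):
        enc_query = encrypt(DEMO_KEY, b"READ status")  # site security server side
        results[dev] = decrypt(DEMO_KEY, relay.forward_query(dev, enc_query))
    return results, legacy, modern


def tamper_is_detected() -> bool:
    """Flip one ciphertext bit and confirm the relay refuses the message."""
    blob = bytearray(encrypt(DEMO_KEY, b"READ status"))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(DEMO_KEY, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    replies, legacy_dev, modern_dev = demo()
    print(replies)
    print("legacy device saw plaintext:", legacy_dev.received[0] == b"READ status")
    print("tamper detected:", tamper_is_detected())
```

The point worth noticing is what each device sees on the wire: the legacy controller's `received` list holds the plaintext query, so the relay (and the network segment behind it) is now the trust boundary for that device, while the capable controller only ever receives ciphertext. That is why the claims pair the relay with a firewall and a maintained list of incapable devices: the list is exactly the set of devices whose traffic is exposed on the relay's far side.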
CPC classification titles:

- Proxy, i.e. using intermediary entity to perform cryptographic operations
- Providing cryptographic facilities or services
- Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)