Data Integrity Check Procedures
Patent abstract:
The invention relates to a method for checking the integrity of safety-relevant data stored in two or more automation stations (AS1, AS2, AS3, AS4, AS5) networked with one another. In a commissioning phase, a hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated and stored for each of the automation stations involved using a cryptographic hash function, where the calculation of each hash code takes as input the security-relevant static data of the automation station in question together with the hash code of another of the automation stations involved or a start hash code (HC-0), so that the hash codes of the automation stations involved are linked to one another. In subsequent test runs, a new hash code is generated in the same way for each of the automation stations involved using the same cryptographic hash function. The integrity check of the safety-relevant data of the automation stations involved is carried out by comparing the hash codes stored in the commissioning phase with the new hash codes generated in the respective test run.
Publication number: CH715961B1
Application number: CH01097/19
Filing date: 2019-08-30
Publication date: 2020-09-30
Inventor: Gassmann Felix
Applicant: Sauter Ag
Patent description:
The present invention relates to a method for checking the integrity of security-relevant data stored in two or more networked automation stations.

Automated control systems often have a plurality of networked but autonomous control modules, referred to below as automation stations, which are equipped with their own operating system and with control programs running on it. The automation stations usually have inputs for various sensors and outputs for various actuators. Typical sensors are, for example, temperature sensors or motion detectors; typical actuators are, for example, actuators for heating valves or alarm devices. Operating parameters, such as network parameters, are also stored in the automation stations. All non-dynamic data stored in the automation stations are collectively referred to below as static data. Dynamic data are, for example, variable sensor readings or communication data.

For the operational safety of the control system, the integrity of the static data stored in the individual automation stations is of the greatest importance, i.e. this static data must not be manipulable from the outside, or an integrity violation must be recognized immediately so that appropriate measures can be taken. In the following, safety-relevant data is understood to mean all static data stored in the automation stations whose integrity is to be checked or ensured. This can be the entirety of the static data or parts thereof, for example only program data, only operating parameters, only operating system data, or combinations of these parts.

The present invention is intended to provide a method with which the integrity of static data, or security-relevant parts thereof, stored in networked automation stations can be checked in a relatively simple manner. This goal is achieved by the features of the method according to the invention listed in the characterizing part of independent patent claim 1.
Advantageous embodiments and further developments are the subject of the dependent claims. Claims 8 and 13 define methods according to the invention for checking the integrity of security-relevant data stored in two or more networked automation stations and for restoring the data in the event of an integrity violation.

The essence of the invention is as follows: In a method for checking the integrity of security-relevant data stored in two or more networked automation stations, a hash code is generated and stored in a commissioning phase for each of the automation stations involved using a cryptographic hash function. The calculation of each hash code takes as input the security-relevant static data of the automation station in question and the hash code of another of the automation stations involved or a start hash code, so that the hash codes of the automation stations involved are linked to one another. In subsequent test runs, a new hash code is generated in the same way for each of the automation stations involved using the same cryptographic hash function. The integrity check of the safety-relevant data of the automation stations involved is carried out by comparing the hash codes stored in the commissioning phase with the new hash codes generated in the respective test run, an integrity violation being recognized if the hash codes compared with one another do not match. By chaining the hash codes of the automation stations involved, checking the data integrity is possible with relatively little effort.
In an advantageous embodiment, the integrity of the security-relevant data stored in the networked automation stations is checked jointly. In the commissioning phase, the hash code is generated and stored for each of the automation stations involved in a predetermined order, and its calculation takes as input the static security-relevant data of the automation station in question and the hash code of the automation station preceding it in the sequence or the start hash code, so that the automation stations involved are linked to one another via their hash codes. In subsequent test runs, the new hash code is generated in the same way for each of the automation stations involved in the same predetermined order. The integrity check is carried out by comparing the stored hash code of the last automation station in the sequence with the new hash code of the last automation station in the sequence, an integrity violation being recognized if the hash codes compared with one another do not match. This variant of the method is particularly simple because the integrity check only requires a single comparison of hash codes.

The start hash code is advantageously changed from time to time, preferably randomly. This increases the security of the process.

The sequence established for the chaining of the automation stations is advantageously changed from time to time, preferably randomly. This also helps to increase the security of the procedure.

In a further advantageous embodiment, the integrity of the security-relevant static data stored in the networked automation stations is checked jointly, with a digital copy of each automation station being stored in an encrypted database, each digital copy containing the security-relevant static data of the respective automation station.
For each of the digital copies involved, a hash code is generated in a predetermined order and stored in the database, the calculation taking as input the data content of the respective digital copy and the hash code of the preceding digital copy or the start hash code, so that the digital copies involved are linked to one another via their hash codes. For each of the automation stations involved, the hash code is generated in the same predetermined sequence, its calculation taking as input the security-relevant static data of the automation station in question and the hash code of the automation station preceding it in the sequence or the start hash code, so that the automation stations involved are likewise linked to one another via their hash codes. The integrity check is carried out by comparing the stored hash code of the last digital copy in the sequence with the hash code of the last automation station in the sequence, an integrity violation being recognized if the hash codes compared with one another do not match. This process variant enables the restoration (self-healing) of corrupt data in the automation stations by means of the digital copies.

Advantageously, the sequence established for the chaining of the automation stations and their digital copies is changed from time to time, preferably randomly. This increases the security of the process. Advantageously, the start hash code is (also) changed from time to time, preferably randomly. This measure also increases the security of the process.

In the event of a detected integrity violation, the affected automation station is particularly advantageously determined by comparing the hash codes of the digital copies stored in the database with the hash codes calculated by the automation stations, and the data content of the digital copy of the affected automation station is written back to the affected automation station.
In this way, the data content of the automation station concerned is restored to its original state (self-healing).

In a further advantageous embodiment, the hash code is generated in the commissioning phase for each of the automation stations involved, in a predetermined cyclic sequence of the same, using a cryptographic hash function, and is stored in the automation station preceding it in the cyclic sequence; the calculation of each hash code takes as input the security-relevant static data of the automation station in question and the hash code of the automation station preceding it in the cyclic sequence or the start hash code. In subsequent test runs, the new hash code is generated in the same way for each of the automation stations involved in the same predefined cyclic sequence using the same cryptographic hash function and is transferred to the automation station preceding it in the cyclic sequence. In each of the automation stations involved, the integrity check of the safety-relevant data of the automation station following it in the cyclic sequence is carried out by comparing the hash code of that following automation station stored in the commissioning phase with the hash code transferred by that following automation station in the respective test run, an integrity violation being recognized if the hash codes compared with one another do not match. In this variant of the method, the integrity check is carried out decentrally in the automation stations, with all automation stations involved having equal rights. This has the advantage that no central computer is required and none of the automation stations involved has to assume the role of a central computer (and be designed accordingly).
For each of the automation stations involved, the safety-relevant static data of the automation station in question are advantageously stored in at least one other of the automation stations involved. This enables data to be recovered in the event of an integrity violation. Advantageously, in the event of an integrity violation of the security-relevant static data of the automation station following in the sequence, the security-relevant static data of the automation station concerned, stored in at least one other of the automation stations involved, are written back to the automation station concerned. In this way, the data content of the automation station can easily be reset to the original state before the integrity violation occurred. The safety-relevant static data of the automation station in question are expediently stored, for each of the automation stations involved, in the automation station preceding it in the cyclic sequence. Advantageously, for each of the automation stations involved, the safety-relevant static data of the automation station in question are additionally stored in at least one other of the automation stations involved. The multiple redundancy of the security-relevant static data achieved in this way increases the security of the data recovery.

The invention is explained in more detail below with reference to the exemplary embodiments shown in the drawing. Each block diagram shows:

Fig. 1 - a preparatory step of a first exemplary embodiment of the method according to the invention;
Fig. 2 - the procedure in error-free operation;
Fig. 3 - the procedure in the event of a data integrity failure;
Fig. 4 - a method step for isolating the fault;
Fig. 5 - a further procedural step for error handling;
Fig. 6 - a procedural step for troubleshooting;
Fig. 7 - a simplified second exemplary embodiment of the method according to the invention;
Fig. 8-10 - block diagrams of procedural details;
Fig. 11 - a preparatory step of a third exemplary embodiment of the method according to the invention;
Fig. 12 - the method of the third exemplary embodiment in error-free operation;
Fig. 13 - the procedure in the event of a data integrity error in an automation station; and
Fig. 14 - a procedural step for restoring the data integrity.

The following definition applies to the following description: if reference numerals are given in a figure for the sake of clarity of the drawing but are not mentioned in the directly associated part of the description, reference is made to their explanation in the preceding or following parts of the description. Conversely, in order to avoid overloading the drawings, reference symbols that are less relevant to immediate understanding are not entered in all figures. Reference is made to the other figures in each case.

The method according to the invention is suitable for any type of system with a plurality of, in particular, memory-programmed control modules or automation stations, for example in automated production or logistics processes or in banking. The method according to the invention is explained below using the example of a building automation system. By way of example, five automation stations AS1, AS2, AS3, AS4 and AS5 are provided here, each having at least one input for a sensor and at least one output for an actuator. All automation stations are networked, and an operating system, at least one program running on it, and operating parameters, in particular network parameters, are stored as static data in each automation station. The programs control the actuators connected to the automation stations, where necessary in accordance with the connected sensors, and also carry out calculations, which will be discussed further below. Sensors and actuators are not shown for the sake of simplicity.
The automation stations are networked with one another and with a higher-level control center via a network (not shown). The method according to the invention is intended to check or ensure the integrity of the static data stored in the automation stations (operating system, programs, parameters) or security-relevant parts thereof (e.g. only programs, only operating parameters, only operating system, or combinations of these parts).

In a first preparatory step of the method according to the invention (FIG. 1), digital copies TAS1, TAS2, TAS3, TAS4 and TAS5 are generated from all automation stations AS1, AS2, AS3, AS4 and AS5 and stored in an encrypted database DB. The numbering of the automation stations is arbitrary and independent of their physical arrangement. Each digital copy TAS1, TAS2, TAS3, TAS4 and TAS5 contains the static data (operating system, programs, parameters, or only safety-relevant parts of them) of the associated physical automation station AS1, AS2, AS3, AS4 or AS5. The encrypted database is stored in a cloud C. In this context, cloud C is to be understood as a cryptographically protected storage area of any computer or server, e.g. also of the computer or server that is responsible for networking the automation stations. The encrypted database can also be stored directly in one of the automation stations AS1, AS2, AS3, AS4 or AS5 or in another automation station.

In the cloud C, a data block GB referred to as a genesis block is stored, with data content that can be changed as desired (FIG. 2). From the data content of the genesis block GB, a start hash code HC-0 is calculated using a known cryptographic hash function, e.g. SHA-256, and transferred to the first automation station AS1 in a secured (encrypted) manner. This is illustrated in detail in FIG. 8. Random data written into the genesis block GB is designated rd, and a (software-implemented) hash code generator is designated sha256.
The first automation station AS1 calculates, from the static data stored in it (or security-relevant parts thereof) and the start hash code HC-0, a hash code HC-1 using the same cryptographic hash function; this hash code is transferred (via the networking of the automation stations) to the automation station AS2. AS2 calculates a hash code HC-2 in an analogous manner from the static data stored in it and the hash code HC-1, again using the same function. In an analogous manner, the other automation stations AS3, AS4 and AS5 each calculate hash codes HC-3, HC-4 and HC-5 from the static data stored in them and the hash codes supplied to them by the preceding automation stations. The automation stations are therefore linked to one another via their hash codes. This is illustrated in detail in FIG. 9. The number of an automation station ASn and the hash code HC-n generated by it are indexed with n; n-1 indexes the automation station ASn-1 preceding ASn in the calculation sequence and the hash code HC-n-1 generated by it. The static data stored in the automation station ASn (or the safety-relevant parts of the same) are designated sdn.

In an analogous manner, a hash code HC-1T is calculated in the cloud C from the start hash code HC-0 and the data content of the digital copy TAS1 of the automation station AS1, and so on the hash codes HC-2T, HC-3T, HC-4T and HC-5T are calculated and stored in the encrypted database DB (see also FIG. 4). The digital copies TAS1, TAS2, TAS3, TAS4 and TAS5 of the automation stations AS1, AS2, AS3, AS4 and AS5 are thus also chained together via their hash codes HC-1T, HC-2T, HC-3T, HC-4T and HC-5T.

For the integrity check, referred to below as a test run, the hash code HC-5 generated by the automation station AS5 is transferred to the cloud C in a secured (encrypted) form.
In the cloud C, the transferred hash code HC-5 is compared with the hash code HC-5T calculated there from the digital copies of the automation stations. The comparison step is symbolized by box V (see FIG. 2). If the hash code HC-5 calculated by the physical automation stations (last in the calculation sequence) matches the hash code HC-5T calculated from the digital copies of the automation stations (last in the calculation sequence), the integrity of the data stored in the physical automation stations is confirmed. Otherwise, measures are taken that will be discussed further below.

The check of the data integrity (test run) described above is repeated continuously, for example every 5 minutes. The data content of the genesis block GB can be changed every time or from time to time (e.g. after a specified number of test runs) so that all hash codes change accordingly. The data content of the genesis block GB can, for example, be a newly generated random number. It is also possible to use a random number of the appropriate format directly as the start hash code HC-0, without going through the genesis block GB. It is also possible to change the order of the automation stations AS1-AS5 and, correspondingly, of their digital copies TAS1-TAS5 in the calculation sequence for each test run or from time to time (e.g. after a specified number of test runs). Both measures, changing the genesis block GB or the start hash code HC-0 and changing the sequence of the automation stations, further increase the security of the integrity check.

In Fig. 3, a situation is shown in which an error has occurred in the automation station AS3. This error can be caused by failure of the automation station itself or by (unauthorized) manipulation (change) of the static data stored in the automation station AS3.
The error inevitably leads to the hash code HC-3k calculated by the automation station AS3 being incorrect or, if the automation station AS3 has failed, not being calculated at all (missing hash code HC-3k), and as a result the two following hash codes HC-4k and HC-5k are no longer correct either, i.e. they do not match the corresponding hash codes HC-3T, HC-4T and HC-5T of the digital copies of the automation stations. The suffix k in the designation of the hash codes in FIG. 3 indicates an incorrect value. The fact that a data integrity error has occurred can be seen immediately by comparing the two (last in the calculation sequence) hash codes HC-5k and HC-5T. An alarm A is then triggered, for example, and it is determined which automation station is the cause. This is explained below with reference to FIG.

When a breach of data integrity is determined, all automation stations are prompted to send their hash codes to the cloud C. There the hash codes are compared with the hash codes of the digital copies of the automation stations stored there, and on the basis of these comparisons it can be determined in which of the automation stations the error occurred. In this example it was the automation station AS3. Next (Fig. 5), the faulty automation station (here AS3) and the associated digital copy TAS3 are excluded from the next calculation sequence, so that the (last in the sequence) hash codes HC-5 and HC-5T match again. The faulty automation station AS3 is then replaced and the entire system is restarted, as described with reference to FIGS. 1 and 2. If the system is supplemented by additional automation stations or if individual automation stations are removed from the network, the same procedure is followed. If an automation station is removed from the system, the associated digital copy is also removed from the database DB. If an additional automation station is inserted into the system, a corresponding digital copy of it is created in the database DB.
In Fig. 6 it is shown how a faulty automation station, here for example AS3, can be reset to its original state. With the automation station AS3 initially excluded, the data content of the corresponding digital copy TAS3 of the automation station AS3 is downloaded from the cloud C and written to the automation station AS3, overwriting the data present there. To a certain extent, the affected automation station heals itself. The automation station AS3 restored in this way is then reintegrated into the system in a new start-up run, so that the conditions again correspond to those shown in FIG.

As already mentioned, the cloud C can run on any computer or server to which the automation stations have (secured) access. If at least one of the automation stations involved in the system is equipped with sufficient memory resources and appropriate software, this automation station can also implement the cloud C and the elements contained therein, in particular the encrypted database DB and the self-healing function.

In FIG. 7 and the associated detailed illustration of FIG. 10, a simplified embodiment of the method according to the invention is shown. The cloud and the database stored in it with digital copies of the physical automation stations AS1, AS2, AS3, AS4 and AS5 are omitted. Instead, one of the automation stations, in this example the automation station AS1, takes on the leading role (master automation station) and generates a first hash code HC-1 from a start hash code HC-0 and the static data sd1, or security-relevant parts thereof, stored in it, which it transfers to the second automation station AS2 (via the automation station network). This and the other automation stations AS2-AS5 generate the further hash codes HC-2, HC-3, HC-4 and HC-5 from the static data, or security-relevant parts thereof, stored in them and the hash codes supplied to them by the respective preceding automation station.
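As an added illustration of the first embodiment (FIGS. 1-6, 8 and 9), written for this page and not taken from the patent or from Sauter's implementation, the following Python sketch chains SHA-256 hash codes over constructed sample data for AS1-AS5, compares the last physical hash code with the one derived from the digital copies, localises a manipulated or failed station by the first mismatch in calculation order, and writes the digital copy back. The byte layout of sd_n and the length-prefixed concatenation of HC-(n-1) and sd_n are assumptions; the patent specifies only that the previous hash code and the static data enter the calculation.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample static data sd_n of five automation stations AS1..AS5.
# In a real plant this would be the OS image, program and parameter bytes.
STATIONS: Dict[str, Optional[bytes]] = {
    "AS1": b"os=1.2;prog=heating;net=10.0.0.11",
    "AS2": b"os=1.2;prog=ventilation;net=10.0.0.12",
    "AS3": b"os=1.2;prog=alarm;net=10.0.0.13",
    "AS4": b"os=1.2;prog=lighting;net=10.0.0.14",
    "AS5": b"os=1.2;prog=valves;net=10.0.0.15",
}
ORDER: List[str] = ["AS1", "AS2", "AS3", "AS4", "AS5"]  # calculation sequence


def start_hash(genesis_block: bytes) -> bytes:
    """HC-0 = sha256(GB); the genesis block content rd can be re-randomised."""
    return hashlib.sha256(genesis_block).digest()


def next_hash(prev_hash: bytes, static_data: bytes) -> bytes:
    """HC-n = sha256(HC-(n-1) || sd_n). The length prefix is an assumption that
    keeps the concatenation unambiguous whatever hash size is in use."""
    return hashlib.sha256(
        len(prev_hash).to_bytes(4, "big") + prev_hash + static_data).digest()


def hash_chain(order: List[str], data: Dict[str, Optional[bytes]],
               hc0: bytes) -> Dict[str, Optional[bytes]]:
    """Chain the stations in `order`. A failed station (data None) yields no
    hash code, and nothing downstream of it can be computed either."""
    chain: Dict[str, Optional[bytes]] = {}
    prev: Optional[bytes] = hc0
    for name in order:
        sd = data.get(name)
        prev = None if prev is None or sd is None else next_hash(prev, sd)
        chain[name] = prev
    return chain


def hashes_match(a: Optional[bytes], b: Optional[bytes]) -> bool:
    """Constant-time comparison; a missing hash code never matches."""
    return a is not None and b is not None and hmac.compare_digest(a, b)


def integrity_run(stations, twins, order, hc0) -> bool:
    """Fig. 2: one comparison of the last HC-n (physical stations) with the
    last HC-nT computed from the digital copies TASn in the database."""
    last = order[-1]
    return hashes_match(hash_chain(order, stations, hc0)[last],
                        hash_chain(order, twins, hc0)[last])


def locate_fault(stations, twins, order, hc0) -> Optional[str]:
    """Fig. 4: every station reports its HC-n, which is compared with HC-nT.
    Chaining makes every station AFTER the faulty one mismatch as well, so
    the fault sits at the first mismatch in calculation order."""
    phys = hash_chain(order, stations, hc0)
    twin = hash_chain(order, twins, hc0)
    for name in order:
        if not hashes_match(phys[name], twin[name]):
            return name
    return None


def self_heal(stations, twins, faulty: str) -> None:
    """Fig. 6: overwrite the faulty station's data with its digital copy."""
    stations[faulty] = twins[faulty]


def demo() -> Dict[str, object]:
    """Commissioning, a manipulated AS3, localisation, self-healing, a changed
    calculation order, and finally a failed AS4 that reports no hash at all."""
    stations = dict(STATIONS)
    twins = dict(STATIONS)            # TAS1..TAS5 in the encrypted DB
    hc0 = start_hash(os.urandom(32))  # random genesis block content rd
    out: Dict[str, object] = {"clean": integrity_run(stations, twins, ORDER, hc0)}
    stations["AS3"] = b"os=1.2;prog=alarm;net=10.0.0.99"  # manipulated
    out["tampered"] = integrity_run(stations, twins, ORDER, hc0)
    out["culprit"] = locate_fault(stations, twins, ORDER, hc0)
    self_heal(stations, twins, "AS3")
    out["healed"] = integrity_run(stations, twins, ORDER, hc0)
    # Changing the sequence is fine as long as copies and stations use it.
    out["reordered"] = integrity_run(stations, twins, ORDER[::-1], hc0)
    stations["AS4"] = None            # station failure: missing HC-4
    out["failed"] = locate_fault(stations, twins, ORDER, hc0)
    return out


if __name__ == "__main__":
    print(demo())
```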
During the commissioning phase, all (here for example five) hash codes in the sequence are stored in the first (master) automation station AS1. This is indicated in FIG. 7 by the dashed lines. In the subsequent integrity check runs (see FIG. 10), only the last hash code HC-5 in the sequence is returned to the first automation station AS1 and compared there with the hash code HC-5 already stored in the commissioning phase. If the hash codes match, there is no integrity violation. Otherwise, an alarm A is triggered, for example. The role of the master automation station is assigned to one of the automation stations involved at random and after any number of cycles (integrity test runs). Here, too, the order of the automation stations for the calculation process can be changed as required, and the start hash code HC-0 can also be changed, in which case the individual hash codes must be stored again in the master automation station.

In the event of an integrity violation, the procedure is analogous to that described with reference to FIG.: the individual hash codes of the automation stations involved are compared with the hash codes stored in the master automation station, and the faulty automation station is determined from the comparison result. With regard to the replacement of a faulty automation station, the removal of an automation station from the system or the addition of a further automation station, the procedure is analogous to that already described in connection with the first exemplary embodiment. "Self-healing" is of course not possible here, owing to the lack of digital copies of the automation stations.

It has been explained above that the integrity check is carried out with regard to all static data stored in the automation stations or only with regard to safety-relevant parts thereof. It is of course also possible to carry out the integrity check in separate runs with regard to safety-relevant parts of the static data, e.g.
in one run only program data, in another run only operating parameters, and so on.

In FIGS. 11-14, a further exemplary embodiment of the method according to the invention is shown, which also manages without a cloud and in which the data integrity is checked locally, directly in the automation stations involved. All participating automation stations, here for example five, AS1, AS2, AS3, AS4 and AS5, are linked (in software, via their networking) in a closed chain or cyclic sequence, the numbering of the automation stations again being arbitrary and independent of their physical arrangement. With regard to the automation station AS5, the automation station AS1 follows in the cyclic order, and with regard to the automation station AS1, the automation station AS5 precedes in the cyclic order.

In the commissioning phase shown in FIG. 11, a data exchange between the automation stations involved takes place in steps 1-9 (nine in this example). The individual steps are symbolized in FIG. 11 by dashed circles with corresponding step numbers. The automation station AS1 transfers the hash code HC-1, generated by it from the security-related data D1 contained in it and a start hash code HC-0, to the automation station AS2 following it in the cyclic sequence (step 1). AS2 calculates the hash code HC-2 from this and from the safety-related data D2 it contains and transfers it, together with the safety-related data D2, to the automation station AS1 preceding it in the cyclic sequence, where they are stored (step 2). The automation station AS2 also transfers its hash code HC-2 to the automation station AS3 following it in the cyclic sequence (step 3). In an analogous manner, the automation station AS3 calculates the hash code HC-3 from this and from the safety-relevant data D3 it contains and transfers it, together with the safety-relevant data D3, to the automation station AS2 preceding it in the cyclic sequence, where they are stored (step 4).
The automation station AS3 also transfers its hash code HC-3 to the automation station AS4 following it in the cyclic sequence (step 5). In an analogous manner, the automation station AS4 calculates the hash code HC-4 from this and from the safety-relevant data D4 it contains and transfers it, together with the safety-relevant data D4, to the automation station AS3 preceding it in the cyclic sequence, where they are stored (step 6). Furthermore, the automation station AS4 transfers its hash code HC-4 to the automation station AS5 following it in the cyclic sequence (step 7). In an analogous manner, the automation station AS5 calculates the hash code HC-5 from this and from the safety-relevant data D5 it contains and transfers it, together with the safety-relevant data D5, to the automation station AS4 preceding it in the cyclic sequence, where they are stored (step 8). Finally, the automation station AS1 transfers its hash code HC-1 and the safety-relevant data D1 contained in it to the automation station AS5 preceding it in the cyclic sequence, where they are stored (step 9). Thus, after completion of the commissioning phase, each automation station involved contains not only its own safety-relevant data but also the safety-relevant data and the hash code of the automation station following it in the cyclic sequence.

FIG. 12 shows the method in an integrity test run without a violation of the integrity of the data in the automation stations. The individual method steps are again symbolized in FIG. 12 by dashed circles with corresponding step numbers. The automation station AS1 transfers the hash code HC-1, generated by it from the security-related data D1 contained in it and the start hash code HC-0, to the automation station AS2 following it in the cyclic sequence (step 11).
This calculates the hash code HC-2 from this and from the safety-relevant data D2 contained in it and transfers it to the automation station AS1 preceding in the cyclical sequence, where it is compared with the hash code HC-2 stored in the commissioning phase (step 12). In an analogous manner, the automation station AS2 transfers the hash code HC-2 generated by it to the automation station AS3 following in the cyclic sequence (step 13). This calculates the hash code HC-3 from this and from the security-relevant data D3 contained in it and transfers it to the automation station AS2 preceding in the cyclical sequence, where it is compared with the hash code HC-3 stored in the commissioning phase (step 14). In an analogous manner, the automation station AS3 transfers the hash code HC-3 it has generated to the automation station AS4 following in the cyclical sequence (step 15). This calculates the hash code HC-4 from this and from the safety-relevant data D4 it contains and transfers it to the automation station AS3 preceding in the cyclical sequence, where it is compared with the hash code HC-4 stored in the commissioning phase (step 16). In an analogous manner, the automation station AS4 transfers the hash code HC-4 generated by it to the automation station AS5 following in the cyclic sequence (step 17). This calculates the hash code HC-5 from this and from the safety-relevant data D5 contained in it and transfers it to the preceding automation station AS4 in the cyclical sequence, where it is compared with the hash code HC-5 stored in the commissioning phase (step 18). The automation station AS1 transfers the hash code HC-1 it has generated to the preceding automation station AS5 in the cyclical sequence, where it is compared with the hash code HC-1 stored in the commissioning phase (step 19). The test run described is repeated at predetermined time intervals until an integrity violation occurs in one of the automation stations AS1-AS5. FIG. 
13 shows such a situation, in which the automation station AS2 has determined that the hash code HC-3 of the subsequent automation station AS3 stored in the commissioning phase does not match the hash code generated by the automation station AS3 in the test run, here designated HC-3k, and that there is therefore an integrity violation in the automation station AS3. In the event of an integrity violation, e.g. an alarm can be triggered. However, since the security-relevant data of each automation station are also stored in a different automation station, these stored security-relevant data can be used to restore the corrupt automation station to its original state, as shown in simplified form in FIG. In the event that the automation station AS3 is corrupted, the safety-relevant data D3 of the automation station AS3 stored in the automation station AS2 are written back into it in a step 31. The automation station AS3 then calculates a new hash code, here designated HC-3r, and transfers it in a step 32 to the automation station AS2 preceding it in the cyclic sequence. There, the stored hash code HC-3 and the new hash code HC-3r are compared. If the compared hash codes match, the test run continues normally.

In the embodiment described above, the safety-relevant data of the automation stations are simply redundant, i.e. the data of each individual automation station are stored in only one of the other automation stations, apart from in the station itself. In order to improve data security, the method can also be designed with multiple redundancy, in which case the security-relevant data of each automation station is additionally stored in one or more of the other automation stations. With regard to the replacement of a faulty automation station, the removal of an automation station from the system or the addition of a further automation station, the procedure is analogous to that already described in connection with the first exemplary embodiment.
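As an added example of the cyclic third embodiment (FIGS. 11-14), written for this page and not code from the patent: each station stores its successor's data D_n and hash code HC-n at commissioning, checks the successor's freshly computed hash code locally in every test run, and writes its stored copy back when the check fails. The station data and the start hash code HC-0 are constructed, and the length-prefixed concatenation of HC-(n-1) and D_n is an assumption about a detail the patent leaves open.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def next_hash(prev_hash: bytes, data: bytes) -> bytes:
    """HC-n = sha256(HC-(n-1) || D_n); the length prefix is an assumption."""
    return hashlib.sha256(
        len(prev_hash).to_bytes(4, "big") + prev_hash + data).digest()


class Station:
    """One automation station in the closed chain. Besides its own data D_n it
    holds, after commissioning, the data and hash code of its successor."""

    def __init__(self, name: str, data: bytes) -> None:
        self.name = name
        self.data = data
        self.successor_data: Optional[bytes] = None   # D_(n+1), Fig. 11
        self.successor_hash: Optional[bytes] = None   # HC-(n+1), Fig. 11


class Ring:
    """Stations in cyclic order: the predecessor of the first is the last."""

    def __init__(self, stations: List[Station], hc0: bytes) -> None:
        self.stations = stations
        self.hc0 = hc0

    def predecessor(self, i: int) -> Station:
        return self.stations[(i - 1) % len(self.stations)]

    def _pass(self):
        """One pass round the cycle; yields (index, station, fresh HC-n)."""
        prev = self.hc0
        for i, st in enumerate(self.stations):
            prev = next_hash(prev, st.data)
            yield i, st, prev

    def commission(self) -> None:
        """Fig. 11: each station hands its hash code and data to its predecessor."""
        for i, st, hc in self._pass():
            pred = self.predecessor(i)
            pred.successor_data = st.data
            pred.successor_hash = hc

    def test_run(self) -> Optional[str]:
        """Fig. 12/13: each predecessor compares the fresh hash code of its
        successor with the one stored at commissioning. Returns the first
        mismatching station (later mismatches are downstream effects of the
        chaining) or None when everything is intact."""
        for i, st, hc in self._pass():
            stored = self.predecessor(i).successor_hash
            if stored is None:
                raise RuntimeError("ring has not been commissioned")
            if not hmac.compare_digest(stored, hc):
                return st.name
        return None

    def restore(self, name: str) -> bool:
        """Fig. 14: the predecessor writes back its stored copy D_n (step 31);
        the station recomputes HC-n and the predecessor re-checks it (step 32)."""
        i = [s.name for s in self.stations].index(name)
        copy = self.predecessor(i).successor_data
        if copy is None:
            return False
        self.stations[i].data = copy
        return self.test_run() is None


def demo() -> Dict[str, object]:
    """Constructed five-station ring: commissioning, a corrupted AS3 detected
    by AS2 and restored from AS2, then a corrupted AS1 detected by AS5."""
    ring = Ring([Station(f"AS{n}", f"prog=ctl{n};net=10.0.0.{10 + n}".encode())
                 for n in range(1, 6)], hc0=hashlib.sha256(b"start").digest())
    ring.commission()
    out: Dict[str, object] = {"clean": ring.test_run()}
    ring.stations[2].data = b"prog=ctl3;net=10.0.0.99"   # AS3 manipulated
    out["detected"] = ring.test_run()
    out["restored"] = ring.restore("AS3")
    ring.stations[0].data = b"prog=evil;net=10.0.0.11"   # AS1 manipulated
    out["first_station"] = ring.test_run()
    return out


if __name__ == "__main__":
    print(demo())
```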
Claims:
Claims (13)

1. A method for checking the integrity of security-relevant data (D1, D2, D3, D4, D5) stored in two or more networked automation stations (AS1, AS2, AS3, AS4, AS5), characterized in that in a commissioning phase a hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated and stored for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) using a cryptographic hash function method, whereby the calculation of the hash codes takes as input the safety-relevant static data (D1, D2, D3, D4, D5) of the automation station concerned (AS1, AS2, AS3, AS4, AS5) and the hash code (HC-1, HC-2, HC-3, HC-4, HC-5) of another of the automation stations involved or a start hash code (HC-0), so that the hash codes of the automation stations involved are linked to one another; that in subsequent test runs a new hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated in the same way for each of the automation stations involved using the same cryptographic hash function method; and that the integrity check of the safety-relevant data (D1, D2, D3, D4, D5) of the automation stations involved is carried out by comparing the hash codes stored in the commissioning phase with the new hash codes generated in the respective test run, an integrity violation being detected if the hash codes compared with one another do not match.

2. The method according to claim 1, characterized in that the integrity of the security-related data stored in the networked automation stations (AS1, AS2, AS3, AS4, AS5) is checked jointly, whereby in the commissioning phase a hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated and stored for each of the automation stations involved in a predetermined order, the calculation of which takes as input the safety-relevant static data of the automation station concerned and the hash code (HC-1, HC-2, HC-3, HC-4) of the preceding automation station or the start hash code (HC-0), so that the automation stations involved are chained together via their hash codes (HC-1, HC-2, HC-3, HC-4, HC-5); that in subsequent test runs the new hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated in the same way; and that the integrity check is carried out by comparing the stored hash code (HC-5) of the last automation station in the sequence (AS5) with the new hash code (HC-5) of the last automation station in the sequence (AS5), the integrity violation being recognized if the hash codes compared with one another do not match.

3. The method according to claim 2, characterized in that the start hash code (HC-0) is changed from time to time, preferably randomly.

4. The method according to claim 2 or 3, characterized in that the sequence established for the chaining of the automation stations (AS1, AS2, AS3, AS4, AS5) is changed from time to time, preferably randomly.

5. The method according to claim 1, characterized in that the integrity of the security-relevant static data stored in the networked automation stations (AS1, AS2, AS3, AS4, AS5) is checked jointly, whereby one digital copy (TAS1, TAS2, TAS3, TAS4, TAS5) of each of the automation stations (AS1, AS2, AS3, AS4, AS5) is stored in an encrypted database (DB), which digital copies contain the security-relevant static data of the individual automation station (AS1, AS2, AS3, AS4, AS5); whereby a hash code (HC-1T, HC-2T, HC-3T, HC-4T, HC-5T) is generated in a predetermined order for each of the digital copies involved (TAS1, TAS2, TAS3, TAS4, TAS5) and stored in the database (DB), the calculation of which takes as input the data content of the respective digital copy (TAS1, TAS2, TAS3, TAS4, TAS5) and the hash code (HC-1T, HC-2T, HC-3T, HC-4T) of the preceding digital copy or the start hash code (HC-0), so that the digital copies involved (TAS1, TAS2, TAS3, TAS4, TAS5) are chained together via their hash codes (HC-1T, HC-2T, HC-3T, HC-4T, HC-5T); whereby in the same way the hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5), the calculation of which takes as input the safety-relevant static data of the automation station concerned and the hash code (HC-1, HC-2, HC-3, HC-4) of the automation station preceding in the sequence or the start hash code (HC-0), so that the automation stations involved are linked to one another via their hash codes (HC-1, HC-2, HC-3, HC-4, HC-5); and that the integrity check is carried out by comparing the stored hash code (HC-5T) of the last digital copy (TAS5) in the sequence with the hash code (HC-5) of the last automation station (AS5) in the sequence, the integrity violation being recognized if the hash codes compared do not match.

6. The method according to claim 5, characterized in that the sequence specified for the chaining of the automation stations (AS1, AS2, AS3, AS4, AS5) and their digital copies (TAS1, TAS2, TAS3, TAS4, TAS5) is changed from time to time, preferably randomly.

7. The method according to claim 5 or 6, characterized in that the start hash code (HC-0) is changed from time to time, preferably randomly.

8. Method for checking the integrity of safety-relevant data (D1, D2, D3, D4, D5) stored in two or more networked automation stations (AS1, AS2, AS3, AS4, AS4) and for restoring the data in the event of an integrity violation, characterized in that the integrity check is carried out according to the method of one of claims 5-7 and, in the event of a recognized violation of the integrity, the affected automation station (AS3) is determined by comparing the hash codes (HC-1T, HC-2T, HC-3T, HC-4T, HC-5T) of the digital copies (TAS1, TAS2, TAS3, TAS4, TAS5) stored in the database (DB) with the hash codes (HC-1, HC-2, HC-3, HC-4, HC-5) calculated by the automation stations (AS1, AS2, AS3, AS4, AS5), and that the data content of the digital copy (TAS3) of the automation station (AS3) concerned is written back to the automation station (AS3) concerned.

9. The method according to claim 1, characterized in that in the commissioning phase, for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) in a predetermined cyclic sequence of the same, the hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated according to a cryptographic hash function method and stored in the automation station preceding in the cyclic sequence, the calculation of which takes as input the static data (D1, D2, D3, D4, D5) of the automation station concerned (AS1, AS2, AS3, AS4, AS5) and the hash code (HC-1, HC-2, HC-3, HC-4, HC-5) of the automation station preceding in the cyclic order or the start hash code (HC-0); that in subsequent test runs the new hash code (HC-1, HC-2, HC-3, HC-4, HC-5) is generated in the same way for each of the automation stations involved in the same predetermined cyclic order using the same cryptographic hash function method and is transferred to the preceding automation station in the cyclic sequence; and that in each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) the integrity check of the safety-relevant data (D1, D2, D3, D4, D5) of the automation station following in the cyclic sequence is carried out by comparing the hash code of the automation station following in the cyclic sequence stored in the commissioning phase with the hash code transferred in the respective test run from the automation station following in the cyclic sequence, the integrity violation being recognized if the hash codes compared with one another do not match.

10. The method according to claim 9, characterized in that for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) the safety-relevant static data (D1, D2, D3, D4, D5) of the automation station (AS1, AS2, AS3, AS4, AS5) are stored in at least one other of the automation stations involved.

11. The method according to claim 10, characterized in that for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) the safety-relevant static data (D1, D2, D3, D4, D5) of the automation station (AS1, AS2, AS3, AS4, AS5) are stored in the automation station preceding it in the cyclic order.

12. The method according to claim 11, characterized in that for each of the automation stations involved (AS1, AS2, AS3, AS4, AS5) the safety-relevant static data (D1, D2, D3, D4, D5) of the automation station in question are additionally stored in at least one further of the automation stations involved.

13. Method for checking the integrity of safety-related data (D1, D2, D3, D4, D5) stored in two or more networked automation stations (AS1, AS2, AS3, AS4, AS4) and for restoring the data in the event of an integrity violation, characterized in that the integrity check takes place according to the method of claim 11 or 12 and, in the event of an integrity violation of the safety-relevant static data of the automation station (AS3) following in the sequence being recognized in at least one other of the automation stations involved (AS2), the safety-relevant static data of the automation station (AS3) concerned that are stored in that other automation station are written back to the automation station (AS3) concerned.
Patent family:

Publication no. | Publication date
--- | ---
CH715916A1 | 2020-09-15
EP3709113A1 | 2020-09-16
Priority:
Application no. | Publication no. | Filing date | Publication date | Title
--- | --- | --- | --- | ---
CH00299/19A | CH715916A1 | 2019-03-12 | 2019-03-12 | Data Integrity Check Procedures.
EP20161877.4A | EP3709113A1 | 2019-03-12 | 2020-03-09 | Data integrity testing method