DE102004061344A1 - Method for the safe design of a system, associated system component and software - Google Patents

Abstract

The invention relates to a method for the safe design of a system, an associated system component and associated software and a system itself. DOLLAR A The security of a system against deliberate intervention by unauthorized third parties is often unknown. However, protection against industrial espionage and sabotage is often sought. DOLLAR A object of the invention is to make transparent the level of security of a system in a traceable manner. DOLLAR A As a solution, it is proposed to equip each system component with a feature that informs about the security class of the system component from a plurality of security classes. The security classes are preferably determined by standardization and allow a quantifiable determination of the security level of the system. Based on this, the security class of the system is determined, preferably during productive operation by means of a computer program.

Description

The The invention relates to the field of security technology and in particular the safe design of systems in such a way that they are consciously intervened unauthorized third party stay. The systems that can be safely configured may be to trade hardware and / or software systems to industrial equipment such as power plant controls and automation systems, or to controllers for the power distribution in high voltage networks.

Industrial plants, So, for example, those of automation technology, are increasing more complex systems and are increasingly interconnected systems with each other communicating system components. This development makes it unauthorized Third, increasingly easier to exchange within the system To listen to information To change data Properties of system components, system, or system To influence products. The economic consequences of such Industrial espionage and sabotage are not just short-term availability issues, but also high damage at the systems as well as threats of man and the environment. About that In addition, there are often quantifiable production losses in the millions. Also in the face of the transformation of our society into a knowledge society, where know-how represents a commodity that represents the position of each Company shapes in the market, there is an increased Need to prevent an outflow of this knowledge and to third parties to protect.

A Industrial plant, for example, an automation system exists usually from a big one Number of system components such as devices and networks. These will often purchased from different manufacturers and built. In addition there it components of the system operator itself. Depending on the security philosophy of the respective component manufacturer is the one with the component achievable safety different. This also applies to the overall system, the security achievable with the system is difficult to define is. This is all the more true as the system components frequently too be inserted into the system at different times and sometimes the idea of the respective component manufacturers the to be guaranteed Safety changes over time.

One Hazard potential in automation systems is the use of components with a radio interface, mostly using from platforms in the IT world. Additional targets for unauthorized Third, undermining the security of the system, are the multiple interfaces, interlock the automation systems with the office world. Examples are interfaces for remote maintenance of the system or interfaces to query manufacturing information so that it is embedded in representations about business processes can be.

Of the Invention is the technical problem underlying a method for safe design of a system, an associated system component and a associated Software as well as provide a system with which the security level the system is made transparent in a comprehensible way.

One Another technical problem is building on the transparent The security level has been continuously monitored.

The solution These and other technical problems are caused by the features the independent one Claims. Advantageous developments are represented by the dependent claims or can be understood from the following description and the embodiment remove.

Of the Invention is based on the idea that to solve the above technical Problems to determine the safety level objective criteria should be used to quantify the safety level make determinable.

lenses Criteria are predefined requirements for system components, which safety-relevant functionality to guarantee them to have. Defining which safety-relevant functionality a system component needs to provide, should be preferred across industries and best by a standardization be made. For example, it may be analogous to the Safety Integrity Levels (SIL) of IEC 61508.

The Safety Integrity Levels referred to above are concerned with the safety aspect, which is referred to as "safety" in English, ie the safeguarding of a system operator against malfunctions and incorrect operation of authorized third parties English with the term "security" is called, ie the foreclosure against interference of unauthorized third parties with intent to harm for the purpose of industrial espionage, the injury of a competitor etc.

The above definition of the system component to be guaranteed safety-relevant functionality leads to the emergence of safety classes with varying degrees of safety to achieve. This means that every level of security, for example, over a Specification could be defined one of several security classes is assigned. In this way Security becomes quantifiable, with recourse to universal Criteria in the form of security classes.

It is preferred if the security classes are given in numbers. So can security classes between 0 and 10 be provided, with the security class 0 for a system without protection and the security class 10 stands for a system of highest safety.

The inventive method looks first before that the respective security class of the system components is determined by all security components. For this must be the system component over have a feature, the above the security class of the system component from a plurality of Safety classes informed. This feature is an identification feature that on diverse Way can be retrieved. For example, it can be provided that the respective system component has an optical feature which is optically interrogatable. So a barcode can be chosen the outside is readable. An inductive query of the identification means would be conceivable if in the system component a coil would be integrated and the Safety class of the component can be queried inductively. Also possible is a query by radio. For example, the component may be RFID (Radio Frequency Identification Device), which it up a simple way allows to query the characteristics of the system component. Is it the case of System components around electrical or electronic components, so lets the means of identification also interrogate electronically, if it over one has appropriate component with this information, such as an ASIC or an EPROM. Insofar the information resides in the hardware or the firmware of the respective electronic component. Here is a direct query of the security class via a communication interface of the System component possible.

The Deposit of information about the respective security class is expediently carried out by means of a descriptive Technology, z. B. in the form of an EDD (Electronic Device Description) by means of the description language EDDL (Electronic Device Description Language) according to IEC 61804. In this case, the EDD information about the Communication interface are read out.

Partially system operators have a different need for security for different System areas. For example, there are production plants highly secure plant parts and plant parts, where the system security less critical. In order to meet this it is preferred that in a system composed of several system areas with each system area a safety class of a plurality from security classes leaves or that each security area is assigned a security class is. In this case, you can the efforts to guarantee a security for the respective field of activity custom and the cost of the warranty of system security.

It is preferred if the determination of the respective safety class while running the system and can be done online. This provides a transparent overview of the current version Security level of the system in productive operation and thus under realistic environmental conditions possible.

• A) Im einfachsten Fall wird die gleiche Funktionalität zweimal eingesetzt. In einem Beispiel sind zwei Türen mit einem normalen Schloss hintereinander angeordnet. Durch das Vorsehen zweier derartiger Türen erhöht sich die Sicherheitsklasse des Gesamtsystems im Wesentlichen nicht. Lediglich der Zeitaufwand zur Überwindung der Barriere steigt.
• B) Werden Systemkomponenten mit unterschiedlicher sicherheitstechnischer Funktionalität kombiniert, so addieren sich in der Regel diese Funktionalitäten. Dies führt dazu, dass das Sicherheitsniveau insgesamt gesteigert und demgemäß eine höhere Sicherheitsklasse erreicht wird. Ein Beispiel wäre die Anordnung zweier Türen hintereinander, bei der die erste Tür ein mechanisches Schloss aufweist und die zweite Tür nur mit einer Ausweiskarte geöffnet werden kann. Die Kombination dieser beiden Türen führt bei einem Gesamtsystem dazu, dass die Sicherheitsklasse höher ausfällt als die Sicherheitsklasse jeder der beiden Einzeltüren.

In a second step of the method according to the invention, it is determined which security class the system has in view of the security classes of the system components. It should be noted that the system components interact differently depending on the configuration of the system. Depending on how system components with their safety-related functionality are combined with each other, this leads to more or less security, which is reflected accordingly in the safety class of the system. There are two main differences:

• A) In the simplest case, the same functionality is used twice. In one example, two doors are arranged one behind the other with a normal lock. By providing two such doors, the security class of the overall system is essentially not increased. Only the time required to overcome the barrier increases.
• B) If system components with different safety-related functionality are combined, these functionalities usually add up. As a result, the security level as a whole is increased and accordingly a higher security class is achieved. An example would be the arrangement of two doors in succession, in which the first door has a mechanical lock and the second door can only be opened with an identification card. The combination of these two doors leads to a Ge overall safety class is higher than the safety class of each of the two individual doors.

When determining the security class of the system, it must also be considered that the security class is state-dependent. For example, has a door a security class 3 , this only applies to the locked state. If the door is open, there is no protection and the security class would thus z. Eg 0.

Of the The latter circumstance makes it possible for the safety class of system components during on-going, and therefore online, especially valuable. Only in this way can the detected states of the System components are found in productive operation, which Security class owns the system.

Therefore it is especially desirable if the respective security class of the system component continuously be true. However, depending on the specifics of the system, it may as well be sufficient if this determination at predetermined time intervals is made.

are the security classes of the system components are determined so it will Building on the safety class of the system is determined and can in case of deviations from the previous state or when falling below a predetermined Security levels issued a warning to the system operator become.

Especially the realization that the security class of a system component to a great extent state-dependent is, does, as stated above, a continuous determination of the respective safety classes the components and thus the overall system desirable. This is especially true easily realizable if this determination is made automatically can. In this respect, the condition is taken into account that security not only a static matter but also in time vary and from the respective condition of the entire plant or of the May depend on individual components.

The Determination of the safety class of the respective system components and / or the system is preferably by means of a computer program carried out. The computer program can be stored in the internal memory of a digital Computers are loaded and includes software code sections, with which the automatic query of the security class is performed. As usual, The computer program may be replaced by a data carrier, such as a CD or a DVD, embodied be resident in a computer memory or by means of a transmitted electrical carrier signal become.

The Computer program is best based on a plant specific Security model. After the model is first the system configuration known, which may be extracted from the engineering data of the plant is. The model is the influence of a single system component on the security of other system components or on entire system areas deposited. Based on the security model, the program calculates in a modification of a single system component, the new one Safety class of the entire system. The modification can hereby in an exchange of the system component by one with a higher security class consist. The computer program can be part of a system design program or by engineering software.

• 1. Es kann ein Austausch mindestens einer Systemkomponente durch eine andere Systemkomponente vorgenommen werden, wobei die andere Systemkomponente den Anforderungen einer Sicherheitsklasse entspricht, die mit einer höheren Sicherheit einhergeht bzw. eine höhere Sicherheitsklasse besitzt, und/oder
• 2. es kann eine Rekonfiguration der Systemkomponenten vorgenommen werden,

bis die gewünschte Sicherheitsklasse erreicht ist. Der erstgenannte Fall wäre beispielsweise dann einschlägig, wenn bei einer Tür ein Schloss gewählt würde, das eine höhere Sicherheit verspricht. Der zweitgenannte Fall setzt eine bauliche Änderung des Systems derart voraus, dass ein potenzieller Angreifer nunmehr ein schwierigeres Hindernis zu überwinden hätte. Dieser Fall ist anlagenspezifisch.The transparent determination of the security level of the system based on objective criteria makes it possible to configure the system from a security point of view. Here, in a first step, a desired safety level or a desired safety class is specified. In a second step, the target safety class is compared with the actual safety class. In the event that the target safety class of the system does not correspond to the previously determined actual safety class of the system, two measures can be provided:

• 1. An exchange of at least one system component may be performed by another system component, the other system component meeting the requirements of a security class associated with a higher security or having a higher security class, and / or
• 2. a reconfiguration of the system components can be carried out

until the desired safety class is reached. The former case would be relevant, for example, if a lock was chosen for a door, which promises greater security. The second case requires a structural change of the system in such a way that a potential attacker would now have to overcome a more difficult obstacle. This case is plant specific.

The Configuration of the system mentioned in the last paragraph may be the configuration to be a new system. In this case, the configuration is already done in the development phase of the system and z. B. using known Engineering systems. The engineering systems are then for the appropriate safety-related warranty modified.

Also an already existing system can be new in terms of its security configured and thus retrofitted. To do this all Additional components equipped with the said feature that exceeds the safety class of System component informed. This feature feature can be included in electronic components by updating the firmware respectively.

following the present invention is based on an embodiment in conjunction with closer to the figures explained become. Hereby shows:

1 a complete system composed of different system components,

2 a system component.

1 shows a system composed of various system components. The system is an industrial plant, namely an automation system 1 , However, the system can also be a networked computer system, in particular a WLAN 1' , act.

The system 1 respectively. 1' has system components 2 respectively. 2 ' , In an automation system 1 These system components are, for example, control computers, field buses, actuators, sensors, etc. In the case of a WLAN, these are essentially computers, routers, interfaces, etc.

Each of these system components has ASICs 4 or EPROMs 4 ' , At the ASICs 4 the information about the security class is implemented in the hardware. The EPROMs 4 ' own this information in their firmware in the memory area. For this purpose, only four bits must be provided for recording this information in a binary coding. The security classes of the system components are numbers between 0 (no protection) and 10 (highest security level).

The system components are via data lines 6 with each other and with a computer 3 connected. The computer 3 reads the security classes of the system components 2 . 2 ' over the data lines 6 electronically and determines the safety level of the entire system 1 respectively. 1' , This is done by reading the EDD information of each system component via an Ethernet interface. This is done on the computer 3 a customized computer program for the system under the operating system Windows ^TM . The query is automatic. From the information about the security class of each individual system component, the computer program calculates the security class of the entire system 1 respectively. 1' ,

The computer program used for this purpose is based on a tailor-made security model for the system, in which the system configuration is stored. The security model allows to calculate the influence of individual system components on the safety of the entire system. The creation of the security model is integrated as an additional level in the engineering tools for planning the system. For the demand-dependent or current calculation of the security class of the entire system, an executable code for the model is generated, which is in the computer 3 is brought to expiration. The computer program runs permanently in the background of the computer 3 and continuously determines the safety class of the overall system 1 respectively. 1' , If the security class changes, a warning is issued to the system administrator.

2 shows a system component 2 in the form of a fieldbus device that has a feature 5 that informs about the security class. In the feature 5 It is a barcode that can be read by a barcode reader.

Claims (17)

Method for determining the security level of one of a plurality of system components ( 2 . 2 ' ) existing system ( 1 ) against deliberate interference by unauthorized third parties in the system where a security level is linked to a security class consisting of a plurality of security classes, comprising the following steps: a) determining the respective security class of the system components ( 2 . 2 ' b) Determine which security class the system achieves with the security classes of the system components. Method according to claim 1, characterized in that that in a system composed of several system areas with each system area a safety class of a plurality linked by security classes is. Method according to claim 1 or 2, characterized that the determination of the respective safety class of the system components and / or the system is done automatically. Method according to one of claims 1 to 3, characterized that the determination of the respective safety class of the system components done by means of a remote sensing. Method according to one of claims 1 to 4, characterized that the respective security class of the system components electronically queried becomes. Method according to one of claims 1 to 5, characterized that the respective safety class of the system components in given Time intervals or continuously determined and based on it the security class of the system is redetermined. Method according to one of claims 1 to 6, characterized that for the case that the desired Security class of the system not the previously determined security class corresponds to the system, c1) an exchange of a system component through a system component that meets the requirements of a security class matches, with a higher one Safety is accompanied, made and / or c2) a reconfiguration the system components is made, until the desired security class is reached. Method according to claim 7, characterized in that that a new system is configured or that an existing one System re its security is reconfigured. Method according to one of claims 1 to 8, characterized that the determination of the safety class of the respective system components and / or of the system by means of a computer program. Method according to one of claims 1 to 9, characterized by its use in an industrial plant ( 1 ) and in particular in an automation system. Method according to one of Claims 1 to 10, characterized by its use in a networked computer system ( 1' ) and in particular with a WLAN. Method according to one of claims 1 to 10, characterized through its use in a power plant or in a system for Power distribution in high voltage networks. System component, characterized in that it has a feature ( 5 ) that informs about the security class of the system component from a plurality of security classes. System component according to claim 13, characterized in that it comprises an electrical component ( 4 . 4 ' ), which contains the feature electronically readable. System with at least one system component according to claim 13 or 14. Computer program that directly into the internal memory a digital computer can be loaded and includes software code sections, with which the steps according to a of claims 1 to 12 executed when the product is running on a computer. Computer program according to claim 16, embodied in a disk, stored in a computer memory or transmitted by means of an electrical Carrier signal.