Invented by Michael A. Bush, Robert Brandt, Rockwell Automation Technologies Inc
The integration of both these systems has become increasingly popular in recent years, as businesses look for ways to improve their security and efficiency. Access control systems can be used to restrict access to certain areas of a facility, such as server rooms or storage areas. Automation systems can be used to control the flow of people and resources within a facility, reducing the need for manual labor and improving efficiency.
One of the key drivers of the market for automation system access control system and method is the increasing demand for security solutions. With the rise of cyber threats and physical security risks, businesses are looking for ways to protect their assets and employees. Access control systems provide a way to restrict access to sensitive areas, while automation systems can help to monitor and control the flow of people and resources within a facility.
Another driver of the market is the increasing adoption of cloud-based solutions. Cloud-based access control and automation systems offer a number of benefits, including scalability, flexibility, and cost-effectiveness. These systems can be easily integrated with other cloud-based solutions, such as video surveillance and alarm systems, to provide a comprehensive security solution.
The market for automation system access control system and method is also being driven by the increasing adoption of smart building technologies. Smart buildings use a variety of sensors and devices to monitor and control various aspects of the building, including lighting, temperature, and security. Access control and automation systems can be integrated with these smart building technologies to provide a seamless and efficient solution.
In conclusion, the market for automation system access control system and method is rapidly growing as businesses and organizations seek to improve their security and efficiency. The integration of access control and automation systems offers a number of benefits, including improved security, reduced labor costs, and increased efficiency. With the increasing adoption of cloud-based solutions and smart building technologies, the market is expected to continue to grow in the coming years.
The Rockwell Automation Technologies Inc invention works as follows
An improved method and system for controlling the access of components to resources of an industrial automation system by reference to various operational states of the system.” A central access system comprises a processing circuitry and interface circuitry that receives information about the operational state an automation system. It also includes memory circuitry and a display/user interface. Access to automation components is either granted or denied in operation based on a designation of the operational state of an automated system.
Background for Automation System Access Control System and Method
The invention is generally related to automation control systems. “More specifically, embodiments of this disclosure relate to a method and system for controlling components’ access to automation system resources using the unique characteristics industrial automation systems.
Industrial Automation System Components have been traditionally interconnected using specialized networks that use standard industrial protocols to access and exchange data. The unique industrial environment and the material handling process has made it difficult to adopt conventional technologies that are used in other fields. The challenge of managing permissions for individual systems, components and users to access an automation system or resource is a particular problem with traditional industrial automation. In industrial automation environments, there are often many components that need to be able to locate one another and communicate in order to function normally. An access control system that is properly implemented for an industrial automation system will allow essential interactions but not unwanted ones. Access control systems become more complex as the number of interactions increases exponentially. These access control systems can be underutilized or even neglected. This leaves industrial automation systems open to uncontrolled access or locked down, which may reduce the effectiveness of the systems or tax administrative staff who must review and allow access when necessary.
There is a need to improve techniques for controlling the access to automation systems resources.
The present invention is an improved method and system for controlling the access of components to resources of industrial automation systems by referring to the different operational states of industrial automation systems. According to aspects of the invention, a central control system for accessing resources includes a processing and interface circuitry as well as memory and display circuitry. The system also includes a collection of records containing information about elements who have tried to access the automation system or will attempt to do so in the future. This system allows or denies access to automation components based on a designation of the operational state of an automated system, in addition to predetermined criteria. The additional criteria in certain embodiments can be more restrictive or less restrictive, depending on the state of operation of the industrial automation systems.
The following detailed description will help you better understand the features, aspects and advantages of this invention when read in conjunction with the accompanying drawings. In the drawings, like characters are used to represent similar parts.
FIG. “FIG. “Figure 1 in a state of commissioning or maintenance;
FIG. “FIG. “Figure 1 in an operational state
FIG. “FIG. “Figure 1 shows a view of the records used to access components.
FIG. The diagrammatic view 1 shows an example embodiment of an Access Control System 10 that controls access to an Industrial Automation System 12. The access control 10 in the embodiment shown is connected to the industrial automation 12 and is configured for granting or denying access to resources of the system depending on the characteristics of its operational state at the time. The access control system can reside on one system (e.g. a computer, server, etc.). As illustrated in the embodiment currently being considered, or on multiple systems (e.g. a network computer and/or server). The access control system can be configured to control the access to only a subset of an automaton system, for example, a single process or group of processes. It may also control an entire automation system at an automated facility or multiple automation systems in multiple locations working together to provide control on a global level. The access control system can be located locally or at a remote site, such as an enterprise headquarters or secured data center. The industrial automation system can include internal accessing component 14 and external accessing component 16. The internal accessing components can be processes, applications or devices within an industrial automation facility or system. These internal components can interface with human actors 16 in processes that are run manually or monitored, for example, in response to inputs from the actor via computer workstations, personal computers, portable or handheld devices, dedicated human machine interfaces, or similar. Accessing components can be used without human interaction. Examples include devices controlled by motor controllers, automation software routines, input/output systems, supervisory system, etc. There may also be 18 external accessing elements that are separate from the automation system. These components include all processes, applications and devices that interact with an industrial control system. These components may also or may not interact with human actors. Within the embodiment currently considered, other components 22 may also attempt to gain entry to the industrial automation systems. These components can be classified as other types, like systems that access the system periodically for system evaluation, troubleshooting and maintenance.
The automation components 24 are resources of the industrial system to which accessing components 14, 18 and 22 can seek access. You will understand that automation components 24 can also be internal accessing component 14 and internal accesing component 14 can also be automation components 24 of an industrial automation system. Access to these components is controlled by access control system 10. A communication network 26 connects the automation components 24. This network includes the actual connection between the accessing components but also may include a range hardware, software and firmware which use the connection to send and receive data with external elements like other networks, controllers, actuators, etc. This network can be physical (wired, wireless), virtual, or follow any number of communication protocols, such as CIP.
The networked component is part of the automation system 28 within an automation facility 30.” One access control system can control the access to one or more automation facilities 32 or systems 28. The access control system can reside on one central server or multiple servers. The central server can host the access system exclusively, such as on dedicated servers or share resources with other processes and systems. In the embodiment currently contemplated, the central computer directs one of more control components 36 which are external to the server central 34. However, such control components can also be integrated into the server central. Directly connected to the Access Control System can be a directory 38 of automation system components. This directory can contain identification information for all or a subset of automation system components. This directory may also contain data identifying human actors, accessing components and other automation system components. Location information, such as a physical location or a location on an internal or external network (e.g. Internet), as well as other information, such as type or role (e.g. sensor, actuator or process), can be included in the identifying data.
In the current embodiment, each attempt to access by an accessing element 14, 16 is recorded in a database 40 of records, along with unique information about the attempted access, and an indicator as to whether or not the access was permitted. An administrator 42 can access these records 40, or a subset thereof, where they can be viewed or modified. The administrator can change the authorization indicator on the record to either change access to allow or to deny.
Processing Circuitry 44″ is located in the central server, which is the embodiment of the present invention where authorization is determined. In some embodiments, an administrator can add a record to the database without making a previous attempt to access it. This is done to allow access to components who have never attempted to access it before. Memory circuitry 46, which is part of the processing circuitry, allows the storage of access control software and parameters (as well as any other code used by the processing circuitry to carry out processes). Memory 46 may not be part of the memory that stores the information about access records in a currently contemplated embodiment. However, it may be integrated into certain embodiments. An administrator can interact with a display/user interface 48 that shows graphical representations for the processes in the access control system. This may involve monitoring the activity of access attempts and making manual changes to records. “Interface circuitry 50 can be found on the central server to receive and send data from the accessing components 14, 18 and 22, the control component 36 and/or one or more automated facilities 30, 32.
Criteria” 52 is a set of attributes that are associated with the entities requesting access (e.g. components or human actors), and may be used to grant or deny access to automation system components 24. In some embodiments, the criteria include process name, software, application version, publisher and identifying data for accessing components. Criteria may also include data identifying the user (e.g. for humans). The target data 54 are the information the component 14, 18, 22, or the component 14 of interest wishes to send or receive.
FIG. “FIG. According to an exemplary embodiment, FIG. 1 shows the system in a state of operation during commissioning or maintenance. If the component that is attempting to access the data interacts with a human actor (16, 20), then user data 56 may be associated with the attempt. These user data can be used or not as a criterion for granting access. Component data (58) associated with an attempted access is unique to the component 14, 18, 22, which was attempting the access. In some embodiments, trusted access 60 can be permitted in the state of commissioning or maintenance. This trusted access can be granted during periods where the industrial automation system has not been in an operational state, and security risks are therefore low. When industrial automation systems are under maintenance, for example, many or all systems and processes have been suspended, and the vulnerability is minimal or nonexistent. This trusted access 60 can be controlled by the central computer 34, or it may be a direct connection from the component accessing the automation system 24 to the component. In the currently envisaged embodiments, access to all components is allowed during these stages, but all accesses are logged. This stage can be viewed as a “learning” phase. The commissioning stage of operation may be considered a?learning?
Click here to view the patent on Google Patents.