Integrity monitoring in an automation system

Document number: 1472083 Publication date: 2020-02-21

Reading note: this technology, Integrity monitoring in an automation system, was designed and created by R. Falk and S. Fries on 2018-06-07. Its main content: the task of the invention is to monitor the integrity of an industrial automation system. For example, damage to integrity due to illegal access should be identified. This is done by comparing state data (181) describing the operating state of the automation system with sensor data (183) describing the environmental impact of the automation system.

1. A method, the method comprising:

-obtaining status data (181) of an industrial automation system (100), wherein the status data (181) describes an operational status (301) of the automation system (100),

-obtaining sensor data (183) describing an environmental impact (306) of the automation system (100),

-performing a comparison between the status data (181) and the sensor data (183), and

-based on the comparison: monitoring the integrity of the automation system (100).

2. The method according to claim 1,

wherein the status data (181) comprises a status of operating software of the automation system (100).

3. The method according to claim 1 or 2,

wherein the status data (181) comprises at least one element of the following group:

-component registration of a plurality of active components (101-106, 111, 112, 118, 119) of the automation system (100);

-component activities of a plurality of components (101-106, 111, 112, 118, 119) of the automation system (100);

-an error state of operating software of the automation system (100);

-parameters of a communication interface of the automation system (100); and

-resource allocation of computer hardware of the automation system (100).

4. The method of any of the preceding claims, further comprising:

-obtaining control data (182) for one or more actuators (101-106) of the automation system (100), the actuators causing the environmental impact (306),

wherein a comparison between the status data (181), the sensor data (183) and the control data (182) is performed.

5. The method according to any one of the preceding claims,

wherein the comparison takes into account a deviation of the environmental impact (306) from a reference (310).

6. The method of claim 5, further comprising:

-determining the reference (310) on the basis of a predefined deterministic model (250) and from the state data (181).

7. The method according to claim 6,

wherein the predefined model (250) indicates a plausibility range (311) of the sensor data (183) as a function of the state data (181).

8. The method of any of claims 5 to 7, further comprising:

-obtaining reference status data (181A, 181B) of the automation system (100) in a learning phase (192, 193), wherein the reference status data (181A, 181B) describes an operating status (301) of the automation system (100),

-obtaining reference sensor data (183A, 183B) in the learning phase (192, 193), wherein the reference sensor data (183A, 183B) describes an environmental impact (306) of the automation system (100),

-determining an empirical model (250) of the environmental impact (306) based on performing a comparison between the reference state data (181A, 181B) and the reference sensor data (183A, 183B), and

-determining the reference (310) based on the empirical model (250).

9. The method according to claim 8,

wherein the determination of the empirical model (250) is made by means of a machine-learned technique.

10. The method according to any one of claims 5 to 9, further comprising:

-monitoring the operation of another industrial automation system (100'),

-determining the reference (310) based on monitoring the operation of the further industrial automation system (100').

11. The method according to any one of the preceding claims,

wherein performing the comparison comprises performing anomaly detection of sensor data (183) related to the status data.

12. The method of any of the preceding claims, further comprising:

-depending on the monitoring: creating a log file that relates the monitored status to a serial number of a product of the automation system (100).

13. The method of any of the preceding claims, further comprising:

-upon monitoring: outputting a warning via a user interface and/or switching operation of the automation system (100) into a protection state.

14. A control unit (120, 160) comprising at least one processor configured for carrying out the steps of:

-obtaining status data (181) of an industrial automation system (100), wherein the status data (181) describes an operational status (301) of the automation system (100),

-obtaining sensor data (183) describing an environmental impact (306) of the automation system (100),

-performing a comparison between the status data (181) and the sensor data (183), and

-based on the comparison: monitoring the integrity of the automation system (100).

15. The control unit (120, 160) according to claim 14,

wherein the at least one processor is configured to implement the method of any one of claims 1 to 13.

16. A computer program comprising program code that can be executed by at least one processor and that causes the at least one processor to implement the method of any one of claims 1 to 13.

Technical Field

Various examples of the invention relate generally to monitoring the integrity of an industrial automation system. Various examples of the invention relate to monitoring based on a comparison between status data of an automation system and sensor data describing an environmental impact of the automation system, among other things. Various examples of the invention relate to monitoring integrity to determine a compromise in integrity due to illegal access (Fremdzugriff).

Background

With increasing automation, the popularity of implementing industrial automation systems has increased. For example, automated systems are used in the manufacture of machines or workpieces. An automation system may implement a process engineering plant. Industrial automation systems are also used in the field of traffic monitoring or traffic control, for example in connection with traffic control systems in towns, in building automation, rail traffic or air traffic. Industrial automation systems can also be used in energy production, for example in power stations or substations, and in energy transmission and distribution (smart grid).

Modern automation systems exhibit a high degree of connectivity. For example, an automation system typically comprises a plurality of components, such as sensors, actuators, computing units or control units. These components of the automation system are typically connected to one another via a network and are therefore in communicative connection. It is also often possible to access the automation system from outside (for example via the internet), or the automation system transmits data, for example diagnostic data for predictive maintenance, via the internet.

Therefore, in connection with automated systems, there is often a risk of unauthorized illegal access (English: hacking). Such unauthorized access can lead to malfunctions, data losses, functional limitations, and even to complete failure of the respective automation system.

Therefore, protecting the integrity of an automation system is a necessary goal to ensure reliable operation. In addition to protecting the individual partial functions of the automation system, there is a need in particular to protect the integrity of the industrial automation system as a whole.

In a reference implementation, integrity damage due to unauthorized access is monitored, for example, on the basis of status data of an IT system of the automation system, which describes an operating state of the automation system. Based on the evaluation of such status data, an attack on the integrity of IT components of the automation system may be determined. For example, irregularities in the status data may be identified. The automated recognition of such irregularities is described in connection with an attack recognition tool (English: intrusion detection system). The attack detection tool searches for known attack patterns in a targeted manner, for example in the operating software of the automation system or in connection with a communication interface of the automation system.

However, such a reference implementation has certain limitations and disadvantages. For example, such a reference implementation may have limited accuracy. Often, such attack recognition tools are only capable of recognizing IT-related attacks or manipulations.

Disclosure of Invention

Accordingly, there is a need for improved techniques for monitoring the integrity of automation systems. In particular, there is a need for techniques for identifying illegitimate accesses to automated systems. There is a need for such a technique that obviates or mitigates at least some of the disadvantages and limitations noted above.

This object is achieved by the features of the independent patent claims. The features of the dependent patent claims define embodiments.

An exemplary method comprises: status data of the industrial automation system is obtained. The status data describes an operating status of the automation system. The method further comprises: sensor data describing an environmental impact of an automation system is obtained. The method further comprises: a comparison between the status data and the sensor data is performed, and the integrity of the automation system is monitored based on the comparison.

For example, it would be possible to identify an illegal access to the automation system and monitor the effect on the integrity associated with the illegal access. Unauthorized illegal access can be identified.

For example, an industrial automation system may implement a power plant, an energy distribution network, a substation, a production line of workpieces or machines, a refinery, a pipeline, a sewage treatment plant, a traffic control system, a medical device, and so forth. Sometimes, such automation systems are also referred to as Cyber Physical Systems (CPS). Examples of automated systems include: industrial equipment; a production workshop; a transformer substation; a robot; a ground transport vehicle; an autonomous transport system; a machine tool; milling machine; printing presses, process engineering equipment; and a 3D printer.

The state data may include, for example, a self-test result of the operating software of the automation system, a checksum, a memory dump (Speicherabzüge), and so forth.

Sensor data may be obtained from one or more sensors. The sensor may be part of the automation system, i.e., in communicative connection with other components of the automation system, for example, via a common communication interface. However, in other examples, it would also be possible that the sensors are not part of the automation system, but remain available separately, so that simultaneous access not only to the automation system but also to the sensors cannot simply be obtained.

The sensor data may thus be indicative of the environmental impact of the automation system. Very different sensors can be used depending on the kind of environmental influence. For example, environmental effects may include heating or cooling of the surroundings of the automation system; in this case it would be possible to use a temperature sensor. In other examples, the environmental impact may include the switching of a traffic light or traffic guidance system; here, video data imaging the traffic guidance system can be obtained as sensor data, for example. In connection with energy generation, for example, sensor data may be obtained which are indicative of an electrical characteristic variable, for example a voltage, a current or a phase shift.

In particular, deviations of the environmental impact from an expected reference can be identified by performing a comparison between the status data and the sensor data. Such deviations of the environmental impact may occur, for example, if the boundary conditions of the environmental impact, which are defined outside the automation system, change. In this case, a compromise of integrity need not be present. However, it would also be possible for such deviations of the environmental impact from the reference to occur due to, for example, unauthorized illegal access to the integrity of the automation system. Unauthorized illegal access can then be determined by monitoring the deviation.

By comparing the status data with the sensor data, a particularly high degree of reliability in terms of integrity monitoring can be achieved. In particular, a positive confirmation of the integrity can be achieved by such a joint analysis. Furthermore, integrity may be monitored based on multiple data sources, resulting in improved reliability overall. Illegal accesses can be reliably identified. In particular, the effect of illegal access on integrity can be identified. A compromise to integrity may be identified. Unauthorized illegal access can be identified. In addition, it is also possible to detect a manipulation or a simulated manipulation of an actuator or a sensor of the automation system, for example a manipulation of its electronics. This enables a new quality of integrity monitoring.

In one example, the status data may include a status of operating software of the automation system. In this way, IT-related information about the automation system may be obtained. In particular, the state of the operating software may characterize the operating state of the automation system.

The state data may comprise at least one element of the following group: component registration of a plurality of active components of an automation system; component activities of a plurality of components of an automation system; an error state of operating software of the automation system; parameters of a communication interface of an automation system; and resource allocation of computer hardware of the automation system.

With the aid of such state data and other kinds of state data, the state of the operating software of the automation system can be mapped reliably and extensively (abgebildet). By taking into account a plurality of complementary kinds of status data, it is possible in particular to identify individual attacks on individual function blocks of an automation system. This is based on the following experience: simultaneous attacks on a plurality or a large number of functional blocks with a forged, however correlated or consistent behavior only rarely occur. Thus, a compromise of the integrity, for example due to an illegal access, can be identified particularly reliably.

Such status data and other kinds of status data may also indicate, inter alia, indirectly the activity of actuators of the automation system that cause environmental influences. It may sometimes be desirable to take into account the activities of the actuators of the automation system, in particular explicitly, when monitoring the integrity. In this case, it may be useful, in addition, to obtain control data for one or more actuators of the automation system, wherein the actuators cause environmental influences. A comparison between the status data, the sensor data and the control data may then be performed.

In this way, it is possible that the determined unexpected environmental impact is particularly well attributable, for example, to a malfunction of the actuator; the malfunction of the actuator is not necessarily caused by illegal access, but may be caused by damage or the like. Thus, the accuracy of integrity monitoring may be improved overall. In particular, in this case, the integrity of the system can also be monitored independently of illegal accesses.

In some examples, the comparison may take into account deviations of the environmental impact from a reference. In particular, deviations from the standard behavior can thus be determined within the scope of the comparison. Such deviations from the standard behavior can be determined particularly simply, in particular compared with a reference implementation in which the environmental impact would have to be predicted comprehensively. Due to the complexity of automation systems, it may sometimes not be possible, or only possible to a limited extent, to predict the environmental impact in its entirety. In such a scenario, it may then be useful to consider only the deviation of the environmental impact from the reference instead of predicting the environmental impact, i.e. anomaly detection can be performed.

In this case, it would be possible, for example, to determine the reference on the basis of a predetermined deterministic model and on the basis of the state data. For example, the deterministic model can predetermine the reference on the basis of simple assumptions which are, for example, fixedly predetermined and stored in a memory. Such a model may predict, for example: in the case of a large number of memory accesses of the operating software of the automation system, an increased number of workpieces completed per unit time will typically be obtained. This number of finished workpieces per unit time can be inspected by suitable sensors; this allows a compromise of integrity to be determined from the deviation between the sensor data and the status data. Another example of such a model relates to the frequency of adjustment operations, for example in the operation of a gas turbine; if the gas turbine is frequently adjusted between different power values, the temperature in the bearings of the gas turbine may increase. Temperature changes in the region of the bearings of the gas turbine can be monitored by temperature sensors, and this predicted relationship can be checked within the scope of the model by comparison between the state data and the sensor data. In particular, if a simulation model of the automation system is present, which is also referred to as a digital twin, this simulation model can be used as a reference in continuous operation. This is particularly advantageous, since the simulation model created when designing the automation system (digital twin) can continue to be used for ongoing integrity monitoring.

In this case, it would be possible, for example, for a predefined model to indicate the plausibility range of the sensor data as a function of the state data. This means that instead of an accurate prediction of the sensor data to be expected, a range of acceptable sensor data is used. This makes it particularly easy to separate normal operation from a compromise of integrity, for example due to illegal access, during monitoring.
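As an added illustration of the deterministic model and plausibility range described above (this is example code, not part of the patent and not the applicant's implementation), the following script checks the sensor data against the status and control data of a constructed press line and records one log entry per product serial number, as claim 12 proposes. The press-command model, the scrap tolerance and all sample values are assumptions made for the example.

```python
"""Added example: deterministic plausibility-range check of sensor data against
status and control data, with a log record per product serial number.
All names, numbers and sample data below are constructed for illustration."""
import json
from dataclasses import dataclass

# Assumed deterministic model (250): every press command of the actuator (182)
# should yield one workpiece counted by an external light barrier (183); a
# small scrap fraction is tolerated, and the control software (181) must have
# executed at least one control cycle per press command it issued.
SCRAP_FRACTION = 0.05


@dataclass(frozen=True)
class Observation:
    interval: int         # monitoring interval index (constructed)
    serial_number: str    # serial number of the product made in this interval
    control_cycles: int   # status data (181): control-program cycles executed
    press_commands: int   # control data (182): actuator commands issued
    workpieces: int       # sensor data (183): workpieces counted externally


def plausibility_range(press_commands: int) -> tuple[int, int]:
    """Reference (310) expressed as a plausibility range (311): the workpiece
    count acceptable for the given number of actuator commands."""
    scrap_allowance = round(press_commands * SCRAP_FRACTION)
    return press_commands - scrap_allowance, press_commands


def compare(obs: Observation) -> list[str]:
    """Comparison of status, control and sensor data; returns deviations found."""
    findings = []
    if obs.press_commands > obs.control_cycles:
        findings.append(
            f"{obs.press_commands} actuator commands but only {obs.control_cycles} "
            "control cycles: status data inconsistent with control data")
    low, high = plausibility_range(obs.press_commands)
    if not low <= obs.workpieces <= high:
        findings.append(
            f"{obs.workpieces} workpieces counted, plausibility range is [{low}, {high}]: "
            "sensor data inconsistent with control data")
    return findings


def monitor(observations: list[Observation]) -> list[dict]:
    """Monitors integrity per interval and builds one log record per product."""
    records = []
    for obs in observations:
        findings = compare(obs)
        records.append({
            "interval": obs.interval,
            "serial_number": obs.serial_number,
            "integrity": "ok" if not findings else "deviation",
            "findings": findings,
        })
    return records


def protection_state_required(records: list[dict]) -> bool:
    """True if any interval showed a deviation, i.e. a warning should be raised
    and the plant switched into its protection state."""
    return any(r["integrity"] == "deviation" for r in records)


def write_log(records: list[dict], path: str) -> None:
    """Writes the records as JSON lines so each product can be checked later."""
    with open(path, "w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")


# Constructed sample intervals: a normal one; one where the press was stopped
# while status and control data still claim normal production; and one where
# the reported control-cycle count cannot explain the commands issued.
SAMPLE = [
    Observation(1, "SN-0001", control_cycles=120, press_commands=40, workpieces=39),
    Observation(2, "SN-0002", control_cycles=120, press_commands=40, workpieces=3),
    Observation(3, "SN-0003", control_cycles=10, press_commands=40, workpieces=40),
]

if __name__ == "__main__":
    for rec in monitor(SAMPLE):
        print(rec)
```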

The method may also include: reference state data of the automation system are obtained in a learning phase. The reference state data describes the operating state of the automation system. The method may further comprise: reference sensor data is obtained in the learning phase. The reference sensor data may also describe the environmental impact of the automation system. An empirical model of the environmental impact may then be determined based on performing the comparison between the reference state data and the reference sensor data. It is then possible to determine the reference based on the empirical model.

In such an approach, it may be possible to flexibly relate a large number of sources of state data and sensor data to one another by means of a model. In particular, it is possible to link sources for which deterministic models cannot be derived in a simple manner; modular systems in particular can be supported thereby. This may also be the case, for example, when the data is only weakly correlated, when there are different data of large dimensions, or when the sensor data is strongly noisy and its signal-to-noise ratio is low.

The determination of the empirical model may be performed, for example, by means of machine learning techniques. For example, an artificial neural network may be trained, e.g., via back propagation. A Kalman filter may also be used. This allows a reliable determination of the model or reference without great effort and also flexibly in coordination with individual situations (for example a modular system which is frequently expanded or modified).

The learning phase may be performed, for example, in association with a monitored operation. For example, it would be possible that access to the automation system by external devices during the learning phase is not possible. This ensures that: the reference status data or the reference sensor data has not been falsified. It will be possible that the learning phase is continuously repeated during operation of the automation system. This allows sudden deviations from the reference, for example due to illegal accesses, to be identified. Furthermore, it is proposed that the reference model is updated in the event of authorized access to one or more components of the automation system, for example a change to a project plan (configuration data), in the event of a reconfiguration of the production plant (plug and play), or in the event of an update to the plant firmware. It is also proposed that the method according to the invention for integrity monitoring of an automation system be temporarily stopped during such authorized access. In a further variant, the method according to the invention monitors during such authorized access according to a second reference model. The selection or temporary stopping of the reference model can be performed automatically by evaluating the operating mode (e.g., active operating mode, maintenance mode, failure mode) of the automation system.
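The learning phase, the empirical model and the operating-mode handling described in the last paragraphs, as an added example that is not part of the patent or the applicant's code: a least-squares fit stands in for the machine-learned model, the residual spread of the reference data defines the plausibility range, and a per-mode model table suspends monitoring during authorized maintenance. The gas-turbine load-change and bearing-temperature values are constructed for the example.

```python
"""Added example: learning phase fitting an empirical model of sensor data
against state data, then anomaly detection against that model with
operating-mode handling. All names and data below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EmpiricalModel:
    """Model (250) learned from reference data: sensor ~ slope*state + intercept,
    with the residual spread sigma defining the plausibility range (311)."""
    slope: float
    intercept: float
    sigma: float

    def reference(self, state: float) -> float:
        """Reference (310) of the sensor value for the given state value."""
        return self.slope * state + self.intercept


def learn(ref_state: list[float], ref_sensor: list[float]) -> EmpiricalModel:
    """Learning phase (192, 193): least-squares fit of reference sensor data
    (183A) against reference state data (181A). Assumes the learning phase ran
    with external access blocked, so the reference data are not falsified."""
    n = len(ref_state)
    if n != len(ref_sensor) or n < 3:
        raise ValueError("need at least three paired reference samples")
    mx = sum(ref_state) / n
    my = sum(ref_sensor) / n
    sxx = sum((x - mx) ** 2 for x in ref_state)
    if sxx == 0.0:
        raise ValueError("reference state data carry no variation")
    sxy = sum((x - mx) * (y - my) for x, y in zip(ref_state, ref_sensor))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_res = sum((y - (slope * x + intercept)) ** 2
                 for x, y in zip(ref_state, ref_sensor))
    sigma = max((ss_res / (n - 2)) ** 0.5, 1e-9)  # floor avoids a zero-width band
    return EmpiricalModel(slope, intercept, sigma)


def assess(models: dict[str, Optional[EmpiricalModel]], mode: str,
           state: float, sensor: float, k: float = 3.0) -> dict:
    """Anomaly detection of sensor data relative to state data. `models` maps
    each operating mode to its reference model; None means monitoring is
    suspended in that mode (e.g. during authorized maintenance)."""
    if mode not in models:
        raise ValueError(f"unknown operating mode {mode!r}")
    model = models[mode]
    if model is None:
        return {"mode": mode, "verdict": "suspended", "z": None}
    expected = model.reference(state)
    z = (sensor - expected) / model.sigma   # residual in units of the learned spread
    return {"mode": mode, "verdict": "anomaly" if abs(z) > k else "ok",
            "z": z, "reference": expected}


# Constructed reference data from the learning phase: gas-turbine load changes
# per hour (state data) and the measured bearing temperature rise in K (sensor).
REF_STATE = [2, 4, 6, 8, 10, 12, 5, 7, 9, 3]
REF_SENSOR = [2.1, 2.9, 4.1, 4.9, 6.2, 7.0, 3.4, 4.6, 5.4, 2.6]


def build_models() -> dict[str, Optional[EmpiricalModel]]:
    """Active operation uses the learned model; maintenance suspends monitoring."""
    return {"active": learn(REF_STATE, REF_SENSOR), "maintenance": None}


if __name__ == "__main__":
    models = build_models()
    print(assess(models, "active", 6, 4.0))        # consistent with the state data
    print(assess(models, "active", 6, 9.0))        # bearings far hotter than explained
    print(assess(models, "active", 12, 2.0))       # many load changes, no temperature rise
    print(assess(models, "maintenance", 6, 9.0))   # authorized access: suspended
```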

In various examples, it will also be possible to monitor the operation of another industrial automation system. The reference may then be determined based on monitoring of operation of another industrial automation system. For example, it is also possible to obtain corresponding status data and sensor data for another industrial automation system and to perform a comparison between the status data and the sensor data of the other industrial automation system.

By means of this technique, a networking between different automation systems can be utilized, so that damage from a single automation system of the set of automation systems can be identified by comparison with the remaining automation systems.

Performing the comparison between the status data and the sensor data may further comprise performing an anomaly detection of the sensor data in relation to the status data. This means that deviations from the pattern of sensor data expected on the basis of the state data can be recognized within the scope of anomaly detection, for example by means of machine learning.

If a compromise to the integrity is determined and/or if an illegal access to the integrity of the automation system is determined, various measures may be taken. For example, a signal, such as a switch signal or an alarm signal, may be output via the user interface. The automation system or at least components of the automation system can be transferred into the safety state or the protection state automatically or after confirmation by an operator. A log file may also be created based on the monitoring. Here, the log file may relate the monitored status to a serial number of a product of the automation system. This also makes it possible to check afterwards whether the integrity of the production machine was intact while the product was manufactured.

In one example, a computer program product includes program code, which may be implemented by at least one processor. The implementation of the program code causes: at least one processor implements a method. The method comprises the following steps: status data of the industrial automation system is obtained. The status data describes an operating status of the automation system. The method further comprises: sensor data describing an environmental impact of an automation system is obtained. The method further comprises: a comparison between the status data and the sensor data is performed and the integrity of the automation system is monitored based on the comparison.

In one example, a computer program comprises program code, which may be implemented by at least one processor. The implementation of the program code causes: at least one processor implements a method. The method comprises the following steps: status data of the industrial automation system is obtained. The status data describes an operating status of the automation system. The method further comprises: sensor data describing an environmental impact of an automation system is obtained. The method further comprises: a comparison between the status data and the sensor data is performed and the integrity of the automation system is monitored based on the comparison.

In one example, the control unit comprises at least one processor configured to perform the steps of: obtaining status data of the industrial automation system, wherein the status data describes an operational status of the automation system; and obtaining sensor data describing an environmental impact of the automation system; and performing a comparison between the status data and the sensor data; and based on the comparison, monitoring the integrity of the automation system.

The examples described above may be combined with each other in other examples.

Drawings

Fig. 1 schematically illustrates an automation system according to various examples.

Fig. 2 schematically illustrates a control unit of an automation system according to various examples.

Fig. 3 schematically illustrates a control unit according to various examples.

FIG. 4 is a flow chart of an exemplary method.

Fig. 5 schematically illustrates the obtaining of status data, control data, and sensor data according to various examples.

Fig. 6 schematically illustrates comparison of state data, control data, and sensor data by means of a model according to various examples.

Fig. 7 illustrates exemplary temporal changes of component activities described by exemplary state data of a component of an automation system and environmental influences of the automation system related to the component activities.

Fig. 8 schematically illustrates reference state data, reference control data, and reference sensor data, in accordance with various examples.

Fig. 9 schematically illustrates state data, control data, and sensor data for a plurality of automation systems, in accordance with various examples.

Detailed Description

The above described features, characteristics and advantages of the present invention, and the manner and method of attaining them, will become more apparent and the invention will be better understood by reference to the following description of embodiments, which are explained in greater detail in conjunction with the accompanying drawings.

The invention is explained in more detail in the following according to preferred embodiments with reference to the drawings. In the drawings, like reference characters designate the same or similar elements. The figures are schematic representations of various embodiments of the present invention. Elements shown in the figures are not necessarily shown to scale. Rather, the various elements shown in the figures are depicted such that their function and general purpose become readily apparent to those skilled in the art. The connections and couplings shown in the figures between functional units and elements may also be implemented as indirect connections or couplings. The connection or coupling may be achieved in a wired or wireless manner. The functional units may be implemented as hardware, software, or a combination of hardware and software.

Techniques for monitoring the integrity of an industrial automation system are described subsequently. There may be different causes of a compromise of integrity. An exemplary cause of the impairment of the integrity is illegal access to the respective automation system, i.e. in particular unauthorized illegal access.

The technology described herein is based on the combined monitoring of status data describing the operating state of an automation system and sensor data describing the environmental impact of the automation system. For example, the environmental impact expected under normal circumstances can be derived from the status data. This modeling information may then be used to enable a comparison of actual behavior with expected behavior and thereby determine integrity changes.

In various examples, the techniques described herein are based on jointly considering and evaluating sensor data and status data, which relate to IT, for example. Consistency or rationality may be checked based on a comparison of sensor data with status data. This results in a new quality of the integrity monitoring, since, for example, manipulation of the sensor or actuator can also be detected. Furthermore, a high robustness is achieved, since for an undetected attack multiple integrity data on different systems would have to be handled simultaneously and consistently. Furthermore, different types of integrity compromise, such as manipulation of sensors or actuators, manipulation of wiring, manipulation of configuration data, manipulation of firmware, manipulation of control communications, etc., may be detected and processed collectively. In this way, impairment of the integrity of different types of automation systems can be identified. In particular, the techniques described herein for monitoring integrity do not relate only to specific IT-part functions of components of an automation system, but rather to an integrated solution.

The techniques described herein scale flexibly. Additional sensor data and/or status data can be taken into account as required. Critical areas of the automation system can also be monitored at a higher cost than areas that are relatively uncritical. For example, more sensor data or status data per unit time may be obtained for a critical area.

The techniques described herein also enable retrofitting of existing automation systems. For example, additional sensors may be used to provide sensor data in a targeted manner. This enables the continued use of operating software, automation components and machine tools or production systems that are not protected at all. In general, it is possible to continue to use components of the automation system which themselves have no protection or only insufficient protection against illegal access.

Based on the present technique, it would be possible, for example, to generate a log file that records the results of the monitoring, for example together with a timestamp. This information can then be used to determine whether a batch of the generated product was affected by a compromise of the integrity of the automation system. It can thus also be checked, for example, whether the integrity of individual product batches is likely to have been affected by impermissible or even unauthorized illegal access.

Unauthorized access is often characterized by impermissible modifications to the automation system. Such modifications can also be made by a user who has access to components of the system, for example via service modes, and can modify, for example, project planning data (Projektierungsdaten) of the firmware or of the components. The solution according to the invention improves flexibility, since impermissible changes of the device configuration can also be recognized when they are made by a service technician or via a weakly protected or unprotected service interface.

Fig. 1 schematically illustrates aspects related to an automation system 100. The automation system 100 includes a plurality of components 101-106, 111-112, 118-119, 120. These components may also be referred to as Internet of Things (IoT) devices.

For example, the components 101-106 can implement actuators that cause environmental effects. Such environmental influences may be, for example, the operation of a production line or the control of a traffic control system.

For example, the components 111-112 may represent sensors that at least partially measure the environmental impact of the actuators 101-106.

For example, the components 118-119 may implement control functionality to control one or more of the other components 101-106, 111-112. This means that the components 118-119 can provide computer hardware resources. A central control unit 120 is also provided.

In addition, external sensors 151, 152 are also shown in fig. 1; these sensors 151, 152 are not part of the automation system 100 in the sense that they are not in communicative connection with the remaining components 101-106, 111-112, 118-119, 120. Such sensors 151, 152 may be installed specifically for the purpose of integrity monitoring and, for example, be arranged in a physically protected manner. This has the advantage that such sensors 151, 152 cannot be manipulated by a compromised (kompromittiert) automation component via a communication connection. In one variant, the system-independent sensors can be given a different weight in the evaluation.

Fig. 1 also shows a possible illegitimate access 90 against the integrity of the automation system 100. The purpose of the illegitimate access 90 may be, for example, to compromise the operation of the automation system 100. The illegitimate access 90 may be impermissible or even unauthorized.

Techniques that make it possible to identify and, if necessary, prevent such an illegitimate access 90 are described below.

For example, corresponding logic may be implemented in a control unit 160. In the scenario of fig. 1, the control unit 160 is not part of the automation system 100. For example, the control unit 160 may be part of a backend system and may be implemented using cloud computing or edge computing.

Fig. 2 illustrates aspects of the central control unit 120. In some examples, the control unit 120 may also be configured to carry out the integrity monitoring. The control unit 120 comprises at least one processor 121, for example a multicore processor, and a memory 122. Program code may be stored in the memory 122. The processor 121 may load the program code from the memory 122 and execute it. Executing the program code may cause the central control unit 120 to perform techniques associated with one or more of the following: obtaining and/or analyzing status data of the automation system 100; obtaining and/or analyzing sensor data describing an environmental impact of the automation system; performing a comparison between the status data and the sensor data; monitoring the integrity of the automation system; and monitoring for illegitimate access to the automation system, for example access aimed at compromising its integrity.

Fig. 3 illustrates aspects of the backend control unit 160. The control unit 160 comprises at least one processor 161, for example a multicore processor, and a memory 162. Program code may be stored in the memory 162. The processor 161 may load the program code from the memory 162 and execute it. Executing the program code may cause the control unit 160 to perform techniques associated with one or more of the following: obtaining and/or analyzing status data of the automation system 100; obtaining and/or analyzing sensor data describing an environmental impact of the automation system; performing a comparison between the status data and the sensor data; and monitoring the integrity of the automation system.

FIG. 4 is a flow chart of an exemplary method. The method according to the example of fig. 4 may be implemented, for example, by the control unit 120 or by the control unit 160.

First, in block 1001, status data is obtained. The status data describes an operating status of the automation system. For example, status data may be obtained from one or more control units of the automation system or directly from actuators or sensors of the automation system.

For example, the status data may include a status of the operating software of the automation system. The status data may comprise at least one element of the following group: component registration of a plurality of active components of the automation system; component activities of a plurality of components of the automation system; an error state of the operating software of the automation system; parameters of a communication interface of the automation system; and resource allocation of computer hardware of the automation system.

For example, the component registration may list all active components registered at a central control unit of the automation system. Logged-off components may be listed accordingly. This gives an overview of which components of the automation system can in principle have an environmental impact.

For example, component activity may represent the capacity utilization or run-time of the different components. For an actuator, for example, the amplitude of its activity may be described. This makes it possible to estimate the intensity of the environmental impact caused by the actuators of the automation system.

The error state may correspond, for example, to a log file of the operating software. For example, an unexpected termination of the program software may be recorded in the log file. Erroneous memory accesses may also be recorded, as may rejected illegitimate access attempts. Alternatively, all executed processes may be represented.

The parameters of the communication interfaces of the automation system may indicate, for example, the activities and possible communication partners of the communication interfaces. For example, a record of the exchanged data may be stored. For example, the encryption used may be indicated. For example, active communication connections and the associated applications may be recorded.

The resource allocation of the computer hardware may describe, for example, the utilization (Auslastung) of the working memory, of persistent storage or of the available processors.

In block 1002, sensor data is obtained. For example, the sensor data may be obtained from one or more sensors of the automation system. Alternatively or additionally, sensor data may be obtained from one or more external sensors. The sensor data may quantify a physical measurement variable or observable that describes the environmental impact of the automation system. For example, one or more of the following physical observables may be described by the sensor data: temperature; traffic flow; products produced; defective products; pressure; volume; speed; position; current; voltage; generated electrical energy, and the like.

Then, in block 1003, the comparison between the status data from block 1001 and the sensor data from block 1002 is performed. For example, a correlation between the status data and the sensor data may be computed; the sensor data may be fused with the status data.

In principle, other data can also be considered within the scope of the comparison in block 1003. For example, it would be possible to also obtain control data for one or more actuators of the automation system, which actuators cause environmental influences. The control data may then also be considered in the comparison in block 1003.

Deviations of the environmental impact from a reference can be taken into account in the comparison. The reference may be determined from the status data, for example using a deterministic or an empirical model.

In block 1004, the integrity of the automation system is monitored based on the comparison from block 1003. Finally, in block 1005 (optionally), countermeasures and/or warnings may be triggered based on the monitoring from block 1004. For example, a log file may be created from the monitoring that correlates the monitored status with the serial numbers of the products of the automation system. It can then also be checked whether individual products or product batches may have been affected by a compromise of integrity. It is also possible to output warnings via a user interface and/or to automatically switch the operation of the automation system into a protected state as a function of the monitoring. In the protected state, the environmental impact may be limited, for example, so that personnel etc. are not endangered. It is also possible to disable the communication interfaces of the automation system 100 so that a possible illegitimate access cannot proceed any further.

Fig. 5 schematically illustrates aspects of the fusion of different data regarding an automation system. As can be seen in fig. 5, the status data 181 and/or the control data 182 are obtained from a subset of the actuators 101, 103, 105. The status data 181 may describe the operational status of the respective actuators 101, 103, 105. The control data 182 may describe the type or intensity of the environmental impact of the respective actuators 101, 103, 105.

Further, sensor data 183 is obtained from the sensors 111, 112, 151, 152. The sensor data describes the environmental impact of the automation system 100.

In the example of fig. 5, status data 181 is furthermore acquired from the hardware resources 118, 119. Furthermore, status data 181 is acquired from the central control unit 120.

All these data 181, 182, 183 are provided to the control unit 160. The control unit may then perform a fusion of the data, i.e. a comparison between the different data 181, 182, 183. Based on the comparison, the integrity of the automation system may be monitored. This is also shown in association with fig. 6.

Fig. 6 illustrates aspects regarding comparison of different data 181, 182, 183. Fig. 6 illustrates, in particular, the manner in which control unit 160 or control unit 120 operates, for example, with regard to monitoring integrity, wherein, for example, damage to integrity due to impermissible or even unauthorized access 90 can be detected.

As can be seen in fig. 6, model 250 is used for comparison. As a result, a result signal 189 is obtained. Result signal 189 may indicate, for example, whether there is a compromise in integrity and/or illegal access 90. The result signal 189 may indicate the corresponding probability. The resulting signal may trigger a warning and/or countermeasure.

In some examples, a deterministic model 250 can be used. The deterministic model 250 may be pre-given and may be created, for example, based on the physical relationships and/or the architecture of the automation system 100. For example, the model 250 may indicate a plausibility range of the sensor data as a function of the status data 181. Within the scope of the comparison, it is then checked whether the sensor data indicates an environmental impact within the plausibility range; if this is not the case, a compromise of integrity may be assumed. This technique is illustrated in fig. 7.

Fig. 7 illustrates aspects related to a comparison of status data 181 and sensor data 183. For example, the corresponding mode of operation may be implemented by the model 250.

In the example of fig. 7, the status data 181 indicates the activity 301 of the actuator as a function of time. In the example of fig. 7, the activity 301 of the actuator fluctuates between two values (solid line).

Also shown in fig. 7 is a reference 310 (dashed line) obtained from the activity 301 according to the model 250. The corresponding plausibility range 311 is shown hatched. A deviation from the plausibility range 311 may be identified, for example, by means of anomaly detection.

Fig. 7 also shows the temporal course of the environmental impact 306, for example the temperature in the surroundings of the respective actuator, as measured by the sensor data 183. It can be seen that from a certain point in time the measured environmental impact 306 leaves the plausibility range 311, i.e. the distance 312 between the measured environmental impact 306 and the reference 310 exceeds the permitted deviation; from this point on, a compromise of integrity, for example due to an illegitimate access 90, may be assumed.
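The flow of blocks 1001 to 1005 in fig. 4 and the plausibility check of fig. 7 can be shown in code. The following Python example is added here and is not part of the patent text: it assumes a first-order thermal model as the deterministic model 250 (ambient temperature, gain and time constant are made-up coefficients), a fixed-width plausibility range 311 around the reference 310, and a constructed sample series in which the actuator activity 301 alternates between two values while the measured temperature 306 drifts away from the reference after a certain point. The timestamped log lines and the mapping to product serial numbers correspond to block 1005.

```python
"""Deterministic integrity check (fig. 4, fig. 7): actuator activity from the
status data 181 is turned into a reference temperature 310 by an assumed
first-order heat balance; the measured temperature 306 must stay within the
plausibility range 311. Added example with constructed data, not from the
patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int            # timestamp in seconds
    activity: float   # status data 181: actuator activity 301, duty cycle 0..1
    temp_c: float     # sensor data 183: environmental impact 306, temperature
    serial: str       # serial number of the product being processed at time t


# Assumed parameters of the deterministic model 250 (first-order heat balance)
AMBIENT_C = 20.0    # ambient temperature
GAIN_C = 30.0       # steady-state temperature rise at full activity
TAU_S = 60.0        # thermal time constant
DT_S = 10           # sampling interval of status and sensor data
TOLERANCE_C = 3.0   # half-width of the plausibility range 311


def reference_trajectory(activities, start_c=AMBIENT_C):
    """Reference 310: the temperature the model 250 predicts from activity 301."""
    temp = start_c
    refs = []
    for a in activities:
        steady = AMBIENT_C + GAIN_C * a
        temp += (steady - temp) * DT_S / TAU_S   # explicit Euler step
        refs.append(temp)
    return refs


def compare(samples, tolerance=TOLERANCE_C):
    """Blocks 1003 and 1004: per-sample result signal 189 with distance 312."""
    refs = reference_trajectory(s.activity for s in samples)
    findings = []
    for s, ref in zip(samples, refs):
        distance = s.temp_c - ref                  # distance 312 in fig. 7
        findings.append({
            "t": s.t,
            "serial": s.serial,
            "reference": round(ref, 2),
            "distance": round(distance, 2),
            "compromised": abs(distance) > tolerance,
        })
    return findings


def affected_serials(findings):
    """Block 1005: products whose processing overlapped an implausible reading."""
    return sorted({f["serial"] for f in findings if f["compromised"]})


def log_lines(findings):
    """Block 1005: timestamped log of the monitoring result."""
    return [f"{f['t']:>5}s serial={f['serial']} ref={f['reference']:.2f} "
            f"dist={f['distance']:+.2f} {'ALERT' if f['compromised'] else 'ok'}"
            for f in findings]


def constructed_samples(n=24, tamper_from=15):
    """Constructed input: activity alternates between 0.8 and 0.2 (as in fig. 7).
    The measured temperature follows the model until index `tamper_from`; after
    that the surroundings heat up more than the reported activity explains, as
    when the actuator is driven via manipulated control communication while the
    status data still reports the nominal activity."""
    activities = [0.8 if (i // 3) % 2 == 0 else 0.2 for i in range(n)]
    refs = reference_trajectory(activities)
    samples = []
    for i, (a, ref) in enumerate(zip(activities, refs)):
        offset = 0.5                                   # ordinary measurement error
        if i >= tamper_from:
            offset += 1.0 * (i - tamper_from + 1)      # growing unexplained heating
        samples.append(Sample(t=i * DT_S, activity=a, temp_c=ref + offset,
                              serial=f"P{i // 4:02d}"))
    return samples


if __name__ == "__main__":
    result = compare(constructed_samples())
    print("\n".join(log_lines(result)))
    print("possibly affected products:", affected_serials(result))
```

Run as a script to print the log. In a real deployment the reference trajectory would be restarted from the last trusted measurement rather than from ambient temperature, and the tolerance would be derived from the sensor's specified accuracy and the model's known error rather than chosen by hand.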

The model 250 need not be derived deterministically, for example by means of a digital twin simulation model created during the design of the machine or plant; machine learning techniques may also be used. This is shown in fig. 8.

FIG. 8 illustrates aspects related to determining the reference 310 or the model 250. In fig. 8, data 181, 182, 183 are obtained from the system 100 or the sensors 151, 152 during an operating phase 191. The monitoring of integrity is performed during the operating phase.

The reference status data 181A, 181B and the reference sensor data 183A, 183B are obtained during two learning phases 192, 193. Optionally, reference control data 182A, 182B may also be obtained. In general, a single learning phase may be sufficient.

For example, learning phase 193 can be defined at the initial commissioning of the automation system 100, where operation can take place under supervision. Learning phase 192 may correspond to normal operation of the automation system 100, i.e. the reference data 181A, 182A, 183A are historical data from normal operation.

It is then possible to determine the empirical model 250 from these reference data 181A, 182A, 183A, 181B, 182B, 183B. In particular, the reference 310 can then be determined relative to normal operation, so that deviations from normal operation are detected. The laborious construction of a deterministic model is then unnecessary. Furthermore, different data sources can be taken into account flexibly, which facilitates the extensibility of the model 250. For example, the model 250 may be determined empirically using machine learning techniques.
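As an added illustration of the learning phases of fig. 8 and of the fusion of several sensors (fig. 5, with the system-independent sensors 151, 152 weighted differently as mentioned for fig. 1), the following Python example is not from the patent. It learns a per-activity-level mean and standard deviation as the empirical model 250 from constructed reference sensor data 183A, applies a z-score bound as the plausibility range 311, and weights an assumed external sensor 151 higher than an assumed internal sensor 111. A cross-sensor agreement check separates the case where one sensor contradicts the others (sensor manipulation) from the case where all sensors agree but contradict the status data (manipulated operating state or control communication). The weights, the tolerance and all readings are assumptions.

```python
"""Empirical model 250 learned in a learning phase (fig. 8) plus fusion of
several sensors (fig. 5). Added example with constructed data; not from the
patent. Status data 181 are taken to be discrete actuator activity levels,
sensor data 183 come from an internal sensor 111 and an external, physically
protected sensor 151."""
import math
from collections import defaultdict
from statistics import mean, pstdev


class EmpiricalModel:
    """Plausibility profile of one sensor, keyed by the actuator activity level."""

    def __init__(self, k=3.0, min_samples=5):
        self.k = k                    # z-score bound of the plausibility range 311
        self.min_samples = min_samples
        self.profile = {}             # activity level -> (mean, std) of the reading

    def learn(self, reference):
        """reference: (activity, reading) pairs from learning phase 192 or 193."""
        buckets = defaultdict(list)
        for activity, reading in reference:
            buckets[activity].append(reading)
        for activity, readings in buckets.items():
            if len(readings) < self.min_samples:
                continue              # too little evidence for a reference 310
            self.profile[activity] = (mean(readings), max(pstdev(readings), 1e-6))

    def zscore(self, activity, reading):
        if activity not in self.profile:
            return math.inf           # operating state never seen: implausible
        mu, sigma = self.profile[activity]
        return (reading - mu) / sigma

    def plausible(self, activity, reading):
        return abs(self.zscore(activity, reading)) <= self.k


# Assumed fusion parameters: the external sensor 151 cannot be reached over the
# network, so its vote counts double; healthy sensors should agree within 2 C.
SENSOR_WEIGHTS = {"111": 1.0, "151": 2.0}
AGREEMENT_TOL_C = 2.0


def fuse(models, weights, activity, readings, agreement_tol=AGREEMENT_TOL_C):
    """Result signal 189 for one time step: weighted share of implausible sensors,
    plus a cross-sensor check that tells sensor manipulation apart from a
    manipulated operating state."""
    votes = {sid: models[sid].plausible(activity, readings[sid]) for sid in readings}
    total = sum(weights[sid] for sid in readings)
    bad = sum(weights[sid] for sid, ok in votes.items() if not ok)
    score = round(bad / total, 2)
    spread = max(readings.values()) - min(readings.values())
    if score == 0:
        verdict = "ok"
    elif spread > agreement_tol:
        verdict = "sensor manipulation suspected"      # sensors contradict each other
    else:
        verdict = "status or control data inconsistent with environment"
    return {"activity": activity, "score": score, "votes": votes, "verdict": verdict}


# Constructed data ----------------------------------------------------------
ACTIVITY_LEVELS = (0.2, 0.8)
JITTER = (-0.5, -0.25, 0.0, 0.25, 0.5)


def constructed_learning_phase():
    """Reference sensor data 183A: temperature follows an assumed 20 + 30*activity
    relation plus measurement jitter; ten samples per activity level."""
    return [(a, 20.0 + 30.0 * a + j) for a in ACTIVITY_LEVELS
            for _ in range(2) for j in JITTER]


def constructed_operating_phase():
    """(activity from status data 181, readings from sensor data 183) per step."""
    return [
        (0.8, {"111": 44.3, "151": 43.9}),  # healthy
        (0.8, {"111": 44.2, "151": 50.0}),  # 111 reports nominal, protected 151 sees heating
        (0.2, {"111": 44.0, "151": 43.8}),  # status claims low activity, both sensors hot
    ]


def build_models():
    models = {}
    for sid in SENSOR_WEIGHTS:
        m = EmpiricalModel()
        m.learn(constructed_learning_phase())
        models[sid] = m
    return models


def run():
    models = build_models()
    return [fuse(models, SENSOR_WEIGHTS, activity, readings)
            for activity, readings in constructed_operating_phase()]


if __name__ == "__main__":
    for r in run():
        print(f"activity={r['activity']} score={r['score']} {r['verdict']}")
```

The per-level profile is the simplest empirical model that fits the text; in practice the learning-phase data must themselves be trusted, which is why learning during supervised commissioning (phase 193) or against a second, independently operated system (fig. 9) matters. An operating state that never occurred in the learning phase is treated as implausible here rather than silently accepted.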

Instead of or in addition to defining the reference data over a period of time in the learning phases 192, 193, it is also possible to derive the reference 310 from the operation of another automation system. A corresponding technique is illustrated in fig. 9.

FIG. 9 illustrates aspects related to determining the reference 310 or the model 250. Fig. 9 shows that, in addition to monitoring the operation of the automation system 100, the operation of a further automation system 100' can also be monitored. The respective reference status data 181', reference control data 182' and reference sensor data 183' may be obtained from the other automation system 100'. This allows the reference 310 to be determined.

It goes without saying that the features of the previously described embodiments and aspects of the invention can be combined with one another. In particular, these features can be used not only in the combination described, but also in other combinations or alone without leaving the scope of the invention.

For example, the techniques described herein may also be used to monitor the integrity of other systems, such as sensor-actuator systems in general, e.g., autonomous machines.

Although various examples are described above in association with compromise of the integrity of an automation system due to illegitimate access, it will also be possible in some other examples to monitor compromise of integrity due to other triggering events.
