Safety-relevant diagnostic messages

Document no.: 214433   Published: 2021-11-05

Note: This technology, "Safety-relevant diagnostic messages", was created by Benjamin Lutz (本杰明·卢茨) and Anna Palmin (安娜·帕尔明) on 2020-03-16. Abstract: The invention provides a method comprising: a) receiving a diagnostic message generated by a technical object (7) of a technical installation; b) analyzing the diagnostic messages in order to identify, by means of comparison data records, those diagnostic messages that are relevant to the security of the operation of the technical installation, wherein within the scope of the analysis a machine learning network is used to evaluate the security relevance of the diagnostic messages, the machine learning network having been trained beforehand by specific inputs of an operator of the technical installation who evaluates past diagnostic messages with regard to their security relevance; c) if necessary, adapting the previously identified diagnostic messages to the requirements of a computer-implemented security module (15) of the technical installation; d) transmitting the previously identified and, if appropriate, adapted diagnostic messages to the computer-implemented security module (15) of the technical installation.

1. A method, comprising:

a) receiving a diagnostic message generated by a technical object (7) of a technical installation, in particular a manufacturing or process installation;

b) analyzing the diagnostic messages in order to identify, by means of a comparison data record, diagnostic messages that are relevant to the security of the operation of the technical installation, wherein, within the scope of the analysis of the diagnostic messages, a machine learning network, in particular a neural network, is used to evaluate the security relevance of the diagnostic messages, which machine learning network has been trained beforehand by means of specific inputs of an operator of the technical installation who evaluates past diagnostic messages with respect to their security relevance;

c) if necessary, adapting the diagnostic messages previously identified as relevant to the requirements of a computer-implemented security module (15) of the technical installation;

d) transmitting the previously identified and, if appropriate, adapted diagnostic messages to the computer-implemented security module (15) of the technical installation.

2. The method according to claim 1, wherein the diagnostic messages transmitted to the computer-implemented security module (15) are graphically presented to an operator of the technical installation.

3. The method according to any of the preceding claims, wherein a message category and/or a message type of a diagnostic message is taken into account during automatic evaluation of the security relevance of the diagnostic message.

4. The method according to any of the preceding claims, wherein the diagnostic messages previously identified as relevant are adapted to a standard data format, preferably to the Common Event Format (CEF), before being transmitted to the computer-implemented security module (15) of the technical installation.

5. A control system (1) for a technical installation, in particular a manufacturing or process installation, comprising an operator station server (2), a computer-implemented analysis module (11), a computer-implemented adaptation module (12) and a computer-implemented security module (15), wherein the analysis module (11) and the adaptation module (12) are implemented on the operator station server (2),

wherein the computer-implemented analysis module (11) is designed and arranged

to receive diagnostic messages generated by a technical object (7) of the technical installation, in particular a manufacturing or process installation, and to analyze the diagnostic messages in order to identify diagnostic messages that are relevant to the security of the operation of the technical installation,

wherein the computer-implemented analysis module (11) is designed and arranged to use a machine learning network, in particular a neural network, for evaluating the security relevance of the diagnostic messages within the scope of the analysis of the diagnostic messages, the machine learning network having been trained beforehand by means of specific inputs of an operator of the technical installation who evaluates past diagnostic messages with respect to their security relevance;

and wherein the computer-implemented analysis module (11) is designed and arranged to forward the diagnostic messages previously identified as relevant to the computer-implemented adaptation module (12),

and wherein the computer-implemented adaptation module (12) is designed and arranged to adapt, if necessary, the diagnostic messages previously identified as relevant by the computer-implemented analysis module (11) to the requirements of the computer-implemented security module (15),

and wherein the computer-implemented adaptation module (12) is designed and arranged to forward the diagnostic messages previously received from the computer-implemented analysis module (11) to the computer-implemented security module (15).

6. A control system (1) according to claim 5, further having an operator station client (3) designed and arranged to receive diagnostic messages from the operator station server (2) and to present the diagnostic messages to an operator of the technical installation.

Technical Field

The invention relates to a method having the features of claim 1. The invention also relates to a control system for a technical installation, in particular a manufacturing or process installation, according to claim 5.

Background

Given the increasing threat potential to technical installations, it is important to actively identify possible attacks, anomalies and signs of policy violations and to retain security-relevant information over the long term with the aid of suitable tools. Such positive identification, and the traceability based on long-term retention of security-relevant information, is more important than ever for operators of critical infrastructure.

So-called Security Information and Event Management (SIEM) tools, which detect, correlate and store so-called security events over a long period of time and generate alarms from the correlation results, significantly raise the level of protection of components, systems and installations and help to meet the requirements of the relevant standards. Corresponding requirements are laid down, for example, in the standard IEC 62443-3-3.

An important prerequisite for the effective and successful use of such tools is that the components and systems used in industrial installations can detect the various security events and provide them via standardized interfaces.

For example, the Siemens industrial controller SIMATIC S7-410 supports the security events set out in the standard IEC 62443-3-3. In this case the CPU of the controller can send the security events as syslog messages to up to four external SIEM servers.

Another important prerequisite is a set of correlation rules tailored to the respective technical installation, which is used to identify various attack scenarios and indications of violations of mandatory policies. Such rules can be classified as general, standard-specific, industry-specific, IT-specific, manufacturer-specific and installation-specific.

In recent years, tests of various SIEM tools and anomaly detection tools in industrial environments have produced the following findings:

Security events and detected network anomalies, although important, may be insufficient for the comprehensive detection of attacks and deviations, in particular of so-called "complex attacks" that make targeted use of weak points in a specific environment. With security events the problem is, in particular, that they are defined by the device, software or system manufacturer in the design phase, and not every scenario that later turns out to be possible when the technical installation is in use is known or foreseeable at that stage.

With anomaly detection tools the reason is that such a tool either detects only already known network attacks (e.g. IP spoofing) or has to learn the normal behaviour of the system over a longer period, after which it can merely estimate that a deviation from normal behaviour may be present, while completely ignoring information from the devices themselves (e.g. security events).

In order to carry out security diagnosis and attack detection that is as comprehensive as possible and tailored to the respective installation, further information should also be taken into account, in particular the system and installation diagnostic messages recorded by the various installation components, i.e. by the operator station servers, the automation devices and the field devices. Although these messages are not security-relevant by definition, they can prove to be security-relevant in the specific installation scenario.

For example, all device diagnostic messages of the automation and field level of the technical installation, of the network devices along the levels of the automation pyramid, and of the operator station server itself are aggregated in the operator station server.

The field devices report their diagnostic data as device diagnostic messages to the associated automation device, and the network devices do the same. The automation device aggregates its own device diagnostic messages with those of the field devices and the network devices and reports them to the operator station server. The operator station server aggregates its own diagnostic data with its own device diagnostic messages and the aggregated device diagnostic messages of the automation devices and reports them to the maintenance station.

Thus, for each sub-installation, all installation diagnostic messages are already available at the level of the operator station server, and these installation diagnostic messages may be relevant to a security analysis.

Here, a device diagnostic message is a message (for example a process alarm) that contains a large number of accompanying values in addition to the message text and is designed mainly for maintenance tasks. Since a large number of devices are involved in the control system of a technical installation and each device produces a large number of diagnostic messages, each operator station server holds a very large number of diagnostic messages. Although it would be technically possible to have the SIEM system evaluate all recorded device diagnostic messages, this is not expedient, since not every diagnostic message is security-relevant in a specific installation scenario, and not every diagnostic message is suitable for security analysis.

IT professionals are usually responsible for installing SIEM systems in technical installations on site. Such professionals typically have no (or only superficial) knowledge of the automation components installed in the installation, their diagnostic messages and their security events. The IT professional can therefore create the correlation rules required for anomaly detection only inadequately (or not without the support of the installation personnel or automation professionals) and can hardly adapt them optimally to the respective technical installation.

However, the installation personnel are usually occupied primarily with maintenance tasks for the availability and operation of the installation, so that joint development of the required correlation rules takes place only to a small extent or not at all. As a result, an inordinate volume of all kinds of information (including a wide variety of device diagnostic messages) enters the SIEM system.

Evaluating this information fully automatically in real time according to specific IT- or network-oriented and in some cases very generic correlation or detection rules does identify standard attacks (e.g. denial of service, IP spoofing), but not targeted, installation-specific attacks. With the fully automatic evaluation known hitherto, it is also not possible to involve the relevant automation and installation professionals where necessary when evaluating specific installation diagnostic messages with regard to their security relevance.

Disclosure of Invention

The object of the present invention is to provide a more effective way of handling alarms, from a security point of view, by the control system of a technical installation.

This object is achieved by a method having the features of claim 1. The object is also achieved by a control system for a technical installation, in particular a manufacturing or process installation, according to claim 5. Advantageous developments emerge from the dependent claims.

According to the invention, a method of the type described in the opening paragraph comprises the following steps:

a) receiving a diagnostic message generated by an object of a technical installation, in particular a manufacturing or process installation;

b) analyzing the diagnostic messages in order to identify diagnostic messages that are relevant to the security of the operation of the technical installation, wherein, within the scope of the analysis of the diagnostic messages, a machine learning network, in particular a neural network, is used to evaluate the security relevance of the diagnostic messages, the machine learning network having been trained beforehand by means of specific inputs of an operator of the technical installation who evaluates past diagnostic messages with regard to their security relevance;

c) if necessary, adapting the diagnostic messages previously identified as relevant to the requirements of a computer-implemented security module of the technical installation;

d) transmitting the previously identified and, if appropriate, adapted diagnostic messages to the computer-implemented security module of the technical installation.

The technical installation can be an installation from the process industry (for example chemical, pharmaceutical or petrochemical) or from the food and beverage industry. It also includes any installation from the manufacturing industry, such as plants producing all types of vehicles or goods. Technical installations suitable for carrying out the method according to the invention can also come from the field of energy production. Wind turbines, solar plants and power plants for generating electricity also count as technical installations in this sense.

The installation has a control system, or at least one computer-aided module, for controlling and regulating the work or production being carried out. In the present context, a control system is understood to be a computer-aided technical system comprising functions for displaying, operating and controlling a technical system such as a manufacturing or production facility. In the present case the control system comprises sensors for acquiring measured values and various actuators. Furthermore, the control system comprises so-called process- or production-related components for actuating the actuators or sensors. The control system also has means for visualizing the technical installation and for engineering. A control system is also understood to include further computing units for more complex controls and systems for data storage and processing.

The technical object can generally be an individual sensor or actuator of the technical installation. However, the technical object may also be a combination of a plurality of sensors and/or actuators (e.g. a motor, reactor, pump or valve system).

A message is generally understood to mean the report of an event, i.e. a transition from one discrete state to another, within a technical installation. A diagnostic message is a specific type of message that contains additional accompanying values alongside the message text. Diagnostic messages (also referred to as device diagnostic messages) are generated in the technical installation in relation to the respective technical object and are primarily directed at maintenance tasks.

An operator is understood to be a person who operates the technical installation. The operator interacts with the technical installation or its control system by means of a specific user interface and controls specific technical functions of the installation. For this purpose the operator may use the operating and monitoring system of the control system.

According to the invention, a diagnostic message is first received from a technical object of the technical installation and then analyzed. In this analysis, comparison data records are used which enable the identification of diagnostic messages relevant to the security of the operation of the technical installation. In other words, the received diagnostic messages are classified as security-relevant or not security-relevant according to previously known data patterns.

Within the scope of analyzing the diagnostic messages to assess their security relevance, a machine learning network, in particular a neural network, is employed which has been trained beforehand on the evaluation data relating to earlier diagnostic messages. The machine learning network is trained by specific inputs of an operator of the technical installation, who evaluates past diagnostic messages with regard to their security relevance.

If necessary, the diagnostic message is then converted in order to adapt it to the requirements of the computer-implemented security module. Such requirements may arise, for example, from the content and structure of so-called auditable events, also referred to as security events, as defined in the standard IEC 62443-3-3. If necessary, a diagnostic message previously identified as relevant is then adapted or transformed according to what IEC 62443-3-3 specifies.

The previously identified and, if appropriate, adapted diagnostic messages are finally transmitted to a computer-implemented security module of the technical installation. Such a security module may be, for example, a SIEM system.

By filtering the diagnostic messages (and adapting them if necessary), the amount of information forwarded to the downstream security analysis tools (or security modules) can be substantially reduced, while the information content and its usefulness for attack detection in the technical installation are significantly improved.

In an advantageous development of the invention, the diagnostic messages transmitted to the computer-implemented security module are also presented graphically to an operator of the technical installation. The operator thereby obtains an overview of the security-relevant state of the technical installation.

The machine learning network can be trained further through additional evaluations by the operator, for example in order to adapt it to changing security boundary conditions.

During the automatic evaluation of the security relevance of a diagnostic message, the message category and/or the message type of the diagnostic message may be taken into account. Message categories are, for example, "automation station control technology message", "operator station server control technology message", "operator message" or "process message". The message type may be, for example, "alert" or "interference". The background is that individual diagnostic messages are usually already assigned to message categories and message types, which can considerably simplify the classification described above.

In a preferred development of the method, the diagnostic messages previously identified as relevant are adapted to a standard data format, preferably to the Common Event Format (CEF), before they are transmitted to the computer-implemented security module of the technical installation.
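The adaptation step c) and the Common Event Format development above, in the form a practitioner would implement them. This is an added example and not the patent's code: a Python sketch of an adaptation module that turns a diagnostic message already identified as relevant into a CEF line (header fields vendor, product, version, signature ID, name, severity; extension as key=value pairs) and wraps it in an RFC 5424 syslog frame for the SIEM. The message fields, the vendor and product strings, the severity mappings, the choice of extension keys and the sample message are all assumptions of this example. The extension is laid out so that the record fields IEC 62443-3-3 asks for in auditable events (timestamp, source, category, type, event ID, result) are present, which lets the SIEM correlate a diagnostic message like a native security event.

```python
"""Adaptation module (added example, not the patent's code): convert a
diagnostic message identified as security-relevant into ArcSight Common Event
Format (CEF) and wrap it in an RFC 5424 syslog frame for the SIEM (security
module). Field names, severity mappings and the sample message are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

CEF_VERSION = 0


@dataclass
class DiagnosticMessage:
    message_id: str           # device-side message identifier, used as CEF signature ID
    source: str               # technical object that raised the message
    category: str             # e.g. "automation station control technology message"
    msg_type: str             # e.g. "alert", "interference"
    text: str
    timestamp: datetime
    outcome: str = "failure"  # event result, as IEC 62443-3-3 audit records carry it
    values: dict = field(default_factory=dict)  # accompanying values


def _escape_header(value):
    """CEF header fields: backslash and pipe are the only special characters."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


# Mappings chosen for this example: CEF severity is 0-10, syslog severity 0-7.
CEF_SEVERITY = {"alert": 7, "interference": 5}
SYSLOG_SEVERITY = {"alert": 2, "interference": 4}   # 2 = critical, 4 = warning


def to_cef(msg, vendor="ExamplePlant", product="OperatorStationServer", version="1.0"):
    header = "|".join([
        f"CEF:{CEF_VERSION}",
        _escape_header(vendor), _escape_header(product), _escape_header(version),
        _escape_header(msg.message_id),      # signature ID
        _escape_header(msg.text),            # name
        str(CEF_SEVERITY.get(msg.msg_type.lower(), 3)),
    ])
    # Accompanying values are packed into one custom string; the '=' inside
    # them is exactly what the extension escaping exists for.
    packed = ";".join(f"{k}={v}" for k, v in msg.values.items())
    extension = {
        "rt": int(msg.timestamp.timestamp() * 1000),   # receipt time, ms since epoch
        "dvchost": msg.source,
        "cat": msg.category,
        "cs1Label": "messageType", "cs1": msg.msg_type,
        "cs2Label": "accompanyingValues", "cs2": packed,
        "outcome": msg.outcome,
        "msg": msg.text,
    }
    return header + "|" + " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())


def split_cef_header(line):
    """Split a CEF line into its seven header fields plus the raw extension,
    honouring escaped pipes (a naive line.split('|') would not)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    fields.append(line[i:] if len(fields) == 7 else "".join(cur))
    return fields


def to_syslog(msg, hostname, app="alarm-service", facility=16):
    """RFC 5424 frame; facility 16 is local0. Transport is out of scope here."""
    pri = facility * 8 + SYSLOG_SEVERITY.get(msg.msg_type.lower(), 5)
    return f"<{pri}>1 {msg.timestamp.isoformat()} {hostname} {app} - - - {to_cef(msg)}"


# Constructed sample: a relevant message whose text contains '|' and whose
# accompanying values contain '='.
SAMPLE = DiagnosticMessage(
    message_id="AS01:DIAG:4711",
    source="AS01/PN-IO",
    category="automation station control technology message",
    msg_type="alert",
    text="Station AS01 | PROFINET device lost",
    timestamp=datetime(2021, 11, 5, 10, 15, 30, tzinfo=timezone.utc),
    values={"device_name": "IM155-6", "ip": "192.0.2.17", "note": "a=b"},
)

if __name__ == "__main__":
    print(to_syslog(SAMPLE, "os-server-01"))
```

Two caveats the example makes explicit: the CEF header and the extension have different escaping rules, and a consumer that splits on `|` without honouring `\|` will mis-parse any message text that contains a pipe (split_cef_header shows the correct tokenization). Transport is deliberately left out; the SIEM input is a trust boundary, so the frame should travel over TLS-protected syslog rather than plain UDP.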

Furthermore, the above object is achieved by a control system for a technical installation, in particular a manufacturing or process installation, comprising an operator station server, a computer-implemented analysis module, a computer-implemented adaptation module and a computer-implemented security module, wherein the analysis module and the adaptation module are implemented on the operator station server. The computer-implemented analysis module is designed and arranged to receive diagnostic messages generated by technical objects of the technical installation and to analyze them in order to identify the diagnostic messages that are relevant to the security of the operation of the technical installation. For this purpose the analysis module uses a machine learning network, in particular a neural network, to evaluate the security relevance of the diagnostic messages, the machine learning network having been trained beforehand by means of specific inputs of an operator of the technical installation who evaluates past diagnostic messages with regard to their security relevance. The analysis module is furthermore designed and arranged to forward the diagnostic messages previously identified as relevant to the computer-implemented adaptation module. The adaptation module is designed and arranged to adapt, if necessary, the diagnostic messages previously identified as relevant by the analysis module to the requirements of the computer-implemented security module, and to forward the diagnostic messages received from the analysis module to the computer-implemented security module.

An "operator station server" is understood to mean a server that centrally records the data of the operating and monitoring system, generally the alarms and measured-value profiles of the process control system of the technical installation, and provides them to users. The operator station server usually establishes a communication connection to the automation systems of the technical installation and forwards the data of the technical installation to a so-called client, which is used to operate and monitor the operation of the individual functional elements of the technical installation. The operator station server may be, but is not limited to, a Siemens SIMATIC PCS 7 industrial workstation server.

Particularly preferably, the control system also has an operator station client which is designed and arranged to receive diagnostic messages from an operator station server and to present them to an operator of the technical installation.

Drawings

The above-described features, characteristics and advantages of the invention, and the manner in which they are achieved, will become clearer and more readily understandable from the following description of an embodiment, which is explained in detail in conjunction with the drawing.

Detailed Description

The drawing shows part of a control system 1 according to the invention, designed for a technical installation in the form of a process engineering installation. The control system 1 comprises an operator station server 2 of the operating and monitoring system and an associated operator station client 3. The operator station server 2 and the operator station client 3 are connected to each other via a terminal bus 4 and to further components of the control system 1 that are not shown, such as an engineering system server or a process data archive.

In the operating and monitoring scenario, a user or operator accesses the operator station server 2 via the terminal bus 4 by means of the operator station client 3. The terminal bus 4 may be, for example, an Industrial Ethernet, but is not limited thereto.

The operator station server 2 has a device interface 5 connected to a device bus 6. Via the device interface 5 the operator station server 2 can communicate with an (external) device 7, i.e. a technical object of the installation. The connected device 7 can optionally also be an application, in particular a web application. Any number of devices and/or applications may be connected to the operator station server 2 within the scope of the invention. The device bus 6 can be, but is not limited to being, an Industrial Ethernet. The device 7 may in turn be connected to any number of subsystems (not shown).

A visualization service 8 is integrated into the operator station server 2, via which (visualization) data can be transmitted to the operator station client 3. Furthermore, the operator station server 2 has a process image 9 and an alarm service 10. The alarm service 10 in turn comprises a computer-implemented analysis module 11 and a computer-implemented adaptation module 12.

The alarm service 10 accesses the process image 9 in order to obtain the diagnostic messages of the respective device 7. The received diagnostic messages are first analyzed by the computer-implemented analysis module 11 so that the diagnostic messages relevant to the security of the operation of the technical installation are identified. For this purpose, the analysis module 11 accesses a database 13 in which rules for classifying the individual diagnostic messages with regard to the operational security of the technical installation are stored.

The computer-implemented adaptation module 12 adapts the diagnostic messages previously identified as relevant to a specific target format, for example the Common Event Format, if necessary.

The diagnostic messages identified as relevant and, where applicable, converted are then transmitted to the message sequence display (alarm control) 14 of the control system 1. The corresponding operating screens of the message sequence display 14 are presented graphically on the operator station client 3 for the operator of the control system 1. In addition, these diagnostic messages are transmitted for further processing to a computer-implemented security module 15, which is designed as a SIEM system.

If a new and unknown diagnostic message type is received, the alarm service 10 informs the operator, by means of the message sequence display 14, that new rules have to be stored in the database 13 so that this diagnostic message type can be processed correctly.
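The analysis described in step b) of the method, the use of message category and message type during the evaluation, the further training by operator evaluations, and the embodiment's rule database 13 with its notification for unknown message types, combined into one runnable sketch. This is an added example, not the patent's or any product's code: a Python analysis module that first consults comparison data records (explicit rules keyed by message category, message type and a text pattern), then a model trained on past messages the operator evaluated, and that reports a message type unknown to both so the operator is asked to store a rule. The patent names a neural network; a naive Bayes classifier is substituted here so the example runs without dependencies. The rules, the past messages and their operator verdicts are constructed, and every name is an assumption.

```python
"""Analysis module of the alarm service (added example, not the patent's code).
A diagnostic message is classified as security-relevant first by comparison
data records (rules keyed by message category, message type and a text
pattern; the embodiment's database 13), then by a model trained on past
messages the operator evaluated; a message type unknown to both is reported so
the operator can add a rule. Names, rules, messages and verdicts are assumed."""
from collections import Counter
from dataclasses import dataclass
import math
import re


@dataclass(frozen=True)
class Diag:
    category: str   # e.g. "process message"
    msg_type: str   # e.g. "alert", "interference"
    text: str


def features(m):
    """Message category and type are features alongside the text tokens."""
    toks = re.findall(r"[a-z0-9]+", m.text.lower())
    return [f"cat:{m.category.lower()}", f"type:{m.msg_type.lower()}"] + [f"tok:{t}" for t in toks]


class RelevanceModel:
    """Multinomial naive Bayes with add-one smoothing; stands in for the neural
    network the patent names so the example has no dependencies. Training is
    incremental, so a later operator evaluation simply adds to the counts."""

    def __init__(self):
        self.class_count = Counter()
        self.feat_count = {True: Counter(), False: Counter()}
        self.vocab = set()

    def train(self, labelled):
        for m, relevant in labelled:
            self.class_count[relevant] += 1
            for f in features(m):
                self.feat_count[relevant][f] += 1
                self.vocab.add(f)

    def prob_relevant(self, m):
        total = sum(self.class_count.values())
        if total == 0:
            raise ValueError("model has not been trained")
        logp = {}
        for c in (True, False):
            prior = (self.class_count[c] + 1) / (total + 2)
            denom = sum(self.feat_count[c].values()) + len(self.vocab)
            logp[c] = math.log(prior) + sum(
                math.log((self.feat_count[c][f] + 1) / denom) for f in features(m))
        top = max(logp.values())
        return math.exp(logp[True] - top) / sum(math.exp(v - top) for v in logp.values())


class AnalysisModule:
    def __init__(self, rules, model, threshold=0.5):
        # rules: (category, message type, regex, relevant?) are the comparison data records
        self.rules = [(c.lower(), t.lower(), re.compile(p, re.I), r) for c, t, p, r in rules]
        self.model = model
        self.threshold = threshold
        self.known_types = {t for _, t, _, _ in self.rules} | {
            f[5:] for f in model.vocab if f.startswith("type:")}
        self.notifications = []   # shown to the operator via the message sequence display

    def classify(self, m):
        """Returns (decision, probability, source); a matching rule wins over the model."""
        for cat, typ, pat, relevant in self.rules:
            if cat == m.category.lower() and typ == m.msg_type.lower() and pat.search(m.text):
                return ("relevant" if relevant else "not_relevant", float(relevant), "rule")
        if m.msg_type.lower() not in self.known_types:
            self.notifications.append(
                f"unknown message type '{m.msg_type}': store a rule for it in the rule database")
            return ("unknown_type", None, "none")
        p = self.model.prob_relevant(m)
        return ("relevant" if p >= self.threshold else "not_relevant", p, "model")

    def add_operator_evaluation(self, m, relevant):
        """A further operator evaluation retrains the model incrementally."""
        self.model.train([(m, relevant)])
        self.known_types.add(m.msg_type.lower())


# Constructed past messages with the operator's security-relevance verdicts.
AS, OS = "automation station control technology message", "operator station server control technology message"
OP, PR = "operator message", "process message"
PAST = [
    (Diag(AS, "alert", "Protection level of CPU AS01 changed via online access"), True),
    (Diag(AS, "alert", "Firmware update of CPU AS01 started from engineering station"), True),
    (Diag(OS, "alert", "Failed logon for user maint on OS server OS01"), True),
    (Diag(OP, "alert", "Operator changed password for user engineer"), True),
    (Diag(AS, "interference", "Unexpected PROFINET device at port 2 of IM155 rejected"), True),
    (Diag(PR, "interference", "Level transmitter LT101 value out of range"), False),
    (Diag(PR, "alert", "Pump P201 motor temperature high"), False),
    (Diag(AS, "interference", "Cycle time exceeded on CPU AS02"), False),
    (Diag(OP, "interference", "Operator acknowledged alarm for tank T12"), False),
    (Diag(AS, "interference", "Battery voltage low on CPU AS03"), False),
]
# Constructed comparison data records (rules) for this installation.
RULES = [
    (AS, "alert", r"protection level", True),
    (PR, "interference", r"value out of range", False),
]


def build_module():
    model = RelevanceModel()
    model.train(PAST)
    return AnalysisModule(RULES, model)
```

The order matters: a rule is deterministic and auditable, so it is checked first; the model only decides messages no rule covers; and a message type the installation has never seen is neither dropped silently nor forwarded blindly, it is surfaced to the operator, whose verdict then feeds back into the model via add_operator_evaluation.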

Although the invention has been illustrated and described in detail in the context of preferred embodiments, it is not limited to the disclosed examples and other variants can be derived therefrom by the person skilled in the art without departing from the scope of protection of the invention.
