CN-116015757-B - Enhanced intelligent process control switch port locking
Abstract
An intelligent process control switch may implement a lock routine to lock a communication port so that it is dedicated to devices with known physical addresses, allowing the switch to prevent new, possibly malicious, devices from communicating with the other devices to which it is connected. In addition, the intelligent process control switch may implement an address mapping routine to identify a "known pair" of physical and network addresses for each device that communicates via its ports. Thus, even if a new malicious device spoofs a known physical address in an attempt to bypass a locked port, the intelligent process control switch can detect it by checking its network address against the expected network address of the "known pair".
Inventors
- A. Da Silva Peshoto
- P. Glenniesen
- N.J. Peterson
Assignees
- Fisher-Rosemount Systems, Inc. (费希尔-罗斯蒙特系统公司)
Dates
- Publication Date: 20260508
- Application Date: 20180929
- Priority Date: 20180410
Claims (9)
- 1. A method for locking a process control switch, comprising: detecting a lock on a process control switch; detecting a second switch connected to a port of the process control switch; detecting whether the second switch is lockable; in response to detecting that the second switch is non-lockable, (i) receiving from the second switch a set of addresses of a set of known devices that have been transmitted by the second switch, and (ii) converting the process control switch to a locked state in which the port is locked such that traffic at the port is limited to messages received from or addressed to an address included in the set of addresses received from the second switch; and in response to detecting that the second switch is lockable, transitioning the process control switch to a locked state in which the port has not been locked, wherein detecting that the second switch is lockable includes performing a handshake operation between the process control switch and the second switch.
- 2. The method of claim 1, wherein the addresses in the set of addresses are physical addresses or network addresses.
- 3. The method of claim 1 or 2, wherein leaving the port in an unlocked state comprises not checking an address of a message received via the port.
- 4. The method of claim 1 or 2, wherein leaving the port in an unlocked state comprises checking an address of a message received via the port and not discarding the message received via the port.
- 5. The method of claim 1 or 2, wherein the set of addresses comprises physical addresses, and the method further comprises: tracking network addresses for the physical addresses included in the set of addresses; detecting that the physical address of a message does not match the tracked physical address; and issuing an alert or discarding the transmission from the device sending the message.
- 6. The method of claim 1 or 2, further comprising: monitoring messages transmitted via the second switch; and recording addresses associated with the monitored messages to compile the set of addresses.
- 7. The method of claim 1 or 2, further comprising initiating locking of the process control switch upon detection of a malicious device connected to the network.
- 8. The method of claim 1 or 2, further comprising providing a user interface configured to receive a user indication of the process control switch and to initiate locking of the process control switch.
- 9. The method of claim 1 or 2, further comprising changing the state of the process control switch to an unlocked state for a predetermined period of time before returning the state of the process control switch to the locked state.
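The behaviour described in the abstract and claims (locking a port to known physical addresses, checking each device's "known pair" of MAC and network address so a spoofed MAC with the wrong IP is caught, the lockable versus non-lockable downstream-switch decision of claim 1, and the timed unlock of claim 9), together with the layer 2 MAC learning and flooding that the description's background covers, as an added simulation in Python. This is example code, not code from the patent or from Fisher-Rosemount Systems; the class and method names, the MAC and IP addresses, and the injectable clock are all constructed for the example.

```python
"""Simulated intelligent process-control switch with port locking.
Added example, not code from the patent or its assignee. Models layer 2 MAC
learning/forwarding, locking a port to known MACs, per-device "known pair"
MAC/IP tracking, the lockable-downstream decision and a timed unlock.
All names, addresses and the clock are constructed for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str

@dataclass
class Port:
    locked: bool = False
    allowed_macs: Set[str] = field(default_factory=set)
    unlock_until: Optional[float] = None   # end of a temporary unlock window

class ProcessControlSwitch:
    def __init__(self, ports: List[int], clock: Callable[[], float] = lambda: 0.0):
        self.ports = {p: Port() for p in ports}
        self.mac_table: Dict[str, int] = {}    # MAC -> port (layer 2 table)
        self.known_pairs: Dict[str, str] = {}  # MAC -> IP ("known pair")
        self.alerts: List[str] = []
        self.clock = clock

    def _is_locked(self, port: int) -> bool:
        p = self.ports[port]
        if p.unlock_until is not None and self.clock() < p.unlock_until:
            return False                 # inside the temporary unlock window
        p.unlock_until = None            # window elapsed: back to locked state
        return p.locked

    def lock_port(self, port: int, address_set: Optional[Set[str]] = None) -> None:
        """Lock a port to a MAC set; default to the MACs learned on that port."""
        learned = {m for m, prt in self.mac_table.items() if prt == port}
        p = self.ports[port]
        p.allowed_macs = set(address_set) if address_set is not None else learned
        p.locked = True

    def lock_toward_switch(self, port: int, downstream_lockable: bool,
                           downstream_addresses: Set[str]) -> bool:
        """A lockable downstream switch locks its own ports, so this port stays
        unlocked; a non-lockable one reports the addresses it has seen and this
        port is locked to that set. Returns True if the port was locked."""
        if downstream_lockable:
            return False
        self.lock_port(port, downstream_addresses)
        return True

    def unlock_port_for(self, port: int, seconds: float) -> None:
        self.ports[port].unlock_until = self.clock() + seconds

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Return the egress ports for a frame, or [] if it is dropped."""
        if self._is_locked(in_port):
            if frame.src_mac not in self.ports[in_port].allowed_macs:
                self.alerts.append(f"unknown MAC {frame.src_mac} on locked port {in_port}")
                return []
            expected_ip = self.known_pairs.get(frame.src_mac)
            if expected_ip is not None and expected_ip != frame.src_ip:
                self.alerts.append(f"MAC {frame.src_mac} with {frame.src_ip}, "
                                   f"expected {expected_ip}")
                return []
        # Address mapping routine: remember the first MAC/IP pairing seen.
        self.known_pairs.setdefault(frame.src_mac, frame.src_ip)
        # Layer 2 learning, then forwarding to the learned port or flooding.
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        return [self.mac_table[frame.dst_mac]]

def demo() -> dict:
    """Walk through learning, locking, a rogue device, a MAC spoof and a timed unlock."""
    clock = {"t": 0.0}
    sw = ProcessControlSwitch([1, 2, 3], clock=lambda: clock["t"])
    sensor = Frame("aa:aa:aa:00:00:01", BROADCAST, "10.0.0.11")
    hmi = Frame("bb:bb:bb:00:00:02", "aa:aa:aa:00:00:01", "10.0.0.12")
    rogue = Frame("cc:cc:cc:00:00:99", BROADCAST, "10.0.0.99")
    spoof = Frame("aa:aa:aa:00:00:01", BROADCAST, "10.0.0.99")  # sensor's MAC, wrong IP
    r = {}
    r["learn_flood"] = sw.receive(1, sensor)      # unknown dst: flooded to [2, 3]
    r["learn_forward"] = sw.receive(2, hmi)       # dst learned on port 1: [1]
    sw.lock_port(1)                               # port 1 now admits only the sensor
    r["legit"] = sw.receive(1, sensor)            # [2, 3]
    r["rogue"] = sw.receive(1, rogue)             # [] unknown MAC
    r["spoof"] = sw.receive(1, spoof)             # [] known MAC, wrong IP
    r["stays_open"] = sw.lock_toward_switch(2, True, set())   # False
    sw.unlock_port_for(1, 60)
    r["temp_unlock"] = sw.receive(1, rogue)       # [2, 3] inside the window
    clock["t"] = 61.0
    r["relocked"] = sw.receive(1, rogue)          # [] again
    r["alerts"] = list(sw.alerts)
    return r
```

Calling `demo()` returns the forwarding decision for each step; the spoofed frame is the case the abstract singles out: its MAC passes the locked-port check, and only the known-pair comparison (MAC seen with the wrong IP) drops it and raises an alert. The rogue device that was admitted during the 60-second unlock window is dropped again once the window elapses, because the allowed set was fixed when the port was locked and is not widened by traffic seen while temporarily unlocked.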
Description
Enhanced intelligent process control switch port locking
The present application is a divisional application of the patent application filed on September 29, 2018, with application number 201811148322.5, entitled "Enhanced intelligent process control switch port locking".
Technical Field
The present disclosure relates generally to process control systems, and more particularly to techniques for locking ports of intelligent process control switches.
Background
Process control systems, such as distributed or scalable process control systems, as are commonly used in power generation, chemical, petroleum or other processes, typically include one or more process controllers communicatively coupled to each other, to at least one host or operator workstation, and to one or more field devices via analog, digital, or combined analog/digital buses. The field devices may be, for example, valves, valve positioners, switches, and transmitters (e.g., temperature, pressure and flow rate sensors), and perform functions within the process or plant such as opening or closing valves, switching devices, and measuring process parameters. A process controller, which is typically located within a process plant environment, receives signals indicative of process measurements or process variables generated by or associated with the field devices and/or other information related to the field devices, and executes controller applications or routines. Each controller uses the received information to implement a control routine and generate control signals that are sent over the bus to the field devices to control the operation of the process or plant. One or more controller routines implement control modules that make process control decisions, generate control signals based on received information, and coordinate with control modules or blocks in field devices (e.g., HART and fieldbus field devices).
Control modules in the process controllers send control signals to the field devices via communication lines or signal paths to control the operation of the process. Information from field devices and process controllers is typically available via a process control network to one or more other hardware devices such as operator workstations, maintenance workstations, personal computers, hand-held devices, data historians, report generators, centralized databases, and the like. The information transmitted over the network enables an operator or maintenance personnel to perform the desired functions with respect to the process. For example, the information allows an operator to alter the settings of the process control routine, modify the operation of control modules within the process controller or smart field devices, view the current state of a process or the condition of a particular device within the process plant, view alarms generated by field devices and process controllers, simulate the operation of a process in order to train personnel or test process control software, diagnose problems or hardware faults within the process plant, and the like. The field devices typically communicate with the hardware devices through a process control network, which may be an Ethernet-configured LAN. The network relays process parameters, network information, and other process control data to various entities in the process control system through various network devices. Network devices typically facilitate data flow through a network by controlling routing, frame rates, timeouts, and other network parameters, but do not alter the process data itself. Some typical network devices include, for example, layer 2 network switches, layer 3 network switches, routers, and/or hubs. The layers referred to here are those of the OSI model.
In general, a layer 2 network switch receives a message and forwards it via the one of its ports that is associated with the MAC address (identified in the message) of the destination device within the LAN. Layer 2 network switches typically store a table that maps MAC addresses to corresponding switch ports. When a layer 2 network switch receives a message, it identifies the destination MAC address of the message, looks up the switch port corresponding to that MAC address in the table, and forwards the message via that port. If the destination MAC address of a message received by a layer 2 network switch is not stored in the table, the switch broadcasts the message to all of its ports; this may be repeated until the message reaches the destination device and the destination device replies, informing the switch of the appropriate port to "map" to the destination MAC address. Notably, the layer 2 switch does not perform routing, does not make forwarding decisions using IP addresses, and does not track intermediate nodes between the switch and the destination device. Instead, the layer 2 switch simply refers to the table to determine which switch port should be used to forward the mess