
CN-120303905-B - Monitoring method of industrial network


Abstract

The invention relates to a method for detecting a topology change of an industrial network, the network consisting of an arrangement of network nodes connected to each other, at least one network node determining a transmission time of a message in the industrial network, wherein if the determined transmission time or transmission time change exceeds a predetermined threshold, an indication of a network node subsequently added to the network topology is evaluated and a security mode is activated.

Inventors

  • M. Rostan
  • T. Rettig

Assignees

  • Beckhoff Automation GmbH (贝克霍夫自动化有限公司)

Dates

Publication Date
2026-05-08
Application Date
2023-12-15
Priority Date
2022-12-22

Claims (11)

  1. A method for detecting a topology change of an industrial network, said network consisting of an arrangement of network nodes connected to each other, wherein a plurality of network nodes determine a transmission time of a message in the industrial network, the time between sending the message and returning the message being measured in the network nodes, wherein the number of the plurality of network nodes is determined according to an operating condition of the network, and wherein, if the determined transmission time or transmission time variation exceeds a predetermined threshold, this is evaluated as an indication that a network node has subsequently been added to the network topology and a security mode is activated.
  2. The method according to claim 1, wherein a transmission time monitoring network node reads the determined transmission time from the network node and determines whether the read transmission time exceeds a predetermined threshold.
  3. The method of claim 2, wherein the transmission time monitoring network node is a control node in the industrial network, the control node determining data transfer in the industrial network.
  4. The method of claim 2, wherein a plurality of network nodes perform the transmission time measurements and the transmission time monitoring network node correlates the transmission time measurements of the respective network nodes with each other to create a transmission time matrix and identifies whether and where one or more additional network nodes are added by evaluating the transmission time matrix.
  5. The method of any one of claims 1 to 4, wherein the security mode comprises a warning message that can be acknowledged to terminate the security mode.
  6. The method of any one of claims 1 to 4, wherein the threshold is associated with an environmental parameter.
  7. The method of any one of claims 1 to 4, wherein the threshold is ambient temperature.
  8. The method of any one of claims 1 to 4, wherein the threshold value is associated with an operating parameter.
  9. The method of any one of claims 1 to 4, wherein the threshold is associated with an operating time.
  10. The method according to any one of claims 1 to 4, wherein the network node determining the transmission time is a first network node using a precision time protocol to measure the transmission time of messages to the connected second network node.
  11. The method according to any one of claims 1 to 4, wherein the network node measuring the time between sending a message and returning the message is the first network node after the control node in the network topology.

Description

Monitoring method of industrial network

Technical Field

The present invention relates to a method for detecting a change in an industrial network topology.

Background

In industrial networks, network nodes that are subsequently added without the knowledge of network management constitute a potential cyber-security threat. For example, a subsequently added network node may tamper with or disrupt data traffic. Thus, after the network configuration is completed, it is necessary to reliably detect whether an additional network node has been added. This applies both to ongoing operation and to operational interruptions during shutdown of the industrial network.

Disclosure of Invention

It is an object of the present invention to provide improved protection against subsequently added network nodes in an industrial network. The object is achieved by a method according to claim 1. Preferred further developments are specified in the dependent claims.

In a method for detecting a topology change of an industrial network consisting of an arrangement of network nodes connected to each other, a transmission time of a message in the industrial network is determined by at least one network node. If the determined transmission time or the change in transmission time exceeds a predetermined threshold, this is evaluated as an indication that a network node has subsequently been added to the network topology, and the security mode is activated. By means of the transmission time monitoring in the industrial network, the subsequently added network node can be reliably identified, and appropriate protection measures can be initiated by activating the security mode.

A transmission time monitoring network node may be provided which reads the determined transmission time from the network node and determines whether the read transmission time exceeds a predetermined threshold. The transmission time monitoring network node is preferably a control node in the industrial network, which determines the data transmission in the industrial network. Monitoring of network security threats in an industrial network may thus be performed centrally by a transmission time monitoring network node and adapted to the respective network design.

Furthermore, it may be provided that a plurality of network nodes perform the transmission time measurements and that the transmission time monitoring network node correlates the transmission time measurements of the individual network nodes with each other in order to create a transmission time matrix. By suitably evaluating the transmission time matrix generated in this way, the transmission time monitoring network node can identify whether and where one or more additional network nodes have been added.

The security mode may include a warning message that may be acknowledged to exit the security mode. This ensures that the operator knows the status of the network security threat in the industrial network and can deactivate an incorrect security mode activation, for example if an intended change in network topology has been evaluated as a subsequent addition of a network node.

The threshold value may be associated with an environmental parameter, in particular the ambient temperature. The threshold value may also be associated with an operating parameter, in particular an operating time. By correlating the threshold with an environmental or operating parameter of the industrial network, the reliability of monitoring network security threats in the industrial network may be improved; in particular, the number of false security mode activations may be reduced.

The network node determining the transmission time may be a first network node using a precision time protocol to measure the transmission time of messages to the connected second network node. In this way, the transmission time between two neighboring network nodes can be determined continuously. The change in transmission time caused by changing environmental influences, in particular the ambient temperature and the component temperature, usually remains below the threshold value, so that reliable monitoring is achieved.

To determine the transmission time, the network node may also measure the time between sending a message and its return. Here, the network node measuring the time between sending a message and its return may be the first network node after the control node in the network topology. Furthermore, a plurality of network nodes may each measure the time between sending a message and its return, the number of these network nodes being determined according to the operating conditions of the industrial network. In an industrial network in which the transmitted messages are processed in transit by the network nodes, simplified time measurements can thus be made that are optimally matched to the respective network topology.

Drawings

The invention is explained in more detail below wit
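The threshold check, the temperature-linked threshold and the evaluation of per-node round-trip deltas to locate an inserted node, as an added worked example that is not code from the patent or from Beckhoff. It assumes a hypothetical line topology in which each measuring node's round-trip covers every node downstream of it, a constructed commissioning baseline, and a constructed linear relation between ambient temperature and threshold; the class and function names (`TransmissionTimeMonitor`, `locate_insertion`) are the example's own.

```python
from dataclasses import dataclass, field

# Constructed line topology: control node first, then the device chain.
TOPOLOGY = ["ctrl", "n1", "n2", "n3", "n4"]

# Constructed commissioning baselines: round-trip time (ns) each node measured
# between sending a message downstream and receiving it back. A node's
# round-trip covers every node behind it, so the values shrink along the line.
BASELINE_NS = {"n1": 4000.0, "n2": 3000.0, "n3": 2000.0, "n4": 1000.0}


@dataclass
class TransmissionTimeMonitor:
    """Hypothetical transmission time monitoring node (e.g. the control node)
    that reads the round-trip measurements and applies the threshold check."""
    baseline_ns: dict
    base_threshold_ns: float            # allowed growth at commissioning temperature
    ns_per_kelvin: float = 0.0          # assumed threshold widening per kelvin of deviation
    commissioning_temp_c: float = 25.0
    security_mode: bool = False
    warnings: list = field(default_factory=list)

    def threshold_ns(self, ambient_temp_c: float) -> float:
        """Threshold tied to ambient temperature so that thermal drift of
        component delays does not trigger the security mode (constructed model)."""
        drift = abs(ambient_temp_c - self.commissioning_temp_c)
        return self.base_threshold_ns + self.ns_per_kelvin * drift

    def deltas_ns(self, measured_ns: dict) -> dict:
        """Transmission time change of each measuring node versus its baseline."""
        return {node: measured_ns[node] - self.baseline_ns[node] for node in measured_ns}

    def check(self, measured_ns: dict, ambient_temp_c: float) -> list:
        """Return the nodes whose transmission time change exceeds the threshold
        and activate the security mode if there are any."""
        thr = self.threshold_ns(ambient_temp_c)
        exceeded = [n for n, d in self.deltas_ns(measured_ns).items() if d > thr]
        if exceeded:
            self.security_mode = True
            self.warnings.append(f"transmission time threshold {thr:.0f} ns exceeded at {exceeded}")
        return exceeded

    def acknowledge(self) -> None:
        """Operator acknowledges the warning message; this ends the security mode."""
        self.warnings.clear()
        self.security_mode = False


def locate_insertion(topology: list, deltas_ns: dict, threshold_ns: float):
    """Evaluate the per-node deltas (one row of the transmission time matrix).
    Because each round-trip covers all downstream nodes, every node upstream of
    an inserted node sees the growth and every node downstream does not, so the
    new node sits directly after the last affected node in topology order.
    Returns (upstream_node, downstream_node) or None when nothing was detected."""
    affected = [n for n in topology if n in deltas_ns and deltas_ns[n] > threshold_ns]
    if not affected:
        return None
    idx = topology.index(affected[-1])
    downstream = topology[idx + 1] if idx + 1 < len(topology) else None
    return affected[-1], downstream


def demo():
    mon = TransmissionTimeMonitor(BASELINE_NS, base_threshold_ns=200.0, ns_per_kelvin=5.0)

    # Constructed run 1: warm cabinet, all delays drifted slightly; no node added.
    # At 45 C the threshold widens from 200 ns to 300 ns, so no alarm is raised.
    warm = {"n1": 4150.0, "n2": 3120.0, "n3": 2080.0, "n4": 1040.0}
    drift_alarm = mon.check(warm, ambient_temp_c=45.0)

    # Constructed run 2: a node was spliced in between n2 and n3, adding about
    # 900 ns to every round-trip that passes that point. Threshold at 35 C: 250 ns.
    added = {"n1": 4900.0, "n2": 3900.0, "n3": 2000.0, "n4": 1000.0}
    alarm = mon.check(added, ambient_temp_c=35.0)
    where = locate_insertion(TOPOLOGY, mon.deltas_ns(added), mon.threshold_ns(35.0))
    return drift_alarm, alarm, where, mon


if __name__ == "__main__":
    drift_alarm, alarm, where, mon = demo()
    print("drift run alarms:", drift_alarm)       # []
    print("insertion run alarms:", alarm)        # ['n1', 'n2']
    print("inserted between:", where)            # ('n2', 'n3')
    print("security mode:", mon.security_mode, mon.warnings)
```

The first run shows why the claims tie the threshold to an environmental parameter: a uniform thermal drift of a few tens of nanoseconds stays under the widened threshold, whereas the second run shows a step change that only the nodes upstream of the splice observe, which is what lets the monitoring node state both that a node was added and where.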