EP-4736370-A1 - METHODS FOR THE PROTECTION OF A PIECE OF EQUIPMENT AND FOR THE PROVISION OF DATA, AND CORRESPONDING ELECTRONIC DEVICES AND ELECTRONIC ASSEMBLY, COMPUTER PROGRAM PRODUCTS AND INFORMATION STORAGE MEDIA
Abstract
The invention relates to a method that is implemented in a first device in a communication network having a first portion comprising a piece of equipment as well as a second portion, the two portions being interconnected via the first device and a second device using unidirectional communication, the method comprising: • transmitting, to the second device, an address of the piece of equipment in the first portion; • during a communication between the piece of equipment and the first device, obtaining a value of a piece of data about the piece of equipment; • transmitting said value to the second device. The invention also relates in particular to a corresponding method for providing data as well as to corresponding electronic devices, a corresponding electronic assembly, and corresponding computer program products and information storage media.
Inventors
- HAMON, Yoann
- ESNAULT, Régis
Assignees
- ORANGE
Dates
- Publication Date
- 20260506
- Application Date
- 20240626
Claims (17)
- 1. Method for protecting equipment of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via a first electronic device and a second electronic device in unidirectional communication, so as to only allow communications from the first device to the second device, said method comprising: • obtaining an addressing identifier for said equipment to be protected on said first portion of said communications network, said addressing identifier being obtained dynamically by scanning said first portion; • a transmission to said second device of said addressing identifier; • during communication between said equipment to be protected and said first device, obtaining the current value of at least one piece of data from said equipment; • a transmission to said second device, via said one-way communication, of the current value obtained.
- 2. Protection method according to claim 1 comprising obtaining a description relating to said equipment to be protected and comprising at least: • said addressing identifier of said equipment to be protected on said first portion of said communications network; • a designation of at least one communication protocol with said equipment; • addressing information of at least one data item of said equipment accessible for reading via said equipment.
- 3. Protection method according to claim 2 comprising a transmission to said second device of information identifying said protocol.
- 4. Protection method according to claim 2 or 3 where said description is obtained dynamically by said first device by scanning said first portion.
- 5. Protection method according to any one of claims 1 to 4 comprising, upon updating at least one first of said at least one accessible data item, a transmission to said second device, via said one-way communication, of said updated value.
- 6. Protection method according to any one of claims 1 to 5 where said current value and/or update of said first data is obtained by interrogating said equipment.
- 7. Protection method according to claims 2 and 6 where said interrogation of said equipment is carried out several times and where a time interval between two successive interrogations of said equipment takes into account temporal information included in said description.
- 8. Method for providing data from at least one device of a communication network partitioned into a plurality of portions comprising at least a first portion, and at least a second portion interconnected with said first portion via a first electronic device and a second electronic device in unidirectional communication, so as to allow only communications from the first device to the second device, said method comprising: • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier, on said first portion of said communication network, of at least one piece of equipment on said first portion; • upon receipt of a request having as destination address said addressing identifier and relating to at least one first data item of said equipment, a transmission of a value of said at least one first data item, previously obtained via said one-way communication, to a transmitter of said request.
- 9. Method for providing data according to claim 8, said method comprising: obtaining a description relating to said at least one piece of equipment of said first portion of said communication network comprising said at least one addressing identifier of said at least one piece of equipment on said first portion of said communication network.
- 10. Method for providing data according to claim 9 wherein said description is obtained via said one-way communication.
- 11. Method for providing data according to claim 9 or 10 wherein said description comprises: • a designation of at least one communication protocol with said equipment; • a designation of at least one item of addressing information for at least one item of data of said equipment accessible in reading mode via said equipment of said first portion of said network; and where said request is received according to said protocol and relates to said addressing information.
- 12. First electronic device of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising equipment to be protected, and at least a second portion interconnected with said first portion via the first device and a second device in one-way communication with the first device, so as to allow only communications from the first device to the second device, said first device comprising at least one processor configured to: • obtaining an addressing identifier for said equipment to be protected on said first portion of said communications network, said addressing identifier being obtained dynamically by scanning said first portion; • a transmission to said second device of said addressing identifier; • during communication between said equipment to be protected and said first device, obtaining the current value of at least one piece of data from said equipment; • a transmission to said second device, via said one-way communication, of the current value obtained.
- 13. Second electronic device of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising equipment to be protected, and at least a second portion interconnected with said first portion via a first electronic device and said second electronic device in unidirectional communication, so as to allow only communications from the first device to the second device, said second device comprising at least one processor configured to: • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier, on said first portion of said communication network, of at least one piece of equipment on said first portion; • upon receipt of a request having as destination address said addressing identifier and relating to at least one first data item of said equipment, transmission of a value of said at least one first data item, previously obtained via said one-way communication, to a transmitter of said request.
- 14. Electronic assembly of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising equipment to be protected, and at least a second portion interconnected with said first portion via a first device of said electronic assembly and a second device of said electronic assembly in one-way communication with the first device of said electronic assembly, via one-way communication means of said electronic assembly so as to allow only communications from the first device of said electronic assembly to the second device of said electronic assembly, said at least one first device of said electronic assembly comprising at least one first processor configured to: • obtaining an addressing identifier for said at least one piece of equipment to be protected on said first portion of said communications network, said addressing identifier being obtained dynamically by scanning said first portion; • a transmission to said second device of said addressing identifier of said at least one piece of equipment to be protected; • during a connection (or communication) between said equipment to be protected and said first device, obtaining the current value of at least one data item of said equipment; • a transmission to said second device, via said one-way communication, of the current value obtained; and said at least one second electronic device comprising at least one second processor configured to: • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier, on said first portion of said communications network, of at least one piece of equipment of said first portion; • upon receipt of a request having as destination address said addressing identifier and relating to at least one first data item of said equipment, a transmission of a value of said at least one first data item, previously obtained via said one-way communication, to a transmitter of said request.
- 15. System comprising at least one equipment to be protected and at least one electronic protection assembly, in a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment to be protected, and at least a second portion interconnected with said first portion via a first device of said electronic protection assembly and a second device of said electronic protection assembly in one-way communication with the first device of said electronic protection assembly, via one-way communication means of said electronic protection assembly so as to allow only communications from the first device of said electronic protection assembly to the second device of said electronic protection assembly, said at least one first device of said electronic protection assembly comprising at least one first processor configured to: • obtaining an addressing identifier for said at least one piece of equipment to be protected on said first portion of said communications network, said addressing identifier being obtained dynamically by scanning said first portion; • a transmission to said second device of said addressing identifier of said at least one piece of equipment to be protected; • during a connection (or communication) between said equipment to be protected and said first device, obtaining the current value of at least one data item of said equipment; • a transmission to said second device, via said one-way communication, of the current value obtained; and said at least one second electronic device comprising at least one second processor configured to: • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier, on said first portion of said communication network, of at least one piece of equipment of said first portion; • upon receipt of a request having as destination address said addressing identifier and relating to at least one first data item of said equipment, a transmission of a value of said at least one first data item, previously obtained via said one-way communication, to a transmitter of said request.
- 16. Computer program comprising instructions for implementing, when said program is executed by a processor, a protection method according to any one of claims 1 to 7 and/or a provision method according to any one of claims 8 to 11.
- 17. Information medium readable by an electronic device and on which is recorded a computer program comprising instructions for the implementation, when said program is executed by a processor, of a protection method according to any one of claims 1 to 7 and/or a provision method according to any one of claims 8 to 11.
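The scheme of claims 1 and 8 in miniature, as an added simulation that is not part of the patent or of any Orange implementation: a first device on the protected portion discovers a ModBus-like machine, polls its registers and pushes the values through a strictly one-way channel; a second device on the outer portion is assigned the machine's address and answers read requests from the values it has cached, so request-based protocols keep working without any path back to the equipment. The equipment address, register numbers and values are constructed; the in-memory deque stands in for the diode, and the constructed equipment list stands in for the network scan.

```python
from collections import deque
from dataclasses import dataclass

class OneWayChannel:
    """Stand-in for the diode: the protected side can only push, the outer side only drain."""
    def __init__(self):
        self._q = deque()
    def push(self, record):            # used by the first device only
        self._q.append(record)
    def drain(self):                   # used by the second device only
        while self._q:
            yield self._q.popleft()

@dataclass
class Equipment:
    """Constructed ModBus-like machine: an address on the protected portion and holding registers."""
    address: str
    registers: dict

class FirstDevice:
    """Protected-portion side: discovers equipment, polls it, forwards values (claims 1, 5, 6)."""
    def __init__(self, channel, equipment):
        self.channel, self.equipment = channel, equipment
    def scan(self):
        # dynamic discovery of addressing identifiers; a constructed list stands in for the scan
        for eq in self.equipment:
            self.channel.push(("announce", eq.address, "modbus", list(eq.registers)))
    def poll(self):
        for eq in self.equipment:
            for reg, val in eq.registers.items():
                self.channel.push(("value", eq.address, reg, val))

class SecondDevice:
    """Outer-portion side: takes over the equipment's address and answers reads from cache (claim 8)."""
    def __init__(self, channel):
        self.channel, self.addresses, self.cache = channel, set(), {}
    def sync(self):
        for rec in self.channel.drain():
            if rec[0] == "announce":
                self.addresses.add(rec[1])        # address assigned to the second device
            else:
                _, addr, reg, val = rec
                self.cache[(addr, reg)] = val     # last value received through the diode
    def handle(self, request):
        """request: {'dst': address, 'op': 'read'|'write', 'reg': register}."""
        addr, op, reg = request["dst"], request["op"], request.get("reg")
        if addr not in self.addresses:
            return {"status": "unknown address"}
        if op != "read":
            return {"status": "refused"}           # nothing can travel back to the equipment
        if (addr, reg) not in self.cache:
            return {"status": "no data"}
        return {"status": "ok", "value": self.cache[(addr, reg)]}
```

A reader on the outer portion only ever sees the value from the last poll, so the polling interval (claim 7) bounds how stale an answer can be.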
Description
Title of the invention: Methods for protecting equipment and providing data, electronic devices and assemblies, computer program products and corresponding information media
Technical field
This application relates to the field of securing at least a portion of a communications network. It relates in particular to a method for protecting at least one item of equipment, implemented by a first electronic device of a first portion of a communication network, and a method for providing data, implemented by a second electronic device of a second portion of a communication network, as well as the corresponding electronic devices and assemblies, computer program products and information media.
1. State of the art
The present invention relates to the protection of at least one piece of equipment accessible via a communication network. For example, this may be equipment handling sensitive data, or carrying out sensitive processing, and may therefore be the target of attack by malicious third parties, either to improperly access sensitive data, or to disrupt, or even prevent, certain processing via the propagation of a computer virus to the equipment. This equipment is, for example, part of a private company network or a home network, interconnected to a public network such as the Internet. Examples of sensitive data include personal data (medical data, banking data, etc.), industrial data (such as plans of manufactured objects, data relating to the production of certain industrial machines such as measurement results, number of parts produced, etc.), the history of orders received by industrial equipment, alerts, etc. Malicious third parties may, for example, be tempted to disable equipment, to harm a company or to obtain a ransom. Private network security solutions have been developed to protect equipment or a set of equipment belonging to the same private network from such attacks. Examples include solutions based on firewalls and/or intrusion detection systems.
Also included is the use of virtual private networks (VPNs) that isolate, by encryption, within a wide area network, exchanges between equipment on the wide area network belonging to the virtual private network. Such solutions make it possible to limit communications with equipment outside the private network to communications sent from the private network to these "external" devices, and thus prevent access from outside the network to the equipment to be protected. However, these solutions, sometimes called "network diodes", are sometimes inappropriate and very restrictive for protecting certain electronic equipment such as industrial machines. Indeed, such solutions only allow information to be sent out at the initiative of the protected equipment. Software running on an electronic device outside the private network therefore cannot query protected equipment to obtain data in return. Such solutions greatly limit, or even prevent, the use of certain communication protocols based on such requests, in particular protocols that are very widespread in the industrial field, such as OPC-UA or ModBus, which are used by many machine tools on the market. They are therefore not suitable for protecting certain equipment on the market. The purpose of this application is to propose improvements to at least some of the drawbacks of the state of the art.
2. Statement of the invention
The present application aims to improve the situation by means of a method for protecting equipment, called equipment to be protected, of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via a first electronic device and a second electronic device in unidirectional communication, so as to only allow communications from the first device to the second device, said method comprising: • a transmission to said second device of an addressing identifier for said equipment on said first portion of said communications network; • during a connection (or communication) between said equipment to be protected and said first device, obtaining the current value of at least one piece of data from said equipment; • a transmission to said second device, via said one-way communication, of the current value obtained. The present application relates in particular to a method for protecting equipment of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via a first electronic device and a second electronic device in unidirectional communication, so as to only allow communications from the first device to the second device, said method comprising: • obtaining an addressing identifier for said equipment to be protected on said first portion of said communications network, said