EP-4736371-A1 - METHODS FOR THE PROTECTION OF A PIECE OF EQUIPMENT AND FOR THE TRANSMISSION OF DATA, AND CORRESPONDING ELECTRONIC DEVICES AND ELECTRONIC ASSEMBLY, COMPUTER PROGRAM PRODUCTS AND INFORMATION STORAGE MEDIA

Abstract

The invention relates to a method for protecting a piece of equipment in a communication network partitioned into a first portion and a second portion that is interconnected with the first portion via a first device in the first portion and a second device in the second portion, the method comprising: • transmitting, to the second device, an address of a piece of equipment in the first portion of the network; • transcoding data received from the second device into a structured data packet comprising an identifier for addressing the piece of equipment that is the recipient of the packet in the first portion; • transmitting the packet to the recipient piece of equipment. The invention also relates in particular to a transmission method implemented by a second electronic device in a second portion of the communication network, as well as to the corresponding electronic devices and electronic assembly, computer program products and information storage media.

Inventors

  • HAMON, Yoann
  • ESNAULT, Régis

Assignees

  • ORANGE

Dates

Publication Date: 2026-05-06
Application Date: 2024-06-26

Claims (17)

  1. Method for protecting at least one piece of equipment of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via a first device of said first portion and a second device of said second portion, said method comprising:
     • a transmission to said second device of at least one addressing identifier of said equipment of said first portion of said communication network;
     • a transcoding of data received from said second device into at least one structured data packet comprising at least one addressing identifier of a device receiving said packet on said first portion;
     • a transmission of said packet to said recipient equipment;
     at least one of said transcoding and/or transmission being carried out conditionally, taking into account at least one filtering rule relating to the content of said packet.
  2. Protection method according to claim 1 where said filtering rule takes into account at least one element contained in said packet among the following elements:
     - a designation of a device transmitting said packet;
     - addressing information relating to at least one piece of data from said equipment;
     - a type of access to be carried out on said data;
     - a designation of a communication protocol used by said packet;
     - a combination of at least two of the above elements.
  3. Protection method according to claim 1 or 2 wherein said filtering is carried out before said transcoding.
  4. Protection method according to claim 1 or 2 wherein said filtering is carried out after said transcoding.
  5. Protection method according to one of claims 1 to 4 where said first and second devices communicate with each other via at least two communication paths, a first unidirectional communication path allowing the first device to receive data from said second device, and a second unidirectional communication path allowing the first device to send to said second device a response to said packet transmitted to said recipient equipment.
  6. Protection method according to any one of claims 1 to 5 wherein said transcoding comprises a deserialization of said data.
  7. Method for transmitting data intended for at least one device of a communication network partitioned into a plurality of portions comprising at least a first portion, and at least a second portion interconnected with said first portion via a first device of said first portion and a second device of said second portion, said method comprising:
     • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier of a device of said first portion;
     • upon receipt of a structured data packet having as destination address said addressing identifier, a serialization of the data of said packet; and
     • a transmission of said serialized data to said first device;
     at least one of said serialization and/or said transmission being carried out conditionally taking into account at least one filtering rule relating to the content of said packet.
  8. Transmission method according to claim 7, where said filtering rule takes into account at least one element contained in said packet among the following elements:
     - a designation of a device transmitting said packet;
     - addressing information relating to at least one piece of data from said equipment;
     - a type of access to be carried out on said data;
     - a designation of a communication protocol used by said packet;
     - a combination of at least two of the above elements.
  9. Transmission method according to claim 7 or 8 comprising obtaining a description relating to said equipment of said first portion of said communication network, comprising said at least one addressing identifier of said at least one equipment on said first portion of said communication network.
  10. Transmission method according to one of claims 7 to 9 where said filtering is carried out on the serialized data.
  11. Transmission method according to one of claims 7 to 10 where said filtering is carried out before said serialization.
  12. Transmission method according to one of claims 7 to 11 where said first and second devices communicate with each other via at least two unidirectional communication paths, a first unidirectional communication path allowing the second device to transmit data to said first device, and a second unidirectional communication path allowing the second device to receive from the first device a response to said data transmitted to said first device.
  13. First electronic device of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising at least one piece of equipment to be protected and said first device, and at least a second portion interconnected with said first portion via the first device and a second device of said second portion, said first device comprising at least one processor configured to:
     • a transmission to said second device of at least one addressing identifier of said equipment of said first portion of said communication network;
     • a transcoding of data received from said second device into at least one structured data packet comprising at least one addressing identifier of a device receiving said packet on said first portion;
     • a transmission of said packet to said recipient equipment;
     at least one of said transcoding and/or transmission being carried out conditionally, taking into account at least one filtering rule.
  14. Second electronic device of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising at least one equipment, and at least a second portion comprising said second device, and interconnected with said first portion via a first device of said first portion and the second device; said second device comprising at least one processor configured to:
     • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier of a device of said first portion;
     • upon receipt of a structured data packet having as destination address said addressing identifier, a serialization of the data of said packet; and
     • a transmission of said serialized data to said first device;
     at least one of said serialization and/or said transmission being carried out conditionally taking into account at least one filtering rule relating to the content of said packet.
  15. Electronic assembly for protecting at least one piece of equipment of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via at least a first device of said electronic assembly, said first device belonging to said first portion, and at least a second device of said electronic assembly, said second device belonging to said second portion, said at least one first electronic device comprising at least one processor configured to:
     • a transmission to said second device of at least one addressing identifier of said equipment of said first portion of said communication network;
     • a transcoding of data received from said second device into at least one first structured data packet comprising at least one addressing identifier of a device receiving said first packet on said first portion;
     • a transmission of said first packet to said recipient equipment;
     at least one of said transcoding and/or transmission being carried out conditionally taking into account at least one first filtering rule relating to the content of said first packet; said at least one second electronic device comprising at least one processor configured to:
     • an assignment to said second device, as an addressing identifier on said second portion of said network, of at least one addressing identifier of a device of said first portion;
     • upon receipt of a second structured data packet having as destination address said addressing identifier, a serialization of the data of said second packet; and
     • a transmission of said serialized data to said first device;
     at least one of said serialization and/or said transmission being carried out conditionally taking into account at least one second filtering rule relating to the content of said second packet.
  16. Computer program comprising instructions for implementing a protection method according to one of claims 1 to 6, and/or a transmission method according to one of claims 7 to 12, when said program is executed by a processor.
  17. Information medium readable by an electronic device and on which is recorded a computer program comprising instructions for implementing a protection method according to at least one of claims 1 to 6, and/or a transmission method according to at least one of claims 7 to 12.
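The two-device exchange that claims 1 to 15 describe, as an added Python model that is not part of the patent or of any Orange implementation. A second device in the external portion is assigned the protected equipment's addressing identifier, applies its own filtering rule and serializes each structured packet it receives on that identifier before forwarding it over a unidirectional path (claims 7 to 11); a first device in the protected portion transcodes the serialized data back into a packet (deserialization, claim 6), applies a second filtering rule on the sender designation, data address, access type and protocol (claims 1 to 4), delivers the packet to the equipment and returns the response over the second unidirectional path (claims 5 and 12). The identifiers plc-01 and scada-1, the register names, the JSON serialization, the Modbus-style read/write packets and the in-memory queues standing in for the unidirectional paths are constructed assumptions.

```python
import json
from collections import deque
from dataclasses import asdict, dataclass, field

EQUIPMENT_ID = "plc-01"      # constructed addressing identifier of the protected machine
EXTERNAL_CLIENT = "scada-1"  # constructed designation of the client in the second portion

@dataclass(frozen=True)
class Packet:
    """Structured data packet; the fields are the elements a filtering rule may inspect."""
    sender: str       # designation of the transmitting device
    protocol: str     # communication protocol used by the packet
    access: str       # type of access to carry out on the data ("read" or "write")
    address: str      # addressing information of a piece of data on the equipment
    destination: str  # addressing identifier of the recipient equipment
    payload: dict = field(default_factory=dict)

@dataclass(frozen=True)
class FilterRule:
    """Allow-list over the packet elements listed in claims 2 and 8."""
    senders: frozenset
    protocols: frozenset
    access_types: frozenset
    addresses: frozenset

    def permits(self, pkt: Packet) -> bool:
        return (pkt.sender in self.senders and pkt.protocol in self.protocols
                and pkt.access in self.access_types and pkt.address in self.addresses)

class Equipment:  # stand-in for the protected machine: a few named registers
    def __init__(self, registers: dict):
        self.registers = dict(registers)

    def handle(self, pkt: Packet) -> dict:
        if pkt.access == "read":
            return {"address": pkt.address, "value": self.registers.get(pkt.address)}
        self.registers[pkt.address] = pkt.payload.get("value")
        return {"address": pkt.address, "written": True}

class FirstDevice:
    """Protected-portion device: transcodes serialized data into packets, filters, forwards."""
    def __init__(self, equipment: dict, rule: FilterRule, request_path: deque, response_path: deque):
        self.equipment, self.rule = equipment, rule  # addressing identifier -> Equipment
        self.request_path, self.response_path = request_path, response_path  # one-way links
        self.dropped = 0

    def announce(self, second_device) -> None:
        """Transmission of the equipment's addressing identifiers to the second device."""
        second_device.assign(set(self.equipment))

    def process_one(self):
        if not self.request_path:
            return None
        pkt = Packet(**json.loads(self.request_path.popleft().decode()))  # transcoding (deserialization)
        target = self.equipment.get(pkt.destination)
        if target is None or not self.rule.permits(pkt):  # filtering after transcoding
            self.dropped += 1
            return None
        response = target.handle(pkt)  # transmission to the recipient equipment
        self.response_path.append(json.dumps(response).encode())  # reply over the second one-way path
        return response

class SecondDevice:
    """External-portion device: answers to the equipment's identifiers, filters, serializes."""
    def __init__(self, rule: FilterRule, request_path: deque, response_path: deque):
        self.identifiers, self.rule = set(), rule
        self.request_path, self.response_path = request_path, response_path

    def assign(self, identifiers: set) -> None:
        self.identifiers |= identifiers  # the second device now carries the equipment's addresses

    def receive_from_external(self, pkt: Packet) -> bool:
        if pkt.destination not in self.identifiers or not self.rule.permits(pkt):
            return False  # filtering before serialization
        self.request_path.append(json.dumps(asdict(pkt)).encode())  # serialization, then transmission
        return True

    def read_response(self):
        return json.loads(self.response_path.popleft().decode()) if self.response_path else None

def run_scenario() -> dict:
    """Constructed scenario: the outer rule admits reads and writes, the inner rule reads only."""
    outer = FilterRule(frozenset({EXTERNAL_CLIENT}), frozenset({"modbus"}),
                       frozenset({"read", "write"}), frozenset({"holding/40001"}))
    inner = FilterRule(frozenset({EXTERNAL_CLIENT}), frozenset({"modbus"}),
                       frozenset({"read"}), frozenset({"holding/40001"}))
    req, resp = deque(), deque()  # the two unidirectional paths of claims 5 and 12
    first = FirstDevice({EQUIPMENT_ID: Equipment({"holding/40001": 42})}, inner, req, resp)
    second = SecondDevice(outer, req, resp)
    first.announce(second)
    read = Packet(EXTERNAL_CLIENT, "modbus", "read", "holding/40001", EQUIPMENT_ID)
    write = Packet(EXTERNAL_CLIENT, "modbus", "write", "holding/40001", EQUIPMENT_ID, {"value": 0})
    accepted = [second.receive_from_external(p) for p in (read, write)]
    for _ in (read, write):
        first.process_one()
    return {"accepted_by_second": accepted, "dropped_by_first": first.dropped,
            "responses": [second.read_response(), second.read_response()],
            "register": first.equipment[EQUIPMENT_ID].registers["holding/40001"]}
```

Running `run_scenario()` shows the layered filtering the claims allow: both packets pass the outer rule and are serialized, but the write is rejected after transcoding on the first device, so the register keeps its value and only the read receives a response over the return path. Placing the stricter rule on the protected side means the external device can be compromised without widening what reaches the equipment.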

Description

Title of the invention: Methods for protecting equipment and transmitting data, electronic devices and assemblies, computer program products and corresponding information media

Technical field

This application relates to the field of securing at least a portion of a communication network. It relates in particular to a method of protecting at least one item of equipment, implemented by a first electronic device of a first portion of a communication network, and a method of transmitting data, implemented by a second electronic device of a second portion of a communication network, as well as the corresponding electronic devices and assemblies, computer program products and information media.

1. State of the art

The present invention relates to the protection of at least one piece of equipment accessible via a communication network. For example, this may be equipment handling sensitive data or carrying out sensitive processing, and it may therefore be the target of attacks by malicious third parties, either to improperly access sensitive data, or to disrupt or even prevent certain processing through the propagation of a computer virus to the equipment. This equipment is, for example, part of a private company network or a home network interconnected to a public network such as the Internet. Examples of sensitive data include personal data (medical data, banking data, etc.), industrial data (such as plans of manufactured objects, or data relating to the production of certain industrial machines such as measurement results or the number of parts produced), order histories received by industrial equipment, alerts, etc. Malicious third parties may, for example, be tempted to disable equipment in order to harm a company or obtain a ransom.

Private network security solutions have been developed to protect a piece of equipment, or a plurality of equipment belonging to the same private network, from such attacks. Examples include solutions based on firewalls and/or intrusion detection systems, as well as virtual private networks (VPNs), which isolate by encryption, within a wide area network, the exchanges between equipment of the wide area network belonging to the virtual private network. Such solutions make it possible to limit communications with equipment outside the private network to communications sent from the private network to this "external" equipment, and thus to prevent access from outside the network to the equipment to be protected. However, these solutions, sometimes called "network diodes", are sometimes inappropriate and very restrictive for protecting certain electronic equipment such as industrial machines. Indeed, such solutions only allow information to be sent out at the initiative of the protected equipment. Software running on an electronic device outside the private network therefore cannot query the protected equipment to obtain data in return. Such solutions greatly limit, or even prevent, the use of certain communication protocols based on such requests, in particular certain protocols that are very widespread in the industrial sector (such as OPC-UA or ModBus, used by many machine tools on the market). They are therefore not suitable for protecting certain equipment on the market. The purpose of this application is to propose improvements to at least some of the drawbacks of the state of the art.

2. Statement of the invention

The present application aims to improve the situation by means of a method for protecting at least one piece of equipment of a communication network partitioned into a plurality of portions comprising at least a first portion, comprising said equipment, and at least a second portion interconnected with said first portion via a first device of said first portion and a second device of said second portion, said method comprising:
  • a transmission to said second device of at least one addressing identifier of said equipment of said first portion of said communication network;
  • a transcoding of data received from said second device into at least one structured data packet comprising at least one addressing identifier of a device receiving said packet on said first portion;
  • a transmission of said packet to said recipient equipment;
at least one of said transcoding and/or transmission being carried out conditionally, taking into account at least one filtering rule relating to the content of said packet.

In some embodiments, said filtering rule takes into account at least one element contained in said packet among the following elements:
  • a designation of a device transmitting said packet;
  • addressing information relating to at least one piece of data of said equipment;
  • a type of access to be carried out on said data;
  • a designation of a communication protocol used by said packet;
  • a combination of at least two of the above elements.

In some embodiments, said filtering is performed prior to said transcoding. In some embodiments,