
JP-7856367-B2 - Least-privilege-based process control software security architecture, computer devices

JP7856367B2

Inventors

  • リー アレン ネイツル
  • ダン ハルバー ウシン

Assignees

  • Fisher-Rosemount Systems, Inc.

Dates

Publication Date
2026-05-11
Application Date
2023-01-10
Priority Date
2014-07-25

Claims (4)

  1. A computer device comprising: a processor; and an operating system that runs on the processor according to configuration data to implement a service process and one or more desktop applications, the service process providing services to the one or more desktop applications; wherein the operating system operates to separate a desktop namespace from a service namespace and to prevent a service process in the service namespace from directly accessing objects in the desktop namespace, and the one or more desktop applications in the desktop namespace from directly accessing objects in the service namespace, by restricting communication between the service process and the one or more desktop applications to inter-process communication; and wherein, when the one or more desktop applications in the desktop namespace communicate with external media or a communication network, the operating system restricts the one or more desktop applications to communicating with the external media or the communication network only via a service process that provides external media access or a service process that provides communication access, that service process being included in the service namespace.
  2. The computer device according to claim 1, wherein the one or more desktop applications are assigned a restricted set of operating system privileges drawn from the set of operating system privileges associated with the user account that launches the one or more desktop applications.
  3. The computer device according to claim 1 or 2, further comprising a desktop including a user interface, wherein the operating system implements rules that prevent any service process from directly accessing the desktop.
  4. The computer device according to any one of claims 1 to 3, wherein the computer device includes a local memory storage unit, and the operating system implements rules that prevent the one or more desktop applications from writing to service files or service folders stored in the local memory storage unit.
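The four claims together describe a reference monitor: two object namespaces, an IPC channel as the only bridge between them, a reduced privilege set for desktop code, and a rule that desktop code may not write into the service's folders. The following model, added here as an illustration and not code from the patent or from Fisher-Rosemount Systems, shows the checks such a monitor has to make. The Windows-style privilege names, the service folder path, the host allow list and the object names are constructed assumptions. Two details matter in practice and are handled explicitly: the service-folder rule (claim 4) must compare canonical path components, case-insensitively, rather than string prefixes, or `..\Service\x` slips through and `ServiceData\x` is wrongly blocked; and relative paths must be refused, because the service cannot know the caller's working directory.

```python
"""Model of the least-privilege desktop/service split in claims 1-4.

Added example; not code from the patent or from Fisher-Rosemount Systems.
Desktop applications live in a desktop namespace and reach service
objects, removable media and the network only through an IPC request
that the service-side monitor checks. All names below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample data (assumed): a user's full privilege set, the
# subset a desktop app may keep, the protected service folder, and the
# only network peers the communication service will open on behalf of
# desktop code.
USER_PRIVILEGES = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege",
                   "SeDebugPrivilege", "SeLoadDriverPrivilege"}
DESKTOP_ALLOWED = {"SeChangeNotifyPrivilege", "SeShutdownPrivilege"}
SERVICE_ROOT = r"C:\ProgramData\PlantControl\Service"
NETWORK_ALLOWLIST = {("historian.plant.local", 5432),
                     ("controller-01.plant.local", 502)}


def restricted_privileges(user_privs: set[str], allowed: set[str]) -> set[str]:
    """Claim 2: the desktop app keeps only those of the launching user's
    privileges that are also on the desktop allow list; nothing is added."""
    return user_privs & allowed


def canonical(path: str) -> PureWindowsPath:
    """Resolve '.' and '..' lexically so a write target can be compared
    with the protected folder. Relative paths are rejected: the service
    does not know the desktop caller's working directory."""
    p = PureWindowsPath(path)
    if not p.is_absolute():
        raise ValueError(f"relative path not allowed: {path!r}")
    parts: list[str] = []
    for part in p.parts[1:]:          # parts[0] is the drive/UNC anchor
        if part == "..":
            if parts:
                parts.pop()           # '..' at the root stays at the root
        elif part != ".":
            parts.append(part)
    return PureWindowsPath(p.anchor, *parts)


def under_service_root(path: str) -> bool:
    """Claim 4 check. Compare path components, not string prefixes, so
    '...\\ServiceData\\x' is not mistaken for '...\\Service\\x', and
    compare case-insensitively because NTFS names are."""
    target = [c.lower() for c in canonical(path).parts]
    root = [c.lower() for c in canonical(SERVICE_ROOT).parts]
    return target[:len(root)] == root


@dataclass
class Namespace:
    """Claim 1: each side can name only the objects in its own namespace."""
    name: str
    objects: dict[str, str] = field(default_factory=dict)

    def can_see(self, obj_name: str) -> bool:
        return obj_name in self.objects


DESKTOP_NS = Namespace("desktop", {"ipc_endpoint": "pipe to service monitor"})
SERVICE_NS = Namespace("service", {"historian_db": "local historian",
                                   "comm_socket": "plant network socket",
                                   "media_reader": "removable media"})


@dataclass
class DesktopApp:
    user: str
    privileges: set[str]
    namespace: Namespace = field(default_factory=lambda: DESKTOP_NS)

    @classmethod
    def launch(cls, user: str, user_privs: set[str]) -> "DesktopApp":
        return cls(user, restricted_privileges(user_privs, DESKTOP_ALLOWED))


class ServiceMonitor:
    """Service-namespace end of the IPC channel: the only route by which
    desktop code reaches local files, the network or external media."""

    def __init__(self) -> None:
        self.audit: list[str] = []

    def _decide(self, app: DesktopApp, ok: bool, what: str) -> tuple[bool, str]:
        verdict = "ALLOW" if ok else "DENY"
        self.audit.append(f"{verdict} {app.user}: {what}")
        return ok, f"{verdict}: {what}"

    def handle(self, app: DesktopApp, req: dict) -> tuple[bool, str]:
        op = req.get("op")
        if op == "write":
            try:
                blocked = under_service_root(req["path"])
            except ValueError as exc:
                return self._decide(app, False, str(exc))
            if blocked:
                return self._decide(app, False, f"write inside service folder {req['path']}")
            return self._decide(app, True, f"write {canonical(req['path'])}")
        if op == "connect":
            peer = (req["host"], req["port"])
            return self._decide(app, peer in NETWORK_ALLOWLIST,
                                f"connect {peer[0]}:{peer[1]} via communication service")
        if op == "media_read":
            # External media is opened by the media service, never by the app.
            return self._decide(app, True, f"read {req['device']} via media service")
        return self._decide(app, False, f"unknown operation {op!r}")
```

A desktop app launched with `DesktopApp.launch("operator", USER_PRIVILEGES)` ends up holding only the two allow-listed privileges and cannot resolve `historian_db` in its own namespace; every file, network or media operation becomes a request to `ServiceMonitor.handle`, whose audit list records each decision.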

Description

This application relates, in general terms, to process plant computer systems, and more specifically, to methods and apparatus for securely operating software processes within devices such as computer devices in a process or plant environment. Process control systems, such as the distributed or scalable process control systems used in power generation, chemical, petroleum, or other processes, typically include one or more controllers that are communicably connected to each other and to at least one host or operator workstation via a process control network, and to one or more field devices via analog, digital, or combined analog/digital buses. Field devices, which may be valves, valve positioners, switches, and transmitters (e.g., temperature, pressure, and flow sensors), perform functions within the process or plant, such as opening or closing valves, switching devices on and off, and measuring process parameters. Controllers receive signals indicating process or plant measurements made by the field devices and/or other information associated with the field devices, use this information to implement control routines, and then generate control signals that are transmitted to the field devices via the bus to control the operation of the process or plant. Information from the field devices and controllers is typically made available to one or more applications executed by the operator workstation, enabling the operator to perform any desired function related to the process or plant, such as checking the current status of the plant or correcting plant operation. A process controller is typically located within the process plant environment. It receives signals indicating process measurements or process variables produced by or associated with field devices, and/or other information about the field devices, and uses this information to execute controller applications.
The controller applications, for example, implement different control modules that make process control decisions, generate control signals based on the received information, and coordinate with control modules or blocks within field devices such as HART® and FOUNDATION® fieldbus field devices. The control modules within the process controller transmit control signals to the field devices via communication lines or other signaling paths, thereby controlling the operation of the process. Information from the field devices and process controllers is also made available via the process control network to one or more hardware devices, such as operator workstations, maintenance workstations, servers, personal computers, portable devices, data historians, report generators, and centralized databases. The information communicated via the network allows operators or maintenance personnel to perform desired process functions and/or verify plant operation. For example, this information enables operators to change process control routine settings, modify the operation of control modules in process controllers or smart field devices, check the current process status or the status of specific devices in the process plant, review warnings generated by field devices and process controllers, simulate process operation for personnel training or for testing process control software, and diagnose problems or hardware failures in the process plant. Field devices typically communicate with other hardware devices via the process control network, which may be, for example, an Ethernet-based LAN. The network relays process parameters, network information, and other process control data to various entities within the process control system through various network devices. Typical network devices include network interface cards, network switches, routers, servers, firewalls, controllers, and operator workstations.
Network devices typically facilitate the flow of data through the network by controlling routing, frame rate, timeouts, and other network parameters, but they do not modify the process data itself. As the process control network grows in size and complexity, the number and types of network devices increase accordingly, and as a result of this growth in the system and network, security and management gradually become more difficult. For example, each network device may include one or more communication ports that provide access points for physically interconnecting process control system components and other network devices with each other over the network. However, some of these ports or connections may be used to connect control devices to publicly accessible networks such as the Internet, or to connect portable memory devices to control system devices. Open ports on a device can therefore serve as access points for expanding the network by adding other devices, but they can equally allow malicious or non-malicious entities to access the network and initiate unwanted and potentially harmful network traffic, or to introduce malware (e.g., malicious programs, spy or data-gathering pr