Patent Analysis of: Network management system

Updated Time: 12 June 2019

Patent Registration Data

Publication Number: US10003575
Application Number: US14/129215
Application Date: 04 June 2013
Publication Date: 19 June 2018
Current Assignee: YOKOGAWA ELECTRIC CORPORATION
Original Assignee (Applicant): YOKOGAWA ELECTRIC CORPORATION
International Classification: H04L29/06, H04L12/46, H04W12/02, H04L12/24, H04W88/16
Cooperative Classification: H04L63/0263, H04L12/4625, H04L41/28, H04L63/20, H04W12/02
Inventor: SHIMOMURA, TAKANORI


Abstract

There is provided a network management system using wireless network management devices each having a plurality of security policies. With the network management system, the wireless network management devices can be concurrently used in networks with a plurality of security levels, and security can be ensured without installing firewalls externally, so that labor for setting and operating a network for redundancy can be saved. The network management system includes: a first network NW1 to which plant management devices 11 and 12 are connected; a second network NW2 to which field devices 51 to 5n are connected; and wireless network management devices 61 and 62 each having a firewall function and connected to the first network NW1 and the second network NW2.


Claims

1. A network management system for industrial automation comprising: a first network to which a plant management device is connected; a second network to which a field device is connected, the first network and the second network having different security levels; and a plurality of network management devices each having a firewall function and each independently connected to the first network and the second network through the firewall function, wherein each of the plurality of network management devices is configured to be concurrently used with the first network and second network having different security levels to provide a redundant network, the plurality of network management devices comprising a system manager function and a gateway function, wherein the plurality of network management devices are directly connected to each other through a private communication line, wherein the plurality of network management devices are configured to be redundant, wherein a table of IP addresses, which are permitted for communication with the first and second networks, is synchronized through the private communication line between the plurality of network management devices, and wherein the plurality of network management devices are uniquely identified on the first network, wherein each of the plurality of network management devices configures the second network.

2. The system according to claim 1, wherein each of the plurality of network management devices has a plurality of communication ports for connecting to a plurality of networks.

3. The system according to claim 2, wherein respective security policies are assigned to a corresponding one of the communication ports, and each of the communication ports connects to a corresponding one of the networks each having a different security area.

4. The system according to claim 3, wherein the network management system is constructed based on a wireless communication standard ISA100.11a for industrial automation.

5. The system according to claim 1, wherein the plurality of network management devices each comprise a filtering rule setting database comprising the table of IP addresses for the firewall function.

6. The system according to claim 1, wherein the plurality of network management devices each comprise a dedicated redundancy connection communication port for directly connecting to each other for the private communication line.

7. The system according to claim 1, wherein the private communication line comprises a backplane of a printed wiring board.

8. The network management system according to claim 1, wherein each of the plurality of network management devices has a system manager function in ISA100.11a.

9. A network management system for industrial automation comprising: a first network to which a plant management device is connected; a second network to which a field device is connected, the first network and the second network having different security levels; and a plurality of network management devices each having a gateway function and a firewall function and each independently connected to the first network and the second network through the firewall function wherein each of the plurality of network management devices is configured to be concurrently used with the first network and second network having different security levels to provide a redundant network, wherein the plurality of network management devices are directly connected to each other through a private communication line wherein the plurality of network management devices are configured to be redundant, and wherein a table of IP addresses, which are permitted for communication with the first and second networks, is synchronized through the private communication line between the plurality of network management devices, wherein each of the plurality of network management devices configures the second network.


Description

TECHNICAL FIELD

The present invention relates to a network management system. In particular, the present invention relates to security management for networks.

BACKGROUND ART

FIG. 3 is a block diagram showing an example of background-art networks constructed based on a wireless communication standard ISA100.11a for industrial automation. Plant management devices 11 and 12 are connected to a first network NW1. These plant management devices 11 and 12 constitute a first security area SA1.

The first network NW1 is connected to a second network NW2 through a firewall 21.

Wireless network management devices 31 and 32 are devices each having a system manager function and a gateway function in ISA100.11a so that each of the wireless network management devices 31 and 32 can manage a wireless network and exchange information with any device on the wireless network.

In addition, the wireless network management devices 31 and 32 are not only connected to the second network NW2 but also connected to a third network NW3.

A maintenance terminal 4 is also connected to the third network NW3. These wireless network management devices 31 and 32 and the maintenance terminal 4 constitute a third security area SA3.

The third network NW3 is connected to a fourth network NW4 through a firewall 22.

Field devices 51 to 5n are connected to the fourth network NW4. These field devices 51 to 5n constitute a fifth security area SA5.

Here, the firewalls 21 and 22 are provided at the respective network boundaries in order to satisfy the different security policies of the first security area SA1, the third security area SA3 and the fifth security area SA5.

For example, each security policy includes IP address information specifying which addresses are permitted to connect to the corresponding network. When a permitted IP address is set for a communication port, connections from any other IP address through that communication port are refused.

A security policy for using the plant management devices 11 and 12 in a redundant configuration is set in the first security area SA1.

A security policy for using the wireless network management devices 31 and 32 in a redundant configuration is set in the third security area SA3.

A security policy for operating the plurality of field devices 51 to 5n in parallel is set in the fifth security area SA5.

Patent Literature 1 discloses a control network management system in which a process control system for industrial automation is configured as a wireless control network system. Falsification and similar acts by a malicious third party can thereby be prevented, and a process control wireless communication signal, which requires a high real-time property with ensured priority, can coexist on one and the same network with a signal that does not require such a high real-time property.

CITATION LIST

Patent Literature

Patent Literature 1: JP-A-2011-142441

SUMMARY OF INVENTION

Technical Problem

When a wireless network management device is newly connected in the configuration of FIG. 3, the network boundaries must be protected using a firewall, which incurs the cost of installing that firewall.

In addition, since the maintenance terminal is directly connected to the wireless network management devices, and since the security of the third security area SA3 used for redundancy must also be taken into consideration, security policy management becomes complicated.

In addition to the firewall, equipment such as a network switch is required to build the network used for redundancy.

Further, depending on the configuration of each network, the communication that controls the redundancy configuration may pass through another network and affect it.

The present invention is directed toward the problems in the background art. An object of the invention is to use wireless network management devices each having a plurality of security policies so that the wireless network management devices can be concurrently used in networks with a plurality of security levels.

Another object is to use a wireless network management device having a built-in firewall function to thereby ensure security without externally installing a firewall and save labor for setting and operating a network for redundancy.

The objects of the present invention can be achieved with the following configurations.

(1) A network management system comprising:

    • a first network to which a plant management device is connected;
    • a second network to which a field device is connected; and
    • network management devices each having a firewall function and connected to the first network and the second network.

(2) The system according to the above item (1), wherein the network management devices are connected to each other through a private communication line so as to be made redundant.

(3) The system according to the above items (1) or (2), wherein each of the network management devices has a plurality of communication ports for connecting to a plurality of networks.

(4) The system according to the above item (3), wherein respective security policies are assigned to a corresponding one of the communication ports, and each of the communication ports connects to a corresponding one of the networks each having a different security area.

(5) The system according to any one of the above items (1) to (4), wherein the network management system is constructed based on a wireless communication standard ISA100.11a for industrial automation.

Advantageous Effects of Invention

With these configurations, network management devices can be used concurrently in networks with a plurality of security levels.

In addition, security can be ensured without separately providing firewalls, so that labor for setting and operating a network for redundancy can be saved.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram showing an embodiment of the invention;

FIG. 2 is a block diagram showing a specific example of a wireless network management device 61; and

FIG. 3 is a block diagram showing an example of background-art networks.

DESCRIPTION OF EMBODIMENTS

The invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing an embodiment of the invention. In FIG. 1, parts in common with those in FIG. 3 are referred to by the same numerals correspondingly.

Plant management devices 11 and 12 are connected to a first network NW1. These plant management devices 11 and 12 constitute a first security area SA1.

Wireless network management devices 61 and 62 are connected to the first network NW1 and a second network NW2. The wireless network management devices 61 and 62 are connected to each other through a private connection line. A maintenance terminal 7 is directly connected to the wireless network management device 61 or 62. These wireless network management devices 61 and 62 and the maintenance terminal 7 constitute a sixth security area SA6.

Field devices 51 to 5n are connected to the second network NW2.

Each of the wireless network management devices 61 and 62 has not only a system manager function and a gateway function in the wireless communication standard ISA100.11a for industrial automation but also a firewall function. Because of the firewall function provided in each of the wireless network management devices 61 and 62, these devices can be connected directly to the networks NW1 and NW2.

When security policies are assigned to the respective ports of the wireless network management devices 61 and 62, each of the wireless network management devices 61 and 62 can be connected to a plurality of networks with different security policies.

In addition, a private connection line is used for communication between the wireless network management devices 61 and 62 so that a redundant configuration can be constructed.

FIG. 2 is a block diagram showing a specific example of the wireless network management device 61. In FIG. 2, a redundancy management device connection communication port 61b is connected to a packet processor 61a, and a firewall function unit 61c is also connected to the packet processor 61a.

A filtering rule setting database 61d is connected to the firewall function unit 61c. In addition, a maintenance terminal direct link communication port 61e, an upper network connection communication port 61f and a lower network connection communication port 61g are also connected to the firewall function unit 61c.

In the configuration of FIG. 2, the firewall function unit 61c acquires a filtering rule from the filtering rule setting database 61d and operates in accordance therewith. Here, the filtering rule means information such as a table of IP addresses which are permitted for communication through the respective communication ports.

The firewall function unit 61c controls received packets based on the filtering rule acquired from the filtering rule setting database 61d, and packets permitted for communication can be delivered to the packet processor 61a.

Information is synchronized between the wireless network management devices 61 and 62 which are configured redundantly so that the database in one wireless network management device 61 is equivalent to the database in the other wireless network management device 62.

For example, the redundancy management device connection communication port 61b, which directly connects one wireless network management device 62 to the other wireless network management device 61, is used for the communication that synchronizes the databases. Thus, the synchronization traffic is kept off the upper network NW1 and the lower network NW2.
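The following Python model, added here as an illustration rather than code from the patent or from Yokogawa, shows the FIG. 2 behaviour: the firewall function unit (61c) consults a per-port table of permitted IP addresses (61d), only permitted packets reach the packet processor (61a), and table updates are synchronized to the redundant peer solely over the redundancy port (61b), so a synchronization message arriving on the NW1 or NW2 port is rejected. Port names, the message format and all addresses are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Communication ports of one device, named after the FIG. 2 reference signs (assumed labels).
PORT_REDUNDANCY = "61b"  # redundancy management device connection port (private line)
PORT_MAINT = "61e"       # maintenance terminal direct link port
PORT_UPPER = "61f"       # upper network (NW1) connection port
PORT_LOWER = "61g"       # lower network (NW2) connection port


@dataclass
class Packet:
    port: str            # port the packet arrived on
    src: str             # source IP address ("" for private-line sync messages)
    kind: str = "data"   # "data" or "sync" (constructed message kinds)
    payload: object = None


class FilteringRuleDatabase:
    """61d: per-port table of IP addresses permitted for communication."""

    def __init__(self, rules):
        self.rules = {p: {ip_address(a) for a in addrs} for p, addrs in rules.items()}

    def permitted(self, port, src):
        # An address is only accepted on the port whose policy lists it.
        return ip_address(src) in self.rules.get(port, set())

    def snapshot(self):
        return {p: sorted(str(a) for a in addrs) for p, addrs in self.rules.items()}

    def load(self, snap):
        self.rules = {p: {ip_address(a) for a in addrs} for p, addrs in snap.items()}


class WirelessNetworkManagementDevice:
    def __init__(self, name, rules):
        self.name = name
        self.db = FilteringRuleDatabase(rules)  # 61d
        self.peer = None                        # the other device of the redundant pair
        self.processed = []                     # packets delivered to packet processor 61a
        self.dropped = []

    def firewall(self, pkt):
        """61c: apply the filtering rule; return True if the packet is accepted."""
        if pkt.kind == "sync":
            # Database synchronization is honoured only on the private line (61b);
            # the same message arriving via NW1 or NW2 is discarded.
            if pkt.port != PORT_REDUNDANCY:
                self.dropped.append(pkt)
                return False
            self.db.load(pkt.payload)
            return True
        if self.db.permitted(pkt.port, pkt.src):
            self.processed.append(pkt)
            return True
        self.dropped.append(pkt)
        return False

    def update_rule(self, port, addrs):
        """Change the local table and push a copy to the peer over the private line."""
        self.db.rules[port] = {ip_address(a) for a in addrs}
        if self.peer is not None:
            self.peer.firewall(Packet(PORT_REDUNDANCY, "", "sync", self.db.snapshot()))


def pair(a, b):
    """Connect two devices as a redundant pair and perform the initial synchronization."""
    a.peer, b.peer = b, a
    b.db.load(a.db.snapshot())
```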

According to such a configuration, each of the wireless network management devices 61 and 62 can be connected to the plurality of networks NW1 and NW2 having different security levels.

The wireless network management devices 61 and 62 can be installed in a security level boundary without separately using firewalls.

Since the wireless network management devices 61 and 62 are connected directly to each other through the private connection line, redundancy can be achieved easily without the necessity of constructing a network for a redundancy configuration.

Further, since the communication required for operating the wireless network management devices 61 and 62 in the redundant configuration is carried over the private connection line, this communication does not affect other networks. The private connection line in this case is not limited to a network cable; a private cable or a backplane of a printed wiring board may also be used.

In addition, although the embodiment has been described with wireless network management devices by way of example, the invention is not limited thereto. When the network management devices are wired network management devices, the same effect is obtained.

As described above, according to the invention, wireless network management devices each having a built-in firewall function are used. It is thus possible to achieve a network management system in which the wireless network management devices can be concurrently used in networks with a plurality of security levels, and security can be ensured without installing firewalls externally, so that labor for setting and operating a network for redundancy can be saved.

The above explanation and illustration of the invention merely show a specific preferred embodiment. Accordingly, the invention is not limited to that embodiment and may include many changes and modifications without departing from the nature of the invention.

The present application is based on Japanese patent application No. 2012-142224, filed on Jun. 25, 2012, the contents of which are incorporated herein by reference.

REFERENCE SIGNS LIST

11, 12 plant management device

51 to 5n field device

61, 62 wireless network management device

61a packet processor

61b redundancy management device connection communication port

61c firewall function unit

61d filtering rule setting database

61e maintenance terminal direct link communication port

61f upper network connection communication port

61g lower network connection communication port
