(WO2019006537) CRITICAL INFRASTRUCTURE SECURITY FRAMEWORK

We claim:

1. A system for an end-to-end security framework in a mission critical infrastructure site, the system comprising:

(a) an L3 level network partitioned into a plurality of L2 level networks based on functional purpose and connected through a plurality of firewall devices;

(b) a control device provided in the mission critical infrastructure site connected to one of the plurality of L2 level networks;

(c) an input device connected to one of the plurality of L2 level networks for allowing a user to request access to the control device by inputting user information into the input device;

(d) a secure gateway device with dynamic firewall function managing access between the input device and the control device through applying dynamic firewall rules;

(e) a credential management application connected to at least one of the plurality of L2 networks having a role based access control protocol for granting access to the control device by analyzing the user information; and

(f) whereby the user can be granted access to the control device based on the analysis of the user information by the role based access control protocol of the credential management application.

2. The system of claim 1 wherein the secure gateway device is located in the mission critical infrastructure site.

3. The system of claim 1 wherein the secure gateway device is located remote from the mission critical infrastructure site.

4. The system of claim 1 wherein the credential management application is located in the mission critical infrastructure site.

5. The system of claim 1 wherein the credential management application is located remote from the mission critical infrastructure site.

6. An end-to-end security framework for a mission critical infrastructure having a plurality of sites, the framework comprising:

(a) an L3 level network partitioned into a plurality of L2 level networks,

(b) a plurality of intelligent electronic devices connected through one of a plurality of L2 level networks to form a plurality of functional groups across the plurality of sites, at least one device being accessible to a user and at least one device being a secure gateway, wherein L2 connectivity between the plurality of the intelligent electronic devices within the same functional group is maintained across sites to accommodate critical infrastructure L2 protocol communications requirements and non-L3 critical infrastructure communication protocols yet restricting access through a role based authentication control protocol,

(c) an input device connected to one of the plurality of the L2 level networks for allowing a user to request access to the control device by inputting user information into the input device;

(d) a secure gateway device connected to one of the plurality of the L2 level networks for control access between the input device and the plurality of intelligent electronic devices,

(e) a credential management application connected to one of the plurality of the L2 level networks having a role based access control (RBAC) protocol for granting access to each of the plurality of intelligent electronic devices by analyzing the user information; and

(f) whereby the user can be granted access to each of the plurality of intelligent electronic devices based on the analysis of the user information by the role based access control protocol of the credential management application.

7. The framework of claim 6 wherein each of the plurality of intelligent electronic devices are grouped based on functional purpose and connected through the secure gateway device.

8. The framework of claim 7 wherein the secure gateway device further comprises an authentication proxy function using role based access control authentication rules used to control access to the plurality of intelligent electronic devices.

9. The framework of claim 6 wherein the functional separation is based on application, control element, user role or managing authority jurisdiction.

10. The framework of claim 9 wherein user access to one of the plurality of intelligent electronic devices is restricted across functional groups through an access control function using dynamic firewall rules based on user credentials.

11. The framework of claim 10 wherein the L3 level network is part of a critical infrastructure.

12. The framework of claim 11 wherein one of the plurality of sites is a control room.

13. The framework of claim 12 wherein one of the plurality of L2 Level Networks is a SCADA or Operator Network Segment.

14. The framework of claim 13 wherein at least one of the plurality of L2 Level Networks is a SCADA network segment.

15. The framework of claim 13 wherein at least one of the plurality of L2 Level Networks is an Operator Network Segment.

16. The framework of claim 13 wherein the control room is provided with an OT DMZ for OT partner access.

17. The framework of claim 13 further comprising a stateful firewall between the SCADA and Operator network segment.

18. The framework of claim 13 wherein the control room further comprises an enterprise grade IDS.

19. The framework of claim 13 wherein the plurality of L2 Level Networks further comprise an antivirus, anti-spam or anomaly detection function.

20. The framework of claim 13 wherein the plurality of L2 Level Networks further comprises a SIEM platform for security monitoring.

21. The framework of claim 13 wherein the user authentication is conducted by a fallback mode supported on the secure gateway to facilitate site independent operation requirements for critical infrastructure sites.

22. The framework of claim 21 wherein the secure gateway utilizes dynamic firewall rules applied and removed based on RBAC according to user credentials.

23. The framework of claim 22 wherein a critical infrastructure protocol-aware IDS monitors security.

24. The framework of claim 22 wherein the plurality of L2 Level Networks further comprises VLANs.

25. The framework of claim 24 wherein logical separation into functional groups uses the device MAC address to restrict access to network ports to the specific intended device, especially on the SCADA network segment and control room network segment.

26. The framework of claim 25 wherein an unused port on a device is put in a disabled or shut-down mode, with the exception of maintenance ports, for which the appropriate VLAN needs to be configured for functional separation and maintaining security.
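Claims 25 and 26 together describe a port-level hardening policy: each active port on the SCADA and control room segments is pinned to the MAC address of its intended device and placed in the VLAN of its functional group, unused ports are shut down, and maintenance ports stay up only with their VLAN configured. The audit below is an added example, not code from the patent or its applicant; the switch-port inventory format, the port roles and every MAC and VLAN value are constructed for illustration.

```python
"""Audit a switch-port inventory against the port hardening described in
claims 25 and 26 (single intended MAC per active access port, VLAN per
functional group, unused ports shut down, maintenance ports with a VLAN).
The inventory schema and all values below are constructed for this example."""
import re

# Lower-case colon-separated MAC, the form the constructed inventory uses
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed inventory: one record per switch port
INVENTORY = [
    {"switch": "sw-scada-1", "port": "Gi1/0/1", "state": "up", "vlan": 110,
     "allowed_mac": "00:11:22:33:44:01", "role": "access"},
    {"switch": "sw-scada-1", "port": "Gi1/0/2", "state": "up", "vlan": 110,
     "allowed_mac": None, "role": "access"},          # active but not pinned to a MAC
    {"switch": "sw-scada-1", "port": "Gi1/0/3", "state": "up", "vlan": None,
     "allowed_mac": None, "role": "unused"},          # unused port left up
    {"switch": "sw-scada-1", "port": "Gi1/0/4", "state": "shutdown", "vlan": None,
     "allowed_mac": None, "role": "unused"},          # unused port correctly shut down
    {"switch": "sw-scada-1", "port": "Gi1/0/23", "state": "up", "vlan": 999,
     "allowed_mac": "00:11:22:33:44:ff", "role": "maintenance"},
    {"switch": "sw-scada-1", "port": "Gi1/0/24", "state": "up", "vlan": None,
     "allowed_mac": None, "role": "maintenance"},     # maintenance port without a VLAN
]


def check_port(p):
    """Return the list of findings for one port; an empty list means compliant."""
    findings = []
    role, state = p["role"], p["state"]
    if role == "unused":
        # Claim 26: unused ports are disabled or shut down
        if state != "shutdown":
            findings.append("unused port is not shut down")
    elif role == "maintenance":
        # Claim 26: maintenance ports may stay up, but only with their VLAN configured
        if p["vlan"] is None:
            findings.append("maintenance port has no VLAN configured")
    elif role == "access":
        # Claim 25: an active access port is restricted to one intended device MAC
        # and sits in the VLAN of its functional group
        if state == "up":
            mac = p["allowed_mac"]
            if mac is None or not MAC_RE.match(mac):
                findings.append("access port not pinned to a single device MAC")
            if p["vlan"] is None:
                findings.append("access port has no functional-group VLAN")
    else:
        findings.append(f"unknown port role {role!r}")
    return findings


def audit(inventory):
    """Map 'switch/port' to its findings for every non-compliant port."""
    report = {}
    for p in inventory:
        findings = check_port(p)
        if findings:
            report[f"{p['switch']}/{p['port']}"] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(INVENTORY).items():
        print(port, "->", "; ".join(findings))
```

Running the audit on the constructed inventory flags three ports (the unpinned access port, the unused port left up, and the maintenance port without a VLAN) and passes the other three; feeding it an export from real switch configuration is a matter of mapping that export onto the same record fields.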

27. The framework of claim 26 wherein a static connection is created across functional groups.

28. The framework of claim 27 wherein the static connection can be accommodated through the use of static client mode.

29. The framework of claim 22 wherein L2 encryption is used between the first and second site while maintaining the L2 connectivity required to support non-L3 critical infrastructure communication protocols.

30. The framework of claim 22 further comprising a plurality of secure gateways to enhance the availability and reliability of the framework.

31. The framework of claim 13 wherein the secure gateways further comprise stateful firewalls to maintain security between the SCADA network segment and Operator Network Segment.

32. The framework of claim 31 wherein the stateful firewalls enhance security between SCADA and OT DMZ.

33. The framework of claim 32 further comprising an enterprise grade IDS system for anomaly detection and reporting.

34. A method for implementing a security framework for mission critical infrastructure applications maintaining L2 connectivity across infrastructure sites, the method comprising:

(a) partitioning an L3 level network into a plurality of L2 level networks based on functional purpose and connected through a plurality of firewall devices;

(b) providing a control device in the mission critical infrastructure site connected to one of the plurality of L2 level networks;

(c) allowing a user to request access to the control device through an input device connected to one of the plurality of L2 level networks, the user inputting user information into the input device;

(d) managing access between the input device and the control device through a secure gateway device with dynamic firewall function applying dynamic firewall rules;

(e) granting access to the control device through a credential management application connected to at least one of the plurality of L2 networks analyzing the user information using a role based access control protocol; and

(f) whereby the user can be granted access to the control device based on the analysis of the user information by the role based access control protocol of the credential management application.
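Claims 1 and 34 (with the fallback mode of claim 21 and the rule lifecycle of claim 22) describe one access flow: the user submits credentials at an input device, the credential management application evaluates them under an RBAC policy, and the secure gateway installs a dynamic firewall rule between that input device and the requested control device, removing it again when the session ends or the credential manager's decision expires. The simulation below is an added example, not code from the patent or its applicant; the device inventory, the role-to-functional-group policy, the user store, the rule time-to-live and the behaviour of the fallback cache are all constructed assumptions made for illustration.

```python
"""Simulation of the secure-gateway access flow of claims 1 and 34, with the
fallback mode of claim 21 and dynamic rule installation/removal of claim 22.
All devices, users, passwords and policy values are constructed for this example."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed inventory: control device -> functional group (its L2 segment)
DEVICES = {"rtu-01": "scada", "ied-07": "scada", "hmi-01": "operator"}

# Constructed RBAC policy: role -> functional groups the role may reach
ROLE_GROUPS = {
    "scada-engineer": {"scada", "operator"},
    "operator": {"operator"},
    "guest": set(),
}


def _hash(password, salt):
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed user store: password hashes plus the assigned role
USERS = {
    "alice": {"salt": "s1", "hash": _hash("alice-pw", "s1"), "role": "scada-engineer"},
    "bob": {"salt": "s2", "hash": _hash("bob-pw", "s2"), "role": "operator"},
}


@dataclass
class CredentialManager:
    """The credential management application of claim 1(e)."""
    users: dict
    available: bool = True  # False simulates loss of reachability from the site

    def authenticate(self, user, password):
        """Return the user's role on success, None on bad credentials."""
        if not self.available:
            raise ConnectionError("credential manager unreachable")
        rec = self.users.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            return None
        return rec["role"]


@dataclass
class SecureGateway:
    """The secure gateway of claim 1(d): dynamic rules keyed by (source, device)."""
    cred_mgr: CredentialManager
    fallback_users: dict                     # locally cached subset for claim 21 fallback
    rules: dict = field(default_factory=dict)  # (src_ip, device) -> expiry timestamp
    ttl: int = 900                           # assumed rule lifetime in seconds

    def request_access(self, user, password, src_ip, device, now=None):
        """Evaluate credentials under RBAC; install a rule only on a positive decision."""
        now = time.time() if now is None else now
        try:
            role = self.cred_mgr.authenticate(user, password)
            mode = "central"
        except ConnectionError:
            # Claim 21: site-independent operation using the gateway's local cache
            role = CredentialManager(self.fallback_users).authenticate(user, password)
            mode = "fallback"
        if role is None:
            return False, mode
        group = DEVICES.get(device)
        if group is None or group not in ROLE_GROUPS.get(role, set()):
            return False, mode              # role may not reach this functional group
        self.rules[(src_ip, device)] = now + self.ttl   # claim 22: rule applied
        return True, mode

    def revoke(self, src_ip, device):
        """Claim 22: rule removed when the session ends."""
        self.rules.pop((src_ip, device), None)

    def permits(self, src_ip, device, now=None):
        """Packet-filter decision for traffic from src_ip to device."""
        now = time.time() if now is None else now
        expiry = self.rules.get((src_ip, device))
        if expiry is None:
            return False
        if expiry <= now:
            del self.rules[(src_ip, device)]            # expired rule removed
            return False
        return True
```

Because the gateway only ever holds rules for (source, device) pairs that passed the RBAC check, the default for every other pair is deny, which is the property the claims rely on; in the fallback branch only users present in the local cache can be granted access, so losing the central application narrows access rather than widening it.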