Certains contenus de cette application ne sont pas disponibles pour le moment.
Si cette situation persiste, veuillez nous contacter àObservations et contact
1. (WO2019066883) DÉPLOIEMENT DE FONCTIONNALITÉ DE SÉCURITÉ DÉCLARATIVE PRÊTE À L'EMPLOI POUR PLATEFORME D'INGÉNIERIE
Note: Texte fondé sur des processus automatiques de reconnaissance optique de caractères. Seule la version PDF a une valeur juridique

PLUG-AND-PLAY DECLARATIVE SECURITY FUNCTIONALITY DEPLOYMENT FOR

AN ENGINEERING PLATFORM

TECHNICAL FIELD

[0001] This application relates to industrial control systems. More particularly, this application relates to providing cyber security to components of an industrial control system.

BACKGROUND

[0002] Recently, there has been an increased interest on the part of cyber attackers in targeting critical infrastructure. Targeting includes compromising the underlying industrial automation and control systems. Features such as vertical integration of production systems and horizontal integration of the value chain, create industrial control system (ICS) networks that are often directly or indirectly connected to information technology (IT) networks (e.g., office network) and the Internet. These networks provide access and thus opportunity for cyber attackers to exploit known and newly discovered vulnerabilities.

[0003] Unlike computers in the IT world, most ICS products such as programmable logic controllers (PLCs), distributed control system (DCS), motion controllers, supervisory control and data acquisition (SCADA) and human machine interfaces (HMIs) were originally designed for control functionalities without consideration of cybersecurity. Furthermore, most control system networks, which include multiple PLCs, HMIs, DCS, SCADA and motion controllers, are integrated without an in-depth consideration for protection against cyber threats.

[0004] The above state of the art defines at least two problems that must be addressed. First, automation engineers designing and programming the ICS may not have requisite IT security knowledge or other experience with security technologies, including encryption/decryption, intrusion detection, identity and access management (1AM), and the like. Second, IT security professionals may not have sufficient knowledge within the domain of automation and control. Accordingly, the designed security solutions devised by these individuals alone or in combination may introduce adverse influences on critical functions or possibly degrade performance of the control device. Solutions that address these shortcomings and problems are desired.

SUMMARY

[0005] An industrial control system (ICS) with enhanced cyber-security functionality includes a programmable logic controller (PLC) comprising a computer processor having a first processing core with a first control operating system running on the first processing core, and a real-time database stored in a memory controlled by the control operating system having an embedded historian within the real-time database. A first messaging component of the control operating system is in communication with the embedded historian. A security operating system runs on a second processing core. An embedded security server runs on the security operating system. A second messaging component is in communication with the embedded security server and with the first messaging component of the control operating system. The embedded security server is configured to apply supplemental security functionality to a data communication of the control operating system. In an embodiment, a second real-time database in communication with the embedded security server. The second real-time database

stores time series information of the ICS. A processing component in communication with the embedded security server performs additional processing of data in the second real-time database and a context component configured to translate meaning of the processed data in a first form to a second form representative of processing knowledge.

[0006] According to aspects of some embodiments of this disclosure, an app container in communication with the embedded security server is configured to contain at least one app in communication with the embedded security server. At least one app configured to providing security functionality is stored within the app container. The embedded security server is configured to execute the at least one app and apply the security functionality provided by the at least one app to at least one data communication of the control operating system.

[0007] The real-time database, the embedded historian and the first messaging component may be stored within a sandboxed region of a memory of the control operating system. In the ICS, a first control element in communication with the control operating system and a second control element in communication with the control operating system provide a source and destination, respectively of the data between the first control element and the second control element.

[0008] According to an embodiment, the first processing core and the second processing core are contained within one computer processor. In other embodiments, the first processing core is contained in a first computer processor and the second processing core is contained within a second computer processor.

[0009] A cyber-security system for supplementing cyber-security functionality of a computerized operations system comprising a computer processor for executing

computer executable instructions and a security server in communication with the computerized operations system. At least one computer application (app) is configured to provide cyber-security functionality to at least one aspect of the computerized operations system. The at least one app may be developed according to an application programming interface (API) associated with the computerized operations system. The at least one app is operable to receive a command to execute from the security server. According to aspects of embodiments described herein the security server is configured to execute the at least one app and apply the cyber-security functionality of the at least one app to the at least one aspect of the computerized operations system. In some embodiments, a real-time database in communication with the security server stores a plurality of time series of data generated by the operation of the computerized operations system.

[0010] A method for supplementing cyber security in a computerized control system according to aspects of embodiments of this disclosure includes in a security server, intercepting a communication between a first component and a second component of the computerized control system. The security server applies at least one security functionality to the intercepted communication and transmits the communication to the second component of the computerized control system. A security enhanced communication is delivered to the second component, based on the security functionality applied by the security server. Additionally, the security server may provide a command to a security app, the command operative to execute the security app to apply the at least one security functionality to the intercepted communication. Still further, the security server may apply at least a second a security functionality to the intercepted communication before the intercepted communication is delivered to the second component.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] The foregoing and other aspects of the present invention are best understood from the following detailed description when read in connection with the accompanying drawings. For the purpose of illustrating the invention, there is shown in the drawings embodiments that are presently preferred, it being understood, however, that the invention is not limited to the specific instrumentalities disclosed. Included in the drawings are the following Figures:

[0012] FIG. 1 is a block diagram illustrating a security model for an ICS according to aspects of an embodiment of the present disclosure.

[0013] FIG. 2 is a control and security coupled PLC according to aspects of an embodiment of the present disclosure.

[0014] FIG. 3 is a control PLC coupled to security functionality according to aspects of another embodiment of the present disclosure.

[0015] FIG. 4 is an exemplary code listing illustrating injectable security functionality according to aspects of an embodiment of the present disclosure.

[0016] FIG. 5 is an exemplary computer system which may be used in aspects of embodiments described in this disclosure.

[0017] FIG. 6 is a block diagram of an industrial control system according to aspects of an embodiment of the present disclosure.

[0018] FIG. 7 is a block diagram of a system for providing supplemental cyber-security functionality to computerized control system according to aspects of an embodiment of the present disclosure.

DETAILED DESCRIPTION

[0019] Referring to FIG. 1 , a block diagram illustrating a conventional security model for an industrial control system (ICS) is shown. ICS security functions are traditionally created in essentially two phases. The first phase occurs during product design and manufacture by a vendor. This is represented by blocks 101 and 103. New ICS products may have some basic security functions such as communication encryption and/or security logging. However, these features are implemented with commonly required features appropriate to all target use cases. The features are designed based on a generic security risk model 101 and create a number of statically designed security features 103, which are marketed as part of the ICS equipment. While these static security features 103 may provide some limited degree of protection, they will not protect a system against risks arising out of specific operational implementations, including networking and interconnection of the ICS components to other system components. Static security features 103 will further not provide protection from outside control and data connected services provided by network interconnections. Moreover, these static systems cannot provide protection against newly created threats and attack vectors. While static security features 103 may be updated based on later identified product vulnerabilities, they are not updated to provide additional protection integrity or response to threats.

[0020] In a second phase, additional security may be provided external to the product design and manufacture. During system integration, security features in addition to what is available in the static security features 103 provided by the vendors of each piece of the system may be designed or implemented. In this phase, the customer's specific security needs are defined and assessed to construct a customer specific security model 1 10. Based on the types of components and their arrangements and interactions, a required dynamic set of security features 1 1 1 is obtained.

[0021] During the first phase, static designed security features 103 are generally created by parties well familiar with the ICS product or component. These parties are well versed with the specific operation of the component in isolation and can provide limited security based on that knowledge. However, the knowledge of these individuals does not generally extend to the domain of cyber security for distributed of locally networked systems. Similarly, persons tasked with implementing the dynamic required security features 1 1 1 are well versed in cyber security, but less familiar with the specifics of ICS devices. As a result, the overall security model comprising the static designed security features 103 and the dynamic required security features 1 1 1 form a mismatch 140 representing exposure to threats not identified in either set of security features 103, 1 1 1. While some new threats and attack vectors 120 may be addressed through the customer specific security risk model 1 10, the resulting designed and implemented security model 121 is relatively poor due to the lack of feedback 130 for reporting new threats 120 to the designed model 103 for the ICS device.

[0022] In short, while asset owners and system integrators are capable of visualizing a realistic risk model for the control system as deployed, they may lack the ability to effectively implement the necessary security features to mitigate these same risks.

[0023] The above-mentioned problems relate to the fact that software architectures in most control critical devices (e.g. PLCs) do not presently offer the opportunity for quick and easy implementation of security functions. This challenge may fundamentally be handled through the use of an "app concept" coupled with a "development toolkit".

[0024] FIG. 2 shows a highly-coupled control-security PLC 200 according to one embodiment of this disclosure. Security vulnerabilities in industrial control systems (ICS) may be traced in large part to the fact that software architectures of critical devices, such as PLCs, do not offer a convenient or simple means for implementation and use of security functions. Referring to FIG. 2, PLC 200 includes a PLC control processor 201 including at least two processing cores 203, 205. First processing core 203 runs a PLC firmware operating system in a virtual machine 210. For example, one instance of firmware that may be used for PLC firmware according to embodiments of this disclosure is SIMATIC S7 developed by SIEMENS AG of Munich, Germany. The second processing core 205 may run a second operating system such as LINUX or MICROSOFT WINDOWS. The second core 205 processes data via the second operating system and runs as a second virtual machine 220. A virtualization layer 240, for example HYPERVISOR, available from SIEMENS AG may provide distribution of resources from the processing cores 203, 205 to the virtual machines 210, 220. In the PLC firmware processor 203, a real-time database (RTDB) 215 is established, which serves as an embedded historian 216. The RTDB 215 receives and stores all real-time

data processing data from processing image 213 and organizes the data as one or more time series containing elements such as inputs, outputs, memory variables, and commands from human-machine interfaces (HMIs) and Manufacturing Execution Systems (MES). In the second virtual machine 220 of processing core 205 a second RTDB 223 is defined. RTDB 223 exchanges data with RTDB 215 hosted by the PLC firmware in virtual machine 210. A processing module 225 processes primary data processing functions, such as reading/writing/filtering/smoothing of primary data in the RTDB 223. Processing module 225 receives and performs various processing functions on data stored in RTDB 223 of virtual machine 220. For example, process module 225 may read data from RTDB 223 and perform filtering processing on the read data. Other data processing, such as smoothing of the read data may be performed in addition to or instead of the filtering processing. Data processed by the process module 225 may then be written back to RTDB 223 for later retrieval or further processing.

[0025] Context module 227 acts as a translator and translates meanings of all data stored in the RTDB 223 to processing knowledge. Context module 227 may receive or read data from RTDB 223 and perform processing of the received data, the processing performing translation functions on the received data. For example, data may be retrieved from RTDB 223, and processed to transform the received data from a first format to a second format representative of production knowledge. In one non-limiting example, an electrical or digital signal from a sensor in communication with PLC 200 may be translated into a temperature value. In an exemplary embodiment, the sensor may be in communication with a fermentation tank in a brewery, which senses thermal conditions in the fermentation and generate an electrical or digital signal representative of the thermal conditions. Context module 227 extracts the electrical of digital signal from RTDB 223 and performs a conversion process to produce an output representative of a temperature value corresponding to the electrical or digital signal. The temperature value may be written to the RTDB 223 for later retrieval and further processing.

[0026] Processing core 205 further hosts, via virtual machine 220, an app container 230 housing processing instructions in the form of apps 231 , 233. Apps 231 , 233 may be accessible to the ICS from a commonly accessible marketplace. The marketplace may be accessible through a public or private network, including but not limited to, the Internet. Apps are developed by one or more parties and provided to the marketplace. Users may browse or search the marketplace for functionality provided by the apps. The functionality may be directed to various components or processes associated with the ICS implemented by PLC 200. By way of example, App 1 , 231 may by a security anomaly detection app for providing cyber-attack detection. Meanwhile, App 2, 233 may embody a machine prognostic analysis application. Both App 1 221 and App 2 223 operate on data stored in RTDB 223. Other functionality, including encryption, intrusion detection, identification and authentication, logging, key generation may be provided by apps, by way of non-limiting example.

[0027] An embedded security server, denoted as security daemon 226, orchestrates security functions such as encryption/decryption, access control (both role-based access control and attribute-based access control), signature, hashing, secure key generation and storage, secure timestamping, secure event logging and the like. The security functions may be provided by executable computer programs embodied as an app, similar to apps 231 , 233. The security daemon 226 acts as a go-between between the security functions provided by apps within app container 230 and the ICS functions being performed by virtual machine 210. The security daemon 226 is configured to recognize ICS control functions performed by the PLC and to implement security features provided by apps in app container 230 relating to the ICS control functions. For example, a communication between a first control element and a second control element may be encrypted to protect the communication during transmission. During manufacture and implementation of the PLC system, the engineers and security specialists may not have the knowledge or requisite skill to implement an encryption function for the given communication. According to the PCL embodiment 200 of FIG. 2, security daemon 226 receives a notification that the communication is about to commence. Security daemon intercepts the communication and provides processing via one or more apps, such as app 1 231 and/or app 2 233, to encrypt the communication data. The communication is then transmitted to its destination. Upon reaching its destination, the communication is intercepted by security daemon 226 and decrypted using functionality provided by an app within app container 230. The decrypted message is then provided to its intended destination.

[0028] FIG. 3 is an illustration of a PLC coupled with security functionality according to another embodiment of this disclosure. Programmable Logic Controller 300 includes PLC control processor 301 including processing core 303. Core 303 processes instructions which establish the ICS control firmware 31 1 in virtual machine 310. A virilization layer 240, for example HYPERVISOR, available from SIEMENS AG may provide distribution of resources from the processing cores 203, 205 to the virtual machine 310. The ICS firmware 31 1 performs operations and control functions for the system and includes a process image 313, which cyclically stores input data from input sensors or modules of the system, processes the input values, and stores and distributes updated output values to output modules of the system. Additional processing of the ICS data may be performed by a business analysis database 312. One example of a business analysis database application 312 is ADONIS available from BOC Information Technologies Consulting GmbH, of Vienna, Austria. A sandboxed region 317 of memory in virtual machine 310 stores a real-time database 315, which stores values of inputs and outputs generated in the process image 313 and other processes including business analytics generated by the business analysis database 312. Included in the real-time database 315 is an embedded historian 316. Embedded historian 316 stores a number of time series representative of system input/output values over some time interval. The time-series may be arranged according to individual sensor values, input modules or output modules. Other system parameters represented by the stored data in the real-time database 315 may be stored as time series data by the embedded historian 316. System parameters may include input values that are processed and transformed into output values. System parameters may also include output values that are inputs to other calculations that generate additional system information as a function of the output values. PLC 300 includes a portion of memory configured as messaging firmware 314.

[0029] The messaging firmware 314 is in communication with messaging firmware of a security server 320 via a secure communication channel 321. Security server 320, may be a stand-alone computer workstation according to an embodiment. In various embodiments security server 320 may be implemented in software or firmware of a host computing device or any combination thereof. For example, security server 320 may be implemented in a virtual machine established by an operating system of a host computer system. In the security server 320, a second RTDB 323 is defined. RTDB 323 exchanges data with RTDB 315 hosted by the PLC firmware in virtual machine 310. A processing module 325 processes primary data processing functions, such as reading/writing/filtering/smoothing of primary data in the RTDB 323. Processing module 325 receives and performs various processing functions on data stored in RTDB 323 of virtual machine 320. For example, process module 325 may read data from RTDB 323 and perform filtering processing on the read data. Other data processing, such as smoothing of the read data may be performed in addition to or instead of the filtering processing. Data processed by the process module 325 may then be written back to RTDB 323 for later retrieval or further processing. Context module 327 acts as a translator and translates meanings of all data stored in the RTDB 323 to processing knowledge. Context module 327 may receive or read data from RTDB 323 and perform processing of the received data, performing translation functions on the received data. For example, data may be retrieved from RTDB 323, and processed to transform the received data from a first format to a second format representative of production knowledge.

[0030] A novel method for simplifying engineering and configuration of cyber security functions for automation engineers is proposed. It includes, (a) an embedded security server (security daemon of FIG. 2 and FIG. 3), which orchestrates security functions such as encryption/decryption, access control (both role-based access control and attribute-based access control), signature, hashing, secure keys generation and

storage, secure timestamping, security event logging, etc., (b) a set of cyber security function blocks specifically created for created for Programmable Logic Controller (PLC), Motion Controller (MC) and Distributed Control System (DCS) with Application Program Interfaces (APIs) to interface with the security server and allow security operations to be called and performed together with control logic execution; (c) a security code injection/deployment architecture with a dynamic proxy that stands between the control code and the security server, and applies the security functions added to the component; and (d) a representation of these security injectable functions as icons in the engineering system (e.g., TIA Portal and SIMATIC Manager). During system design, automation engineers may to drag and drop those cyber security functions to configure, e.g., secure communications between control apps and devices, creating a layer of abstraction that allows security function deployment despite lack of security knowledge of the automation engineers.

[0031] FIG. 7 is a high-level block diagram of a system for providing supplemental cyber-security functionality to a computerized control system. A computerized control system 701 is in communication with one or more modules or sensors. For example, a first module or element 703 and a second module or element 705 may be in communication with computerized control system 701 via a communication network as known in the art. In one embodiment, module/sensor 1 703 may be a sensor that senses and measures a state of at least one aspect of the overall computerized control system 701. For example, module/sensor 701 may be a temperature sensor. Module or element 2 705 may be an actuator to control a valve, by way of non-limiting example. Module/sensor 1 703 provides an electrical or digital signal to the computerized control system 701 . The signal is representative of a temperature value measured by sensor 1 703. Computerized control system 701 receives the signal and may perform additional processing, such as filtering, smoothing or other further processing of the signal. Based on the value of the signal and the additional processing, logic within the computerized control system 701 may generate further signals that are operative to control module/sensor 2 705. For example, computerized control system 701 may include programmed logic to close a valve associated with module/sensor 2 705 when the temperature sensed by module/sensor 1 703 exceeds some predetermined value. Computerized controls system 701 may send a signal to module/sensor 2 705 operative to cause an actuator to provide mechanical force to close a valve associated with the actuator in response to the temperature signal provided by the first module sensor 703. The resulting control of the second module 705 may be envisioned as a communication 710 between the first module 703 and the second module 705. Communication 710 may be vulnerable to cyber-security threats. For example, an entity interested in interfering with the system operations controlled by computerized control system 701 may be motivated to change the value of the signal provided by the first module 703, or alter the command issued to the second module 705. The altered command may cause the actuator associated with the second module 705 to control a system component (e.g. a valve) in a manner that is detrimental to operation of the overall system. Security functionality built-in to the computerized control system 701 may be insufficient to identify and mitigate some cyber-security threats. Therefore, supplemental cyber-security functionality is desirable.

[0032] Security server 71 1 is configured to intercept communication 710 and inject additional cyber-security functionality to communication 720. Security server 71 1 is further in communication with an app container 713, which stores one or more apps 715. Apps 715 may be programmed to provide additional or supplemental cyber-security functionality to computerized control system 701. For example, one app of apps 715 may provide data encryption functionality. In another embodiment, a second app of apps 715 may provide cyber-attack detection. Other security-related functionality may be provided by other apps 715. Apps 715 may be programmed in accordance with an API defined to interconnect with computerized operations of the computerized control system 701.

[0033] Security server 71 1 intercepts communication 710 and calls the execution of one or more apps 715. The selected apps provide additional or supplement cyber-security functionality to communication 710 before the communication 710 reaches second module/sensor 705. In some embodiments, additional cyber-security functionality may be applied to the communication 710 before reaching its destination. A non-limiting example of this would be an embodiment where the security server 71 1 intercepts a communication of first sensor 703 and provides data encryption to the signal to protect the content of the signal during transmission. Prior to reaching the second module/sensor 705, security server may call an app 715 to provide decryption of the encrypted communication 710 before it reaches second module/sensor 705.

[0034] Computerized control system 701 is in communication with a first real-time database 707 which stores time-series values pertaining to the computerized control system. For instance, input and output values, computed values, and other data

generated as the computerized control system 701 operates may be stored in real-time database 707 according to the times at which the values are generated. A second realtime database 717 is associated with security server 71 1 and provides the security server 71 1 with information relating to the states and operational states of the computerized control system 701. First real-time database 707 and second real-time database 717 intercommunicate via a secured communication path 730.

[0035] The computerized control system 701 may be implemented as a PLC. For a PLC, a set of cyber security function blocks may be specifically created for the PLC, motion controllers (MC) and a distributed control system (DCS). Each function block is associated with one or more application program interfaces (APIs) allowing the function block to interface with the security server 71 1 . In this way, security operations may be called and performed along with the execution of control logic.

[0036] Security server 21 1 and computerized control system 701 may be in communication with a trusted platform module (TPM) 720. The TPM 720 includes encryption keys to identify hardware components within the computerized control system 701 , including but not limited to module/sensor 1 703 and module/sensor 2 705. While executing commands or instructions during run-time, the TPM 720 assures that the components providing inputs, outputs, or processing are trusted devices recognized by the system.

[0037] Referring now to FIG. 6, a process flow diagram for a method of enhancing security functionality in an industrial control system or other computerized control system is shown. In the ICS or computerized control system, a communication is transmitted from a first module or component of the ICS to a second module or

component of the ICS 601. An embedded security server, such as the security daemon of FIG. 2 and FIG. 3 intercepts the communication 603. The embedded security server applies at least one instance of security functionality to the intercepted communication 605. In an embodiment, the embedded security server may coordinate with an app container, containing a number of security-based apps. The embedded security server may execute one or more of the security-based apps such that the selected apps provide cyber-security functionality to the communication intercepted by the embedded security server 605. The secured communication is then supplied to its intended destination 607. Before delivering the communication to the destination module, additional security-based processing may be performed 609. For example, a message that was encrypted for transmission to the destination may be intercepted by the embedded security server. Additional security-based functionality, such as decryption, may be performed to decrypt the message prior to providing the message to its intended recipient.

[0038] The implementation of security functions may utilize qualities of Aspect-Oriented Programming (AOP) to wire loosely-coupled components that originally do not offer security protection and Dependency Injection (Dl) to instruct the application container to wire business objects to security objects. This infrastructure allows the concept of Security Annotation at multiple levels including a) inside the app code, and b) inside the specified control logic within a control app. At the control logic level, the security annotations would be possible, for example, through the following programming editor.

[0039] Structured Control Language (SCL) used in the programming of complex algorithms corresponds to the textual high-level language structured text (ST) defined in the standard IEC 61 131 -3 and fulfills base level and reusability level requirements according to PLC open. SCL is particularly suited for high-speed programming of complex algorithms and arithmetic functions as well as for other tasks involving data processing. The SCL code is simple, concise and clear to produce and manage. Programming efficiency may be enhanced using new, high-performance SCL compilers.

[0040] FIG. 4 illustrates an exemplary security feature declaration inside a SCL code written to an Organization Block Cycle (OB1). Security annotations have the objective of expression for a given application, which may or may not be a control application, the security requirements for the execution of that given application using either deployment descriptors or code annotations. The presence of an annotation in the control logic that specifies execution permissions, for instance, may be useful for execution protection and authentication. In the FIG. 4, the annotation @SecurityEncryption("confidential") 401 tells the runtime execution environment to perform low level encryption before storing the data. The @SecurityLoggable annotation 403 instructs the runtime environment to generate a security log entry for the output switch data recording event.

[0041] In this example, a dynamic proxy would intercept the calls and redirect security function execution to the Security Daemon to handle all security sensitive and critical operations. The security daemon may be implemented in software, hardware (through a hardware security module (HSM) or TPM - trusted platform module system-on-a-chip (SOC)) or any combination these.

[0042] Some security functions may also be implemented by statement list (SL) programming. The statement list textual programming language (STL) enables the creation of hardware-level runtime and memory-optimized user programs. Since this is designed as a low-level programming option for high-performance, only a subset of the injectable functions would be available.

[0043] Further examples of cyber-security related annotations may include:

• @SecurityRolesAllowed("Supervisor"): defines application authorization levels (access control) for user or machine-to-machine authentication (e.g., authentication between a PLC and smart field device sending critical data);

• @SecurityAuth: requires authentication as a pre-condition for the execution of a given command;

• @SecurityVolatile: instructs the application to consider the command execution as a sensitive operation that requires secure memory handling (e.g. with obfuscation and secure deletion after execution);

• @SecurityRunAs: instructs the application to set the role for the command execution;

• @SecurityPermitLocal: instructs the application to accept only locally collected data (e.g., I/O as an input);

• @SecurityPermitNetwork: ("192.168.0.0/16"): instructs the application to execute the command if the remote invocation comes from the specified network address.

[0044] Security daemons may be configured to also have the ability to communicate with each other while running at different devices (e.g., between a HMI and a PLC running the common runtime). This would allow functionality to achieve a coordinated result including, but not limited to, automatic negotiation of cryptographic cyphers to use in a given required secure data communication without the need for advanced knowledge by the engineer who is designing the process automation applications.

[0045] FIG. 5 illustrates an exemplary computing environment 500 within which embodiments of the invention may be implemented. Computers and computing environments, such as computer system 510 and computing environment 500, are known to those of skill in the art and thus are described briefly here.

[0046] As shown in FIG. 5, the computer system 510 may include a communication mechanism such as a system bus 521 or other communication mechanism for communicating information within the computer system 510. The computer system 510 further includes one or more processors 520 coupled with the system bus 521 for processing the information. A trusted platform module (TPM) 521 may be included. The TPM is in communication with hardware devices and secures the hardware devices through cryptographic keys associated with each hardware device. Software may use the TPM 521 to authenticate hardware devices. The TPM includes a unique key burned into its chip when produced and is therefore capable of perform platform authentication.

[0047] The processors 520 may include one or more central processing units (CPUs), graphical processing units (GPUs), or any other processor known in the art. More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing

tasks. A processor acts upon information by manipulating, analyzing, modifying, converting or transmitting information for use by an executable procedure or an information device, and/or by routing the information to an output device. A processor may use or comprise the capabilities of a computer, controller or microprocessor, for example, and be conditioned using executable instructions to perform special purpose functions not performed by a general-purpose computer. A processor may be coupled (electrically and/or as comprising executable components) with any other processor enabling interaction and/or communication there-between. A user interface processor or generator is a known element comprising electronic circuitry or software or a combination of both for generating display images or portions thereof. A user interface comprises one or more display images enabling user interaction with a processor or other device.

[0048] Continuing with reference to FIG. 5, the computer system 510 also includes a system memory 530 coupled to the system bus 521 for storing information and instructions to be executed by processors 520. The system memory 530 may include computer readable storage media in the form of volatile and/or nonvolatile memory, such as read only memory (ROM) 531 and/or random-access memory (RAM) 532. The RAM 532 may include other dynamic storage device(s) (e.g., dynamic RAM, static RAM, and synchronous DRAM). The ROM 531 may include other static storage device(s) (e.g., programmable ROM, erasable PROM, and electrically erasable PROM). In addition, the system memory 530 may be used for storing temporary variables or other intermediate information during the execution of instructions by the processors 520. A basic input/output system 533 (BIOS) containing the basic routines that help to transfer information between elements within computer system 510, such as during start-up, may be stored in the ROM 531. RAM 532 may contain data and/or program modules that are immediately accessible to and/or presently being operated on by the processors 520. System memory 530 may additionally include, for example, operating system 534, application programs 535, other program modules 536 and program data 537.

[0049] The computer system 510 also includes a disk controller 540 coupled to the system bus 521 to control one or more storage devices for storing information and instructions, such as a magnetic hard disk 541 and a removable media drive 542 (e.g., floppy disk drive, compact disc drive, tape drive, and/or solid state drive). Storage devices may be added to the computer system 510 using an appropriate device interface (e.g., a small computer system interface (SCSI), integrated device electronics (IDE), Universal Serial Bus (USB), or FireWire).

[0050] The computer system 510 may also include a display controller 565 coupled to the system bus 521 to control a display or monitor 566, such as a cathode ray tube (CRT) or liquid crystal display (LCD), for displaying information to a computer user. The computer system includes an input interface 560 and one or more input devices, such as a keyboard 562 and a pointing device 561 , for interacting with a computer user and providing information to the processors 520. The pointing device 561 , for example, may be a mouse, a light pen, a trackball, or a pointing stick for communicating direction information and command selections to the processors 520 and for controlling cursor movement on the display 566. The display 566 may provide a touch screen interface which allows input to supplement or replace the communication of direction information and command selections by the pointing device 561. In some embodiments, an augmented reality device 567 that is wearable by a user, may provide input/output functionality allowing a user to interact with both a physical and virtual world. The augmented reality device 567 is in communication with the display controller 565 and the user input interface 560 allowing a user to interact with virtual items generated in the augmented reality device 567 by the display controller 565. The user may also provide gestures that are detected by the augmented reality device 567 and transmitted to the user input interface 560 as input signals.

[0051] The computer system 510 may perform a portion or all the processing steps of embodiments of the invention in response to the processors 520 executing one or more sequences of one or more instructions contained in a memory, such as the system memory 530. Such instructions may be read into the system memory 530 from another computer readable medium, such as a magnetic hard disk 541 or a removable media drive 542. The magnetic hard disk 541 may contain one or more datastores and data files used by embodiments of the present invention. Datastore contents and data files may be encrypted to improve security. The processors 520 may also be employed in a multi-processing arrangement to execute the one or more sequences of instructions contained in system memory 530. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions. Thus, embodiments are not limited to any specific combination of hardware circuitry and software.

[0052] As stated above, the computer system 510 may include at least one computer readable medium or memory for holding instructions programmed according to embodiments of the invention and for containing data structures, tables, records, or

other data described herein. The term "computer readable medium" as used herein refers to any medium that participates in providing instructions to the processors 520 for execution. A computer readable medium may take many forms including, but not limited to, non-transitory, non-volatile media, volatile media, and transmission media. Non-limiting examples of non-volatile media include optical disks, solid state drives, magnetic disks, and magneto-optical disks, such as magnetic hard disk 541 or removable media drive 542. Non-limiting examples of volatile media include dynamic memory, such as system memory 530. Non-limiting examples of transmission media include coaxial cables, copper wire, and fiber optics, including the wires that make up the system bus 521. Transmission media may also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.

[0053] The computing environment 500 may further include the computer system 510 operating in a networked environment using logical connections to one or more remote computers, such as remote computing device 580. Remote computing device 580 may be a personal computer (laptop or desktop), a mobile device, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer system 510. When used in a networking environment, computer system 510 may include modem 572 for establishing communications over a network 571 , such as the Internet. Modem 572 may be connected to system bus 521 via user network interface 570, or via another appropriate mechanism.

[0054] Network 571 may be any network or system generally known in the art, including the Internet, an intranet, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a direct connection or series of connections, a cellular telephone network, or any other network or medium capable of facilitating communication between computer system 510 and other computers (e.g., remote computing device 580). The network 571 may be wired, wireless or a combination thereof. Wired connections may be implemented using Ethernet, Universal Serial Bus (USB), RJ-6, or any other wired connection generally known in the art. Wireless connections may be implemented using Wi-Fi, WiMAX, and Bluetooth, infrared, cellular networks, satellite or any other wireless connection methodology generally known in the art. Additionally, several networks may work alone or in communication with each other to facilitate communication in the network 571.

[0055] An executable application, as used herein, comprises code or machine readable instructions for conditioning the processor to implement predetermined functions, such as those of an operating system, a context data acquisition system or other information processing system, for example, in response to user command or input. An executable procedure is a segment of code or machine readable instruction, sub-routine, or other distinct section of code or portion of an executable application for performing one or more particular processes. These processes may include receiving input data and/or parameters, performing operations on received input data and/or performing functions in response to received input parameters, and providing resulting output data and/or parameters.

[0056] A graphical user interface (GUI), as used herein, comprises one or more display images, generated by a display processor and enabling user interaction with a processor or other device and associated data acquisition and processing functions.

The GUI also includes an executable procedure or executable application. The executable procedure or executable application conditions the display processor to generate signals representing the GUI display images. These signals are supplied to a display device which displays the image for viewing by the user. The processor, under control of an executable procedure or executable application, manipulates the GUI display images in response to signals received from the input devices. In this way, the user may interact with the display image using the input devices, enabling user interaction with the processor or other device.

[0057] The functions and process steps herein may be performed automatically or wholly or partially in response to user command. An activity (including a step) performed automatically is performed in response to one or more executable instructions or device operation without user direct initiation of the activity.

[0058] The system and processes of the figures are not exclusive. Other systems, processes and menus may be derived in accordance with the principles of the invention to accomplish the same objectives. Although this invention has been described with reference to particular embodiments, it is to be understood that the embodiments and variations shown and described herein are for illustration purposes only. Modifications to the current design may be implemented by those skilled in the art, without departing from the scope of the invention. As described herein, the various systems, subsystems, agents, managers and processes can be implemented using hardware components, software components, and/or combinations thereof. No claim element herein is to be construed under the provisions of 35 U.S.C. 1 12, sixth paragraph, unless the element is expressly recited using the phrase "means for."