Abstract: Embodiments of a software defined automation system that provides a reference architecture for designing, managing and maintaining a highly available, scalable and flexible automation system. In some embodiments, an SDA system can include a localized subsystem including a system controller node and multiple compute nodes. The multiple compute nodes can be communicatively coupled to the system controller node via a first communication network. The system controller node can manage the multiple compute nodes and virtualization of a control system on a compute node via the first communication network. The virtualized control system includes virtualized control system elements connected to a virtual network that is connected to a second communication network to enable the virtualized control system elements to control a physical control system element via the second communication network connected to the virtual network.

Abstract: Embodiments of system and methods for providing centralized management of a software defined automation (“SDA”) system are disclosed. The SDA system comprises of a collection of controller nodes and logically centralized and yet physically distributed collection of compute nodes by monitoring activities of the compute nodes. In accordance with some embodiments, one or more components of the system monitor execution, network and security environments of the system to detect an event in a first environment. In response to the detected event, at least one component in the first environment is remediated, the remediation of the first environment creating a trigger to cause remediation of at least one component in each of a second and third environments.

Abstract: Embodiments of system and methods for providing centralized management of a software defined automation (“SDA”) system are disclosed. The SDA system comprises of a collection of controller nodes and logically centralized and yet physically distributed collection of compute nodes by monitoring activities of the compute nodes. In accordance with some embodiments, one or more components of the system monitor execution, network and security environments of the system to detect an event in a first environment. In response to the detected event, at least one component in the first environment is remediated, the remediation of the first environment creating a trigger to cause remediation of at least one component in each of a second and third environments.

Abstract: Embodiments of system and methods for providing centralized management of a software defined automation (“SDA”) system are disclosed. The SDA system comprises of a collection of controller nodes and logically centralized and yet physically distributed collection of compute nodes by monitoring activities of the compute nodes. In accordance with some embodiments, one or more components of the system monitor execution, network and security environments of the system to detect an event in a first environment. In response to the detected event, at least one component in the first environment is remediated, the remediation of the first environment creating a trigger to cause remediation of at least one component in each of a second and third environments.

Abstract: Embodiments of a software defined automation system that provides a reference architecture for designing, managing and maintaining a highly available, scalable and flexible automation system. In some embodiments, an SDA system can include a localized subsystem including a system controller node and multiple compute nodes. The multiple compute nodes can be communicatively coupled to the system controller node via a first communication network. The system controller node can manage the multiple compute nodes and virtualization of a control system on a compute node via the first communication network. The virtualized control system includes virtualized control system elements connected to a virtual network that is connected to a second communication network to enable the virtualized control system elements to control a physical control system element via the second communication network connected to the virtual network.

Abstract: Systems and methods for performing access control in an industrial control system are described. A first component of an industrial control system may be connected to a second component of the industrial control system. A digital certificate may be generated for the first component that includes both authentication information and authorization information associated with the first component. The first component may transmit the digital certificate to the second component, and the second component may extract the authorization information from the digital certificate. The second component may identify a set of access rights based on the authorization information extracted and authorize the first component to access the second component based on the set of access rights identified.

Abstract: Aspects of the invention provide apparatuses, systems, and computer readable media for providing security to an end device (209) by a security device (205). The security device is typically installed in front of the end device. The combination of the end device and the security device appear as a single secure end device from the network having a network address of the original end device. The security device may include a first communications port (405) that receives a message designated for an end device, a second communications port (407) that connects directly to the end device, and a processor (401) that is connected to the first and second communications ports. The processor is configured to determine whether to pass the message to the end device based on at least one security consideration and to provide at least one service that is not originally supported on the end device.

Abstract: Aspects of the invention support a component configuration mechanism when rebooting a circuit module (201) of a programmable logic controller (101). A component (application) may be configured from a plurality of sources, including flash memory (204) and a web-based configuration source. The configuration mechanism avoids using invalid configuration data when replacing the communication module. The circuit module may support a plurality of components, where some of the components may be associated with a web-based configuration while other components may be associated with a CPU-based configuration. If the configuration data in the flash memory of the communication module is determined to be invalid, the communication module obtains configuration data from a web-based configuration source for a web-based configured component and from an associated CPU module (202) for a CPU-based configured component.

Abstract: Aspects of the invention support a component configuration mechanism when rebooting a circuit module (201) of a programmable logic controller (101). A component (application) may be configured from a plurality of sources, including flash memory (204) and a web-based configuration source. The configuration mechanism avoids using invalid configuration data when replacing the communication module. The circuit module may support a plurality of components, where some of the components may be associated with a web-based configuration while other components may be associated with a CPU-based configuration. If the configuration data in the flash memory of the communication module is determined to be invalid, the communication module obtains configuration data from a web-based configuration source for a web-based configured component and from an associated CPU module (202) for a CPU-based configured component.

Abstract: Aspects of the invention provide apparatuses, systems, and computer readable media for providing security to an end device (209) by a security device (205). The security device is typically installed in front of the end device. The combination of the end device and the security device appear as a single secure end device from the network having a network address of the original end device. The security device may include a first communications port (405) that receives a message designated for an end device, a second communications port (407) that connects directly to the end device, and a processor (401) that is connected to the first and second communications ports. The processor is configured to determine whether to pass the message to the end device based on at least one security consideration and to provide at least one service that is not originally supported on the end device.