Abstract: A method for project-oriented authentication of a device in a control system for a technical installation as part of an engineering project, wherein the control system includes at least one local registration service, at least one software inventory and a certification center, where information by the at least one local registration service with respect to what communication protocols and/or applications are supported by the device and/or are active is ascertained during authentication of the device within the control system, a project-oriented device certificate is requested from the first hierarchy of the certification center by the local registration service, and the project-oriented device certificate is deposited in an inventory element, associated with the engineering project, of the software inventory of the control system, the device certificates being issuable by the first hierarchy of the certification center have a unique project identifier.

Abstract: A system for verifying components of an industrial monitoring system includes a first module which is configured to establish a trust relationship with a component of the industrial monitoring system and request a component certificate from the component. The component certificate contains relevant information relating to the component. A second module is configured to check, in interaction with the component, the component certificate on the basis of relevant data stored in a trusted database, and to generate a notification on the basis of the result of the checking process.

Abstract: A method for issuing a certificate with a specific certificate profile to a plant component of an industrial plant by a certification authority of the industrial plant, wherein an automated check is performed to determine whether the specific certificate profile can be used by the plant component, and whether the specific certificate profile in the industrial plant is assignable to the plant component before a certificate application made by the plant component is transmitted to the certification authority, where the certificate application is transmitted to the certification authority which, in the event of a successful check of the certificate application, issues the requested certificate with the specific certificate profile for the plant component if both checks are successful.

Abstract: A control system for a technical plant, in particular a manufacturing or processing plant, wherein the control system is configured to initiate the issuance and revocation of certificates for components of the technical plant as part of certificate management, where the control system includes a computer-implemented revocation service which is configured to initiate the revocation of certificates in an event-controlled and automated manner.

Abstract: A control system for a technical installation, in particular a process or manufacturing installation, includes at least one component upon which a certificate service is computer implemented, wherein the certificate service is configured to check a certificate store that is assigned to the component or a further component to determine whether two or more certificates, which only differ from one another in terms of their validity period, are stored in the certificate store, and in the event of the check identifying two or more certificates of this type, to initiate revocation and removal from the certificate store of the certificate or certificates with the validity period that ends the earliest, such that only the certificate with the validity period that ends the latest remains stored in the certificate store.

Abstract: System and method for secure time synchronization in an industrial facility, wherein a synchronization request of a facility component is transmitted to a registration service of a certificate management of the facility and the synchronization request is examined by the registration service, where the synchronization request includes a signature of the requesting facility component, and where depending on an outcome of the examination, a synchronization response is then transmitted to the requesting facility component a system time of the facility component is matched to a system time of the registration service based on the synchronization response.

Abstract: An operator station server of a technical installation upon which a certification service is implemented, wherein the certification service is configured to receive configuration information, which depends on a role of the operator station server in the technical installation, from at least one of (i) an engineering station server and (ii) a registration service of the technical installation, where the configuration information comprises information identifying which certificates of the certification service of the operator station server must be requested from a certification authority of the technical installation.

Abstract: A process control system includes an engineering system for a project configuration of hardware and software components of a process control system, an operator system having a runtime component for operator control and monitoring of a technical process, and an archive system for archiving project configuration inputs of the engineering system and for archiving operator inputs in the operator system, via which a project engineer and/or an operator may be provided with the relationships between engineering-relevant actions or events and runtime-relevant actions or events.

Abstract: System and method for secure time synchronization in an industrial facility, wherein a synchronization request of a facility component is transmitted to a registration service of a certificate management of the facility and the synchronization request is examined by the registration service, where the synchronization request includes a signature of the requesting facility component, and where depending on an outcome of the examination, a synchronization response is then transmitted to the requesting facility component a system time of the facility component is matched to a system time of the registration service based on the synchronization response.

Abstract: A method for initially allocating and/or renewing certificates for devices and/or applications in a control system for a technical installation on the basis of certificates, wherein the devices and/or applications, within a framework of the initial allocation and/or renewal of the certificates, use a certificate management protocol to post a certificate request at at least one certification authority of the technical installation, where the devices and/or applications, in addition to the certificate management protocol, implement a certification service that generates a stateless alarm message and provides this generated stateless alarm message in the control system, when a certificate request previously posted by the device and/or the application is unanswered by the certification authority after expiration of a previously determined period of time.

Abstract: A client-server architecture for a control system of a technical installation, wherein the client-server architecture includes at least one first device formed as a client and at least one second device that formed as a server assigned to the client, where the client is configured to establish contact with the server, and is configured to execute a code received from the server, communication from the client to the control system exists via the server which is configured to detect whether the code, which the client executes, corresponds to the code that the client received from the server, and where the server, in the event of the code not corresponding, is further configured to interrupt the execution of the code by the client and lock the client out of communication with the control system.

Abstract: An automation system includes at least one automation unit, multiple automation servers and a central management unit interconnected via a communication network, wherein the automation servers communicate with the automation unit using a pre validated certificate of the automation unit, where in order to validate the certificate, the automation servers check a chain of trust of the respective certificate and, by accessing a black list, the validity thereof, where communication of the respective chain of trust only occurs when corresponding chains of trust are revoked from all other automation servers beforehand, corresponding certificates are entered into the black list or the certificate is otherwise invalid.

Abstract: A method and technical module in a technical installation, which includes at least one technical function and which is configured for integration into a higher-level control level of the technical installation, wherein functional rights relating to the at least one technical function are stored in the technical module.

Abstract: A method for handling security alarms by a control system of a technical installation includes a) receiving diagnostic messages that have been generated by technical objects (7) of a technical installation; b) analyzing the diagnostic messages such that diagnostic messages relevant to the security of an operation of the technical installation are identified by means of comparative data records, where a machine learning network is used to analyze the diagnostic messages to assess the security relevance of the diagnostic messages, where the network is previously trained using special inputs from operators of the technical installation that have assessed past diagnostic messages with regard to their security relevance; c) if necessary, adapting the previously identified diagnostic messages to requirements of a computer-implemented security module of the technical installation and d) transmitting the previously identified and optionally adapted diagnostic messages to the computer-implemented security module of th

Abstract: A control system for a technical installation includes a certification body, first and second installation components, wherein the certification body issues/revokes certificates for the first and second installation components, where a certificate revocation list service receives from the certification body a certificate revocation list having certificates already revoked by the certification body and provides the certificate revocation list to the components, a certificate revocation list distribution service implemented on the first and second installation components receives the certificate revocation list from the certificate revocation list service and stores the certificate revocation list in a storage device of the respective installation component, and where the certificate revocation list distribution service of an installation component additionally in each case connects to the certificate revocation list distribution service on another installation component and receives the certificate revocation

Abstract: A method for creating a topology of a technical system, more particularly of a production plant or process plant, with a public key infrastructure via a software tool designed therefor, wherein a plurality of individual components are linked together to form a topology of the technical system, where which certificates needed by the individual components during operation of the technical system is derived from an analysis of security requirements of the technical system in an automated manner and stored in the software tool, where which PKI components and which communication links among the individual components, from the components to the PKI components, and among the individual PKI components, are needed to construct the public key infrastructure is taken into account in an automated manner in the linking of the individual components.

Abstract: A method for controlling a technical system via a control system, wherein the control system, after processing a request from an operator, generates a response message to the request such that if a faulty state of the technical system occurs, then associated fault messages are linked in an automated manner to the request and the response message in the time between the request and the generation of the response message, and a corresponding item of information relating thereto is presented to the operator, where the link between the request, response message and fault messages is provided with a digital signature of the operator who made the request to the control system.

Abstract: A control system for a technical installation includes at least one certification authority and installation components, wherein the certification authority issues and revokes certificates and creates a certificate revocation list of already revoked certificates that can be distributed in the control system, where a certificate revocation list service is implemented which is configured to distribute the certificate revocation list to the installation component, installation components each comprise a local storage device in which filing of the previously distributed certificate revocation list is possible, and where the certificate revocation list service determines a revocation reason, and depending on the revocation reason, removal of a previously distributed certificate revocation list stored on the respective local storage device of the installation components is triggered such that after performance of the revocation storage of a newly created certificate revocation list in the respective local storage d

Abstract: The invention relates to a method for ensuring the authenticity of at least one value of a device property wherein the device property is a characteristic of a device (6). According to the invention, at least one operating value (14, 16) of at least one dynamic device property is signed using a digital key (20), wherein an operating-dependent digital signature (2) is generated.

Abstract: A method for authenticating devices and/or applications, specifically web applications, in a control system for an industrial plant, wherein the control system includes at least one local registration service and at least one software inventory, where the method includes determining by the at least one local registration service information about which communications protocols and/or applications are supported by the devices and/or applications and/or which communications protocols and/or applications are active, during authentication of the devices and/or applications within the control system, and storing the device-specific information determined by the local registration service in the at least one software inventory of the control system.