Abstract: A system has at least one machine, including at least one device for exchanging data with another device of the at least one machine or of another machine for a joint solution of a task or with a higher-level device. The system further including a certification device configured to identify the at least one machine with a root certificate and configured to grant a sub-certificate to the at least one device of the machine. The certification device is further configured to sign the sub-certificate with the root certificate of the at least one machine in order to identify the at least one device as belonging to the at least one machine, and the sub-certificate is issued biuniquely for the at least one device.

Abstract: A method monitors an industrial network. The industrial network is divided into at least two hierarchical levels each with a different hierarchical stage. At least one network component is respectively included for each hierarchical level. Each hierarchical level has at least one segment. Each segment comprises at least one network component of the respective hierarchical level. At least one component monitoring unit for monitoring at least one network component in the respective segment and/or at least one communication monitoring unit for monitoring communication in the respective segment is/are respectively included for each segment. A central monitoring unit is included in one of the segments in order to evaluate information for detecting attacks. At least one decentralized monitoring unit is respectively included in at least one of the other segments.

Abstract: A device includes at least one first and one second module configured to cooperate to solve a task and/or are configured to communicate with a higher-level apparatus, a certification module configured to issue a cryptographic signature for each of the at least one first and second module, and an identity generation module configured to form a first code as an identity of the first module from a signature of the first module, to form a second code as an identity of the second module from a signature of the second module, and to form an overall code from the first and the second codes. The certification module is further configured to sign the overall code with a key in order to issue a unique certificate for the device, which biuniquely identifies the device.

Abstract: The disclosure relates to a method for configuring a control device of an automation system, comprising: detecting a local access token via an interface of the control device; and modifying at least one parameter of the control device, which is designed to configure a data connection of the control device in response to the detection of the local access token.

Abstract: A method for detecting attacks on a network component of an industrial network uses a component monitoring unit integrated in the network component. The component monitoring unit has at least one checking module for performing a check on the network component and a communication module for the component monitoring unit to communicate with at least one further network component of the industrial network. The component monitoring unit further has a management module for managing a communication between the at least one checking module and the communication module. When a predetermined criterion is satisfied, the at least one checking module collects and/or evaluates information concerning the network component and/or concerning the satisfied criterion for the purpose of checking the network component.

Abstract: A system has at least one machine, including at least one device for exchanging data with another device of the at least one machine or of another machine for a joint solution of a task or with a higher-level device. The system further including a certification device configured to identify the at least one machine with a root certificate and configured to grant a sub-certificate to the at least one device of the machine. The certification device is further configured to sign the sub-certificate with the root certificate of the at least one machine in order to identify the at least one device as belonging to the at least one machine, and the sub-certificate is issued biuniquely for the at least one device.

Abstract: A device includes at least one first and one second module configured to cooperate to solve a task and/or are configured to communicate with a higher-level apparatus, a certification module configured to issue a cryptographic signature for each of the at least one first and second module, and an identity generation module configured to form a first code as an identity of the first module from a signature of the first module, to form a second code as an identity of the second module from a signature of the second module, and to form an overall code from the first and the second codes. The certification module is further configured to sign the overall code with a key in order to issue a unique certificate for the device, which biuniquely identifies the device.

Abstract: A method for enabling access by a first network subscriber to a second network subscriber in a network includes receiving a communication request from the first network subscriber and determining whether the second network subscriber has carried out an authentication of the first network subscriber during a first phase. The second network subscriber allows communication with the first network subscriber when the second network subscriber has carried out authentication of the first network subscriber during the first phase. The second network subscriber receives an access request from the first network subscriber and determines a level of trustworthiness of the first network subscriber. The second network subscriber enables access of the first network subscriber based on the determination of the level of trustworthiness of the first network subscriber.

Abstract: The disclosure relates to a method for configuring a control device of an automation system, comprising: detecting a local access token via an interface of the control device; and modifying at least one parameter of the control device, which is designed to configure a data connection of the control device in response to the detection of the local access token.

Abstract: A method monitors an industrial network. The industrial network is divided into at least two hierarchical levels each with a different hierarchical stage. At least one network component is respectively included for each hierarchical level. Each hierarchical level has at least one segment. Each segment comprises at least one network component of the respective hierarchical level. At least one component monitoring unit for monitoring at least one network component in the respective segment and/or at least one communication monitoring unit for monitoring communication in the respective segment is/are respectively included for each segment. A central monitoring unit is included in one of the segments in order to evaluate information for detecting attacks. At least one decentralized monitoring unit is respectively included in at least one of the other segments.

Abstract: A method for detecting attacks on a network component of an industrial network uses a component monitoring unit integrated in the network component. The component monitoring unit has at least one checking module for performing a check on the network component and a communication module for the component monitoring unit to communicate with at least one further network component of the industrial network. The component monitoring unit further has a management module for managing a communication between the at least one checking module and the communication module. When a predetermined criterion is satisfied, the at least one checking module collects and/or evaluates information concerning the network component and/or concerning the satisfied criterion for the purpose of checking the network component.

Abstract: A method for enabling access by a first network subscriber to a second network subscriber in a network includes receiving a communication request from the first network subscriber and determining whether the second network subscriber has carried out an authentication of the first network subscriber during a first phase. The second network subscriber allows communication with the first network subscriber when the second network subscriber has carried out authentication of the first network subscriber during the first phase. The second network subscriber receives an access request from the first network subscriber and determines a level of trustworthiness of the first network subscriber. The second network subscriber enables access of the first network subscriber based on the determination of the level of trustworthiness of the first network subscriber.