Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.

Abstract: Time Sensitive Networking (TSN) in wireless environments may be provided. First, a Radio Frequency (RF) profile associated with a station may be received by a computing device. Next, a number of Transmit Opportunities (TxOPs) to use for transmitting data between an Access Point (AP) and the station based on the received RF profile may be determined. The determined number of TxOPs may then be provided to a wireless controller associated with the AP.

Abstract: A network controller automatically adjusts a computer network based on the operational information of an industrial device. The network controller receives a notification from a network element in the computer network that the industrial device attached to the network element has an administrative shell. The administrative shell includes operational information describing the operation of the industrial device. The network controller retrieves the administrative shell from the industrial device. The network controller parses the operational information in the administrative shell to determine an intent for the industrial device, and adjusts the computer network based on the intent of the industrial device.

Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.

Abstract: The disclosed technology provides solutions that enable scalable and secure data retrieval between microservices by using microservice attributes to encrypt container based data stores. A process of the technology can include steps for: instantiating a first microservice and a second microservice in a cloud environment, wherein the first microservice is associated with a first attribute label and the second microservice is associated with a second attribute label, generating a first key based on the first attribute label and a second key based on the second attribute label, associating a first data store with the first microservice, wherein the first data store is encrypted using the first key, and associating a second data store with the second microservice, wherein the second data store is encrypted using the second key. Systems and machine readable media are also provided.

Abstract: Time Sensitive Networking (TSN) in wireless environments may be provided. First, a Radio Frequency (RF) profile associated with a station may be received by a computing device. Next, a number of Transmit Opportunities (TxOPs) to use for transmitting data between an Access Point (AP) and the station based on the received RF profile may be determined. The determined number of TxOPs may then be provided to a wireless controller associated with the AP.

Abstract: According to one or more embodiments of the disclosure, a device in a network identifies a packet sent via the network towards an endpoint as being a control packet for the endpoint. The device extracts one or more control parameter values from the control packet. The device compares the one or more control parameter values to a policy associated with the endpoint. The device initiates a corrective measure, based on a determination that the one or more control parameter values violate the policy associated with the endpoint.

Abstract: According to one or more embodiments of the disclosure, a networking device receives a policy for an endpoint in a network. The policy specifies one or more component tags and one or more activity tags that were assigned to the endpoint based on deep packet inspection of traffic associated with the endpoint. The networking device identifies a set of tags for a particular traffic flow in the network associated with the endpoint. The set of tags comprises one or more component tags or activity tags associated with the particular traffic flow. The networking device makes a determination that the particular traffic flow violates the policy based on the set of tags comprising a tag that is not in the policy. The networking device initiates, based on the determination that the particular traffic flow violates the policy, a corrective measure with respect to the particular traffic flow.

Abstract: According to one or more embodiments of the disclosure, a service obtains one or more component tags and one or more activity tags that were assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device. The service determines an intent of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint device. The service translates the intent of the endpoint device into a network segmentation policy. The service configures a network overlay in the network that implements the network segmentation policy.

Abstract: The disclosed technology provides solutions that enable scalable and secure data retrieval between microservices by using microservice attributes to encrypt container based data stores. A process of the technology can include steps for: instantiating a first microservice and a second microservice in a cloud environment, wherein the first microservice is associated with a first attribute label and the second microservice is associated with a second attribute label, generating a first key based on the first attribute label and a second key based on the second attribute label, associating a first data store with the first microservice, wherein the first data store is encrypted using the first key, and associating a second data store with the second microservice, wherein the second data store is encrypted using the second key. Systems and machine readable media are also provided.

Abstract: In one embodiment, a network policy engine obtains a substation configuration description for a substation, indicative of intelligent electronic devices (IEDs), associated network communication devices, and related communication configuration information. The network policy engine then creates a mapping of the IEDs and the associated network communication devices based on the substation configuration description, associating each of the IEDs to a corresponding network port of the associated network communication devices. The network policy engine may then further create network control parameters based on the substation configuration description, which comprise defined communication flows for the IEDs and associated security group tags (SGTs) for the defined communication flows.

Abstract: Time Sensitive Networking (TSN) in wireless environments may be provided. First, a Radio Frequency (RF) profile associated with a station may be received by a computing device. Next, a number of Transmit Opportunities (TxOPs) to use for transmitting data between an Access Point (AP) and the station based on the received RF profile may be determined. The determined number of TxOPs may then be provided to a wireless controller associated with the AP.

Abstract: In one embodiment, a method comprises: storing, by a computing device in a non-deterministic data network, a plurality of data packets originated by a source device into a mass storage medium associated with the computing device; receiving, by the computing device, a data request originated by an access point device providing deterministic reachability to a deterministic device in a deterministic data network providing reachability to multiple deterministic devices, the request specifying one or more deterministic constraints associated with reaching the deterministic device; and supplying, by the computing device, a selected one of the data packets to the access point device for delivery of data stored therein to the deterministic device according to the one or more deterministic constraints.

Abstract: A methodology includes determining a first delay between a first relay and a first label edge router, a second delay between a second relay and a second label edge router, and a third delay of a label-switched path between the first label edge router and the second label edge router. Based on the first, second, and third delays, it is determined whether an end-to-end latency between the first relay and the second relay exceeds an end-to-end latency threshold.

Abstract: In one embodiment, a network policy engine obtains a substation configuration description for a substation, indicative of intelligent electronic devices (IEDs), associated network communication devices, and related communication configuration information. The network policy engine then creates a mapping of the IEDs and the associated network communication devices based on the substation configuration description, associating each of the IEDs to a corresponding network port of the associated network communication devices. The network policy engine may then further create network control parameters based on the substation configuration description, which comprise defined communication flows for the IEDs and associated security group tags (SGTs) for the defined communication flows.

Abstract: A server, in communication with a plurality of microservices in a microservices mesh environment, obtains data about inbound communications to a first microservice and outbound communications from the first microservice of the plurality of microservices. The server analyzes the data to learn an operational behavior of the first microservice and determine a firewall rule set to be applied associated with the first microservice based on the operational behavior learned for the first microservice. The server causes a micro-firewall to be instantiated for the first microservice. The micro-firewall is configured to apply the firewall rule set to inbound communications to the first microservice and outbound communications from the first microservice.

Abstract: The disclosed technology provides solutions that enable scalable and secure data retrieval between microservices by using microservice attributes to encrypt container based data stores. A process of the technology can include steps for: instantiating a first microservice and a second microservice in a cloud environment, wherein the first microservice is associated with a first attribute label and the second microservice is associated with a second attribute label, generating a first key based on the first attribute label and a second key based on the second attribute label, associating a first data store with the first microservice, wherein the first data store is encrypted using the first key, and associating a second data store with the second microservice, wherein the second data store is encrypted using the second key. Systems and machine readable media are also provided.

Abstract: A method for teleprotection over a segment routed network comprises receiving network requirements for communication between a first teleprotection relay and a second teleprotection relay, the first teleprotection relay associated with a first router of the segment routed network, and the second teleprotection relay associated with a second router of the segment routed network, identifying a primary path from the first router to the second router satisfying the network requirements, determining a congruent reverse of the primary path satisfies the network requirements, sending, to the first router, the primary path, the first router routing traffic from the first teleprotection relay to the second teleprotection relay using the primary path, and sending, to the second router, the congruent reverse of the primary path, the second router routing traffic from the second teleprotection relay to the first teleprotection relay using the congruent reverse of the primary path.

Abstract: A method for teleprotection over a segment routed network comprises receiving network requirements for communication between a first teleprotection relay and a second teleprotection relay, the first teleprotection relay associated with a first router of the segment routed network, and the second teleprotection relay associated with a second router of the segment routed network, identifying a primary path from the first router to the second router satisfying the network requirements, determining a congruent reverse of the primary path satisfies the network requirements, sending, to the first router, the primary path, the first router routing traffic from the first teleprotection relay to the second teleprotection relay using the primary path, and sending, to the second router, the congruent reverse of the primary path, the second router routing traffic from the second teleprotection relay to the first teleprotection relay using the congruent reverse of the primary path.

Abstract: In one embodiment, a method comprises a topology processor generating a power grid topology model of a power grid topology controlled via a communications network having a corresponding communications architecture overlying the power grid topology. The topology processor generates a communications architecture model of the communications architecture. In response to receiving a request for executing a change in at least a portion of the power grid topology, the topology processor identifies power grid topology model data associated with the portion of the power grid topology, and identifies communications architecture model data identifying a corresponding portion of the communications architecture associated with the portion of the power grid topology.