Abstract: A method for key management in a field-programmable integrated part of an integrated circuit is disclosed herein. According to the method, a hardware configuration for the field-programmable integrated part is loaded into the field-programmable integrated part. The hardware configuration includes a key derivation functionality. Further, using the key derivation functionality, a cryptographic key is derived based on information provided in the field-programmable integrated part.

Abstract: Provided is a method for configuring a wireless connection between a mobile wireless terminal and a mobile wireless network, in which the mobile wireless network contains at least one first subnetwork, which is accessible with a credential of at least a first type, and contains at least one second subnetwork, which is accessible with a credential of at least a second type, and a first wireless connection to a first subnetwork and a second wireless connection to a second subnetwork have different wireless transmission parameters. In the event of a request for access by the mobile wireless terminal to a selected subnetwork—a predetermined credential is determined for the request for access to the selected subnetwork, the type of the predetermined credential is determined, and—at least one wireless transmission parameter is selected and activated depending on the determined type of the predetermined credential.

Abstract: Various embodiments of the teachings herein include methods and/or systems for checking a configuration of at least one component of an automation installation. An example method includes checking configuration data of the at least one component for admissibility using a checking server different from the at least one component.

Abstract: A block formation device and to a node device for a distributed database system, each having a unit for receiving a timing clock pulse from a time source and determining time slices of prescribed length on the basis of the timing clock pulse is provided. The block formation device is configured to select transactions to be confirmed precisely once within a respective time slice from unconfirmed transactions provided in the database system, to form an unconfirmed block from the selected unconfirmed transactions and to provide the unconfirmed block in the database system. The node device is configured to store a chain of confirmed blocks representing a transaction log of the database system; and, within a respective time slice, to confirm precisely one from unconfirmed blocks provided in the database system in the time slice precisely once and to add it to the chain of confirmed blocks.

Abstract: Various embodiments of the teachings herein include methods for communicating with two or more communication partners using a multi-antenna arrangement designed for directional transmission. An example method includes: operating the multi-antenna arrangement using directional transmission parameters; limiting the directional transmission for parameters a particular communication partner to a subset of the directional transmission parameters, the subset depending on the particular communication partner; and determining the subset by transmitting a cryptographically protected pilot signal from the communication partner.

Abstract: Various embodiments of the teachings herein include a method for assigning a digital model to a physical component of an automation system. An example method includes: consulting a physical component with a piece of link information referring to a digital model of the physical component in a digital twin of the physical component; and using the link information to determine the digital model to which the link information refers and assign said digital model to the physical component.

Abstract: A method reconfigures an IoT device which is connectable to a cloud backend. The method includes: storing an access code that is input locally in the cloud backend and storing the access code or check information formed on the basis thereof on the IoT device. The method further includes reconfiguring the IoT device, requesting the access code from the cloud backend, inputting the requested access code on a local configuration interface of the IoT device or on an input device connected to the local configuration interface of the IoT device, and comparing the input access code against the access code stored on the IoT device, or the check information formed on the basis thereof. The IoT device is enabled for reconfiguration upon a positive comparison of the input access code against the access code stored, or the check information formed on the basis thereof.

Abstract: A method for checking a license for the usage of at least one performance property in an Internet of things device, is provided, having the steps of—ascertaining at least one license condition for the usage of the performance property of the IoT device by at least one attribute contained in a license identifier, —transmitting and storing the license identifier, —checking the license condition by a) generating a pseudo-access which is assigned to the performance property using a pseudo-holding unit and b) checking an authorization for the pseudo-access by checking the attribute of the license identifier using a verification unit, and—activating the at least one performance property if the pseudo-access is confirmed, wherein the license identifier, the pseudo-holding unit, and the verification unit are designed based on a specification for verifiable credentials.

Abstract: A method of onboarding a user device onto an industrial network includes receiving a registration request from the user device. The user device is connected to a gateway device associated with a first wireless network. The registration request includes one or more network access parameters associated with the user device. At least one network access parameter from the network access parameters is indicative of the gateway device and/or the first wireless network. The method includes authenticating the user device based on the received registration request. Authenticating includes verifying validity of network access parameters of the registration request. The method allows for utilization of network access data to evaluate if the user device is indeed an actual user device or an unauthorized device. Accordingly, an overall security associated with the onboarding process is improved.

Abstract: A system, inspection device and method for securely executing control applications, wherein at least one event is defined for at least one control application and the event is triggered upon potential manipulation of program code associated with the control application and/or of at least one peripheral connected to a program flow controller processing the program code, where the program flow controller monitors a flow of the control application for deviations from an expected flow behavior and triggers the defined event upon a deviation, following triggering of the defined event, the program code is processed further by the program flow controller and the event is reported to an inspection device separate from the program flow controller where the inspection device places the control application and control components with an interdependency thereon into a predefined safe operating state upon detecting a flow behavior of the control application that contravenes the inspection rules.

Abstract: Various teachings of the present disclosure include methods for providing cryptographic keys for signing data. The method may include: providing a plurality of keys as leaves of a hash tree structure having at least one first hash tree; evaluating a requirement criterion for a requirement for additional keys and, if the requirement criterion is satisfied, generating a plurality of additional keys available as leaves of a further hash tree; and integrating the further hash tree into the hash tree structure so a respective root of the further hash tree is signed with a leaf of the hash tree structure. A number of hash trees of the hash tree structure is not predetermined.

Abstract: Provided is a method and a system for the tamper-proof storage of information about object-related measures which are contained as transactions in transaction blocks that are interlinked in a transaction block chain of the object to which the measures relate, the transaction block chain being stored in an object data memory allocated to the object.

Abstract: Various embodiments of the teachings herein include a method for checking container applications on a host system for manipulation. An example method includes: starting a respective checking process on the host system for each of at least two of the container applications; and assigning the respective checking process using a data-technology linkage. The checking processes subject the current behavior of at least one of the container applications other than the respective assigned container application to a comparison with a reference behavior of the at least one other container application.

Abstract: Various embodiments of the teachings herein include a method for determining the integrity of data processing of operative data using a trusted execution environment. The method may include: presenting the trusted execution environment with input data including the operative data and test data; processing the input data to produce output data; subjecting that portion of the output data formed by the processed test data to a comparison with reference data; and using the comparison as a basis for determining the integrity of the data processing.

Abstract: A system, template, and method of managing virtual control units in an industrial automation facility are provided. The industrial automation facility includes machines. The method includes generating templates including deployment criteria for the virtual control units. Each of the virtual control units is capable of controlling at least one of the machines. The virtual control units are mapped to one or more compute nodes based on the deployment criteria. The virtual control units are instantiated on the mapped compute nodes when the controlled machines are in operation. The method includes validating that the instantiation of the virtual control units is in accordance with the templates using an attestation that confirms determined deployment parameters after deployment of the virtual control units. The machines perform the industrial process, according to control commands received from at least one of the virtual control units, when the virtual control units are validly instantiated.

Abstract: Provided is a network adapter for unidirectional transmission of a user data stream to a bidirectional network interface, the network adapter including: a first connection unit which is physically connected to a bidirectional network interface of a first device; a second connection unit which is physically connected to a bidirectional network interface of a second device; and a terminating unit which has at least one bit transmission module and which is designed to establish a bidirectional data link to the network interface of the first device, to receive the user data stream from the first device exclusively in a unidirectional fashion via the data link, and not to send a user data stream to the first device.

Abstract: Provided a method for setting up an authorization verification for a first device, for example a field device in an automation system, wherein the first device is configured by configuration data transmitted to the first device from a configuration module that is detachably connected to the first device and, for example, is implemented in the form of an SD card or a USB stick, having: detection of a connection of a configuration module to the first device, reading configuration module-specific device information from the configuration module, requesting configuration module-specific authorization verification for the configuration model-specific device information from the first device in an authorization device, and storing the requested configuration module-specific authorization verification on a security storage unit of the first device.

Abstract: Provided is a device unit, including a module, which can configure the device unit with an operating state from among different operating states during the start-up process and/or during ongoing operation of the device unit, wherein a first protected operating state of the different operating states is designed to allow the execution of at least one operating process which can be predefined and to optionally protect the operating process by means of defined cryptographic means, wherein at least one second operating state of the different operating states is designed to deactivate the first protected operating state and to allow at least one other changeable operating process and to optionally protect the operating process by means of specifiable cryptographic means.

Abstract: A method for authenticating a communication partner on a device is provided, in which method, in addition to a physical device implementation, there is at least one virtual device implementation allocated to the device, the method having the following steps: receiving an access authorization of a communication partner one first of these two device implementations, checking, by the first device implementation, the access authorization and if the access authorization is deemed permissible, providing an authorization verification from the first device implementation to the communication partner, and permitting an access to the second device implementation of these two device implementations by the communication partner by the authorization verification.

Abstract: The invention relates to a computer-implemented method for connecting a network component to a network, in particular a mobile communications network, with an extended network access identifier. The method involves a receiving of the extended network access identifier from the network component via a network access server, wherein the extended network access identifier comprises at least one network access restriction for connecting the network component to the network. The method also involves a receiving of a requested user access profile from a user profile server via the network access server, wherein the user access profile comprises access authorisations for connecting the network component to the network. The network component is authenticated in the network via the network access server, if the received extended network access identifier fulfills thre access authorisations of the received user access profile.