Patents by Inventor Rainer Falk

Rainer Falk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10692403
    Abstract: A modular security control device for controlling an apparatus or an installation includes a basic control apparatus which is configured such that an apparatus or an installation which is at least connectable to the basic control apparatus is at least controllable via a sequence of a control program in the basic control apparatus, and includes a security module which is configured to provide or perform a cryptographic functionality for the basic control apparatus, where the security module is connected to the basic control apparatus by a data connection via a data interface, the basic control apparatus is configured to interact with the security module to achieve a security function of the security control device, and where the basic control apparatus is configured to query an identity and/or authenticity of the security module.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: June 23, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hans Aschauer, Rainer Falk, Kai Fischer, Steffen Fries, Markus Heintel, Anton Sebastian Huber, Wolfgang Klasen, Joachim Koppers, Axel Pfau, Georg Trummer, Johannes Zwanzger, Franz Sperl, Bernhard Quendt
  • Patent number: 10686812
    Abstract: A device for detecting a manipulation of a program code, wherein the program code is configured to be executed from an execution environment on a computing system, is provided. The device includes a comparator unit which is configured to compare data of the program code with reference data, in order to produce a comparison result, if the execution environment conveys a termination command to the program code, and a detection unit which is configured to detect a manipulation of the program code on the basis of the comparison result. The device can prevent data, which is produced or used during the execution of a program code, from continuing to be used after termination of the program code if an attack or manipulation of the program code has occurred. A method is further proposed for detecting a manipulation of a program code.
    Type: Grant
    Filed: February 9, 2015
    Date of Patent: June 16, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200183374
    Abstract: Monitoring the integrity of industrial automation systems is provided. For example, a negative impact on integrity caused by unauthorized access should be identified. This is made possible by comparing state data which describe the operating state of the industrial automation system, with sensor data which describe an environmental influence of the automation system.
    Type: Application
    Filed: June 7, 2018
    Publication date: June 11, 2020
    Inventors: Steffen Fries, Rainer Falk
  • Patent number: 10659187
    Abstract: A method for securely providing a receiver unit with a replica pseudo-random noise code is provided. The replica pseudo-random noise code is provided in a restricted manner based on a result of an admissibility check. In order to carry out the admissibility check, values are recorded and are compared with predefined threshold values.
    Type: Grant
    Filed: June 27, 2015
    Date of Patent: May 19, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20200151340
    Abstract: Provided is a method for monitoring a blockchain including the following steps: evaluating a characteristic of a physical infrastructure on which the blockchain is based; comparing the determined evaluation to a predetermined parameter; and outputting a signal if the evaluation is less than the predetermined parameter.
    Type: Application
    Filed: June 7, 2018
    Publication date: May 14, 2020
    Inventor: Rainer Falk
  • Patent number: 10630473
    Abstract: Provided is a method and a security module for determining or providing a device-specific private key for an asymmetrical cryptographic process. A device-specific private primary seed is reproducibly formed from a device-specific secret piece of data, and the device-specific private key is determined from the device-specific private primary seed.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: April 21, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200117585
    Abstract: Provided is a method for testing a blockchain in a computer-aided manner, having the following method steps: generating a specified transaction and/or a specified smart contract, the specified transaction and/or the specified smart contract being paired with a respective specification value; adding the specified transaction and/or the specified smart contract into the blockchain; carrying out the specified transaction and/or the specified smart contract, a measurement value of the specified transaction and/or the specified smart contract being detected; and testing the measurement value using the specification value, wherein a control signal is provided in the event of a deviation from the specification value.
    Type: Application
    Filed: March 29, 2018
    Publication date: April 16, 2020
    Inventor: Rainer Falk
  • Publication number: 20200120071
    Abstract: Provided is a transmission device for feedback-free unidirectional transmission of data from a first network zone into a second network zone for evaluation at a remote application server, containing: a data export device which is arranged in the first network zone and is designed to detect the data transmitted in a network data format in the first network zone and to transform the data from the network data format into a transport data format, a unidirectional data transmission unit, which is designed to transmit the data in the transport data format into the second network zone unidirectionally, a data import device which is designed to transform the data from the transport data format back into the network data format and to transmit the data to an application server, wherein the data import device and the application server are arranged in a second network zone remote from the first zone.
    Type: Application
    Filed: May 17, 2018
    Publication date: April 16, 2020
    Inventors: Martin Wimmer, Rainer Falk
  • Publication number: 20200089890
    Abstract: Provided is a device unit, including a module, which can configure the device unit with an operating state from among different operating states during the start-up process and/or during ongoing operation of the device unit, wherein a first protected operating state of the different operating states is designed to allow the execution of at least one operating process which can be predefined and to optionally protect the operating process by means of defined cryptographic means, wherein at least one second operating state of the different operating states is designed to deactivate the first protected operating state and to allow at least one other changeable operating process and to optionally protect the operating process by means of specifiable cryptographic means.
    Type: Application
    Filed: October 10, 2017
    Publication date: March 19, 2020
    Inventors: Hans Aschauer, Steffen Fries, Markus Heintel, Dominik Merli, Rainer Falk
  • Publication number: 20200089915
    Abstract: Provided is a method and a system for the tamper-proof storage of information about object-related measures which are contained as transactions in transaction blocks that are interlinked in a transaction block chain of the object to which the measures relate, the transaction block chain being stored in an object data memory allocated to the object.
    Type: Application
    Filed: January 4, 2018
    Publication date: March 19, 2020
    Inventor: Rainer Falk
  • Patent number: 10594611
    Abstract: There is a need for coupling, for example within an automation area, particularly critical subareas with less critical subareas of the automation area. The invention relates to a method and a network filtering device for filtering a data packet between a first network and a second network. According to the invention, a data packet is checked several times in parallel by means of a multiplier and a plurality of filtering devices.
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: March 17, 2020
    Assignee: Siemens Aktiengesellschaft
    Inventors: Uwe Blöcher, Rainer Falk, David von Oheimb
  • Publication number: 20200067943
    Abstract: Provided is a detection device which is suitable for receiving a service within a network assembly, having the following: means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or control an additional device within the network assembly using the data detected by the detection device; means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device; and means for providing the generated and/or determined network access configuration data to the network access device.
    Type: Application
    Filed: October 9, 2017
    Publication date: February 27, 2020
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20200059357
    Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.
    Type: Application
    Filed: September 15, 2017
    Publication date: February 20, 2020
    Inventors: Steffen Fries, Rainer Falk
  • Publication number: 20200028829
    Abstract: A security unit which is suitable for a device, in particular an IoT device, for running one or more applications for a secure data exchange with one or more servers which provide web services is provided. The security unit is designed with the following: means for imaging original data onto corresponding replacement data and/or vice versa, wherein the original and/or replacement data forms a respective original and/or replacement key and/or can be used to form same; means for detecting a replacement key which is supplied by an application being run and which corresponds to an original key; and means for providing a required original key which corresponds to the replacement key using the imaging means in order to allow the original key to be used for the secure data exchange with the server.
    Type: Application
    Filed: December 19, 2017
    Publication date: January 23, 2020
    Inventor: Rainer Falk
  • Publication number: 20200021443
    Abstract: Provided is a method for the computer-assisted provision of security-protected time information, including the method steps: acquiring first time information from one or more time sources; storing transactions, wherein the transactions comprise the first time information and/or first check sums for the first time information are calculated and the transactions include the first check sums; and creating the security-protected time information by generating elements of a block chain, wherein the elements each comprise at least one of the transactions and the elements are linked with one another to form the block chain.
    Type: Application
    Filed: September 26, 2017
    Publication date: January 16, 2020
    Inventor: Rainer Falk
  • Publication number: 20200019733
    Abstract: Provided is an apparatus (TFDC) for operating a software-configured processing unit (SDS) for a device, in particular a field device (TFD), wherein the apparatus, according to a prescribed and/or prescribable architecture, includes at least one processor (CPU) and a number of hardware units, having: a security unit (IOS; MS) configured to cause a change in the arrangement of the data bit sequence of at least one data stream provided and/or routed to the processing unit (SDS) to protect the hardware units from manipulation. The processing unit is trustworthy, i.e., is protected from manipulation and attack from the outside. The data stream arrives at the device. A “number” here and above denotes a number of one or more.
    Type: Application
    Filed: July 10, 2019
    Publication date: January 16, 2020
    Inventor: Rainer Falk
  • Patent number: 10528484
    Abstract: A device for protecting a security module from manipulation attempts in a field device. A control device is configured to control the field device, a security module is configured to provide cryptographic key data which is to be used by the control device, and an interface device is connected to the control device. The security module is configured to allow the control device access to the cryptographic key data in the security module and to prevent access to the cryptographic key data in the event of a manipulation attempt on the field device.
    Type: Grant
    Filed: December 15, 2011
    Date of Patent: January 7, 2020
    Assignee: Siemens Mobility GmbH
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20190394034
    Abstract: A programmable hardware security module, a method for securing a private key of a cryptographic key pair, and a method for securely providing a private key of a cryptographic key pair on a programmable hardware security module, wherein with the described devices and methods, a decentralised PKI is built, via which device keys and device certificates can be generated and target devices can be provided securely, where in this regard, the key-pair-specific transport key plays a central role in protecting the generated private key that is to be transferred, and where this is linked to the particular key pair intended for a target device via a key derivation from a master key utilizing a key-pair-specific derivation parameter.
    Type: Application
    Filed: December 28, 2017
    Publication date: December 26, 2019
    Inventors: Hans Aschauer, Daniel Schneider, Rainer Falk
  • Publication number: 20190394027
    Abstract: Automatically and dynamically ascertain by means of autoconfiguration whether used or activated and usable cipher suites and/or key lengths are sufficiently strong for current cryptographic protection of the control communication and/or other service access by virtue of 1) “cipher-suite”-based/-specific information available in the network/system being called up to ascertain reference cipher suites and/or 2) block chain information available in the network/system, containing data records referred to as “proof of work” for solving complex computation tasks, being called up or ascertained, with the ascertainment of block chain difficulty parameters as key length estimation parameters to ascertain appropriate reference key lengths, in particular reference minimum key lengths required for cryptoalgorithms, and 3) the ascertained reference cipher suites and/or the reference key lengths ascertained by the key length estimation parameters being compared with the used or activated and usable cipher suites and/or key
    Type: Application
    Filed: January 11, 2018
    Publication date: December 26, 2019
    Inventor: Rainer Falk
  • Patent number: 10489564
    Abstract: Provided is a method for the secure, computer-aided execution of program instructions of an application, including the following method steps. The method includes a step of switching on a learning mode of an execution environment. The method includes a further step of performing the application in the execution environment while the learning mode is switched on, wherein program instructions of the application are performed for a selected predetermined application scenario and the execution environment assigns a first application scenario-specific validity information to the performed program instructions. The method includes a step of switching on a working mode of the execution environment, wherein, in the working mode, the execution environment checks the first validity information of the program instructions, and wherein the execution environment executes the program instructions as a function of their validity information.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: November 26, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hans Aschauer, Rainer Falk, Kai Fischer, Markus Heintel, Wolfgang Klasen, Dominik Merli, Axel Pfau, Stefan Pyka, Daniel Schneider