Patents by Inventor Taryl J. Jasper

Taryl J. Jasper has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240077852
    Abstract: An industrial topology discovery system autonomously discovers and documents industrial automation system topologies using orchestrated discovery agents of various types. The topology discovery system can reside on a cloud platform or another high level network and deploy discovery agents on plant networks and devices within an industrial facility. These discovery agents can implement different strategies for discovering system information, and can include agents configured to monitor and report on communication traffic across respective types of networks, agents configured to probe respective device types for identity and configuration information, and other types of agents.
    Type: Application
    Filed: September 1, 2022
    Publication date: March 7, 2024
    Inventors: Taryl J. Jasper, Charles M. Rischar, Radek Bartman, Eryn Amara Danielle Manela, Clark L. Case, Roman Vitek
  • Publication number: 20240064174
    Abstract: An enterprise-level security policy management tool receives, via a graphical user interface (GUI), inputs defining a security policy configured to be deployed within an enterprise that operates one or more operational technology (OT) networks, generates the security policy based on the inputs, and transmits the security policy to one or more computing devices running respective other instantiations of the enterprise-level security policy management tool, wherein the respective other instantiations of the enterprise-level security policy management tool are configured to facilitate enforcement of the security policy within the one or more OT networks operated by the enterprise.
    Type: Application
    Filed: August 17, 2022
    Publication date: February 22, 2024
    Inventors: Dustin A. Molzon, Taryl J. Jasper, Roch Mikolajczyk
  • Publication number: 20240053718
    Abstract: An industrial topology discovery system autonomously discovers and documents industrial automation system topologies using orchestrated discovery agents of various types. The topology discovery system can reside on a cloud platform or another high level network and deploy discovery agents on plant networks and devices within an industrial facility. These discovery agents can implement different strategies for discovering system information, and can include agents configured to monitor and report on communication traffic across respective types of networks, agents configured to probe respective device types for identity and configuration information, and other types of agents.
    Type: Application
    Filed: August 15, 2022
    Publication date: February 15, 2024
    Inventors: Taryl J. Jasper, Charles M. Rischar, Radek Bartman, Roman Vitek
  • Publication number: 20240028009
    Abstract: A method includes receiving, from an enterprise network, data associated with one or more industrial automation systems operated by an enterprise, wherein the data includes design artifacts of the one or more industrial automation systems, run time data collected from the one or more industrial automation systems, or both, inputting the data to a machine learning-based security policy development engine to generate a set of recommended security policies for the enterprise based on the data, receiving the set of recommended security policies for the one or more industrial automation systems output by the security policy development engine, wherein the set of recommended security policies define access, use, or both, of the one or more industrial automation systems operated by the enterprise; and transmitting the set of recommended security policies to the enterprise.
    Type: Application
    Filed: July 21, 2022
    Publication date: January 25, 2024
    Inventors: Timothy C. Mirth, Taryl J. Jasper, Terence S. Tenorio, Thaddeus A. Palus
  • Publication number: 20240031445
    Abstract: Performing multi-layer network discovery of an operational technology (OT) network includes receiving a plurality of discovery data sets, each identifying a respective subset of a plurality of nodes within an OT network having a plurality of network layers, wherein the respective subset of the plurality of nodes for a first discovery data set are disposed within at least two network layers of the plurality of network layers, identifying a set of nodes within the OT network that appear in two or more of the plurality of discovery data sets, generating a holistic discovery data set for the OT network based on the plurality of discovery data sets and the identified set of nodes within the OT network that appear in the two or more of the plurality of discovery data sets, and generating a visualization of the plurality of nodes within the OT network based on the holistic discovery data set.
    Type: Application
    Filed: July 19, 2022
    Publication date: January 25, 2024
    Inventors: Timothy C. Mirth, Taryl J. Jasper, Terence S. Tenorio, Thaddeus A. Palus
  • Publication number: 20240020741
    Abstract: A centralized industrial catalog system aggregates product information from disparate sources and globally synchronizes updated catalog information to local versions of the product catalog at customer sites. The catalog system can execute as a service on a cloud platform accessible to end user applications or local catalogs. The catalog system serves as a scalable global authority for known product information for either a single product vendor or for multiple vendors. The industrial catalog system can ensure that local versions of product catalog content are synchronized with high-level sources.
    Type: Application
    Filed: July 18, 2022
    Publication date: January 18, 2024
    Inventors: Taryl J. Jasper, Charles M. Rischar, Anthony J. DiBlasio, Clark L. Case
  • Publication number: 20240019834
    Abstract: A security device includes one or more processors and a memory that includes instructions, that when executed by the processors, cause the processors to perform operations. The operations include monitoring data traffic between industrial automation devices in an industrial system and one or more devices in an external network, determining that a first industrial automation device does not include native security features for receiving secure data from the devices in the external network or transmitting secure data to the devices in the external network, and implementing one or more security techniques in response to determining that the first industrial automation device does not include the native security features.
    Type: Application
    Filed: July 13, 2022
    Publication date: January 18, 2024
    Inventors: Jack M. Visoky, Taryl J. Jasper, Kyle E. Neet, Jessica E. Forguites, William J. Petro, David E. Huffman
  • Publication number: 20230421615
    Abstract: A system includes a first computing node of a cluster of computing nodes that are part of a container orchestration system, a control system for controlling one or more operations of an operation technology (OT) component, and a second node of the cluster of computing nodes. The control system is communicatively coupled to the first computing node and the OT component. The second computing node may transmit a pod to the first computing node. The pod may cause the first computing node to perform operations that include deploying a container as a digital representation of the OT component, testing a security update on the digital representation, determining that the security update is ready for implementation in the OT component, and transmitting an indication that the security update is available for implementation to the OT component after determining that the security update is ready for implementation.
    Type: Application
    Filed: June 28, 2022
    Publication date: December 28, 2023
    Inventors: Jack M. Visoky, Taryl J. Jasper
  • Patent number: 11294351
    Abstract: An automation control system is provided that includes one or more components. The components include an embedded execution engine that is configured to execute one or more commands based upon data communicated to the one or more components from another component of the automation control system. The data is representative of a change to an object in the control system.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: April 5, 2022
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Douglas J. Reichard, Joseph Bronikowski, Michael D. Kalan, Steven John Kowal, Subbian Govindaraj, Taryl J. Jasper, Kenneth S. Plache, Douglas W. Reid, Charles Rischar
  • Patent number: 11271974
    Abstract: A device may include a communication component that may communicatively couple to a first network. The device may also include a processor that may transmit a first signal via the communication component to a network address translation (NAT) system, the first signal including a first request to discover a server device. The NAT system may communicatively couple to the first network and a second network, such that the first network is inaccessible to the second network. The processor may then receive location data associated with the server device and transmit a second signal addressed to the server device based on the location data. The second signal is transmitted to the NAT system, such that the second signal may include a second request for a security policy from the server device. The processor may then receive the security policy via the NAT system and adjust one or more communication operations based on the security policy.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: March 8, 2022
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Jack M. Visoky, David E. Huffman, Taryl J. Jasper
  • Patent number: 11212322
    Abstract: An industrial security policy configuration system generates and implements security policies for industrial automation systems based on design data for the industrial systems generated by device manufacturers, system integrators, original equipment manufacturers, or the owners of the industrial assets during the design of the industrial systems. The system translates the collected design data to a security rule set defining device-level communication privileges, which are then translated to a comprehensive set of security policies customized to the requirements of the industrial systems represented by the design data. By leveraging the rich set of available design data to identify or infer security requirements and generate suitable security configurations, the system can mitigate the need to manually configure security policies based on human judgments regarding normal and abnormal network traffic.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: December 28, 2021
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Alex L. Nicoll, Kyle Crum, Taryl J. Jasper, Michael A. Bush, Jack M. Visoky
  • Publication number: 20210344725
    Abstract: A device may include a communication component that may communicatively couple to a first network. The device may also include a processor that may transmit a first signal via the communication component to a network address translation (NAT) system, the first signal including a first request to discover a server device. The NAT system may communicatively couple to the first network and a second network, such that the first network is inaccessible to the second network. The processor may then receive location data associated with the server device and transmit a second signal addressed to the server device based on the location data. The second signal is transmitted to the NAT system, such that the second signal may include a second request for a security policy from the server device. The processor may then receive the security policy via the NAT system and adjust one or more communication operations based on the security policy.
    Type: Application
    Filed: April 30, 2020
    Publication date: November 4, 2021
    Inventors: Jack M. Visoky, David E. Huffman, Taryl J. Jasper
  • Patent number: 10721223
    Abstract: A secure method for establishing communications to provision modules in an industrial control system generates a certificate signing request to obtain a signed security certificate. A mobile device is located proximate to the module with the certificate signing request, and the mobile device has previously established itself as a secure communication interface on the network. The mobile device establishes a first connection between the module and the mobile device via a short-range protocol and a second connection between the mobile device and a signing server via a network. The mobile device retrieves the certificate signing request via the first connection and transmits the certificate signing request to the signing server via the second connection. Because the mobile device has previously established itself as a secure interface, the transmission of the certificate signing request to the signing server may be made via a secure connection.
    Type: Grant
    Filed: April 12, 2018
    Date of Patent: July 21, 2020
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Taryl J. Jasper, Dukki Chung, Jack M. Visoky, Michael A. Bush
  • Patent number: 10678950
    Abstract: Industrial controller modules are configured with security components that implement backplane-level security protocols, thereby preventing installation of unauthorized modular devices on the backplane of an industrial controller. When a modular device is installed in the controller's chassis and interfaces with the backplane, security components in the processor module or other supervisory module initiate exchange of authentication data with the modular device via the backplane. The authentication data can comprise one or more security challenges to which the modular device must respond correctly before the modular device is permitted to operate on the backplane. These backplane-level security protocols can prevent installation of rogue modules that may be used to collect proprietary control data or interfere with control processes.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: June 9, 2020
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Michael A. Bush, Taryl J. Jasper, Kevin M. Tambascio
  • Publication number: 20200120143
    Abstract: An industrial security policy configuration system generates and implements security policies for industrial automation systems based on design data for the industrial systems generated by device manufacturers, system integrators, original equipment manufacturers, or the owners of the industrial assets during the design of the industrial systems. The system translates the collected design data to a security rule set defining device-level communication privileges, which are then translated to a comprehensive set of security policies customized to the requirements of the industrial systems represented by the design data. By leveraging the rich set of available design data to identify or infer security requirements and generate suitable security configurations, the system can mitigate the need to manually configure security policies based on human judgments regarding normal and abnormal network traffic.
    Type: Application
    Filed: October 10, 2018
    Publication date: April 16, 2020
    Inventors: Alex L. Nicoll, Kyle Crum, Taryl J. Jasper, Michael A. Bush, Jack M. Visoky
  • Publication number: 20190319943
    Abstract: A secure method for establishing communications to provision modules in an industrial control system generates a certificate signing request to obtain a signed security certificate. A mobile device is located proximate to the module with the certificate signing request, and the mobile device has previously established itself as a secure communication interface on the network. The mobile device establishes a first connection between the module and the mobile device via a short-range protocol and a second connection between the mobile device and a signing server via a network. The mobile device retrieves the certificate signing request via the first connection and transmits the certificate signing request to the signing server via the second connection. Because the mobile device has previously established itself as a secure interface, the transmission of the certificate signing request to the signing server may be made via a secure connection.
    Type: Application
    Filed: April 12, 2018
    Publication date: October 17, 2019
    Inventors: Taryl J. Jasper, Dukki Chung, Jack M. Visoky, Michael A. Bush
  • Publication number: 20190236313
    Abstract: Industrial controller modules are configured with security components that implement backplane-level security protocols, thereby preventing installation of unauthorized modular devices on the backplane of an industrial controller. When a modular device is installed in the controller's chassis and interfaces with the backplane, security components in the processor module or other supervisory module initiate exchange of authentication data with the modular device via the backplane. The authentication data can comprise one or more security challenges to which the modular device must respond correctly before the modular device is permitted to operate on the backplane. These backplane-level security protocols can prevent installation of rogue modules that may be used to collect proprietary control data or interfere with control processes.
    Type: Application
    Filed: January 26, 2018
    Publication date: August 1, 2019
    Inventors: Michael A. Bush, Taryl J. Jasper, Kevin M. Tambascio
  • Publication number: 20190204805
    Abstract: An automation control system is provided that includes one or more components. The components include an embedded execution engine that is configured to execute one or more commands based upon data communicated to the one or more components from another component of the automation control system. The data is representative of a change to an object in the control system.
    Type: Application
    Filed: March 7, 2019
    Publication date: July 4, 2019
    Inventors: Douglas J. Reichard, Joseph Bronikowski, Michael D. Kalan, Steven John Kowal, Subbian Govindaraj, Taryl J. Jasper, Kenneth S. Plache, Douglas W. Reid, Charles Rischar
  • Patent number: 10228679
    Abstract: An automation control system is provided that includes one or more components. The components include an embedded execution engine that is configured to execute one or more commands based upon data communicated to the one or more components from another component of the automation control system. The data is representative of a change to an object in the control system.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: March 12, 2019
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Douglas J. Reichard, Joseph Bronikowski, Michael D. Kalan, Steven John Kowal, Subbian Govindaraj, Taryl J. Jasper, Kenneth S. Plache, Douglas W. Reid, Charles Rischar
  • Patent number: 10097585
    Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define security policies for a plant environment at a high-level by grouping the industrial assets into security zones, and defining any additional communication permissions in terms of asset-to-asset, asset-to-zone, or zone-to-zone conduits. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate security settings on one or more of the industrial assets, and deploys these instructions to the appropriate assets in order to implement the defined security policy.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: October 9, 2018
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Michael A. Bush, Jack M. Visoky, Taryl J. Jasper