Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate device settings on one or more of the industrial assets to implement the security event management policies, and deploys these instructions to the appropriate assets in order to implement the defined policies.

Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. When new industrial devices are subsequently installed on the plant floor, the system determines whether a security policy defined by the model is applicable to the new device and commissions the new device to comply with any relevant security policies. This mitigates the necessity for a system administrator to manually configure individual devices to comply with plant-wide security policies.

Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate device settings on one or more of the industrial assets to implement the security event management policies, and deploys these instructions to the appropriate assets in order to implement the defined policies.

Abstract: An industrial safety architecture integrates employee identity and enterprise-level security policy into plant-floor functional safety systems, allowing control and safety systems on the plant floor to regulate safe interactions with hazardous controlled machinery based on user identity or role. The architecture leverages existing employee identity and security policy data maintained on the corporate level of an industrial enterprise to manage identity- and/or role-based control and safety on the plant level. Safety authority systems at both the corporate level and the plant level of the industrial enterprise obtain employee and security policy data from corporate-level systems and provides this data in as SIL-rated manner to industrial control and safety systems on the plant floor, where the identity and security policy information is used by functional safety systems to control access to industrial systems as a function of user identity, role, certifications, or other qualifications.

Abstract: An industrial safety architecture integrates employee identity and enterprise-level security policy into plant-floor functional safety systems, allowing control and safety systems on the plant floor to regulate safe interactions with hazardous controlled machinery based on user identity or role. The architecture leverages existing employee identity and security policy data maintained on the corporate level of an industrial enterprise to manage identity- and/or role-based control and safety on the plant level. Safety authority systems at both the corporate level and the plant level of the industrial enterprise obtain employee and security policy data from corporate-level systems and provides this data in as SIL-rated manner to industrial control and safety systems on the plant floor, where the identity and security policy information is used by functional safety systems to control access to industrial systems as a function of user identity, role, certifications, or other qualifications.

Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. When new industrial devices are subsequently installed on the plant floor, the system determines whether a security policy defined by the model is applicable to the new device and commissions the new device to comply with any relevant security policies. This mitigates the necessity for a system administrator to manually configure individual devices to comply with plant-wide security policies.

Abstract: A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define zone-specific security configuration and event management policies for a plant environment at a high-level based on a security model that groups the industrial assets into security zones. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate device settings on one or more of the industrial assets to implement the security event management policies, and deploys these instructions to the appropriate assets in order to implement the defined policies.

Abstract: Techniques to facilitate protection of control system content used in an industrial automation environment are disclosed herein. In at least one implementation, the control system content for use in the industrial automation environment is received, wherein the control system content comprises controller program code that directs an industrial controller to drive a machine system. Content protection instructions for the control system content are also received, wherein the content protection instructions comprise restrictions on execution of the control system content. An execution license that includes process-related constraints for the control system content is generated based on the content protection instructions. The execution license is applied to the control system content to generate protected content, wherein use of the control system content is granted subject to the process-related constraints of the execution license.

Abstract: An automation control system is provided that includes a distributed automation component that receives and processes delta scripts describing state changes to one or more objects of a persistent object model.

Abstract: Techniques to facilitate protection of control system content used in an industrial automation environment are disclosed herein. In at least one implementation, the control system content for use in the industrial automation environment is received, wherein the control system content comprises controller program code that directs an industrial controller to drive a machine system. Content protection instructions for the control system content are also received, wherein the content protection instructions comprise restrictions on execution of the control system content. An execution license that includes process-related constraints for the control system content is generated based on the content protection instructions. The execution license is applied to the control system content to generate protected content, wherein use of the control system content is granted subject to the process-related constraints of the execution license.

Abstract: Techniques to facilitate protection of control system content used in an industrial automation environment are disclosed herein. In at least one implementation, the control system content for use in the industrial automation environment is received, wherein the control system content comprises controller program code that directs an industrial controller to drive a machine system. Content protection instructions for the control system content are also received, wherein the content protection instructions comprise restrictions on execution of the control system content. An execution license that includes process-related constraints for the control system content is generated based on the content protection instructions. The execution license is applied to the control system content to generate protected content, wherein use of the control system content is granted subject to the process-related constraints of the execution license.

Abstract: Aspects describe multiple interface support that provides dynamic switching between new and old interface revisions. A first interface application is selected from a set of alternative interface applications for an industrial automation system. Support for each interface application included in the set of alternative interface applications is provided. A second interface application is downloaded and associated with the first interface application. The second interface application is enabled during runtime. If needed, the second interface application can be selectively disabled and an operation resumed with the first interface application.

Abstract: An improved system for establishing rules in a firewall for an industrial network is disclosed. Rules are established at an application level, identifying, for example, actions to occur between two devices. The action may be, for example, read data table or get attribute, and each action may require multiple message packets to be transmitted between the two devices in order to complete. A network device executing the firewall is configured to receive message packets from a sending device and to inspect the message packets to determine which action the sending device is requesting to perform. If the action corresponds to a rule in the database, the network device manages communications between the two devices until all message packets have been transmitted. Thus, a single action, or application, may be defined in the rules database to permit multiple data packets to be communicated between the devices.

Abstract: An automation control system is provided that includes a distributed automation component that receives and processes delta scripts describing state changes to one or more objects of a persistent object model.

Abstract: An automation control system is provided that includes delta scripts that describe one or more changes of the stored state information. The delta scripts may be useful to enable one or more other components of the control system and the one or more other components apply the one or more delta scripts to update state information stored on the one or more other components based upon the one or more changes.

Abstract: An automation control and monitoring system is provided that includes chainable plug-ins that may work in combination with one another to transform data or generate events. Resources of the automation control and monitoring system may be polymorphically defined based upon a generalized object model. The chainable plug-ins may be chained to make use of and/or affect a resource of any type.

Abstract: An automation control system is provided that includes a first component that stores state information of an object of the automation control system. Additionally, the first component generates one or more delta scripts that describe one or more changes of the stored state information. Further, the first component transmits the one or more delta scripts to one or more other components of the control system and the one or more other components apply the one or more delta scripts to update state information stored on the one or more other components based upon the one or more changes.

Abstract: Aspects of the present invention provide machines, systems, and methods in which industrial control systems may be secured from compromise and/or disruption via authentication and firewall. In particular, an industrial controller may: randomly generate an exchange key and send the exchange key to a client device in response to a transaction request originating from the client device; combine the exchange key with a locally stored pass key to produce an authentication code; and compare a challenge key received from the client device to the authentication code to determine a match between the challenge key and the authentication code. A successful match between the challenge key and the authentication code may allow the client device to further access the industrial controller using a common industrial protocol (CIP), and a failed match between the challenge key and the authentication code may prevent the client device from further access to the industrial controller.

Abstract: Techniques to facilitate protection of control system content used in an industrial automation environment are disclosed herein. In at least one implementation, the control system content for use in the industrial automation environment is received, wherein the control system content comprises controller program code that directs an industrial controller to drive a machine system. Content protection instructions for the control system content are also received, wherein the content protection instructions comprise restrictions on execution of the control system content. An execution license that includes process-related constraints for the control system content is generated based on the content protection instructions. The execution license is applied to the control system content to generate protected content, wherein use of the control system content is granted subject to the process-related constraints of the execution license.

Abstract: A control and monitoring system is provided that includes an automation controller. The system includes a distributed model stored on the automation controller. Changes to the distributed model are provided via delta scripts that define only the changes to the model. Further, the control and monitoring system 24 includes distributed execution engines that execute commands based upon trigger events determined in the system. a plurality of automation control components networked together and with the automation controller, wherein the plurality of automation control components are capable of load balancing among the plurality of automation control components in response to performance demands of the control and monitoring system. These features of the control and monitoring system enable load balancing, data and processing redundancy, and collaborative design within the control and monitoring system.