Abstract: A network access control system includes a communication device and an authorization system. The communication device is configured to communicate time-critical messages through a time-sensitive network during scheduled time windows. The communication device is further configured to be communicatively connected to a candidate device and to receive a network access request from the candidate device while blocking the candidate device from communicating through the time-sensitive network. The authorization system is communicatively connected to the communication device and configured to authorize the candidate device via a multi-factor authentication protocol that requires a user of the candidate device to successfully provide multiple identification factors. In response to the authorization system authorizing the candidate device, the communication device is configured to grant the candidate device restricted access to one or more of send or receive approved messages through the time-sensitive network.

Abstract: An apparatus is provided. The apparatus including a plurality of network interfaces, including a first network interface and a second network interface. The apparatus also includes a processor with two or more independent processing units, including a first independent processing unit and a second independent processing unit. The apparatus further includes a memory having first instructions and second instructions stored thereon. Execution of the first instructions, cause the first independent processing unit to execute operations associated with a first operating system and communicate, via the first network interface, over a bi-direction communication, with one or more platform computing devices. Execution of the second instructions, cause the second independent processing unit to execute real-time operations associated with a second operating system and communicate, via the second network interface, with one or more computing devices each having one or more sensors thereon.

Abstract: A secure communication path device includes a first secure communication validator providing a one-way communication path from a security domain by implementing a secure protocol parser, a second secure communication validator providing a one-way communication path from a second security domain by implementing a secure second protocol parser. Each validator including respective serial/de-serializer units providing a unidirectional communication path from their respective security domain. The device hardware segregating respective communications of the security domains within the secure communication path device.

Abstract: A secure communication path device includes a first secure communication validator providing a one-way communication path from a security domain by implementing a secure protocol parser, a second secure communication validator providing a one-way communication path from a second security domain by implementing a secure second protocol parser. Each validator including respective serial/de-serializer units providing a unidirectional communication path from their respective security domain. The device hardware segregating respective communications of the security domains within the secure communication path device.

Abstract: A network access control system includes a communication device and an authorization system. The communication device is configured to communicate time-critical messages through a time-sensitive network during scheduled time windows. The communication device is further configured to be communicatively connected to a candidate device and to receive a network access request from the candidate device while blocking the candidate device from communicating through the time-sensitive network. The authorization system is communicatively connected to the communication device and configured to authorize the candidate device via a multi-factor authentication protocol that requires a user of the candidate device to successfully provide multiple identification factors. In response to the authorization system authorizing the candidate device, the communication device is configured to grant the candidate device restricted access to one or more of send or receive approved messages through the time-sensitive network.

Abstract: Provided are a device and method for allocating system resources. In one example, the method includes identifying resources that are available from a plurality of devices included in a system, allocating available resources of the plurality of devices to a plurality of components operating in the system, the allocating comprising reserving a set of resources from the plurality of devices in the system for each respective component, from among the plurality of components, based on operating requirements included in the metadata of the respective component, and managing the system based on the allocated resources. By allocating resources to components executing in the system, in advance, and preventing other components from consuming those resources, the system can operate with improved stability.

Abstract: The example embodiments are directed to a system and method for secure provisioning of secrets into MPSoC devices using untrusted third-party systems. In one example, the method includes generating a random number sequence from a true random number generator to produce secret information, storing the secret information in an on-chip secure storage, encrypting, in a device and using public key encryption, the secret information to generate an encrypted message, and transmitting the encrypted message to a third-party system.

Abstract: According to some embodiments, a system may include a communication port to exchange information with a client device associated with an industrial control system. A network security server coupled to the communication port may include a computer processor adapted to provide a network security service for the client device. The computer processor may further be adapted to record security information about the client device via a blockchain verification process (e.g., by registering a validation result within a distributed ledger). The network security service might comprise, for example, an integrity attestation service providing software verification for the client device.

Abstract: The example embodiments are directed to a system and method for secure provisioning of secrets into MPSoC devices using untrusted third-party systems. In one example, the method includes generating a random number sequence from a true random number generator to produce secret information, storing the secret information in an on-chip secure storage, encrypting, in a device and using public key encryption, the secret information to generate an encrypted message, and transmitting the encrypted message to a third-party system.

Abstract: Provided are a device and method for allocating system resources. In one example, the method includes identifying resources that are available from a plurality of devices included in a system, allocating available resources of the plurality of devices to a plurality of components operating in the system, the allocating comprising reserving a set of resources from the plurality of devices in the system for each respective component, from among the plurality of components, based on operating requirements included in the metadata of the respective component, and managing the system based on the allocated resources. By allocating resources to components executing in the system, in advance, and preventing other components from consuming those resources, the system can operate with improved stability.

Abstract: Provided are a device and method for allocating system resources. In one example, the method includes identifying resources that are available from a plurality of devices included in a system, allocating available resources of the plurality of devices to a plurality of components operating in the system, the allocating comprising reserving a set of resources from the plurality of devices in the system for each respective component, from among the plurality of components, based on operating requirements included in the metadata of the respective component, and managing the system based on the allocated resources. By allocating resources to components executing in the system, in advance, and preventing other components from consuming those resources, the system can operate with improved stability.

Abstract: According to some embodiments, an overall chain-of-trust may be established for an industrial control system. Secure hardware may be provided, including a hardware security module coupled to or integrated with a processor of the industrial control system to provide a hardware root-of-trust. Similarly, secure firmware associated with a secure boot mechanism such that the processor executes a trusted operating system, wherein the secure boot mechanism includes one or more of a measured boot, a trusted boot, and a protected boot. Objects may be accessed via secure data storage, and data may be exchanged via secure communications in accordance with information stored in the hardware security model.

Abstract: A digital rights management (DRM) scheme enables a user having a valid license to digital content to create one or more copies of the content. The number of copies is limited by the DRM scheme. However, if the user is not connected or connectable to the content provider or licensing party when additional copies are desired, the user is permitted to create one or more additional copies without deleting or disabling other copies even though the additional copies exceed the number otherwise permitted by the DRM scheme. The number of such “float” copies may be limited. Rights to such additional copies may be withdrawn during a subsequent connection session between the user and the content provider.

Abstract: According to some embodiments, a system may include a communication port to exchange information with a client device associated with an industrial control system. A network security server coupled to the communication port may include a computer processor adapted to provide a network security service for the client device. The computer processor may further be adapted to record security information about the client device via a blockchain verification process (e.g., by registering a validation result within a distributed ledger). The network security service might comprise, for example, an integrity attestation service providing software verification for the client device.

Abstract: Provided are a device and method for allocating system resources. In one example, the method includes identifying resources that are available from a plurality of devices included in a system, allocating available resources of the plurality of devices to a plurality of components operating in the system, the allocating comprising reserving a set of resources from the plurality of devices in the system for each respective component, from among the plurality of components, based on operating requirements included in the metadata of the respective component, and managing the system based on the allocated resources. By allocating resources to components executing in the system, in advance, and preventing other components from consuming those resources, the system can operate with improved stability.

Abstract: According to some embodiments, an overall chain-of-trust may be established for an industrial control system. Secure hardware may be provided, including a hardware security module coupled to or integrated with a processor of the industrial control system to provide a hardware root-of-trust. Similarly, secure firmware associated with a secure boot mechanism such that the processor executes a trusted operating system, wherein the secure boot mechanism includes one or more of a measured boot, a trusted boot, and a protected boot. Objects may be accessed via secure data storage, and data may be exchanged via secure communications in accordance with information stored in the hardware security model.

Abstract: A system and method for controlling processor instruction execution. In one example, a method for synchronizing a number of instructions performed by processors includes instructing a first processor to iteratively execute instructions via a first set of iterations until a predetermined time period has elapsed. A number of instructions executed in each iteration of the first set of iterations is less than a number of instructions executed in a prior iteration of the first set of iterations. The method also includes instructing a second processor to iteratively execute instructions via a second set of iterations until the predetermined time period has elapsed. A number of instructions executed in each iteration of the second set of iterations is less than a number of instructions executed in a prior iteration of the second set of iterations. The method includes determining whether additional instructions are to be executed.

Abstract: A system and method for controlling processor instruction execution. In one example, a method for controlling a total number of instructions executed by a processor includes instructing the processor to iteratively execute instructions via multiple iterations until a predetermined time period has elapsed. A number of instructions executed in each iteration of the iterations is less than a number of instructions executed in a prior iteration of the iterations. The method also includes determining the total number of instructions executed during the predetermined time period.

Abstract: A system and method for controlling processor instruction execution. In one example, a method for controlling a total number of instructions executed by a processor includes instructing the processor to iteratively execute instructions via multiple iterations until a predetermined time period has elapsed. A number of instructions executed in each iteration of the iterations is less than a number of instructions executed in a prior iteration of the iterations. The method also includes determining the total number of instructions executed during the predetermined time period.

Abstract: The acceleration of peer-to-peer downloads of content files wherein a tracker performs a condition based peer selection that is dynamically adjustable. A further feature relates to the use of enhanced message scheme for communications. One embodiment is a system in a swarm having at least one origin seed capable of at least initially storing the content files with at least one tracker maintaining a list of peers wherein the tracker uses at least one dynamically adjusting peer selection algorithm to generate a condition based peer-list and provides the condition based peer-list to a requesting peer.