Method of accessing functions of an embedded device
地域:
Marktheidenfeld
摘要
A method for accessing functions of an embedded device, for example a controller programmable from memory, wherein function blocks of the embedded device are assigned to at least two hierarchically superimposed levels, an access to a function block of the embedded device occurs from outside of the embedded device by a data interface, and for access an authentication must occur for the level to which the respective function block is assigned, and again for each individual level above the level to which the function block is assigned, to permit execution of a function of the function block, wherein the functions of the function blocks permit access to a firmware of the embedded device.
說明書
The present invention relates to a method of accessing functions of an embedded device, in particular of a programmable logic controller.
Embedded devices, i.e., for example, programmable logic controllers (PLCs), are used in a plurality of fields to control machinery and plant. Such embedded devices in particular control automated processes such as production lines, power plants or water supply systems.
The embedded devices typically themselves have no safety mechanisms or only very slight safety mechanisms that prevent access of unauthorized persons to the embedded devices. Such access can, for example, take place by means of a data connection using remote access. To achieve a certain protection of the embedded devices, the embedded devices are conventionally protected by means of a separate firewall or by completely walled-off data networks.
Disadvantageously, an attacker e.g. only has to overcome the firewall to be able to access embedded devices “behind” the firewall. Defending against such threats is in particular becoming more and more important with respect to the increasing networking of embedded devices and the further increasing number of attacks over the internet or over data networks.
It is therefore the object underlying the invention to provide an embedded device and a method for accessing such an embedded device that ensure increased security of the embedded device.
This object is satisfied by a method in accordance with claim 1 and in particular in that
- (a) functional blocks of the embedded device are associated with at least two levels disposed above one another hierarchically;
權利要求
The invention claimed is:1. A method of accessing functions of an embedded device, the method comprising:(a) associating functional blocks of the embedded device with at least two levels disposed above one another hierarchically; (b) accessing to a functional block of the embedded device from outside the embedded device by a data interface; and (c) authenticating during the accessing for a level with which the respective functional block is associated, and subsequently and serially performing an authentication for every level above the level associated with the functional block to permit an execution of a function of the functional block, each authentication performed being a prerequisite for a subsequent authentication, wherein the functions of the functional blocks permit access to firmware of the embedded device, for each level of the at least two levels, successful authentication permits access to associated functional blocks, and authentication for each of the at least two levels includes transmission of a one-time-use value to a device requesting access, receipt of an encrypted value from the device requesting access, decryption of the encrypted value to generate a decrypted value, determining whether the decrypted value matches the one-time-use value, and determination that authentication is successful when the decrypted value matches the one-time-use value. 2. The method in accordance with claim 1 ,wherein the embedded device is a programmable logic controller. 3. The method in accordance with claim 1 ,wherein the functions of the functional blocks also permit access to an application program executed on the embedded device. 4. The method in accordance with claim 1 ,wherein the authentication for different levels takes place by different keys. 5. The method in accordance with claim 1 ,wherein the embedded device uses a key-based cryptographic process for authentication for a level. 6. The method in accordance with claim 1 ,wherein a first functional block that permits direct access to hardware of the embedded device is arranged in a first level that is a lowest level. 7. The method in accordance with claim 6 ,wherein a function belonging to the first functional block permits direct access to a network interface. 8. The method in accordance with claim 6 ,wherein a second functional block that permits direct access to an operating system kernel of the embedded device is arranged in a second level that is disposed above the first level. 9. The method in accordance with claim 8 ,wherein a function belonging to the second functional block permits direct access to a file system. 10. The method in accordance with claim 8 ,wherein a third functional block that permits access to the executed application program is arranged in a third level that is disposed above the second level. 11. The method in accordance with claim 10 ,wherein a function belonging to the second functional block permits a monitoring of the executed application program. 12. The method in accordance with claim 10 ,wherein a fourth functional block that permits access to a web server of the embedded device is arranged in a fourth level that is disposed above the third level. 13. The method in accordance with claim 2 ,wherein a function belonging to the fourth functional block permits a data input and a data output at the web server. 14. The method in accordance with claim 1 ,wherein access to functions of the embedded device is checked by a firewall of the embedded device. 15. The method in accordance with claim 1 ,wherein a user management is used in which users are stored to whom authentication for predefined functional blocks is permitted. 16. An embedded device comprising:a data interface; a processing device; and a memory device; wherein the processing device is configured to: a) associate functional blocks of the embedded device with levels disposed above one another hierarchically; b) carry out an authentication during access to a functional block of the embedded device from outside the embedded device by the data interface for a level with which the functional block is associated, and subsequently and serially carry out an authentication for every level disposed above the level associated with the functional block before an execution of a function of the functional block is permitted, each authentication performed being a prerequisite for a subsequent authentication,wherein functions of the functional blocks permit access to firmware of the embedded device, for each level of the at least two levels, successful authentication permits access to associated functional blocks, and authentication for each of the at least two levels includes transmission of a one-time-use value to a device requesting access, receipt of an encrypted value from the device requesting access, decryption of the encrypted value to generate a decrypted value, determining whether the decrypted value matches the one-time-use value, and determination that authentication is successful when the decrypted value matches the one-time-use value. 17. The embedded device in accordance with claim 16 , wherein the functions of the functional blocks that permit access to firmware of the embedded device also permit access to an application program executed on the embedded device. 18. The embedded device in accordance with claim 17 , wherein the embedded device is a programmable logic controller. 19. The embedded device in accordance with claim 16 ,wherein the embedded device is configured to execute a real-time application. 20. The embedded device in accordance with claim 16 ,further comprising a fieldbus connector and the embedded device is operable at a voltage of 24 volts.
意見反饋