| 摘要 |
<p>The present invention is concerned with security zoning or clustering, i.e. the task of defining a set of non-overlapping security zones and assigning each node or resource of an Industrial Automation and Control System (IACS) to exactly one zone. The invention is based on deterministic, engineered information about network nodes of the IACS as retrieved from an IACS system description file or equivalent representation of the system configuration. The invention suggests an automated, structured and repeatable approach for segmenting the network of an IACS to better provide cyber security functionalities in an IACS installation, to decrease the risk for unintentional errors and to provide traceable documentation on the network segregation. The invention allows for more thorough zoning than that performed manually by engineers, especially when dealing with complex network topologies, and reduces the time that engineers need to spend in designing an optimal solution that meets all the security zoning requirements and rules.</p> |
