| CPC G06F 21/629 (2013.01) [G06F 9/45558 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/4557 (2013.01)] | 12 Claims |
|
1. A method of granting access rights to control applications of an industrial automation system, the method comprising:
providing first control applications via software containers which are loaded into and executed in a container runtime environment installed on a host operating system, the software containers for the first control applications each being at least one of (i) migratable from one automation device having a container runtime environment to another automation device having a container runtime environment for execution there and (ii) executable simultaneously on a plurality of automation devices having a container runtime environment;
monitoring and configuring the first control applications via an application management system;
detecting, by the application management system, at least one of creation, deletion and modification of the software containers, and registering, by the application management system, the software containers with their respective execution status, at least one of the creation, deletion and modification of the software containers each comprising allocating or releasing resources in a respective automation device having a container runtime environment;
authenticating the first control applications via the application management system;
executing and cryptographically authenticating second control applications directly on a host operating system; and
authorizing data traffic from at least one of (i) the first and the second control applications to target devices and (ii) target applications following successful authentication in each case via an at least temporarily valid access key inserted into the data traffic;
wherein the first and second control applications are installed on automation devices which comprise a secured subnetwork which is assigned to the industrial automation system; and
wherein the first and the second control applications are accessed from outside the secured subnetwork only following authorization by the application management system.
|