U.S. patent application number 16/853622 was filed with the patent office on 2021-06-24 for dynamic segmentation in an industrial network based on inventory tags.
The applicant listed for this patent is Cisco Technology, Inc.. Invention is credited to Robert Edgar Barton, Daniel R. Behrens, Laurent Jean Charles Hausermann, Jerome Henry, Ruben Gerald Lobo, Maik Guenter Seewald, Thomas Szigeti.
Application Number | 20210194760 16/853622 |
Document ID | / |
Family ID | 1000004814179 |
Filed Date | 2021-06-24 |
United States Patent
Application |
20210194760 |
Kind Code |
A1 |
Barton; Robert Edgar ; et
al. |
June 24, 2021 |
DYNAMIC SEGMENTATION IN AN INDUSTRIAL NETWORK BASED ON INVENTORY
TAGS
Abstract
According to one or more embodiments of the disclosure, a
service obtains one or more component tags and one or more activity
tags that were assigned to an endpoint device in a network based on
deep packet inspection of traffic associated with the endpoint
device. The service determines an intent of the endpoint device,
using the one or more component tags and the one or more activity
tags that were assigned to the endpoint device. The service
translates the intent of the endpoint device into a network
segmentation policy. The service configures a network overlay in
the network that implements the network segmentation policy.
Inventors: |
Barton; Robert Edgar;
(Richmond, CA) ; Szigeti; Thomas; (Vancouver,
CA) ; Henry; Jerome; (Pittsboro, NC) ; Lobo;
Ruben Gerald; (Raleigh, NC) ; Hausermann; Laurent
Jean Charles; (Lyon, FR) ; Seewald; Maik Guenter;
(Nurnberg, DE) ; Behrens; Daniel R.; (Chardon,
OH) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Cisco Technology, Inc. |
San Jose |
CA |
US |
|
|
Family ID: |
1000004814179 |
Appl. No.: |
16/853622 |
Filed: |
April 20, 2020 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
62951645 |
Dec 20, 2019 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06Q 10/0875 20130101;
H04L 12/4641 20130101; H04L 41/0803 20130101 |
International
Class: |
H04L 12/24 20060101
H04L012/24; G06Q 10/08 20060101 G06Q010/08; H04L 12/46 20060101
H04L012/46 |
Claims
1. A method comprising: obtaining, by a service, one or more
component tags and one or more activity tags that were assigned to
an endpoint device in a network based on deep packet inspection of
traffic associated with the endpoint device; determining, by the
service, an intent of the endpoint device, using the one or more
component tags and the one or more activity tags that were assigned
to the endpoint device; translating, by the service, the intent of
the endpoint device into a network segmentation policy; and
configuring, by the service, a network overlay in the network that
implements the ii network segmentation policy.
2. The method as in claim 1, wherein determining the intent of the
endpoint device comprises: receiving, at the service, an indication
of one or more scalable group tags for the endpoint device; and
associating, by the service, the one or more scalable group tags
with the endpoint device.
3. The method as in claim 2, wherein translating the intent of the
endpoint device into a network segmentation policy comprises:
generating a security group access control list, based on the one
or more scalable group tags associated with the endpoint device;
and wherein configuring the network overlay in the network
comprises: sending the security group access control list to
networking equipment in the network.
4. The method as in claim 2, wherein indication of the one or more
scalable group tags is received via a user interface.
5. The method as in claim 1, wherein the network overlay restricts
the endpoint device to communicating only with a subset of senders
or receivers via the network, and wherein the network overlay
further restricts the endpoint device to sending or receiving only
a specific type of application traffic via the network.
6. The method as in claim 5, wherein the one or more component tags
are indicative of a physical location of the endpoint device, and
wherein one or more of the senders or receivers in the subset are
also located in that physical location.
7. The method as in claim 1, wherein the endpoint device comprises
a programmable logic controller (PLC) or variable-frequency drive
(VFD).
8. The method as in claim 1, wherein the network overlay is
implemented as a Virtual Extensible Local Area Network (VxLAN)
overlay in the network.
9. An apparatus, comprising: one or more network interfaces to
communicate with a network; a processor coupled to the one or more
network interfaces and configured to execute one or more processes;
and a memory configured to store a process that is executable by
the processor, the process when executed configured to: obtain one
or more component tags and one or more activity tags that were
assigned to an endpoint device in a network based on deep packet
inspection of traffic associated with the endpoint device;
determine an intent of the endpoint device, using the one or more
component tags and the one or more activity tags that were assigned
to the endpoint device; translate the intent of the endpoint device
into a network segmentation policy; and is configure a network
overlay in the network that implements the network segmentation
policy.
10. The apparatus as in claim 9, wherein the apparatus determines
the intent of the endpoint device by: receiving an indication of
one or more scalable group tags for the endpoint device; and
associating the one or more scalable group tags with the endpoint
device.
11. The apparatus as in claim 10, wherein the apparatus translates
the intent of the endpoint device into a network segmentation
policy by: generating a security group access control list, based
on the one or more scalable group tags associated with the endpoint
device; and wherein configuring the network overlay in the network
comprises: sending the security group access control list to
networking equipment in the network.
12. The apparatus as in claim 11, wherein indication of the one or
more scalable group tags is received via a user interface.
13. The apparatus as in claim 9, wherein the network overlay
restricts the endpoint device to communicating only with a subset
of senders or receivers via the network, and wherein the network
overlay further restricts the endpoint device to sending or
receiving only a specific type of application traffic via the
network.
14. The apparatus as in claim 13, wherein the one or more component
tags are indicative of a physical location of the endpoint device,
and wherein one or more of the senders or receivers in the subset
are also located in that physical location.
15. The apparatus as in claim 9, wherein the endpoint device
comprises a programmable logic controller (PLC) or
variable-frequency drive (VFD).
16. The apparatus as in claim 9, wherein the network overlay is
implemented as a Virtual Extensible Local Area Network (VxLAN)
overlay in the network.
17. A tangible, non-transitory, computer-readable medium storing
program instructions that cause a service to execute a process
comprising: obtaining, by the service, one or more component tags
and one or more activity tags that were assigned to an endpoint
device in a network based on deep packet inspection of traffic
associated with the endpoint device; determining, by the service,
an intent of the endpoint device, using the one or more component
tags and the one or more activity tags that were assigned to the
endpoint device; translating, by the service, the intent of the
endpoint device into a network segmentation policy; and
configuring, by the service, a network overlay in the network that
implements the network segmentation policy.
18. The computer-readable medium as in claim 17, wherein
determining the intent of the endpoint device comprises: receiving,
at the service, an indication of one or more scalable group tags
for the endpoint device; and associating, by the service, the one
or more scalable group tags with the endpoint device.
19. The computer-readable medium as in claim 18, wherein
translating the intent of the endpoint device into a network
segmentation policy comprises: generating a security group access
control list, based on the one or more scalable group tags
associated with the endpoint device; and wherein configuring the
network s overlay in the network comprises: sending the security
group access control list to networking equipment in the
network.
20. The computer-readable medium as in claim 19, wherein the
network overlay restricts the endpoint device to communicating only
with a subset of senders or receivers via the network, and wherein
the network overlay further restricts the endpoint device to
sending or receiving only a specific type of application traffic
via the network.
Description
RELATED APPLICATION
[0001] This application claims priority to U.S. Provisional Patent
Application No. 62/951.645, filed on Dec. 20, 2019, entitled
"INTENT-BASED SECURITY FOR INDUSTRIAL IOT DEVICES" by Barton et
al., the contents of which are incorporated by reference
herein.
TECHNICAL FIELD
[0002] The present disclosure relates generally to computer
networks, and, more particularly, to intent-based security for
industrial Internet of Things (IoT) devices.
BACKGROUND
[0003] The Internet of Things, or "IoT" for short, represents an
evolution of computer networks that seeks to connect many everyday
objects to the Internet. Notably, there has been a recent
proliferation of `smart` devices that are Internet-capable such as
thermostats, lighting, televisions, cameras, and the like. In many
implementations, these devices may also communicate with one
another. For example, an IoT motion sensor may communicate with one
or more smart lightbulbs, to actuate the lighting in a room when a
person enters the room. Vehicles are another class of `things` that
are being connected via the IoT for purposes of sharing sensor
data, implementing self-driving capabilities, monitoring, and the
like.
[0004] The nature of the IoT makes network security particularly
challenging, especially in the case of industrial settings, such as
factories, mines, ports, power substations, and the like. Indeed,
these types of networks are typically large scale in nature,
include a variety of legacy devices that do not support
authentication methods (e.g., 802.1x) and lack system patching,
making it very difficult to define adequate security policies for
each device.
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] The embodiments herein may be better understood by referring
to the following description in conjunction with the accompanying
drawings in which like reference numerals indicate identically or
functionally similar elements, of which:
[0006] FIG. 1 illustrate an example network;
[0007] FIG. 2 illustrates an example network device/node;
[0008] FIG. 3 illustrates an example network architecture for an
industrial network;
[0009] FIGS. 4A-4B illustrate example displays of component and
activity tags;
[0010] FIG. 5 illustrates an example screen capture of an asset
profile;
[0011] FIGS. 6A-6B illustrate examples of applying segmentation to
a network; and
[0012] FIG. 7 illustrates an example simplified procedure for
segmenting a network.
DESCRIPTION OF EXAMPLE EMBODIMENTS
Overview
[0013] According to one or more embodiments of the disclosure, a
service obtains one or more component tags and one or more activity
tags that were assigned to an endpoint device in a network based on
deep packet inspection of traffic associated with the endpoint
device. The service determines an intent of the endpoint device,
using the one or more component tags and the one or more activity
tags that were assigned to the endpoint device. The service
translates the intent of the endpoint device into a network
segmentation policy. The service configures a network overlay in
the network that implements the network segmentation policy.
Description
[0014] A computer network is a geographically distributed
collection of nodes interconnected by communication links and
segments for transporting data between end nodes, such as personal
computers and workstations, or other devices, such as sensors, etc.
Many types of networks are available, ranging from local area
networks (LANs) to wide area networks (WANs). LANs typically
connect the nodes over dedicated private communications links
located in the same general physical location, such as a building
or campus. WANs, on the other hand, typically connect
geographically dispersed nodes over long-distance communications
links, such as common carrier telephone lines, optical lightpaths,
synchronous optical networks (SONET), synchronous digital hierarchy
(SDH) links, or Powerline Communications, and others. Other types
of networks, such as field area networks (FANs), neighborhood area
networks (NANs), personal area networks (PANs), etc. may also make
up the components of any given computer network.
[0015] In various embodiments, computer networks may include an
Internet of Things network. Loosely, the term "Internet of Things"
or "IoT" (or "Internet of Everything" or "IoE") refers to uniquely
identifiable objects (things) and their virtual representations in
a network-based architecture. In particular, the IoT involves the
ability to connect more than just computers and communications
devices, but rather the ability to connect "objects" in general,
such as lights, appliances, vehicles, heating, ventilating, and
air-conditioning (HVAC), windows and window shades and blinds,
doors, locks, etc. The "Internet of Things" thus generally refers
to the interconnection of objects (e.g., smart objects), such as
sensors and actuators, over a computer network (e.g., via IP),
which may be the public Internet or a private network.
[0016] Often, IoT networks operate within a shared-media mesh
networks, such as wireless or Powerline Communication networks,
etc., and are often on what is referred to as Low-Power and Lossy
Networks (LLNs), which are a class of network in which both the
routers and their interconnect are constrained. That is, LLN
devices/routers typically operate with constraints, e.g.,
processing power, memory, and/or energy (battery), and their
interconnects are characterized by, illustratively, high loss
rates, low data rates, and/or instability. IoT networks are
comprised of anything from a few dozen to thousands or even
millions of devices, and support point-to-point traffic (between
devices inside the network), point-to-multipoint traffic (from a
central control point such as a root node to a subset of devices
inside the network), and multipoint-to-point traffic (from devices
inside the network towards a central control point).
[0017] Fog computing is a distributed approach of cloud
implementation that acts as an intermediate layer from local
networks (e.g., IoT networks) to the cloud (e.g., centralized
and/or shared resources, as will be understood by those skilled in
the art). That is, generally, fog computing entails using devices
at the network edge to provide application services, including
computation, networking, and storage, to the local nodes in the
network, in contrast to cloud-based approaches that rely on remote
data centers/cloud environments for the services. To this end, a
fog node is a functional node that is deployed close to fog
endpoints to provide computing, storage, and networking resources
and services. Multiple fog nodes organized or configured together
form a fog system, to implement a particular solution. Fog nodes
and fog systems can have the same or complementary capabilities, in
various implementations. That is, each individual fog node does not
have to implement the entire spectrum of capabilities. Instead, the
fog capabilities may be distributed across multiple fog nodes and
systems, which may collaborate to help each other to provide the
desired services. In other words, a fog system can include any
number of virtualized services and/or data stores that are spread
across the distributed fog nodes. This may include a master-slave
configuration, publish-subscribe configuration, or peer-to-peer
configuration.
[0018] Low power and Lossy Networks (LLNs), e.g., certain sensor
networks, may be used in a myriad of applications such as for
"Smart Grid" and "Smart Cities." A number of challenges in LLNs
have been presented, such as:
[0019] 1) Links are generally lossy, such that a Packet Delivery
Rate/Ratio (PDR) can dramatically vary due to various sources of
interferences, e.g., considerably affecting the bit error rate
(BER);
[0020] 2) Links are generally low bandwidth, such that control
plane traffic must generally be bounded and negligible compared to
the low rate data traffic;
[0021] 3) There are a number of use cases that require specifying a
set of link and node metrics, some of them being dynamic, thus
requiring specific smoothing functions to avoid routing
instability, considerably draining bandwidth and energy;
[0022] 4) Constraint-routing may be required by some applications,
e.g., to establish routing paths that will avoid non-encrypted
links, nodes running low on energy, etc.;
[0023] 5) Scale of the networks may become very large, e.g., on the
order of several thousands to millions of nodes; and
[0024] 6) Nodes may be constrained with a low memory, a reduced
processing capability, a low power supply (e.g., battery).
[0025] In other words, LLNs are a class of network in which both
the routers and their interconnect are constrained: LLN routers
typically operate with constraints, e.g., processing power, memory,
and/or energy (battery), and their interconnects are characterized
by, illustratively, high loss rates, low data rates, and/or
instability. LLNs are comprised of anything from a few dozen and up
to thousands or even millions of LLN routers, and support
point-to-point traffic (between devices inside the LLN),
point-to-multipoint traffic (from a central control point to a
subset of devices inside the LLN) and multipoint-to-point traffic
(from devices inside the LLN towards a central control point).
[0026] An example implementation of LLNs is an "Internet of Things"
network. Loosely, the term "Internet of Things" or "IoT" may be
used by those in the art to refer to uniquely identifiable objects
(things) and their virtual representations in a network-based
architecture. In particular, the next frontier in the evolution of
the Internet is the ability to connect more than just computers and
communications devices, but rather the ability to connect "objects"
in general, such as lights, appliances, vehicles, HVAC (heating,
ventilating, and air-conditioning), windows and window shades and
blinds, doors, locks, etc. The "Internet of Things" thus generally
refers to the interconnection of objects (e.g., smart objects),
such as sensors and actuators, over a computer network (e.g., IP),
which may be the Public Internet or a private network. Such devices
have been used in the industry for decades, usually in the form of
non-IP or proprietary protocols that are connected to IP networks
by way of protocol translation gateways. With the emergence of a
myriad of applications, such as the smart grid advanced metering
infrastructure (AMI), smart cities, and building and industrial
automation, and cars (e.g., that can interconnect millions of
objects for sensing things like power quality, tire pressure, and
temperature and that can actuate engines and lights), it has been
of the utmost importance to extend the IP protocol suite for these
networks.
[0027] FIG. 1 is a schematic block diagram of an example simplified
computer network 100 illustratively comprising nodes/devices at
various levels of the network, interconnected by various methods of
communication. For instance, the links may be wired links or shared
media (e.g., wireless links, powerline communication links, etc.)
where certain nodes, such as, e.g., routers, sensors, computers,
etc., may be in communication with other devices, e.g., based on
connectivity, distance, signal strength, current operational
status, location, etc.
[0028] Specifically, as shown in the example IoT network 100, three
illustrative layers are shown, namely cloud layer 110, fog layer
120, and IoT device layer 130. Illustratively, the cloud 110 may
comprise general connectivity via the Internet 112, and may contain
one or more datacenters 114 with one or more centralized servers
116 or other devices, as will be appreciated by those skilled in
the art. Within the fog layer 120, various fog nodes/devices 122
(e.g., with fog modules, described below) may execute various fog
computing resources on network edge devices, as opposed to
datacenter/cloud-based servers or on the endpoint nodes 132
themselves of the IoT layer 130. For example, fog nodes/devices 122
may include edge routers and/or other networking devices that
provide connectivity between cloud layer 110 and IoT device layer
130. Data packets (e.g., traffic and/or messages sent between the
devices/nodes) may be exchanged among the nodes/devices of the
computer network 100 using predefined network communication
protocols such as certain known wired protocols, wireless
protocols, powerline communication protocols, or other shared-media
protocols where appropriate. In this context, a protocol consists
of a set of rules defining how the nodes interact with each
other.
[0029] Those skilled in the art will understand that any number of
nodes, devices, links, etc. may be used in the computer network,
and that the view shown herein is for simplicity. Also, those
skilled in the art will further understand that while the network
is shown in a certain orientation, the network 100 is merely an
example illustration that is not meant to limit the disclosure.
[0030] Data packets (e.g., traffic and/or messages) may be
exchanged among the nodes/devices of the computer network 100 using
predefined network communication protocols such as certain known
wired protocols, wireless protocols (e.g., IEEE Std. 802.15.4,
Wi-Fi, Bluetooth.RTM., DECT-Ultra Low Energy, LoRa, etc..),
powerline communication protocols, or other shared-media protocols
where appropriate. In this context, a protocol consists of a set of
rules defining how the nodes interact with each other.
[0031] FIG. 2 is a schematic block diagram of an example
node/device 200 that may be used with one or more embodiments
described herein, e.g., as any of the nodes or devices shown in
FIG. 1 above or described in further detail below. The device 200
may comprise one or more network interfaces 210 (e.g., wired,
wireless, etc.), at least one processor 220, and a memory 240
interconnected by a system bus 250, as well as a power supply 260
(e.g., battery, plug-in, etc.).
[0032] Network interface(s) 210 include the mechanical, electrical,
and signaling circuitry for communicating data over links coupled
to the network. The network interfaces 210 may be configured to
transmit and/or receive data using a variety of different
communication protocols, such as TCP/IP, UDP, etc. Note that the
device 200 may have multiple different types of network connections
210, e.g., wireless and wired/physical connections, and that the
view herein is merely for illustration. Also, while the network
interface 210 is shown separately from power supply 260, for
powerline communications the network interface 210 may communicate
through the power supply 260, or may be an integral component of
the power supply. In some specific configurations the powerline
communication signal may be coupled to the power line feeding into
the power supply.
[0033] The memory 240 comprises a plurality of storage locations
that are addressable by the processor(s) 220 and the network
interfaces 210 for storing software programs and data structures
associated with the embodiments described herein. The processor 220
may comprise necessary elements or logic adapted to execute the
software programs and manipulate the data structures 245. An
operating system 242 (e.g., the Internetworking Operating System,
or IOS.RTM., of Cisco Systems, Inc., another operating system,
etc.), portions of which are typically resident in memory 240 and
executed by the processor(s), functionally organizes the node by,
inter alia, invoking network operations in support of software
processors and/or services executing on the device. These software
processors and/or services may comprise a network security process
248.
[0034] It will be apparent to those skilled in the art that other
processor and memory types, including various computer-readable
media, may be used to store and execute program instructions
pertaining to the techniques described herein. Also, while the
description illustrates various processes, it is expressly
contemplated that various processes may be embodied as modules
configured to operate in accordance with the techniques herein
(e.g., according to the functionality of a similar process).
Further, while processes may be shown and/or described separately,
those skilled in the art will appreciate that processes may be
routines or modules within other processes.
[0035] In general, network security process 248 may be configured
to perform any or all of the following tasks: [0036] 1. Identifying
and classifying devices in the network--this may entail, for
example, determining the make, model, software configuration, type,
etc. of a given device. [0037] 2. Discerning operational insights
about a device--for example, network security process 248 may
assess the traffic of a particular device, to determine what the
device is doing, or attempting to do, via the network. Such
information may take the form of device details and communication
maps for the device. In further cases, the device functions and
application flows may be converted into tags and/or events for
presentation to a user interface. Further, process 248 may also
track variable changes, to monitor the integrity of the industrial
workflow. [0038] 3. Detecting anomalies--network security process
248 may also assess the behaviors of a device on the network, to
determine whether its behaviors are anomalous. In various
embodiments, this may entail network security process 248
determining whether the behavior of the device has changed
significantly over time and/or does not fit the expected behavioral
pattern for its classification. For example, if the device is
identifies as being a temperature sensor that periodically sends
temperature measurements to a supervisory service, but the device
is instead communicating data elsewhere, process 248 may deem this
behavior anomalous.
[0039] In various embodiments, network security process 248 may
employ any number of machine learning techniques, to assess the
gathered telemetry data regarding the traffic of the device. In
general, machine learning is concerned with the design and the
development of techniques that receive empirical data as input
(e.g., telemetry data regarding traffic in the network) and
recognize complex patterns in the input data. For example, some
machine learning techniques use an underlying model M, whose
parameters are optimized for minimizing the cost function
associated to M, given the input data. For instance, in the context
of classification, the model M may be a straight line that
separates the data into two classes (e.g., labels) such that
M=a*x+b*y+c and the cost function is a function of the number of
misclassified points. The learning process then operates by
adjusting the parameters a,b,c such that the number of
misclassified points is minimal. After this optimization/learning
phase, network security process 248 can use the model M to classify
new data points, such as information regarding new traffic flows in
the network. Often, M is a statistical model, and the cost function
is inversely proportional to the likelihood of M, given the input
data.
[0040] In various embodiments, network security process 248 may
employ one or more supervised, unsupervised, or semi-supervised
machine learning models. Generally, supervised learning entails the
use of a training set of data, as noted above, that is used to
train the model to apply labels to the input data. For example, the
training data may include sample telemetry data that is "normal,"
or "suspicious." On the other end of the spectrum are unsupervised
techniques that do not require a training set of labels. Notably,
while a supervised learning model may look for previously seen
attack patterns that have been labeled as such, an unsupervised
model may instead look to whether there are sudden changes in the
behavior of the network traffic. Semi-supervised learning models
take a middle ground approach that uses a greatly reduced set of
labeled training data.
[0041] Example machine learning techniques that network security
process 248 can employ may include, but are not limited to, nearest
neighbor (NN) techniques (e.g., k-NN models, replicator NN models,
etc.), statistical techniques (e.g., Bayesian networks, etc.),
clustering techniques (e.g., k-means, mean-shift, etc.), neural
networks (e.g., reservoir networks, artificial neural networks,
etc.), support vector machines (SVMs), logistic or other
regression, Markov models or chains, principal component analysis
(PCA) (e.g., for linear models), multi-layer perceptron (MLP) ANNs
(e.g., for non-linear models), replicating reservoir networks
(e.g., for non-linear models, typically for time series), random
forest classification, or the like.
[0042] The performance of a machine learning model can be evaluated
in a number of ways based on the number of true positives, false
positives, true negatives, and/or false negatives of the model. For
example, the false positives of the model may refer to the number
of traffic flows that are incorrectly classified as
malware-generated, anomalous, etc. Conversely, the false negatives
of the model may refer to the number of traffic flows that the
model incorrectly classifies as normal, when actually
malware-generated, anomalous, etc. True negatives and positives may
refer to the number of traffic flows that the model correctly
classifies as normal or malware-generated, etc., respectively.
Related to these measurements are the concepts of recall and
precision. Generally, recall refers to the ratio of true positives
to the sum of true positives and false negatives, which quantifies
the sensitivity of the model. Similarly, precision refers to the
ratio of true positives the sum of true and false positives.
[0043] In some cases, network security process 248 may assess the
captured telemetry data on a per-flow basis. In other embodiments,
network security process 248 may assess telemetry data for a
plurality of traffic flows based on any number of different
conditions. For example, traffic flows may be grouped based on
their sources, destinations, temporal characteristics (e.g., flows
that occur around the same time, etc.), combinations thereof, or
based on any other set of flow characteristics.
[0044] As noted above, the very nature of the IoT presents certain
challenges, from a security standpoint. Indeed, the diversity of
the various devices in the network in terms of their hardware,
software, and purposes (e.g., sensing, controlling, etc.), as well
as the specific configuration of the network (e.g., cells in an
industrial network, etc.), can make enforcing network security
particularly challenging.
[0045] Best practices for Industrial IoT security typically follow
standardized models, such as IEC 62443. This security model
implements both operational technology (OT) and information
technology (IT) security levels and establishes how security should
be designed in industrial systems. Furthermore, it describes how
security between levels is accomplished through the use of
controlled conduits. However, industrial security remains very
difficult to enforce, as evidenced by recent industrial attacks
where this model was in place. A superior approach would be to
leverage intent-based networking, complete with abstraction,
automation and analytics, to define, enforce and assure IoT
security policies.
[0046] It is also important to recognize that IoT devices typically
follow a well prescribed communication profile (e.g., to which
devices they should be communicating, on what protocol, and what
the protocol should be doing). For instance, a supervisory control
and data acquisition (SCADA) slave should only ever communicate to
a SCADA master on an established port and should only execute
allowable commands. However, it remains very difficult to both 1.)
verify that the things, such as intelligent electronic devices,
programmable logic controllers (PLCs), variable-frequency drive
(VFD), human-machine interfaces (HMIs), input/output (I/O)
controllers, etc., are communicating in the expected way and 2.)
control their behaviors such that any unexpected network attacks
are isolated.
[0047] Even when the communications between endpoints are seemingly
innocuous, there has been a recent trend in malware taking
advantage of these communications to mo damage equipment. In these
forms of attacks, an infected endpoint can send control commands to
another endpoint, with whom communication is allowed, that can
damage or disrupt the operations of the equipment and, potentially,
the industrial environment as a whole. For example, malicious SCADA
commands to a PLC could cause the PLC to drive a motor in an unsafe
way, cause power to be turned off or on to a circuit (e.g., a
feeder in an electrical power station), or the like.
Dynamic Segmentation in an Industrial Network Based on Inventory
Tags
[0048] The techniques herein introduce a network architecture
whereby devices are automatically discovered and classified, to
drive intent-based network segmentation in a dynamic manner. In
some aspects, endpoint devices in the network can be tagged
according to their component and activity types, allowing for easy
identification of the intent of the device and translation of the
intent into a corresponding network overlay.
[0049] Illustratively, the techniques described herein may be
performed by hardware, software, and/or firmware, such as in
accordance with the network security process 248, which may include
computer executable instructions executed by the processor 220 (or
independent processor of interfaces 210) to perform functions
relating to the techniques described herein.
[0050] Specifically, according to various embodiments, a service
obtains one or more component tags and one or more activity tags
that were assigned to an endpoint device in a network based on deep
packet inspection of traffic associated with the endpoint device.
The service determines an intent of the endpoint device, using the
one or more component tags and the one or more activity tags that
were assigned to the endpoint device. The service translates the
intent of the endpoint device into a network segmentation policy.
The service configures a network overlay in the network that
implements the network segmentation policy.
[0051] Operationally, FIG. 3 illustrates an example network
architecture 300 for an industrial network, according to various
embodiments. As shown, architecture 300 may include industrial
equipment 304 connected to a controller 306, such as a PLC, a VFD,
or the like, that controls the operations of industrial equipment
304. In turn, controller 306 for industrial equipment 304 may be
connected to an HMI 310 via networking equipment 308, allowing a
human user to interface with it (e.g., to visualize the industrial
process, issue commands, etc.). In addition, networking equipment
308 may also provide connectivity via the greater network 302 to
any number of network services 312-320 provided in the local
network of networking equipment 308 and/or remotely. For example,
services 312-320 may be implemented in the local network via
dedicated equipment or virtualized across any number of devices
(e.g., networking equipment 308). In other cases, services 312-320
may be provided by servers in a remote data center, the cloud, or
the like.
[0052] As would be appreciated, industrial equipment 304 may
differ, depending on the industrial setting in which architecture
300 is implemented. In many cases, industrial equipment 304 may
comprise an actuator such as, but not limited to, a motor, a pump,
a solenoid, or the like. In other cases, industrial equipment 304
may include a circuit and controller 306 may control the powering
of the circuit.
[0053] Industrial equipment 304 may also include any number of
sensors configured to take measurements regarding the physical
process implemented by industrial equipment 304. For example, such
sensors may take temperature readings, distance measurements,
humidity readings, voltage or amperage measurements, or the like,
and provide them to controller 306 for industrial equipment 304.
During operation, controller 306 may use the sensor data from
industrial equipment 304 as part of a control loop, thereby
allowing controller 306 to adjust the industrial process as
needed.
[0054] HMI 310 may include a dedicated touch screen display or may
take the form of a workstation, portable tablet or other handheld,
or the like. Thus, during operation, visualization data may be
provided to HMI 310 regarding the industrial process performed by
industrial equipment 304. For example, such visualizations may
include a graphical representation of the industrial process (e.g.,
the filling of a tank, etc.), the sensor data from industrial
equipment 304, the control parameter values used by controller 306,
or the like. In some embodiments, HMI 310 may also allow for the
reconfiguration of controller 306, such as by adjusting its control
parameters for industrial equipment 304 (e.g., to shut down the
industrial process, etc.).
[0055] Networking equipment 308 may include any number of switches,
routers, firewalls, telemetry exporters and/or collectors,
gateways, bridges, and the like. In some embodiments, these
networking functions may be performed in a
virtualized/containerized manner. For example, a telemetry exporter
may take the form of a containerized application installed to
networking equipment 308, to collect and export telemetry regarding
the operation networking equipment 308 (e.g., queue state
information, memory or processor resource utilization, etc.) and/or
network 302 (e.g., measured delays, drops, jitter, etc.).
[0056] In some embodiments, at least a portion of network 302 may
be implemented as a software-defined network (SDN). In such
implementations, control plane decisions by the networking
equipment of network 302, such as networking equipment 308, may be
centralized with an SDN controller. For example, rather than
networking equipment 308 establishing routing paths and making
other control decisions, individually, such decisions can be
centralized with an SDN controller (e.g., network supervisory
service 312, etc.).
[0057] During operation, network supervisory service 312 may
function to monitor the status and health of network 302 and
networking equipment 308. An example of such a network supervisory
service is DNA-Center by Cisco Systems, Inc. For example, in some
implementations, network supervisory service 312 may take the form
of a network assurance service that assesses the health of network
302 and networking equipment 308 through the use of heuristics,
rules, and/or machine learning models. In some cases, this
monitoring can also be predictive in nature, allowing network
supervisory service 312 to predict failures and other network
conditions before they actually occur. In either case, network
supervisory service 312 may also provide control over network 302,
such as by reconfiguring networking equipment 308, adjusting
routing in network 302, and the like. As noted above, network
supervisory service 312 may also function as an SDN controller for
networking equipment 308, in some embodiments.
[0058] As shown, architecture 300 may also include SCADA service
314 which supervises the operation of the industrial process. More
specifically, SCADA service 314 may communicate with controller
306, to receive data regarding the industrial process (e.g., sensor
data from industrial equipment 304, etc.) and provide control over
controller 306, such as by pushing new control routines, software
updates, and the like, to controller 306.
[0059] As would be appreciated, SCADA service 314, controller 306,
and/or HMI 310 may communicate using an automation protocol.
Examples of such protocols may include, but are not limited to,
Profibus, Modbus, DeviceNet, HART, DNP3, IEC 61850, IEC 60870-5,
and the like. In addition, different protocols may be used within
network 102 and among networking equipment 308, depending on the
specific implementation of architecture 300. Further, different
portions of network 302 may be organized into different cells or
other segmented areas that are distinct from one another and
interlinked via networking equipment 308.
[0060] Architecture 300 may also include a policy service 316 that
is responsible for creating and managing security and access
policies for endpoints in network 302. An example of such a policy
service 316 is the Identity Services Engine (ISE) by Cisco Systems,
Inc. In various embodiments, as detailed below, policy service 316
may also be configured to identify the types of endpoints present
in network 302 (e.g., HMI 310, controller 306, etc.) and their
corresponding actions/functions. In turn, this information can be
used to drive the policies that policy service 316 creates.
[0061] Security service 318 is configured to enforce the various
policies created and curated by policy service 316 in the network.
For example, such policies may be implemented by security service
318 as access control lists (ACLs), firewall rules, or the like,
that are distributed to networking equipment 308 for
enforcement.
[0062] According to various embodiments, architecture 300 may also
include asset inventory service 320 that is used to collect
information about learned assets/endpoints in network 302 and
maintain an inventory of these various devices in network 302. In
various embodiments, asset inventory service 320 may do so by
embedding sensing modules in networking equipment 308 which
passively analyze communications between endpoints. The sensors may
use deep packet inspection (DPI) to not only identify the protocols
in use by a given packet (e.g., the automation protocol used
between HMI 310, controller 306, and SCADA service 314), but also
understand the action(s) that are being communicated and to
classify both the type of device/component and its application
behavior.
[0063] For example, when a sensor module executed by networking
equipment 308 identifies the use of an automation protocol by a
packet, it may examine the payload of each flow to identify any or
all of the following: [0064] The device type (e.g., based on
passive scan of traffic and matching a known criterion, the device
is classified). [0065] The software and/or hardware versions of the
device. [0066] MAC and IP addresses of all devices with which the
discovered device is communicating. [0067] The activity profile of
the device (e.g., how is it trying to communicate), and the
protocol(s) it is using. [0068] The commands that are being passed
(e.g., SCADA commands, etc.), down to the specific control
parameter values.
[0069] The sensor modules of networking equipment 308 then then
organize the collected information into meaningful tags. In
general, these tags are simply a way to categorize devices and
their behaviors, similar to the same way a human may look at a pen
or a pencil and categorize them as writing instruments. Each device
can also have multiple tags associated with it, such as the
following: [0070] Component Tags--these tags identify device
specific details (e.g., Device ID, SCADA station, PLC, Windows
device, etc.). [0071] Activity Tags--these tags identify what the
device is doing at the protocol level (Programming CPU, Heartbeat,
Emergency Break, Data Push). [0072] User-Defined Tags--these could
be custom tags to supply additional context (e.g. "Cell 1 Tag").
[0073] Dynamically Generated Tags--these could be added dynamically
(e.g., using ML) to signify whether the behavior of the device is
normal or anomalous, or for other dynamic conditions. [0074]
Scalable Group Tags--These tags are applied to specific packet
flows between a defined group of devices/services in the network.
For example, in the case shown, HMI 310, controller 306, and SCADA
service 314 may be tagged as belonging to a particular group.
[0075] The sensor modules embedded in networking equipment 308 may
also collect metadata about the communicating devices/endpoints,
including its network identifiers (e.g., IP and MAC addresses),
vendor, device-type, firmware version, the switch ID and port where
the device is connected, etc. As the sensor module learns details
of a new device/endpoint in network 302, it may send its collected
metadata about that device, along with its tags, to the asset
inventory service 320.
[0076] In this manner, asset inventory service 320 may maintain an
inventory of each of the endpoint devices in network 302, their
associated tags, and their metadata. Thus, as new devices are
discovered in network 302, their profile information is added to
the live inventory of devices maintained by asset inventory service
320. As noted above, the various tags applied by the sensor modules
deployed to networking equipment 308 and used by asset inventory
service 320 may be predefined or may, via a user interface (not
show) be user-defined.
[0077] FIGS. 4A-4B illustrate example displays 400, 410,
respectively, showing component and activity tags, in some
embodiments. As shown, the various component tags can be used to
identify a particular endpoint or other device in the network by
its type (e.g., PLC, SCADA station, etc.), its software (e.g.,
CodeSys, Windows, etc.). In addition, analysis of the traffic of
the device can also lead to various activity tags being applied to
that device, as well. For example, such activity tags may
distinguish between control system behaviors (e.g., insert program,
device init., etc.) and IT behaviors (e.g., host config., ping,
etc.).
[0078] Referring again to FIG. 3, to facilitate the labeling of
devices in network 302 using tags, asset inventory service 320 may
also leverage device classification functions provided by policy
service 316, to identify the component and activity tags of a
particular device in network 302 under scrutiny. In general, device
classification (also known as "device profiling") has traditionally
used static rules and heuristics for the determination. In further
embodiments, the device classification by policy service 316 can be
achieved by applying a trained machine learning-based classifier to
the captured telemetry data from networking equipment 308. Such
telemetry data can also take the form of information captured
through active and/or passive probing of the device. Notably, this
probing may entail policy service 316 sending any or all of the
following probes via networking equipment 308: [0079] Dynamic Host
Configuration Protocol (DHCP) probes with helper addresses [0080]
SPAN probes, to get messages in INIT-REBOOT and SELECTING states,
use of ARP cache for IP/MAC binding, etc. [0081] Netflow probes
[0082] HyperText Transfer Protocol (HTTP) probes to obtain
information such as the operating system (OS) of the device, Web
browser information, etc. [0083] Remote Authentication Dial-In User
Service (RADIUS) probes. [0084] Simple Network Management Protocol
(SNMP) to retrieve Management Information Base (MIB) object or
receives traps. [0085] Domain Name System (DNS) probes to get the
Fully Qualified Domain Name (FQDN) [0086] etc.
[0087] Further information that may be captured by networking
equipment 308 and reported via telemetry data to policy service 316
may include traffic behavioral characteristics of the traffic of a
device, such as the communication protocols used, flow information,
timing and pattern data, and the like. In addition, the telemetry
data may be indicative of the operational intent of the endpoint
device (e.g., controller 306, HMI 310, etc.).
[0088] According to various embodiments, additional information
that policy service 316 and asset inventory service 320 may use to
tag the various devices/components in network 302 may include any
or all of the following: [0089] Manufacturer's Usage Description
(MUD) information--As proposed in the Internet Engineering Task
Force (IETF) draft entitled, "Manufacturer Usage Description
Specification," devices may be configured by their manufacturers to
advertise their device specifications. Such information may also
indicate the intended communication patterns of the devices. [0090]
Asset Administration Shell data--this is an Industry 4.0 method to
express how an IoT device should behave, including expected
communication patterns. [0091] IEC 61850 Substation Configuration
Language (SCL) data--this is a language that is used primarily in
the utility industry to express Intelligent Electronic Device (IED)
intent. [0092] Open Platform Communication Unified Architecture
(OPC UA) data--such data provides industrial models used in
manufacturing contexts.
[0093] Thus, policy service 316, asset inventory service 320, and
the sensor nodules and telemetry exporters of networking equipment
308 may operate in conjunction with one another to apply various
tags to the devices in network 302 and their traffic flows.
[0094] FIG. 5 illustrates an example screen capture 500 of an asset
profile, in some embodiments. Notably, the techniques herein have
been implemented as part of a prototype system and screen capture
500 is from that prototype system. As can be seen, a particular
asset has been identified as a Yokogawa device and has been tagged
with various component and activity tags (e.g., PLC, CodeSys,
Citect Report, etc.). This profile may be stored by the asset
inventory service (e.g., service 320 in FIG. 3) and provide to a
user interface, allowing the user to quickly learn information
about the device. Such information can also be automatically
updated over time, using the techniques herein.
[0095] Referring again to FIG. 3, according to various embodiments,
the various tags associated with a particular asset/device
connected to network 302 may be used to segment network 302
according to the needs and intent of that device. In general,
network segmentation involves dividing a network into smaller parts
such that only a subset of the devices on the network can
communicate with each other.
[0096] Network segmentation can be achieved in a number of
different ways. In some cases, the network can be segmented by
distributing firewalls throughout the network and propagating the
appropriate access control lists (ACLs) to them. Doing so would
effectively block a given device in the network from communicating
with other devices or services outside of its allowed set. In other
cases, network segmentation can be achieved through the use of
virtual LAN (VLAN) configurations pushed to the networking
equipment of the network, such as networking equipment 308. In
further cases, network segmentation can be implemented through the
use of software-defined access technologies by grouping and tagging
network traffic, accordingly.
[0097] Micro-segmentation is a relatively new form of network
segmentation that provides even more granularity to the
segmentation of a network. For example, micro-segmentation may take
into account application-layer information, allowing different for
to segmentations to occur on a per-application basis, even for the
same device.
[0098] To leverage the various tags assigned to a device for
purposes of (micro-)segmenting network 302, policy service 316 may
collects the inventory of the discovered devices from asset
inventory service 320, according to various embodiments. Using the
techniques above, policy service 316 may have any number of
policies defined that distinguish between normal/acceptable and
abnormal/unacceptable behavior of a device. For example, controller
306 during its normal operation. may communicate with SCADA service
314 and HMI 310, via network 302, but should not communicate with
other controllers or devices outside of its cell/area zone. Such a
segmentation policy can be defined within policy service 316 based
on the tags associated with controller 306 that policy service 316
retrieves from asset inventory service 320.
[0099] In various cases, a segmentation policy constructed by
policy service 316 may be on a per-device basis or may be more
generic in nature. For example, assume that architecture 600 is
implemented in a factory setting in which there are any number of
controllers 306 and HMIs 310 in various locations throughout the
factory. For example, a more generic network segmentation policy
may be of the form: [0100] IF the device is a PLC AND is in CELL-1
THEN it may communicate with device-x
[0101] More specifically, such a policy may be defined as a logical
combination of tags. For example, [0102] IF
<component_tag=PLC> AND <user_tag=Cell-1> THEN it may
communicate with device-x Such a policy could be reused and applied
to all PLC's within Cell-1 of the factory to allow them to
communicate with a particular device or service (e.g., HMI 310,
SCADA service 314, etc.).
[0103] In further embodiments, a segmentation policy may be
generated by policy service 316 by grouping together similar
devices that should communicate with each other based on their
function, location, and/or context, as defined by the specific
combinations of tags associated with them. To facilitate this,
asset inventory service 320 (or any of the other services 312-314,
318) may communicate additional information to policy service 316
regarding the various communications attempted by the TO devices
connected to network 302. For example, such information may
indicate the set of devices to which SCADA service 314 is
attempting to communicate.
[0104] To aid in defining a. network segmentation policy, policy'
service 316 may provide data to a user interface regarding the
various tags associated with component of architecture 600 as well
as, potentially, data regarding the traffic involving it. This
allows an administrator to easily compare the attempted
communications of a given device or service to its expected
behavior. For instance, such a comparison can answer the question,
"is HMI 310 communicating with controller 306 as it should be, or
is it attempting to communicate elsewhere in network 302, as well?"
Once the administrator codifies this into a formal network
segmentation policy, this type of comparison can be made
automatically within network 302 (e.g., by networking equipment
308), to identify policy violations and take corrective measures,
as needed. For example, when HMI 310 attempts to communicate with a
controller outside of its area, networking equipment 308 may block
the connection and/or raise a security alert.
[0105] In various embodiments, the network segmentation may
leverage network overlay tags, to create a network overlay fabric.
For example, as shown in FIG. 6A, a segmentation policy can be used
to implement a network overlay 602 that limits controller 306 to
communicating only with HMI 310 and SCADA service 314. In some
embodiments, this can be achieved by tagging controller 306, HMI
310, and SCADA service 314, and/or their corresponding traffic,
with scalable group tags. In further embodiments, this can be
achieved through the use of Virtual Extensible LAN (VxLAN)
encapsulation with VxLAN Network Identifiers (VNIDs).
[0106] Thus, the network segmentation policies may be implemented
through application of any or all of the following, in various
embodiments: [0107] Metadata gathered by sensors performing deep
packet inspection of industrial protocols, which are then
associated with components, activities, and variables by means of
component, activity, user-defined, and/or dynamic tags. [0108]
Scalable Group Tags are then assigned to specific packet flows from
devices, using the other tags, either in isolation or by logical
combination. [0109] Scalable Group Tags are presented in a
high-level user-interface for an operator to express intent on
which devices may/may not communicate with each other. [0110] An
intent-based policy is then enforced throughout the network
infrastructure via the automated deployment of security group
access control lists (SGACLs) to the networking equipment.
[0111] As the network sensors are able to evaluate traffic in
network 302 all the way to the application layer, this allows their
corresponding tags to drive micro-segmentation policies, as well.
By way of example, assume that all devices with SCADA tags are
assigned a SCADA scalable group tag at the network edge in
networking equipment 308. In turn, an operator may then express a
policy via policy service 316 such that only devices with a SCADA
scalable group tag may be permitted to communicate with the SCADA
service in the industrial data center. Thus, by a combination of
their tags, flow information, and policy, micro-segments are
defined for industrial devices that need to communicate with each
other. Devices of the same micro-segment are assigned a scalable
group tag which will allow them to be isolated as a virtual overlay
in the network.
[0112] In the case of network 302 utilizing software-defined
networking (SDN) the scalable group tags may be shared with network
supervisory service 312, which functions as the SUN controller for
network 302. In turn, the SDN controller communicates to the edge
switches in networking equipment 308 where the devices are
connected and implements the policy to tag all traffic from the
devices with the appropriate scalable group tags, so that they are
placed in the SDN overlay, accordingly.
[0113] In some embodiments, the micro-segmentation at the
application level may take into account the sender-receiver pair,
the protocol(s) used by the packet, as well as the specific
parameter values in the payload of the packet. Indeed, since the
sensors to embedded in networking equipment 308 perform deep packet
inspection (DPI) on the packets between devices in network 302, and
packets in an industrial setting are typically unencrypted, the
sensors can also extract out the specific data actually being sent,
as well.
[0114] For instance, as shown in FIG. 6B, assume that HMI 310 is to
only provide visualizations of the industrial process performed by
industrial equipment 304 and provide no control over the process.
Since the sensors embedded in networking equipment 308 are able to
evaluate the traffic to and from controller 306 down to the
specific parameter values in the payloads of the packets, another
potential micro-segmentation of network 302 may be to allow control
traffic 604 from SCADA service 314 to controller 306 and only
display traffic 606 between TIMI 310 and controller 306.
[0115] FIG. 7 illustrates an example simplified procedure for
segmenting a network, in accordance with one or more embodiments
described herein. In various embodiments, a non-generic,
specifically configured device (e.g., device 200) may perform
procedure 700 by executing stored instructions (e.g., process 248),
to provide a service to a network. The procedure 700 may start at
step 705, and continues to step 710, where, as described in greater
detail above, the service may obtain one or more component tags and
one or more activity tags that were assigned to an endpoint device
in a network, based on DPI of the traffic associated with the
endpoint device. For example, a PLC installed in the network may be
tagged with a PLC component tag and an activity tag that indicates
that the PLC communicates with a SCADA service.
[0116] At step 715, as detailed above, the service may determine an
intent of the endpoint device, using the one or more component tags
and the one or more activity tags. For example, once a PLC, VFD, or
other endpoint device has been tagged according to its traffic, the
service may determine the purpose of the endpoint device in the
network and how it should behave (e.g., the applications that it
may use, the senders or receivers with which it should communicate,
etc.). In some embodiments, the service may do so in part by
receiving an indication of one or more scalable group tags for the
endpoint device and associating those tag(s) with the endpoint
device. For instance, the service may provide the details regarding
the device to a user interface and, in return, receive the
indication of the scalable group tag(s) via the user interface.
[0117] At step 720, the service may translate the intent of the
endpoint device into a network segmentation policy, as described in
greater detail above. In some embodiments, the service may do so by
generating a security group access control list, based on the one
or more scalable group tags associated with the endpoint device. In
further embodiments, the intent may be translated into a VxLAN
configuration for the network.
[0118] At step 725, as detailed above, the service may configure a
network overlay in the network that implements the network
segmentation policy. In some embodiments, the service may do so by
sending the security group access control list or VxLAN
configuration to networking equipment in the network. In various
embodiments, the network overlay restricts the endpoint device to
communicating only with a subset of senders or receivers via the
network and, in some cases, may further restrict the endpoint
device to sending or receiving only a specific type of application
traffic via the network. For instance, assume that one or more of
the component tags associated with the endpoint device are
indicative of a physical location of the device. In such a case,
the network overlay may restrict the endpoint to communicating with
a particular sender or receiver also located in the same physical
location as the endpoint device. Procedure 700 then ends at step
730.
[0119] The techniques described herein, therefore, allow for
intent-based security to be implemented in an IoT network through
the use of network segmentation. In some aspects, by learning the
intent of an endpoint in the network, policies can be put into
place that ensure that the endpoint does not deviate from its
expected behavior.
[0120] While there have been shown and described illustrative
embodiments for intent-based network segmentation, it is to be
understood that various other adaptations and modifications may be
made within the intent and scope of the embodiments herein. For
example, while specific endpoint device types are described, the
techniques can be applied to any number of different types of
devices. Further, while the techniques herein are described as
being performed at certain locations within a network, the
techniques herein could also be performed at other locations, as
desired (e.g., fully in the cloud, fully within the local network,
etc.).
[0121] The foregoing description has been directed to specific
embodiments. It will be apparent, however, that other variations
and modifications may be made to the described embodiments, with
the attainment of some or all of their advantages. For instance, it
is expressly contemplated that the components and/or elements
described herein can be implemented as software being stored on a
tangible (non-transitory) computer-readable medium (e.g.,
disks/CDs/RAM/EEPROM/etc.) having program instructions executing on
a computer, hardware, firmware, or a combination thereof.
Accordingly, this description is to be taken only by way of example
and not to otherwise limit the scope of the embodiments herein.
Therefore, it is the object of the appended claims to cover all
such variations and modifications as come within the true intent
and scope of the embodiments herein.
* * * * *