(19)
(11)EP 2 939 130 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
26.06.2019 Bulletin 2019/26

(21)Application number: 12891085.8

(22)Date of filing:  31.12.2012
(51)International Patent Classification (IPC): 
G06F 1/26(2006.01)
(86)International application number:
PCT/US2012/072288
(87)International publication number:
WO 2014/105079 (03.07.2014 Gazette  2014/27)

(54)

UNINTERRUPTIBLE POWER SUPPLY COMMUNICATION

UNTERBRECHUNGSFREIE STROMVERSORGUNGSKOMMUNIKATION

COMMUNICATION DE SYSTÈME D'ALIMENTATION SANS COUPURE


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(43)Date of publication of application:
04.11.2015 Bulletin 2015/45

(73)Proprietor: Schneider Electric IT Corporation
West Kingston, RI 02892 (US)

(72)Inventors:
  • COHEN, Daniel, C.
    Newton, MA 02460 (US)
  • MELANSON, Mark, R.
    Chelmsford, MA 01824 (US)
  • SPITAELS, James, S.
    Shrewsbury, MA 01545 (US)

(74)Representative: Murgitroyd & Company 
Scotland House 165-169 Scotland Street
Glasgow G5 8PL
Glasgow G5 8PL (GB)


(56)References cited: : 
WO-A2-2005/091460
US-A1- 2003 033 548
US-A1- 2005 028 017
US-A1- 2008 114 999
US-A1- 2012 032 516
US-A- 4 685 124
US-A1- 2003 233 583
US-A1- 2006 167 569
US-A1- 2010 246 101
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    Field of the Invention



    [0001] The invention relates generally to uninterruptible power supplies.

    BACKGROUND



    [0002] The use of power devices, such as uninterruptible power supplies (UPS), to provide regulated, uninterrupted power for sensitive and/or critical loads, such as computer systems and other data processing systems, is known. A number of different UPS products are available including those identified under the trade name SMART-UPS from APC by Schneider Electric, Inc. of West Kingston, RI. In a typical UPS, a battery is used to provide backup power for a critical load during blackout or brownout conditions. A user of a typical UPS is able to configure and control the UPS either through a computer coupled to the UPS or through a user interface of the UPS itself. There are many different types of protocols for communicating between computer systems and uninterruptible power supplies (UPS) coupled to a communications network. Such networks may be, for example, point-to-point networks, shared networks such as busses, or any other media or network configuration type. Communications with a UPS on a network can include providing commands to the UPS and receiving data from the UPS, for example, monitoring UPS activity. Documents WO2005/091460 and US2003/233583 show examples of method and system for Uninterruptible Power Supply according to available prior art. Document US4685124 discloses a keyswitch providing different levels of security and limiting the type of access allowed by a remote user.

    SUMMARY



    [0003] Some commands received by an uninterruptible power supply (UPS) can be valid commands, for example, commands sent by an authorized user via a computer. Some commands can be malicious instructions, for example, sent by a virus or by a malicious user. In some embodiments, a UPS is configured to disallow or filter commands depending on a configuration of the UPS. For example, the UPS can have a security switch. In some embodiments, when the security switch is turned on, the UPS is configured to not allow one or more remote commands. In other embodiments, the security switch enables filtering of commands, for example, to only allow certain remote commands. In various embodiments, the UPS filters commands to allow remote commands that are properly encrypted or authenticated. The scope of the present invention is defined by the present claims. Embodiments which do not fall within the scope of the claims do not describe part of the present invention.

    [0004] Still other aspects, examples, and advantages of these exemplary aspects and examples, are discussed in detail below. Moreover, it is to be understood that both the foregoing information and the following detailed description are merely illustrative examples of various aspects and embodiments, and are intended to provide an overview or framework for understanding the nature and character of the claimed aspects and embodiments. Any example disclosed herein may be combined with any other example in any manner consistent with at least one of the objects, aims, and needs disclosed herein, and references to "an example," "an embodiment," "some examples," "some embodiments," "other examples," "other embodiments," "an alternate example," "an alternate embodiment," "various examples," "various embodiments," "one example," "one embodiment," "at least one example," "at least one embodiment," "this and other examples," "this and other embodiments" or the like are not necessarily mutually exclusive and are intended to indicate that a particular feature, structure, or characteristic described in connection with the example may be included in at least one example. The appearances of such terms herein are not necessarily all referring to the same example.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0005] The accompanying drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures is represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing.

    [0006] In the drawings,

    FIG. 1 is a block diagram of an example network system;

    FIG. 2 is a block diagram of an example UPS;

    FIG. 3 is a block diagram of an example computer system;

    FIG. 4 is a block diagram of an example UPS and computer system;

    FIG. 5 is a flow chart of an example process implemented by a UPS; and

    FIG. 6 is a flow chart of an example process implemented by a UPS according to embodiments of the present disclosure.


    DETAILED DESCRIPTION



    [0007] In some embodiments, an uninterruptible power supply (UPS) receives commands from a computer system. The UPS can parse and filter the commands. For example, a user and/or developer can designate subsets of commands as unrestricted commands and restricted commands. The unrestricted commands can be allowed and executed as received. The restricted commands can be disallowed and discarded. In some embodiments, the restricted commands are executed if the restricted commands are properly authenticated. In some embodiments, a subset of commands can be designated to never be allowed when received from a computer system. In various embodiments, the filtering of commands is activated and deactivated based on a configuration setting. For example, the user can set a switch to a first position to activate the filtering of commands. Various embodiments are described in greater detail below with reference to the figures.

    [0008] Examples of the methods and apparatuses discussed herein are not limited in application to the details of construction and the arrangement of components set forth in the following description or illustrated in the accompanying drawings. The methods and apparatuses are capable of implementation in other examples and of being practiced or of being carried out in various ways. Examples of specific implementations are provided herein for illustrative purposes only and are not intended to be limiting. In particular, acts, elements and features discussed in connection with any one or more examples are not intended to be excluded from a similar role in any other examples.

    [0009] Also, the phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. Any references to examples or elements or acts of the apparatus and methods herein referred to in the singular may also embrace examples including a plurality of these elements, and any references in plural to any example or element or act herein may also embrace examples including only a single element. References in the singular or plural form are not intended to limit the presently disclosed systems or methods, their components, acts, or elements. The use herein of "including," "comprising," "having," "containing," "involving," and variations thereof is meant to encompass the items listed thereafter and equivalents thereof as well as additional items. References to "or" may be construed as inclusive so that any terms described using "or" may indicate any of a single, more than one, and all of the described terms. Any references to front and back, left and right, top and bottom, upper and lower, and vertical and horizontal are intended for convenience of description, not to limit the present apparatus and methods or their components to any one positional or spatial orientation.

    [0010] Figure 1 is a block diagram of an example network system of some embodiments. In particular, the system 100 includes one or more systems connected by one or more networks. In the example shown, a system 102 is coupled to a proxy system 101 over a network 103. According to some embodiments, the proxy system 101 has a capability for communicating to the system 102 using a communication protocol. Communication with the system 102 may be useful, for example, for monitoring or managing a system 104 by the system 102. In an alternative configuration (not shown), the system 102 may be coupled directly to another system (e.g., system 104) or via a network (e.g., network 105). For example, in some embodiments, the system 102 is a computer and the system 104 is a UPS.

    [0011] Further, according to some embodiments, the proxy system 101 translates requests from one or more systems (e.g., system 102) to requests that may be processed by the system 104. These requests may be, for example, messages generated by an application program executing on system 102. One example application program that may generate such requests is a management program that is provided for managing one or more systems (e.g., system 104). These requests may include control data used to control and configure system 104, requests for performance and/or status information from system 104, among others. To this end, proxy 101 may be capable of translating received management requests to messages that are capable of being processed by system 104. Although proxy 101 may be capable of communicating management data, it should be appreciated that proxy 101 may be capable of translating any type of request having any type of data.

    [0012] In some embodiments, the proxy system 101 is coupled to more than one system. In one example, the proxy system 101 is coupled to two or more networks (e.g., network 103 and network 105). To this end, proxy 101 may have more than one network interface. Proxy 101 may also be capable of communicating using one or more communication protocols. Proxy 101 may also be incorporated in the system 104.

    [0013] System 100 is merely an illustrative embodiment of a communication system in accordance with one embodiment. Any of numerous other implementations of the system (e.g., variations of 100 having more or less systems) are possible and are intended to fall within the scope of embodiments.

    [0014] Various embodiments may be implemented on one or more computer systems. These computer systems may be, for example, general-purpose computers such as those based on Intel PENTIUM-type processor, Motorola PowerPC, Sun UltraSPARC, Hewlett-Packard PA-RISC processors, or any other type of processor. In one specific embodiment, various aspects of a communication protocol are provided that may be used by computer systems such as micro-controllers or micro-processors. Such controllers may be embedded in one or more systems, such as, for example, an Uninterruptible Power Supply (UPS) or one of its components.

    [0015] In some embodiments, system 104 is a UPS. Figure 2 shows an on-line UPS 104 used to provide regulated, uninterrupted power in accordance with one example in accordance with the present invention. The UPS 104 includes an input circuit breaker/filter 212, a rectifier 214, a control switch 215, a controller 216, a battery 218, an inverter 220, an isolation transformer 222, a DC/DC converter 228, a user interface (UI) 230, data storage 232 and external system interface 234. The UPS also includes an input 224 for coupling to an AC power source, and an outlet 226 for coupling to a load.

    [0016] The UPS 104 operates as follows. The circuit breaker/filter 212 receives input AC power from the AC power source through the input 224, filters the input AC power and provides filtered AC power to the rectifier 214. The rectifier 214 rectifies the input voltage. The DC/DC converter 228 regulates DC power from the battery 218. The control switch 215 receives the rectified power and also receives the DC power from the DC/DC converter 228. The controller 216 determines whether the power available from the rectifier 214 is within predetermined tolerances, and if so, controls the control switch 215 to provide the power from the rectifier 214 to the inverter 220. If the power from the rectifier 214 is not within the predetermined tolerances, which may occur because of "brown out" or "black out" conditions, or due to power surges, then the controller 216 controls the control switch 215 to provide the DC power from the DC/DC converter 228 to the inverter 220.

    [0017] The inverter 220 of the UPS 104 receives DC power and converts the DC power to AC power and regulates the AC power to predetermined specifications. The inverter 220 provides the regulated AC power to the isolation transformer 222. The isolation transformer 222 is used to increase or decrease the voltage of the AC power from the inverter 220 and to provide isolation between a load and the UPS 104. The isolation transformer 222 is an optional device, the use of which is dependent on UPS output power specifications. Depending on the capacity of the battery 218 and the power requirements of the load, the UPS 104 can provide power to the load during brief power source dropouts or for extended power outages.

    [0018] Specific examples in accordance with the present invention include several variations of the UPS 104. For instance, in one example, the UPS 104 is configured to accept and distribute polyphase power, such as three phase power. In some examples, the outlet 226 includes a plurality of physical outlet groups, each of which includes a plurality of physical outlets. In other examples, the UPS 104 is configured to monitor and record, in data storage 232, the amount of power supplied via these outlet groups and outlets. In other examples, the UPS 104 is a standby UPS. In other examples, the UPS 104 is a line interactive UPS.

    [0019] Returning to the example of Figure 2, the controller 216 monitors and controls operation of the UPS 104. Using data stored in associated memory, the controller 216 also performs one or more instructions that may result in manipulated data. In some examples, the controller 216 may include one or more processors or other types of controllers. In one example, the controller 216 is a commercially available, general purpose processor. In another example, the controller 216 performs a portion of the functions disclosed herein on a general purpose processor and performs another portion using an application-specific integrated circuit (ASIC) tailored to perform particular operations. As illustrated by these examples, examples in accordance with the present invention may perform the operations described herein using many specific combinations of hardware and software and the invention is not limited to any particular combination of hardware and software components.

    [0020] The data storage 232 stores computer readable information required for the operation of the UPS 104. This information may include, among other information, data subject to manipulation by the controller 216 and instructions that are executable by the controller 216 to manipulate data. Thus, in some embodiments, the data storage 232 can receive and store or retrieve and provide this computer readable information. The data storage 232 may include relatively high performance, volatile, random access memory such as a dynamic random access memory (DRAM) or static memory (SRAM) or may include a nonvolatile storage medium such as read-only memory (ROM), magnetic disk, flash memory, CD, DVD or one or more electrical switches, such as a dip switch. In one example, the data storage 232 includes both volatile and non-volatile storage. Various examples in accordance with the present invention can organize the data storage 232 into particularized and, in some cases, unique structures to perform the aspects and functions disclosed herein. In addition, these data structures may be specifically configured to conserve storage space or increase data exchange performance.

    [0021] In one example, the data storage 232 includes data structures that house system information regarding the UPS 104 and devices coupled to it. Examples of system information are discussed below and include, among other information, configuration management information and performance information. The devices that may be coupled to the UPS 104 include any electronic device that requires power to function, such as, among others, computers, printers, routers, switches, automatic transfer switches and air conditioning units. Some devices may also include communication components, such as Ethernet or USB interfaces, that can be coupled to the UPS 104 via external system interface 234 to allow for enhanced communication between the device and the UPS 104.

    [0022] Configuration management information may be any information that can be used to indentify attributes of the UPS 104 or other devices. Examples of configuration management information specific to a device include, among other information, manufacturer, model, serial number and version. In addition, configuration management information may also include manufacturer, model, serial number and version information for components included in the device, such as software installed on the device or identifiable hardware elements within the device.

    [0023] Performance information may be any information that characterizes the operation of the UPS 104 or other devices. Examples of performance information include, among other information, device uptime information, operational logs and power consumption information. Power consumption information may include listed, i.e. nameplate, values and actual measured values for power consumption of the device.

    [0024] The external system interface 234 exchanges data with one or more external devices. These external devices may include any device configured to communicate using standards and protocols supported by the UPS 104. Examples of specific standards and protocols that the external system interface 234 may support include parallel, serial, and USB interfaces. Other examples of these supported protocols and standards include networking technologies such as UDP, TCP/IP and Ethernet technologies. In at least some examples, the external system interface 234 includes a network management card (NMC) and a USB interface. In these examples, the external system interface 234 can receive or transmit data using either or both of these conduits.

    [0025] The user interface 230 includes a display screen and a set of keys through which a user of the UPS 104 can monitor, control and configure operation of the UPS 104. In some embodiments, the user interface 230 includes a power button, a replace battery indicator, a warning indicator, an on-battery power indicator, an on-line power indicator, an interface display, a scroll up button, a scroll down button, an enter button, and an escape button.

    [0026] Referring to Figure 3, a general-purpose computer system according to some embodiments is configured to perform any of the functions described herein including, but not limited to, communicating between computer systems and/or relaying data to other systems (e.g., system 306). The system may perform other functions, and the embodiments are not limited to having any particular function or set of functions. Various entities such as, for example, systems 102, 104 and proxy 101 may be general-purpose computer systems that implement various communication functions according to various embodiments.

    [0027] For example, various embodiments may be implemented as specialized software executing in a general-purpose computer system 102 such as that shown in Figure 3. The computer system 102 may include a processor 301 connected to one or more memory devices 302, such as a disk drive, memory, or other device for storing data. Memory 302 is typically used for storing programs and data during operation of the computer system 102. Components of the computer system 102 may be coupled by an interconnection mechanism (e.g., network 304), which may include one or more busses (e.g., between components that are integrated within a same machine) and/or a network (e.g., between components that reside on separate machines).

    [0028] The interconnection mechanism 304 enables communications (e.g., data, instructions) to be exchanged between system components of system 102. System 102 also includes one or more I/O devices 303 (e.g., ports, devices, systems, etc.) for inputting and outputting data. In addition, system 102 may contain one or more interfaces 305 that connect computer system 102 to a communication network 307.

    [0029] According to some embodiments, interface 305 may be a serial-type interface that is used to communicate to an attached device. The interface 305 may be capable of communicating using various embodiments. Such an interface 305 may use one or more serial-type transport layer protocols including, but not limited to, TTL serial, RS-232, RS-422, RS-485, I2C, CAN, USB, or any other transport layer capable of moving packets between systems. In some embodiments, the interface 305 may be an Ethernet interface. In some embodiments, the interface 305 may be a wireless interface.

    [0030] Figure 4 shows a block diagram 400 including the UPS 104. In some embodiments, the computer system 102 communicates with the UPS 104 to monitor and manage the UPS 104. As discussed above, the computer system 102 can be connected directly to the UPS 104, via a network, and/or via other intervening systems. The computer system 102 transmits commands to be executed by the UPS 104 and receives messages and data from the UPS 104. The messages can include acknowledgment messages from the UPS 104, for example, when the UPS 104 successfully receives or executes a command transmitted by the computer system 102. The data can include UPS environment data, for example, information used by the computer system 102 to monitor the UPS 104 and how the UPS 104 is operating. For example, the UPS environment data can include information such as remaining battery capacity, input power source, power quality, power output, temperature, and other information that can be provided by a UPS to a user.

    [0031] In some embodiments, the UPS 104 includes a communication stack 402. The communication stack 402 can include various ports, hardware, software, and protocols that allow the UPS 104 to communicate with external systems. The communication stack 402 can include the external system interface 234 described above with reference to Figure 2. For example, the communication stack can include a serial port, a USB port, an Ethernet port, a wireless connection, and/or other appropriate ports, along with corresponding software and protocols to communicate with the computer system 102.

    [0032] In some embodiments, the communication stack receives the command and relays the command to a command processor 404. The command processor 404 can include a general-purpose processor, as described above. The UPS 104 also includes a local interface 406. The local interface 406 can include the user interface 230 described above with reference to Figure 2. The UPS 104 can receive information via the local interface 406 to determine whether or not to filter commands. The local interface 406 can be used to modify a configuration setting to determine whether the UPS 104 filters commands. For example, the local interface may include a switch 408 and the configuration setting can be modified by the switch 408. The user can turn on filtering by setting the switch 408 to a first position (e.g., an on position). The switch 408 can be a hardware switch (e.g., a dip switch) or a software switch. In some embodiments, the local interface 406 is not coupled to any networks and external systems. The switch 408 can be configured to be accessible only via the local interface 406, such that malicious users, software, viruses, or commands cannot modify or access the switch setting remotely. In some embodiments, the switch 408 is a key switch such that even with physical access to the UPS 104, a fitting key is needed to change the setting of the switch 408. Other appropriate access control methods can be used to prevent unauthorized changing of the configuration setting, such as usernames and username-password combinations.

    [0033] In some embodiments, the UPS 104 also includes a received command configuration 410, which the UPS 104 can use to determine whether a received command is authorized. The received command configuration 410 is a configuration that can be determined by the user or a developer. In some embodiments, the received command configuration 410 includes a subset of commands that are authorized. For example, in some embodiments, the UPS 104 can disallow a shutdown command and allow all other commands. In some embodiments, the UPS 104 can disallow a subset of commands deemed mission critical by a user and allow all other commands. In some embodiments, the received command configuration 410 authorizes no commands. In some embodiments, the received command configuration 410 authorizes all commands. Commands include UPS-specific commands, such as self-testing, testing a battery, routing power from different power sources, shutting off power to a load, changing configuration settings (e.g., acceptable power quality settings). Commands also include requests for information, such as environment data.

    [0034] The received command configuration 410 allows commands that are properly encrypted or authenticated. For example, the received command configuration 410 can authorize commands received with an authentication code and/or encrypted using an authentication code. The authentication code can be a password determined by the user and/or a code found on the UPS 104, such that users with physical access to the UPS 104 can obtain the code. In some embodiments, the authentication code can be requested by the UPS 104 upon receiving a command in a subset of commands requiring proper authentication. In some embodiments, the UPS 104 can provide a time window in which the user can provide the authentication code. In some embodiments, the UPS 104 can disallow the command for a time period upon one or more failed attempts to provide the authentication code. The time period can be constant or varying with multiple failures and/or require a local reset.

    [0035] The received command configuration 410 can allow commands based on the interface through which the command was received. For example, the received command configuration 410 can allow commands received via the local interface 406 and the USB and serial ports and not allow commands received through Ethernet.

    [0036] The received command configuration 410 can use a combination of these configurations. For example, the received command configuration 410 can allow a first subset of commands and allow a second subset of commands only if the command is properly authenticated and disallow a third subset of commands. In various embodiments, other appropriate combinations and/or configurations can be determined by the user. In some embodiments, the UPS 104 can provide a plurality of predetermined configurations with varying levels of security for the user to select as the received command configuration 410. For example, the switch 408 can have multiple settings, which correspond to each of the predetermined configurations of varying levels of security. Alternatively or additionally, each of the switch settings can correspond to customized configurations. In some embodiments, the number of settings of the switch is configurable by the user.

    [0037] In some embodiments, the UPS 104 includes a transmitted command configuration 412, which the UPS 104 can use to determine whether responses generated by the UPS 104 are authorized to be transmitted. Transmissions can include responses, such as acknowledgement of commands and confirming execution of commands. Transmissions can also include reports, such as load information and time of day. Transmissions can be restricted to prevent private information from being reported and/or intercepted by malicious users. The transmitted command configuration 412 can operate with the UPS 104 in a similar manner as the received command configuration 410. In some embodiments, the transmitted command configuration 412 allows all transmissions, including responses and reports. In some embodiments, the transmitted command configuration 412 allows a subset of transmissions and disallows a second subset of transmissions. In some embodiments, the transmitted command configuration 412 can request an authentication code to allow all or a subset of transmissions. In some embodiments, the transmitted command configuration 412 can allow transmissions to a subset of interfaces and disallow transmissions to a second subset of interfaces. In some embodiments, combinations of these configurations are used.

    [0038] Figure 5 shows an example process 500, which can be executed, for example, on the UPS 104. The UPS 104 receives a command from the computer system 102 at act 502. The command can be received by the communication stack 402 of the UPS 104.

    [0039] The communication stack 402 can route the command to the command processor 404, where the command is interpreted at act 504. A configuration setting can determine whether commands are filtered. When the configuration setting is set to not filtering (e.g., the switch 408 is set to an off position or a second position), the command processor 404 allows all commands. When the command interpreter allows all commands, the command processor 404 can route the commands directly to appropriate modules for execution by the UPS 104.

    [0040] When the configuration setting is set for filtering commands, the command is filtered at act 506. In these embodiments, the command is parsed and a subset of commands is executed by the UPS 104 at act 512. For example, a subset of commands can be predetermined to be unrestricted and always allowable. Unrestricted commands can include commands determined not to affect critical operations of the UPS 104. In some embodiments, unrestricted commands include commands such as requesting data, blinking light emitting diode (LED) indicators on the UPS 104. In other embodiments, the subset of unrestricted commands includes no commands. The commands that are considered unrestricted can be determined by a developer. In some embodiments, the UPS 104 can provide a plurality of predetermined subsets with varying levels of security for the user to select as the subset of commands that are unrestricted, restricted (subject to authentication), and restricted (not subject to authentication). The predetermined subsets can be selected by setting a switch with multiple positions, each position corresponding to one of the plurality of predetermined subsets of commands.

    [0041] If the command is filtered at act 506 and determined to be in a subset of restricted commands, at act 508 the UPS 104 determines whether the command is authorized based on the received command configuration 410. The filtering of commands and the authorizing of commands can be combined. For example, commands that are unrestricted can be considered a subset of commands that are always authorized by the UPS 104.

    [0042] If the UPS 104 disallows a command, the command is discarded at act 510. The command can be discarded by ignoring the command. In some embodiments, the UPS 104 can record discarded commands, for example, to a file. The UPS 104 can provide the file of recorded discarded commands to a user upon user request and/or at periodic intervals.

    [0043] In some embodiments, the UPS 104 includes an attack detection algorithm. The attack detection algorithm can include viewing the recorded discarded commands for an indication that the UPS 104 is being attacked by a malicious entity. The indication can include a pattern of received commands, a number of received commands, a frequency of received commands, failed authentication attempts, and/or other signs that the UPS 104 is under attack. For example, the pattern of received commands can include one or more of predetermined sequences of commands, a regularity in periodicity of received commands, sources of commands, and/or other appropriate patterns. In some embodiments, the attack detection algorithm notifies the user of a suspected attack when an attack is detected. In some embodiments, the attack detection algorithm changes the received command configuration 410 if an attack is detected. The attack detection algorithm can change the received command configuration 410 to allow no commands when the UPS 104 is determined to be under attack. Alternatively or additionally, the attack detection algorithm can change the received command configuration 410 to configurations of varying levels of security depending on the perceived threat and/or the current configuration setting. In some embodiments, the attack detection algorithm can restore the received command configuration 410 to an original setting based on determining that the attack has ended. In some embodiments, the attack detection algorithm can restore the received command configuration 410 to an original setting after a predetermined time period. In some embodiments, a local reset can be required. The local reset can include an entering of a password and/or authentication code at the local interface 406. The local reset can include a resetting of the switch or configuration setting, and/or other appropriate access control methods.

    [0044] If the UPS 104 allows a command, the command is executed at act 312. The UPS 104 can generate responses to commands and other data reports, such as environment data. Figure 6 shows an example process 600, which can be executed, for example, on the UPS 104. At act 602, the UPS 104 can generate a report. The report can include environment information, such as information about loads and power provided by the UPS 104. At act 604, the report is filtered. The UPS 104 can determine whether the response is authorized based on the transmitted command configuration 412. In some embodiments, the transmitted command configuration 412 can change corresponding to the security level of the received command configuration 410, for example, if an attack is detected.

    [0045] If the transmission is allowed, at act 606, the response is relayed to the communication stack 402 of the UPS 104, which transmits the response to the computer system 102. If the transmission is disallowed, at act 608, the transmission is discarded. Discarded transmissions can be ignored or recorded, such as in a memory or to a file on a physical memory store. The discarded transmissions can also be used by the attack detection algorithm to determine indications of attacks by malicious entities.

    [0046] While the system has been described with reference to users and developers, the actions described to be performed by users can be taken by developers and vice versa. In some embodiments, users and developers can refer to the same entities.

    [0047] System 102 includes a storage mechanism as a part of memory 302 or other storage that includes computer readable and writeable nonvolatile recording media in which signals are stored that define a program to be executed by the processor or information stored on or in the medium to be processed by the program. The medium may, for example, be a disk, flash memory, EEPROM, RAM, or the like. In operation, the processor causes data to be read from the nonvolatile recording medium into another memory that allows for faster access to the information by the processor than does the medium. This memory is typically a volatile, random access memory such as a dynamic random access memory (DRAM) or static memory (SRAM). This memory may be located in a storage system, or in memory system 302.

    [0048] The processor 301 generally manipulates the data within the memory and then copies the data to the medium after processing is completed. A variety of mechanisms are known for managing data movement between the medium and the memory elements, and embodiments are not limited thereto. It should be appreciated that embodiments are not limited to a particular memory system or storage system.

    [0049] The computer system may include specially-programmed, special-purpose hardware, for example, an application-specific integrated circuit (ASIC). Embodiments may be implemented in software, hardware or firmware, or any combination thereof. Further, such methods, acts, systems, system elements and components thereof may be implemented as part of the computer system described above or as an independent component.

    [0050] Although computer system 102 is shown by way of example as one type of computer system upon which various embodiments may be practiced, it should be appreciated that aspects are not limited to being implemented on the computer system as shown in Figure 3. Various aspects may be practiced on one or more computers having a different architecture or components that that shown in Figure 3.

    [0051] System 102 may be a general-purpose computer system that is programmable using a high-level computer programming language. System 102 may be also implemented using specially programmed, special purpose hardware. In the computer system 102, processor 301 is typically a commercially available processor such as the well-known Pentium class processor available from the Intel Corporation. Many other processors are available. Such a processor usually executes an operating system which may be, for example, the Windows NT, Windows 2000 (Windows ME) or Windows XP operating systems available from the Microsoft Corporation, MAC OS System X available from Apple Computer, the Solaris Operating System available from Sun Microsystems, Linux, or UNIX available from various sources. Many other operating systems may be used.

    [0052] The processor and operating system together define a computer platform for which application programs in high-level programming languages are written. It should be understood that embodiments are not limited to a particular computer system platform, processor, operating system, or network. Also, it should be apparent to those skilled in the art that embodiments are not limited to a specific programming language or computer system. Further, it should be appreciated that other appropriate programming languages and other appropriate computer systems could also be used.

    [0053] It should be appreciated that embodiments are not limited to executing on any particular system or group of systems. Also, it should be appreciated that embodiments are not limited to any particular distributed architecture, network, or communication protocol.

    [0054] Various embodiments may be programmed using an object-oriented programming language, such as SmallTalk, Java, C++, Ada, or C# (C-Sharp). Other object-oriented programming languages may also be used. Alternatively, functional, scripting, and/or logical programming languages may be used. Various aspects may be implemented as programmed or non-programmed elements, or any combination thereof.

    [0055] According to some embodiments, UPSs communicate to a management entity using a directly-connected link (e.g., a serial communication cable or a USB cable) or are provided what is referred herein as a network management card (NMC), interface card, or other devices that communicate to the device using the native language of the device, and this device translates data to one or more other systems or devices using network protocols such as HTTP (e.g., over one or more networks). Ethernet and/or other local area networks can be interfaced directly to the UPS or indirectly through a proxy such as the NMC or other devices.

    [0056] Products such as UPSs and other devices can communicate to other devices over an Ethernet-based network through either of two methods. First, an interface card (e.g., an NMC), communicates to the UPS or other device in the native language of the UPS or other device, translates this data to client-friendly terminology and vocabulary, and communicates over the Ethernet-based network to one or more other devices (e.g., a client) using one of many protocols such as HTTP, Telnet, SNMP and others. A client interpreting the translated data can be a human using a network browser or an application programmed to implement processes in response to the UPS or other devices' state of condition. The interface card may also be integrated with the UPS controller. Another way by which a connection is formed includes a software application installed in a computer that connects to the UPS or other device through a serial connection, translates the UPS or other device data to client-friendly terms and makes that data available to other devices through an Ethernet-based network connection.

    [0057] Having thus described several aspects of at least one embodiment of this invention, it is to be appreciated that various alterations, modifications and improvements will readily occur to those skilled in the art. Accordingly, the foregoing description is by way of example only.


    Claims

    1. An uninterruptible power supply, "UPS", (104) comprising:

    an input (224) configured to receive input power;

    a backup power source (218) configured to provide backup power;

    an output (226) configured to provide output power from at least one of the input power and the backup power; and

    a controller (216) coupled to the input, the backup power source, and the output, the controller configured to:
    receive a plurality of commands from an external entity;

    characterized in that the controller is further configured to:

    detect a selection of a configuration setting corresponding to one of a filtering mode and a non-filtering mode;

    responsive to detecting the selection of the configuration setting corresponding to the non-filtering mode:

    allowing execution of all the received commands; and

    responsive to detecting the selection of the configuration setting corresponding to the filtering mode:

    identify that a first subset of the plurality of commands comprises unrestricted commands and a second subset of the plurality of commands comprises restricted commands; wherein the unrestricted commands are allowed and executed as received and the restricted commands are disallowed and discarded if not authenticated;

    execute the unrestricted commands responsive to identifying the unrestricted commands;

    determine whether or not the restricted commands are received with an authentication code and whether or not the authentication code is authenticated;

    in response to the determining, execute commands of the restricted commands which are received with an authentication code and are authenticated; and

    in response to the determining, discard commands of the restricted commands which are not authenticated.


     
    2. The UPS of claim 1, further comprising a hardware switch (215) coupled to the controller, and wherein the configuration setting corresponds to a position of the hardware switch.
     
    3. The UPS of claim 1, further comprising a local user interface coupled to the controller, and wherein the configuration setting corresponds to a selection on the local user interface.
     
    4. The UPS of claim 1, wherein one of the first subset of commands and the second subset of commands comprises each command of the plurality of commands.
     
    5. The UPS of claim 1, wherein the second subset of the plurality of commands comprises commands that are authenticated.
     
    6. The UPS of claim 1, wherein the second subset of the plurality of commands comprises at least one of: a shutdown command, a command that changes the output power of the UPS, a command to change one or more configuration settings of the UPS, and a command to transmit information from the UPS.
     
    7. The UPS of claim 1, the controller further configured to:

    store the second subset of the plurality of commands; and

    analyze the stored commands to identify an attack on the UPS.


     
    8. The UPS of claim 7, wherein analyzing the stored commands comprises at least one of detecting a pattern in the stored commands and receiving at least a threshold number of unauthorized commands.
     
    9. A method for controlling an uninterruptible power supply, "UPS", the method comprising:

    receiving commands at the UPS, from an external entity;

    characterized in that the method further comprises:

    detecting a selection of a configuration setting corresponding to one of a filtering mode and a non-filtering mode;

    responsive to detecting the selection of the configuration setting corresponding to the non-filtering mode:

    allowing execution of all the received commands; and responsive to detecting selection of the configuration setting corresponding to the filtering mode:

    identifying a first subset of the commands that are unrestricted commands and a second subset of the commands that are restricted commands; wherein the unrestricted commands are allowed and executed as received and the restricted commands are disallowed and discarded if not authenticated;

    responsive to identifying the unrestricted commands, executing the unrestricted commands;

    determining whether or not the restricted commands are received with an authentication code and whether or not the authentication code is authenticated;

    in response to the determining, executing commands of the restricted commands which are received with an authentication code and are authenticated; and

    in response to the determining, discarding commands of the restricted commands which are not authenticated.


     
    10. The method of claim 9, further comprising configuring the configuration setting by setting a position of a hardware switch on the UPS.
     
    11. The method of claim 9, further comprising:

    storing the second subset of commands; and

    analyzing the stored commands to identify an attack on the UPS.


     
    12. The method of claim 11, wherein analyzing the stored commands comprises at least one of detecting a pattern in the stored commands and receiving at least a threshold number of unauthorized commands.
     


    Ansprüche

    1. Eine unterbrechungsfreie Stromversorgung, "USV", (104), beinhaltend:

    einen Eingang (224), der konfiguriert ist, um Eingangsleistung zu empfangen;

    eine Backup-Leistungsquelle (218), die konfiguriert ist, um Backup-Leistung bereitzustellen;

    einen Ausgang (226), der konfiguriert ist, um Ausgangsleistung von mindestens einer von der Eingangsleistung und der Backup-Leistung bereitzustellen; und

    eine Steuervorrichtung (216), die mit dem Eingang, der Backup-Leistungsquelle und dem Ausgang gekoppelt ist, wobei die Steuervorrichtung für Folgendes konfiguriert ist:

    Empfangen einer Vielzahl von Befehlen von einer externen Einheit;

    dadurch gekennzeichnet, dass die Steuervorrichtung ferner für Folgendes konfiguriert ist:

    Detektieren einer Auswahl einer Konfigurationseinstellung entsprechend einem von einem Filtermodus und einem Nichtfiltermodus;

    als Reaktion auf das Detektieren, dass die Auswahl der Konfigurationseinstellung dem Nichtfiltermodus entspricht:

    Freigeben der Ausführung aller empfangenen Befehle; und

    als Reaktion auf das Detektieren, dass die Auswahl der Konfigurationseinstellung dem Filtermodus entspricht:

    Identifizieren, dass ein erster Teilsatz der Vielzahl von Befehlen unbeschränkte Befehle beinhaltet und ein zweiter Teilsatz der Vielzahl von Befehlen beschränkte Befehle beinhaltet; wobei die unbeschränkten Befehle freigegeben und ausgeführt werden, wie empfangen, und die beschränkten Befehle nicht freigegeben werden und verworfen werden, wenn sie nicht authentifiziert sind;

    Ausführen der unbeschränkten Befehle als Reaktion auf das Identifizieren der unbeschränkten Befehle;

    Bestimmen, ob die beschränkten Befehle mit einem Authentifizierungscode empfangen werden oder nicht und ob der Authentifizierungscode authentifiziert ist oder nicht;

    als Reaktion auf das Bestimmen, Ausführen von Befehlen der beschränkten Befehle, die mit einem Authentifizierungscode empfangen werden und authentifiziert sind; und

    als Reaktion auf das Bestimmen, Verwerfen von Befehlen der beschränkten Befehle, die nicht authentifiziert sind.


     
    2. USV gemäß Anspruch 1, ferner beinhaltend einen Hardwareschalter (215), der mit der Steuervorrichtung gekoppelt ist, und wobei die Konfigurationseinstellung einer Position des Hardwareschalters entspricht.
     
    3. USV gemäß Anspruch 1, ferner beinhaltend eine lokale Benutzerschnittstelle, die mit der Steuervorrichtung gekoppelt ist, und wobei die Konfigurationseinstellung einer Auswahl an der lokalen Benutzerschnittstelle entspricht.
     
    4. USV gemäß Anspruch 1, wobei einer von dem ersten Teilsatz von Befehlen und dem zweiten Teilsatz von Befehlen jeden Befehl der Vielzahl von Befehlen beinhaltet.
     
    5. USV gemäß Anspruch 1, wobei der zweite Teilsatz der Vielzahl von Befehlen Befehle beinhaltet, die authentifiziert sind.
     
    6. USV gemäß Anspruch 1, wobei der zweite Teilsatz der Vielzahl von Befehlen mindestens eines von Folgendem beinhaltet: einen Abschaltungsbefehl, einen Befehl, der die Ausgangsleistung der USV ändert, einen Befehl zum Ändern einer oder mehrerer Konfigurationseinstellungen der USV und einen Befehl zum Übertragen von Informationen von der USV.
     
    7. USV nach Anspruch 1, wobei die Steuereinheit ferner für Folgendes konfiguriert ist:

    Speichern des zweiten Teilsatzes der Vielzahl von Befehlen; und

    Analysieren der gespeicherten Befehle zum Identifizieren eines Angriffs auf die USV.


     
    8. USV gemäß Anspruch 7, wobei das Analysieren der gespeicherten Befehle mindestens eines von Folgendem beinhaltet: Detektieren eines Musters in den gespeicherten Befehlen und Empfangen mindestens einer Schwellenanzahl nicht autorisierter Befehle.
     
    9. Ein Verfahren zum Steuern einer unterbrechungsfreien Stromversorgung, "USV", wobei das Verfahren Folgendes beinhaltet:

    Empfangen von Befehlen an der USV von einer externen Einheit;

    dadurch gekennzeichnet, dass das Verfahren ferner Folgendes beinhaltet:

    Detektieren einer Auswahl einer Konfigurationseinstellung entsprechend einem von einem Filtermodus und einem Nichtfiltermodus;

    als Reaktion auf das Detektieren, dass die Auswahl der Konfigurationseinstellung dem Nichtfiltermodus entspricht:

    Freigeben der Ausführung aller empfangenen Befehle; und

    als Reaktion auf das Detektieren, dass die Auswahl der Konfigurationseinstellung dem Filtermodus entspricht:

    Identifizieren eines ersten Teilsatzes der Befehle, die unbeschränkte Befehle sind, und eines zweiten Teilsatzes der Befehle, die beschränkte Befehle sind; wobei die unbeschränkten Befehle freigegeben und ausgeführt werden, wie empfangen, und die beschränkten Befehle nicht freigegeben werden und verworfen werden, wenn sie nicht authentifiziert sind;

    als Reaktion auf das Identifizieren der unbeschränkten Befehle, Ausführen der unbeschränkten Befehle;

    Bestimmen, ob die beschränkten Befehle mit einem Authentifizierungscode empfangen werden oder nicht und ob der Authentifizierungscode authentifiziert ist oder nicht;

    als Reaktion auf das Bestimmen, Ausführen von Befehlen der beschränkten Befehle, die mit einem Authentifizierungscode empfangen werden und authentifiziert sind; und

    als Reaktion auf das Bestimmen, Verwerfen von Befehlen der beschränkten Befehle, die nicht authentifiziert sind.


     
    10. Verfahren gemäß Anspruch 9, ferner beinhaltend das Konfigurieren der Konfigurationseinstellung durch das Einstellen einer Position eines Hardwareschalters an der USV.
     
    11. Verfahren gemäß Anspruch 9, ferner beinhaltend:

    Speichern des zweiten Teilsatzes von Befehlen; und

    Analysieren der gespeicherten Befehle zum Identifizieren eines Angriffs auf die USV.


     
    12. Verfahren gemäß Anspruch 11, wobei das Analysieren der gespeicherten Befehle mindestens eines von Folgendem beinhaltet: Detektieren eines Musters in den gespeicherten Befehlen und Empfangen mindestens einer Schwellenanzahl nicht autorisierter Befehle.
     


    Revendications

    1. Une alimentation sans interruption, « ASI » (UPS), (104) comprenant :

    une entrée (224) configurée pour recevoir une puissance d'entrée ;

    une source de puissance de secours (218) configurée pour fournir une puissance de secours ;

    une sortie (226) configurée pour fournir de la puissance de sortie à partir d'au moins une puissance parmi la puissance d'entrée et la puissance de secours ; et

    un dispositif de contrôle (216) couplé à l'entrée, la source de puissance de secours, et la sortie, le dispositif de contrôle étant configuré pour :

    recevoir une pluralité de commandes à partir d'une entité externe ;

    caractérisé en ce que le dispositif de contrôle est en outre configuré pour :

    détecter une sélection d'un réglage de configuration correspondant à un mode parmi un mode de filtrage et un mode de non filtrage ;

    en réaction à la détection de la sélection du réglage de configuration correspondant au mode de non filtrage :

    autoriser l'exécution de toutes les commandes reçues ; et

    en réaction à la détection de la sélection du réglage de configuration correspondant au mode de filtrage :

    identifier qu'un premier sous-ensemble de la pluralité de commandes comprend des commandes non restreintes et qu'un deuxième sous-ensemble de la pluralité de commandes comprend des commandes restreintes ; les commandes non restreintes étant autorisées et exécutées comme elles sont reçues et les commandes restreintes étant refusées et rejetées si elles ne sont pas authentifiées ;

    exécuter les commandes non restreintes en réaction à l'identification des commandes non restreintes ;

    déterminer si les commandes restreintes sont reçues avec un code d'authentification ou non et si le code d'authentification est authentifié ou non ;

    en réponse à la détermination, exécuter des commandes parmi les commandes restreintes qui sont reçues avec un code d'authentification et qui sont authentifiées ; et

    en réponse à la détermination, rejeter des commandes parmi les commandes restreintes qui ne sont pas authentifiées.


     
    2. L'ASI de la revendication 1, comprenant en outre un commutateur matériel (215) couplé au dispositif de contrôle, et dans laquelle le réglage de configuration correspond à une position du commutateur matériel.
     
    3. L'ASI de la revendication 1, comprenant en outre une interface utilisateur locale couplée au dispositif de contrôle, et dans laquelle le réglage de configuration correspond à une sélection sur l'interface utilisateur locale.
     
    4. L'ASI de la revendication 1, dans laquelle un sous-ensemble parmi le premier sous-ensemble de commandes et le deuxième sous-ensemble de commandes comprend chaque commande de la pluralité de commandes.
     
    5. L'ASI de la revendication 1, dans laquelle le deuxième sous-ensemble de la pluralité de commandes comprend des commandes qui sont authentifiées.
     
    6. L'ASI de la revendication 1, dans laquelle le deuxième sous-ensemble de la pluralité de commandes comprend au moins une commande parmi : une commande d'arrêt, une commande qui change la puissance de sortie de l'ASI, une commande pour changer un ou plusieurs réglages de configuration de l'ASI, et une commande pour transmettre des informations à partir de l'ASI.
     
    7. L'ASI de la revendication 1, le dispositif de contrôle étant en outre configuré pour :

    stocker le deuxième sous-ensemble de la pluralité de commandes ; et

    analyser les commandes stockées afin d'identifier une attaque à l'encontre de l'ASI.


     
    8. L' ASI de la revendication 7, dans laquelle l'analyse des commandes stockées comprend au moins une action parmi la détection d'un schéma dans les commandes stockées et la réception d'au moins un nombre seuil de commandes non autorisées.
     
    9. Un procédé pour contrôler une alimentation sans interruption, « ASI », le procédé comprenant :
    la réception de commandes au niveau de l'ASI, à partir d'une entité externe :
    caractérisé en ce que le procédé comprend en outre :

    la détection d'une sélection d'un réglage de configuration correspondant à un mode parmi un mode de filtrage et un mode de non filtrage ;

    en réaction à la détection de la sélection du réglage de configuration correspondant au mode de non filtrage :

    l'autorisation d'exécuter toutes les commandes reçues ; et

    en réaction à la détection de la sélection du réglage de configuration correspondant au mode de filtrage :

    l'identification d'un premier sous-ensemble des commandes qui sont des commandes non restreintes et un deuxième sous-ensemble des commandes qui sont des commandes restreintes ;

    les commandes non restreintes étant autorisées et exécutées comme elles sont reçues et les commandes restreintes étant refusées et rejetées si elles ne sont pas authentifiées ;

    en réaction à l'identification des commandes non restreintes, l'exécution des commandes non restreintes ;

    la détermination quant à savoir si les commandes restreintes sont reçues avec un code d'authentification ou non et si le code d'authentification est authentifié ou non ;

    en réponse à la détermination, l'exécution de commandes parmi les commandes restreintes qui sont reçues avec un code d'authentification et qui sont authentifiées ; et

    en réponse à la détermination, le rejet de commandes parmi les commandes restreintes qui ne sont pas authentifiées.


     
    10. Le procédé de la revendication 9, comprenant en outre la configuration du réglage de configuration en réglant une position d'un commutateur matériel sur l'ASI.
     
    11. Le procédé de la revendication 9, comprenant en outre :

    le stockage du deuxième sous-ensemble de commandes ; et

    l'analyse des commandes stockées afin d'identifier une attaque à l'encontre de l'ASI.


     
    12. Le procédé de la revendication 11, dans lequel l'analyse des commandes stockées comprend au moins une action parmi la détection d'un schéma dans les commandes stockées et la réception d'au moins un nombre seuil de commandes non autorisées.
     




    Drawing























    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description