
WO2011124257A1 - Authentication and authorization method for process control system - Google Patents

Authentication and authorization method for process control system

Info

Publication number: WO2011124257A1
Application number: PCT/EP2010/054659
Authority: WO (WIPO, PCT)
Prior art keywords: security server, user, critical device, database, authentication
Other languages: French (fr)
Inventors: Anas Benhaddou, Stephen Thompson
Original assignee: Areva T&D Uk Ltd
Priority date: 2010-04-08
Filing date: 2010-04-08
Publication date: 2011-10-13

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

Abstract

The invention concerns a method for managing access by a user station to a critical device of an industrial control system comprising a security server and a database comprising user's credentials, said method characterized by regularly transferring user's authentication and authorization data from said database to said critical device to allow authentication of a user by said critical device if the security server becomes temporarily unavailable.

Description

AUTHENTICATION AND AUTHORIZATION METHOD FOR PROCESS CONTROL SYSTEM
TECHNICAL DOMAIN
The invention pertains to the field of industrial process control, and more specifically, deals with user authentication, authorization and accounting.
The invention also concerns an architecture for managing access by a user to a critical device of an industrial control system comprising a security server provided with a database comprising users' credentials.
STATE OF PRIOR ART
In an industrial process control system, such as a substation, the Authentication, Authorisation and Accounting (AAA) of users' access to critical devices within the system is often performed by a dedicated security server which provides these AAA services to all critical devices in the system. Typically the security server is present on the same local area network as the devices that use it, but it may also be located remotely from these devices and be accessed through gateways and routers to a communications infrastructure connected to the process control system's LAN.
Figure 1 schematically illustrates a typical local area network (LAN) 2 comprising a critical device 4 and a user station 6 locally connected to the LAN 2, and a security server 8 with a local connection to the LAN 2. A security server 10 may be connected remotely to the LAN 2 through a public network 12 such as the Internet.
Under normal conditions, all accesses to the critical device 4 by the user station 6 are first routed to the security server 8 or to the security server 10 for authentication and authorisation to be performed. The security servers 8 and 10 record each user access in an accounting log for future audit purposes.
In some conditions, access to said security servers 8 and 10 may be impractical or impossible. For example, cost or network infrastructure considerations may discourage a permanent network connection to the security servers 8 and 10: if the network supports just a few critical devices, the cost of a permanent connection to the security server 8 may be undesirable. It is also possible that the security servers 8 and 10 are unavailable due to communication problems or upgrades.
The present invention aims at providing an alternative means for Authentication and Authorisation of users in situations where either the local or the remote security server is not permanently available or temporarily unavailable.
PRESENTATION OF THE INVENTION
The invention is based on the idea of implementing a persistent cache in a non-volatile RAM within the critical devices that holds a duplicate of the security server information (users, roles...) so that when the security server is not available for any reason, the user is authenticated against said local cache.
This aim is achieved by means of a method for managing access by a user to a critical device of an industrial control system comprising at least a security server and a database comprising users' credentials.
According to the invention, the method comprises the step of regularly transferring users' authentication and authorization data from said database AA to said critical device D to allow authentication of a user by said critical device D if the security server becomes temporarily unavailable.
In a first variant of the invention, the transfer of said user's authentication and authorization from said database AA to said critical device D is performed on demand.
In another variant of the invention, said transfer may be performed according to a pre-programmed procedure.
In both variants, whilst connection to the security server is available:
- the critical device periodically requests the user's authentication and authorization refresh from the security server,
- the security server transfers a security server database 'replica' to said device.
The security server may be configured to spontaneously transfer the database 'replica' to a connected device whilst connection to said security server is available. Preferably, the request from the critical device to the security server is supported by an authentication scheme to ensure that the security server only transfers the database replica to a suitably authenticated critical device, said database replica being encrypted prior to transfer to said critical device.
Moreover, the database replica transferred from said database AA to said critical device D may be persistent and non-volatile to provide said critical device with permanently available means for authenticating and authorizing users according to security server availability and configuration.
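The replica request exchange sketched above, written out as an added example (this is not code from the patent): the critical device tags its request with a per-device key, the security server rejects requests that fail that check, are stale or are replayed, releases an extract only for the devices the requester is authorised to fetch (its own, or others it is configured to serve as an AAA server, as the description notes further on), and the device installs the returned replica only after verifying the tag and that the reply answers its own request. Python, standard library only; the pre-shared device keys, the message field names and the names `ReplicaServer`, `build_request` and `accept_reply` are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed example: device keys, message fields and class/function names are
# assumptions for illustration, not identifiers taken from the patent.

REQUEST_MAX_AGE_S = 30          # accept a tagged request only within this window


def _canonical(obj: dict) -> bytes:
    """Stable serialisation so both sides tag exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, obj: dict) -> str:
    return hmac.new(key, _canonical(obj), hashlib.sha256).hexdigest()


@dataclass
class ReplicaServer:
    database: dict[str, dict]            # device_id -> extract relevant to that device
    device_keys: dict[str, bytes]        # per-device pre-shared key (assumption)
    serves_for: dict[str, set[str]]      # device_id -> devices it acts as AAA server for
    seen_nonces: set[str] = field(default_factory=set)
    accounting: list[str] = field(default_factory=list)

    def handle_extract_request(self, request: dict, now: float) -> dict:
        """Authenticate the requester, reject replays, check scope, return a tagged extract."""
        body, requester = request["body"], request["body"]["device_id"]
        key = self.device_keys.get(requester)
        if key is None or not hmac.compare_digest(request["tag"], _tag(key, body)):
            return self._refuse(requester, "device authentication failed")
        if abs(now - body["ts"]) > REQUEST_MAX_AGE_S or body["nonce"] in self.seen_nonces:
            return self._refuse(requester, "stale or replayed request")
        self.seen_nonces.add(body["nonce"])
        allowed = {requester} | self.serves_for.get(requester, set())
        denied = set(body["for_devices"]) - allowed
        if denied:
            return self._refuse(requester, f"not authorised for {sorted(denied)}")
        reply = {
            "extract": {dev: self.database.get(dev, {}) for dev in body["for_devices"]},
            "issued": now,
            "valid_until": now + body["validity_s"],   # time-limited cache
            "nonce": body["nonce"],                    # binds the reply to this request
        }
        self.accounting.append(f"released extract for {sorted(reply['extract'])} to {requester}")
        # The tag gives the device integrity and origin of the replica. The patent also
        # requires the replica to be encrypted before transfer; that is left here to the
        # transport (TLS) or an AEAD around `reply`, which the standard library lacks.
        return {"status": "ok", "reply": reply, "tag": _tag(key, reply)}

    def _refuse(self, requester: str, reason: str) -> dict:
        self.accounting.append(f"refused {requester}: {reason}")
        return {"status": "refused", "reason": reason}


def build_request(device_id: str, key: bytes, for_devices: list[str],
                  validity_s: int, now: float) -> dict:
    """Critical device side: a timestamped, nonced request tagged with the device key."""
    body = {"device_id": device_id, "for_devices": sorted(for_devices),
            "validity_s": validity_s, "ts": now, "nonce": secrets.token_hex(8)}
    return {"body": body, "tag": _tag(key, body)}


def accept_reply(key: bytes, response: dict, expected_nonce: str) -> dict | None:
    """Critical device side: install the extract only if tag and nonce both verify."""
    if response["status"] != "ok":
        return None
    reply = response["reply"]
    if not hmac.compare_digest(response["tag"], _tag(key, reply)):
        return None
    if reply["nonce"] != expected_nonce:
        return None
    return reply["extract"]


def demo() -> dict:
    """Constructed scenario: dev4 is configured as AAA server for dev5, dev5 is not for dev4."""
    now = 1_270_684_800.0                          # 2010-04-08T00:00:00Z
    k4, k5 = secrets.token_bytes(32), secrets.token_bytes(32)
    server = ReplicaServer(
        database={"dev4": {"alice": {"role": "operator"}}, "dev5": {"bob": {"role": "viewer"}}},
        device_keys={"dev4": k4, "dev5": k5},
        serves_for={"dev4": {"dev5"}},
    )
    out = {}
    req = build_request("dev4", k4, ["dev4", "dev5"], 3600, now)
    out["dev4_gets_both"] = accept_reply(k4, server.handle_extract_request(req, now), req["body"]["nonce"])
    out["replay"] = server.handle_extract_request(req, now + 1)["status"]
    out["dev5_wants_dev4"] = server.handle_extract_request(build_request("dev5", k5, ["dev4"], 3600, now), now)["status"]
    out["wrong_key"] = server.handle_extract_request(build_request("dev5", k4, ["dev5"], 3600, now), now)["status"]
    out["stale"] = server.handle_extract_request(build_request("dev5", k5, ["dev5"], 3600, now), now + 120)["status"]
    return out
```

Two checks matter here beyond the tag itself: the nonce is echoed in the reply so a device cannot be fed a genuine but old replica in answer to a new request, and the scope check is done against the requester's configured `serves_for` set, so a compromised device can pull at most the extracts of the devices it was already trusted to serve.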
The method according to the invention further comprises a priority configuration according to which:
- if the security server has priority, all user authentication and authorization is performed by said security server,
- if the critical device has priority, all user authentication and authorization is performed by said critical device using the database replica.
The method according to the invention is implemented by means of an architecture comprising means for regularly transferring users' authentication and authorization data from said database AA to said critical device D to allow authentication of a user by said critical device D if the security server becomes temporarily unavailable, or if performance constraints require instant availability of said security server, or if the communications infrastructure does not permit a permanent connection to said security server.
Said critical device comprises means for periodically requesting the user' s authentication and authorization refresh from the security server, and the security server comprises means for transferring an AAA database 'replica' to said device.
BRIEF DESCRIPTION OF THE FIGURES
The foregoing summary, as well as the following detailed description, will be better understood when read in conjunction with the appended figures illustrating an exemplary embodiment of the invention in which:
- figure 1 schematically illustrates a typical architecture of a local network comprising a critical device in an industrial site,
- figure 2 schematically illustrates an authentication flow chart based on the method according to the invention.
DESCRIPTION OF A DETAILED EMBODIMENT OF THE INVENTION
In the following description, identical reference signs designate elements common to figure 1, illustrating a typical LAN in an industrial site, and figure 2, illustrating the method of the invention.
Referring now to figure 2, a critical device 4 is being accessed by a user station 6 in an industrial site in which the critical device 4 and the user station 6 are interconnected to a local or remote security server (8, 10) via a local network.
Figure 2 illustrates different scenarios for authenticating the user station 6: directly, using a cache of the user credentials previously stored in the critical device; through a connection to the security server (8, 10) to use the user credentials stored therein; or through a combination of both methods. In figure 2 a user logon attempt 20 is shown at either the user station 6 or the critical device 4.
The scenario of the user authentication to be applied depends on the priority configuration established between the critical device and security server (8, 10) and on the respective behavior of these two elements.
For example, when an authentication request is sent (flow 22) from the user station 6 to the critical device 4 after a user login attempt 20, the critical device 4 forwards (flow 24) said request to the security server (8, 10) if the latter has priority for performing the user authentication process. The security server (8, 10) authenticates the user and confirms (flow 26) the authentication back to the critical device 4, which then forwards (flow 28) the confirmation to the user station 6.
Otherwise, if it is the critical device 4 that has priority to authenticate users, it handles the request internally, authenticates the user against the user's credentials stored therein, and confirms (flow 28) the authentication back to the user station 6. If the critical device 4 has no connection to the security server (8, 10), it likewise handles the user authentication using the user credentials stored therein, and confirms (flow 28) the authentication back to the user station 6.
If it is the critical device 4 that has priority to authenticate users but the user credentials are not stored in the critical device 4, after the attempt of the user station 6 to log on to the critical device 4, the latter attempts to authenticate the user but fails because the user credentials are not stored therein. In this case, the critical device 4 forwards (flow 30) the request to the security server (8, 10), which authenticates the user and confirms (flow 26) the authentication back to the critical device 4, which then forwards (flow 28) the confirmation to the user station 6.
If it is the security server (8, 10) that has priority to authenticate users but the user credentials are not stored in the database of said security server (8, 10), after the attempt of the user station 6 to log on to the critical device 4, the latter forwards (flow 24) the request to the security server (8, 10), which tries to authenticate the user but fails because the user credentials are not stored therein. In this case, the security server (8, 10) returns (flow 26) a failure notification to the critical device 4. The latter authenticates the user using the user credentials stored therein and confirms (flow 28) the authentication back to the user station 6.
It is to be noted that for any specific critical device, the cache will contain extracts from the security server (8, 10) database relevant to that entity only. However, a critical device may be configured to act as an authentication, authorization and accounting (AAA) server for other critical devices in its local network, and thus its cache may also contain extracts relevant to those critical devices. This means that a critical device has the capability of requesting cache extracts for critical devices other than itself. An AAA server will only release such extracts if the requesting critical device is authorised to make such requests.
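The four authentication scenarios of figure 2, with the priority configuration from the summary, as an added example (not code from the patent). The replica holds salted PBKDF2 verifiers rather than passwords, because a cache in non-volatile memory on a field device has to be assumed readable by whoever gets physical access to it. Python, standard library only; the names `Priority`, `Verdict`, `SecurityServer` and `CriticalDevice`, the verifier format and the iteration count are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum

# Constructed example. Priority, Verdict, SecurityServer and CriticalDevice are
# names chosen for this illustration, not identifiers from the patent.

PBKDF2_ITERATIONS = 50_000      # deliberately slow: the cache may end up on stolen hardware


def make_verifier(password: str) -> tuple[bytes, bytes]:
    """Store a salted PBKDF2 verifier in the replica, never the cleartext password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_verifier(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Priority(Enum):
    SERVER = "server"       # the security server (8, 10) decides first
    DEVICE = "device"       # the critical device (4) decides first


class Verdict(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad_password"
    UNKNOWN_USER = "unknown_user"   # the failure notification of flow 26
    UNAVAILABLE = "unavailable"     # no connection to the server


@dataclass
class SecurityServer:
    database: dict[str, tuple[bytes, bytes]]    # user -> (salt, verifier)
    available: bool = True
    accounting: list[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> Verdict:
        if not self.available:
            return Verdict.UNAVAILABLE
        entry = self.database.get(user)
        if entry is None:
            verdict = Verdict.UNKNOWN_USER
        else:
            verdict = Verdict.OK if check_verifier(password, *entry) else Verdict.BAD_PASSWORD
        self.accounting.append(f"{user}: {verdict.value}")
        return verdict


@dataclass
class CriticalDevice:
    cache: dict[str, tuple[bytes, bytes]]       # replica of the server database
    server: SecurityServer
    priority: Priority
    accounting: list[str] = field(default_factory=list)   # device-side audit trail

    def _check_cache(self, user: str, password: str) -> Verdict:
        entry = self.cache.get(user)
        if entry is None:
            return Verdict.UNKNOWN_USER
        return Verdict.OK if check_verifier(password, *entry) else Verdict.BAD_PASSWORD

    def authenticate(self, user: str, password: str) -> tuple[Verdict, str]:
        """Returns (verdict, deciding component) so the audit trail shows the path taken."""
        if self.priority is Priority.SERVER:
            verdict, path = self.server.authenticate(user, password), "server"   # flows 24, 26
            # Fall back to the cache only when the server cannot decide (unreachable or
            # user unknown). A BAD_PASSWORD from the server is final: retrying it against
            # a stale replica would let a changed or revoked password keep working.
            if verdict in (Verdict.UNAVAILABLE, Verdict.UNKNOWN_USER):
                verdict, path = self._check_cache(user, password), "cache"
        else:
            verdict, path = self._check_cache(user, password), "cache"
            if verdict is Verdict.UNKNOWN_USER:                                    # flow 30
                remote = self.server.authenticate(user, password)
                if remote is not Verdict.UNAVAILABLE:
                    verdict, path = remote, "server"
        self.accounting.append(f"{user}: {verdict.value} via {path}")
        return verdict, path                                                       # flow 28


def demo() -> dict[str, tuple[Verdict, str]]:
    """Walks the scenarios of figure 2 with constructed accounts."""
    server_db = {"operator": make_verifier("op-pass"), "central-only": make_verifier("c-pass")}
    cache = {"operator": server_db["operator"], "local-only": make_verifier("l-pass")}
    server = SecurityServer(server_db)
    out = {}
    dev = CriticalDevice(dict(cache), server, Priority.SERVER)
    out["server_priority_ok"] = dev.authenticate("operator", "op-pass")
    out["server_unknown_user_falls_back"] = dev.authenticate("local-only", "l-pass")
    out["server_bad_password_is_final"] = dev.authenticate("operator", "wrong")
    server.available = False
    out["server_down_uses_cache"] = dev.authenticate("operator", "op-pass")
    server.available = True
    dev = CriticalDevice(dict(cache), server, Priority.DEVICE)
    out["device_priority_ok"] = dev.authenticate("operator", "op-pass")
    out["device_unknown_user_forwards"] = dev.authenticate("central-only", "c-pass")
    return out
```

The check worth insisting on in any implementation of this flow is the one in the server-priority branch: the "failure notification" that triggers a cache lookup must mean "user not in the server database", not "wrong password", otherwise the replica silently undoes every password change or revocation made at the server until the next refresh. The device-side accounting list exists because, with the server unreachable, the device is the only place an offline logon can be recorded for later audit.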
If a critical device is acting as an AAA server, it may receive cache requests from any of the critical devices it is serving and will respond accordingly, subject to satisfactory authentication and authorisation of the requesting critical device.
While acting as an AAA server, a critical device may have modifications made to its cache to add or remove users, or existing user's accounts may be modified through local updates and/or operator (administrator) commands, especially where no remote security server (8, 10) is permanently connected.
When a critical device receives a new cache from a server, whether after a request or spontaneously, and the critical device has had modifications made to its cache, it performs a synchronisation activity to ensure that conflicts which may exist between the local cache and the downloaded cache are resolved correctly. The resolution of such conflicts is done according to the critical device's cache priority configuration as follows:
- if the security server (8, 10) has priority, then the downloaded cache takes precedence. In this scenario, if an entry for a user in the downloaded cache is in conflict with the entry for the same user in the local cache, then the local cache entry is replaced by the downloaded entry,
- if the cache has priority, then the local cache takes precedence. In this scenario, if an entry for a user in the downloaded cache is in conflict with the entry for the same user in the local cache, then the downloaded cache entry is discarded.
AAA services may also be provided temporarily by a laptop computer acting as a virtual server connected to the network. Whilst it is connected, critical devices may request a cache refresh, or the server (laptop) may initiate a spontaneous cache refresh. The connection to the laptop is not permanent and may be disconnected after a period of time; re-connection may occur at any time.
Note that a cache downloaded to a critical device may be time-limited. After the time period has elapsed, or after a specified date/time has been reached, the cache is invalidated. In this instance the default (initially configured) cache entries are reactivated. The cache held within a critical device is thus multi-layered, in that it has a configured permanent section and a temporal section that is provided by cache downloads and refreshes.
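The two-layer cache, the conflict resolution of the synchronisation step and the time limit on downloaded entries, carried through as one added example (not code from the patent). The same conflicting local edit is merged once under each priority setting, then looked up before and after the download's validity period expires. Python, standard library only; `LayeredCache`, `Entry`, the field names and the stand-in verifier strings are assumptions of this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Constructed example: LayeredCache, Entry and the field names are assumptions for
# illustration, not identifiers from the patent.


class CachePriority(Enum):
    SERVER = "server"   # the downloaded cache wins a same-user conflict
    LOCAL = "local"     # the local cache wins a same-user conflict


@dataclass(frozen=True)
class Entry:
    role: str
    verifier: str       # salted password hash (stand-in string here), never the cleartext


@dataclass
class LayeredCache:
    permanent: dict[str, Entry]             # initially configured default accounts
    priority: CachePriority
    temporal: dict[str, Entry] = field(default_factory=dict)   # downloads, refreshes, local edits
    valid_until: datetime | None = None
    log: list[str] = field(default_factory=list)

    def local_update(self, user: str, entry: Entry | None) -> None:
        """Administrator change made on the device, e.g. while no server is connected."""
        if entry is None:
            self.temporal.pop(user, None)
        else:
            self.temporal[user] = entry
        self.log.append(f"local update: {user}")

    def synchronise(self, downloaded: dict[str, Entry], valid_for: timedelta,
                    now: datetime) -> list[str]:
        """Merge a downloaded replica; same-user conflicts follow the priority configuration.
        Returns the users for which a conflict had to be resolved."""
        resolved = []
        for user, remote in downloaded.items():
            local = self.temporal.get(user)
            if local is None or local == remote:
                self.temporal[user] = remote
                continue
            if self.priority is CachePriority.SERVER:
                self.temporal[user] = remote    # downloaded entry replaces the local one
            # CachePriority.LOCAL: the local entry is kept, the downloaded one discarded
            resolved.append(user)
        self.valid_until = now + valid_for      # time-limited download
        self.log.append(f"sync of {len(downloaded)} entries, valid until {self.valid_until.isoformat()}")
        return resolved

    def lookup(self, user: str, now: datetime) -> tuple[Entry | None, str]:
        """Serve the temporal layer while it is valid, otherwise the permanent defaults."""
        if self.valid_until is not None and now >= self.valid_until:
            self.temporal.clear()               # invalidate; defaults are reactivated
            self.valid_until = None
            self.log.append("temporal cache expired; permanent entries reactivated")
        if user in self.temporal:
            return self.temporal[user], "temporal"
        return self.permanent.get(user), "permanent"


def demo() -> dict[str, dict]:
    """Same conflicting local edit under both priority settings, then expiry."""
    t0 = datetime(2010, 4, 8, tzinfo=timezone.utc)
    defaults = {"maintenance": Entry("maintainer", "h-default")}
    download = {"alice": Entry("operator", "h-alice-v2"), "bob": Entry("viewer", "h-bob")}
    out = {}
    for prio in CachePriority:
        cache = LayeredCache(dict(defaults), prio)
        cache.local_update("alice", Entry("engineer", "h-alice-local"))   # conflicts with download
        resolved = cache.synchronise(download, timedelta(hours=8), t0)
        alice, _ = cache.lookup("alice", t0 + timedelta(hours=1))
        _, bob_layer = cache.lookup("bob", t0 + timedelta(hours=1))
        out[prio.value] = {
            "resolved": resolved,
            "alice_role": alice.role,
            "bob_layer": bob_layer,
            "alice_after_expiry": cache.lookup("alice", t0 + timedelta(hours=9)),
            "default_after_expiry": cache.lookup("maintenance", t0 + timedelta(hours=9))[1],
        }
    return out
```

The consequence to keep in view when choosing the local-priority setting: a locally edited entry survives every download that would have corrected it, so an account changed or revoked at the security server stays in its old form on that device until the temporal layer expires or an operator removes it. The validity period passed to `synchronise` is therefore the bound on how far a device can drift from the server, and it should be set with that in mind rather than purely for convenience.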

Claims

1. A method for managing access by a user station (6) to a critical device (4) of an industrial control system comprising a security server (8, 10) provided with a database comprising user's credentials, said method characterized by regularly transferring user's authentication and authorization data from said database to said critical device (4) to allow authentication of a user by said critical device (4) if the security server (8, 10) becomes temporarily unavailable.
2. A method according to claim 1 wherein the transfer of said user's authentication and authorization from said database to said critical device (4) is performed on demand or according to a pre-programmed procedure.
3. A method according to claim 2 wherein, whilst connection to the security server (8, 10) is available:
- the critical device (4) periodically requests the user's authentication and authorization refresh from the security server (8, 10),
- the security server (8, 10) transfers a replica of the database to said device (4).
4. A method according to claim 2 wherein the security server (8, 10) is configured to spontaneously transfer said database replica to connected critical devices (4) whilst connection to said security server (8, 10) is available.
5. A method according to claim 3 or 4 wherein the request from the critical device (4) to the security server (8,10) is supported by an authentication scheme to ensure that the security server (8,10) only transfers the database replica to suitably authenticated critical device (4).
6. A method according to claim 5 wherein said database replica is encrypted prior to transfer to said critical device (4).
7. A method according to claim wherein the database replica transferred from said database to said critical device (4) may be persistent and non-volatile to provide said critical device (4) with permanently available means for authenticating and authorizing users according to security server (8,10) availability and configuration.
8. A method according to claim 7 further comprising a priority configuration wherein:
- if the security server (8, 10) has priority to authenticate the user, all user authentication and authorization is performed by said security server (8, 10),
- if the critical device (4) has priority to authenticate the user, all user authentication and authorization is performed by said critical device using the database replica.
9. An architecture for managing access by a user station (6) to a critical device (4) of an industrial control system comprising a security server (8, 10) provided with a database comprising user's credentials, said architecture characterized by means for regularly transferring user's credentials from said database AA to said critical device (4) to allow authentication of a user by said critical device (4) on behalf of said security server (8, 10) if the security server (8, 10) becomes temporarily unavailable, or if the performance constraints require instant availability of said security server (8, 10), or if the communications infrastructure does not permit permanent connection to said security server (8, 10).
10. Architecture according to claim 9, wherein the critical device (4) comprises means for periodically requesting the user's authentication and authorization refresh from the security server (8, 10), and the security server (8, 10) comprises means for transferring a database replica to said critical device (4).

Priority Applications (1)

Application number: PCT/EP2010/054659 (WO2011124257A1, en); priority date: 2010-04-08; filing date: 2010-04-08; title: Authentication and authorization method for process control system


Publications (1)

WO2011124257A1 (en), published 2011-10-13

Family

ID=42734681


Country Status (1)

WO: WO2011124257A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
DE102015224838A1 * (priority 2015-12-10, published 2017-06-14, Volkswagen Aktiengesellschaft): Apparatus, information system, method and computer program for testing an authentication feature
DE102015224838B4 (priority 2015-12-10, published 2024-03-21, Volkswagen Aktiengesellschaft): Devices, information system, method and computer program for checking an authentication feature
CN118245996A * (priority 2024-05-23, published 2024-06-25, 青岛盈智科技有限公司): Four-way shuttle identity authentication method and system

Patent Citations (1)

* Cited by examiner, † Cited by third party
US20080066166A1 * (priority 2002-06-27, published 2008-03-13, Lenovo (Singapore) Pte. Ltd.): Remote authentication caching on a trusted client or gateway system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Li Gong, "Increasing Availability and Security of an Authentication Service", IEEE Journal on Selected Areas in Communications, vol. 11, no. 5, 1 June 1993, pp. 657-662, DOI: 10.1109/49.223866, ISSN 0733-8716, XP000399661 *
Martin Naedele, "An Access Control Protocol for Embedded Devices", 2006 IEEE International Conference on Industrial Informatics, 1 August 2006, pp. 565-569, ISBN 978-0-7803-9700-2, XP031003414 *



Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref. document number 10713627, country EP, kind code A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (PCT application filed from 20040101)
NENP Non-entry into the national phase (ref. country code DE)
122 EP: PCT application non-entry in European phase (ref. document number 10713627, country EP, kind code A1)