Production process knowledge-based intrusion detection for industrial control systems
Abstract
A system for threat detection in an industrial production environment comprises a programmable logic controller. This programmable logic controller includes a process image updated according to a scan cycle with process data associated with one or more field devices, a program configured to operate the one or more field devices using the process data, and one or more function blocks. These function blocks are configured to monitor the process data in the process image during each scan cycle, and identify a possible cyberattack based on the process data.
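The per-scan monitoring described in the abstract, combined with the fusion and simulation steps recited in the claims, sketched as an added example (not code from the patent). The tank process, the tag names `pump_cmd`, `level` and `pump_running`, the fill rate and the tolerance are assumptions, and the sample data is constructed; the classification step is not covered.

```python
from bisect import bisect_right

FILL_RATE = 2.0   # assumed: level units gained per second while the pump runs
TOLERANCE = 0.5   # assumed: allowed gap between reported and simulated level

def fuse(fieldbus, behavioral):
    """As-of join: pair each fieldbus sample with the latest behavioral sample
    taken at or before it, yielding one synchronized time series."""
    times = [t_ms for t_ms, _ in behavioral]
    fused = []
    for t_ms, tags in fieldbus:
        i = bisect_right(times, t_ms) - 1
        if i >= 0:  # scans before the first behavioral sample cannot be paired
            fused.append((t_ms, {**tags, **behavioral[i][1]}))
    return fused

def monitor(fused):
    """Replay the fused series through a mass-balance model of the tank and
    list the scans where reported data disagrees with physical behaviour."""
    findings = []
    if not fused:
        return findings
    prev_t, sim_level = fused[0][0], fused[0][1]["level"]
    for t_ms, row in fused[1:]:
        sim_level += FILL_RATE * row["pump_running"] * (t_ms - prev_t) / 1000
        prev_t = t_ms
        if row["pump_cmd"] != row["pump_running"]:
            findings.append((t_ms, "command does not match observed behaviour"))
        if abs(row["level"] - sim_level) > TOLERANCE:
            findings.append((t_ms, "reported level deviates from simulation"))
    return findings

# Constructed data: fieldbus scans every 100 ms, behavioral feature every 250 ms.
# The pump runs throughout, but the reported level stops changing after 500 ms.
FIELDBUS = [(k * 100, {"pump_cmd": 1, "level": round(9.0 + 0.2 * min(k, 5), 1)})
            for k in range(11)]
BEHAVIORAL = [(k * 250, {"pump_running": 1}) for k in range(5)]

if __name__ == "__main__":
    for t_ms, reason in monitor(fuse(FIELDBUS, BEHAVIORAL)):
        print(f"{t_ms} ms: {reason}")
```

A deviation flagged this way says only that the reported data and the modelled process disagree; separating an attack from a malfunction is the job of the classification and contextualization steps in the claims.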
18 Claims
1. A system for threat detection in an industrial production environment, the system comprising:
- a programmable logic controller comprising;
  - a program with executable instructions that control one or more field devices using process data associated with the one or more field devices, the program comprising;
    - collecting physical byproduct data associated with the one or more field devices;
    - extracting behavioral information relevant to cyberattacks from the physical byproduct data;
    - collecting fieldbus sensor data;
    - fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
    - performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
    - applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
    - generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.

11. A method for cyberattack detection in an industrial production environment, the method comprising:
- operating, by the programmable logic controller, the one or more field devices using process data associated with the one or more field devices;
- collecting physical byproduct data associated with the one or more field devices;
- extracting behavioral information relevant to cyberattacks from the physical byproduct data;
- collecting fieldbus sensor data;
- fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
- performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
- applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
- generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.

18. An article of manufacture for intrusion detection in an industrial production environment, the article of manufacture comprising a non-transitory, tangible computer-readable medium holding computer-executable instructions for performing a process comprising:
- operating the one or more field devices using process data associated with the one or more field devices;
- collecting physical byproduct data associated with the one or more field devices;
- extracting behavioral information relevant to cyberattacks from the physical byproduct data;
- collecting fieldbus sensor data;
- fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
- performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
- applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
- generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.

Specification