Production process knowledge-based intrusion detection for industrial control systems

US 10,027,699 B2
Filed: 03/10/2016
Issued: 07/17/2018
Est. Priority Date: 03/10/2016
Status: Active Grant

First Claim

Patent Images

1. A system for threat detection in an industrial production environment, the system comprising:

a programmable logic controller comprising;

a program with executable instructions that control one or more field devices using process data associated with the one or more field devices, the program comprising;

collecting physical byproduct data associated with the one or more field devices;

extracting behavioral information relevant to cyberattacks from the physical byproduct data;

collecting fieldbus sensor data;

fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;

performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;

applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and

generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for threat detection in an industrial production environment comprises a programmable logic controller. This programmable logic controller includes a process image updated according to a scan cycle with process data associated with one or more field devices, a program configured to operate the one or more field devices using the process data, and one or more function blocks. These function blocks are configured to monitor the process data in the process image during each scan cycle, and identify a possible cyberattack based on the process data.

Citations

18 Claims

1. A system for threat detection in an industrial production environment, the system comprising:
- a programmable logic controller comprising;
  
  a program with executable instructions that control one or more field devices using process data associated with the one or more field devices, the program comprising;
  
  collecting physical byproduct data associated with the one or more field devices;
  
  extracting behavioral information relevant to cyberattacks from the physical byproduct data;
  
  collecting fieldbus sensor data;
  
  fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
  
  performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
  
  applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
  
  generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the program further comprises:
    - in response to the prediction, transmitting a message with information related to the possible cyberattack to one or more other field devices.
  - 3. The system of claim 2, further comprising:
    - a human-machine interface (HMI) configured to receive the message and display an alert indicative of the possible cyberattack.
  - 4. The system of claim 1, wherein the program further comprises:
    - identifying limits of physical variables used by the programmable logic controller in execution of the program;
      
      determining current values of the physical variables based on the process data;
      
      identifying the possible cyberattack if the current values of the physical variables exceed the limits of the physical variables.
  - 5. The system of claim 4, wherein the program further comprises:
    - maintaining a state model indicative of a current operational state of the programmable logic controller,wherein the limits of physical variables used by the programmable logic controller are based on the state model.
  - 6. The system of claim 5, wherein the state model is similar to the Organization of Machine Automation and Control'"'"'s Package Machine Language State Model.
  - 7. The system of claim 1, wherein the program further comprises:
    - over a plurality of scan cycles, monitoring a rate of change associated with a physical variable used by the programmable logic controller in execution of the program; and
      
      identifying the possible cyberattack if the rate of change exceeds an expected rate of change for the plurality of scan cycles.
  - 8. The system of claim 1, wherein the program further comprises:
    - over a plurality of scan cycles, monitoring a rate of change associated with a physical variable used by the programmable logic controller in execution of the program; and
      
      identifying, based on a reference curve, the possible cyberattack if the rate of change is less than an expected rate of change for the plurality of scan cycles.
  - 9. The system of claim 8, wherein the system comprises a simulation-based application used to generate the reference curve.
  - 10. The system of claim 1, wherein the one or more function blocks includes a correlation-based intrusion detection function block having intrusion detection functionality that comprises:
    - monitoring a first process information variable to yield a first variable history;
      
      monitoring a second process information variable to yield a second variable history;
      
      identifying the possible cyberattack based on a correlation between the first variable history and the second variable history.

11. A method for cyberattack detection in an industrial production environment, the method comprising:
- operating, by the programmable logic controller, the one or more field devices using process data associated with the one or more field devices;
  
  collecting physical byproduct data associated with the one or more field devices;
  
  extracting behavioral information relevant to cyberattacks from the physical byproduct data;
  
  collecting fieldbus sensor data;
  
  fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
  
  performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
  
  applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
  
  generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising:
    - identifying limits of physical variables used by the programmable logic controller in operating the one or more field devices;
      
      determining current values of the physical variables based on the process data; and
      
      identifying the possible cyberattack if the current values of the physical variables exceed the limits of the physical variables.
  - 13. The method of claim 11, wherein identification of the possible cyberattack comprises:
    - monitoring a rate of change associated with a physical variable used by the programmable logic controller in operating the one or more field devices;
      
      identifying the possible cyberattack if the rate of change deviates from an expected rate of change.
  - 14. The method of claim 11, wherein identification of the possible cyberattack comprises:
    - monitoring a first process information variable to yield a first variable history;
      
      monitoring a second process information variable to yield a second variable history;
      
      identifying the possible cyberattack based on a correlation between the first variable history and the second variable history.
  - 15. The method of claim 11, further comprising:
    - reducing production speed in response to the prediction of the possible cyberattack.
  - 16. The method of claim 11, further comprising:
    - responding to the prediction of the possible cyberattack by completing production of a current batch and thereafter stopping production.
  - 17. The method of claim 11, further comprising:
    - performing one or more operations to stop production immediately in response to the prediction of the possible cyberattack.

18. An article of manufacture for intrusion detection in an industrial production environment, the article of manufacture comprising a non-transitory, tangible computer-readable medium holding computer-executable instructions for performing a process comprising:
- operating the one or more field devices using process data associated with the one or more field devices;
  
  collecting physical byproduct data associated with the one or more field devices;
  
  extracting behavioral information relevant to cyberattacks from the physical byproduct data;
  
  collecting fieldbus sensor data;
  
  fusing the behavioral information and the fieldbus sensor data into a synchronized time series dataset;
  
  performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
  
  applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack distinguishable from a malfunction; and
  
  generating a prediction of a possible cyberattack by contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Wei, Dong, Pfleger de Aguiar, Leandro, Martinez Canedo, Arquimedes
Primary Examiner(s)
Brown, Anthony D
Assistant Examiner(s)
Corum, Jr., William A

Application Number

US15/066,289
Publication Number

US 20170264629A1
Time in Patent Office

859 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/058   Safety, monitoring

G05B 23/0232   based on qualitative trend ...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

Production process knowledge-based intrusion detection for industrial control systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Production process knowledge-based intrusion detection for industrial control systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links