Telemetry analysis system for physical process anomaly detection
First Claim
1. A security system for detecting a security anomaly associated with a physical process within an industrial control system (ICS) comprising:
an industrial control network including a plurality of endpoint devices, and at least one programmable logic controller that communicates with the endpoint devices through the industrial control network, the endpoint devices producing telemetry data and transmitting the telemetry data on the industrial control network; and
a telemetry analytics engine server configured to:
receive the telemetry data from the endpoint devices and cluster the telemetry data into logical endpoint device groupings according to a location of each logical endpoint device in the industrial control network, each grouping representing a sub network of the industrial control network that corresponds to a different separate section of the industrial control network, and receive security data from at least one external data source, the security data being based on one or more of device log data, network log data, or security alert data;
the telemetry analytics engine server further comprising:
an anomaly detection processor configured to analyze the clustered telemetry data to detect anomalies that indicate a potential security compromise;
a root cause analysis processor configured to execute a correlation process between the security data received from the at least one external data source, and data that is output from the anomaly detection processor;
the telemetry analytics engine server identifying the root cause of the potential security compromise with respect to the industrial control system and providing an anomaly alert to a human machine interface (HMI).
Abstract
Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.
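The pipeline the claim and abstract describe, as an added worked example that is not code from the patent or from any product it covers: telemetry from endpoint devices is clustered by its location (sub network) in the industrial control network, each cluster is scanned for readings that deviate from same-section peers, and each anomaly is correlated with external security data (device logs, network logs, security alerts) to name a probable root cause before an alert is built for the HMI. The claim fixes no particular algorithm, so the median/MAD scoring, the 3.5 threshold, the 600 s correlation window and the device-before-subnet ranking are assumptions made here; every device name, subnet, tag and log line is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Telemetry:
    ts: int        # seconds since epoch (constructed)
    device: str    # endpoint device id
    subnet: str    # location of the device in the industrial control network
    tag: str       # process variable
    value: float

@dataclass(frozen=True)
class SecurityEvent:
    ts: int
    device: str
    source: str    # "device_log", "network_log" or "security_alert"
    text: str

@dataclass(frozen=True)
class Anomaly:
    record: Telemetry
    score: float   # robust z-score against same-tag peers in the same sub network

# Constructed window: section A reports pressure, section B tank level;
# s-b5 in section B is far from its peers.
TELEMETRY = [
    Telemetry(1800, "s-a1", "10.1.1.0/24", "pressure_bar", 4.9),
    Telemetry(1800, "s-a2", "10.1.1.0/24", "pressure_bar", 5.1),
    Telemetry(1800, "s-a3", "10.1.1.0/24", "pressure_bar", 5.0),
    Telemetry(1800, "s-a4", "10.1.1.0/24", "pressure_bar", 5.2),
    Telemetry(1800, "s-b1", "10.1.2.0/24", "tank_level_pct", 61.0),
    Telemetry(1800, "s-b2", "10.1.2.0/24", "tank_level_pct", 59.5),
    Telemetry(1800, "s-b3", "10.1.2.0/24", "tank_level_pct", 60.5),
    Telemetry(1800, "s-b4", "10.1.2.0/24", "tank_level_pct", 60.0),
    Telemetry(1800, "s-b5", "10.1.2.0/24", "tank_level_pct", 95.0),
]

# Constructed external security data: only the first two fall inside the
# correlation window and concern the anomalous device or its section.
SECURITY_DATA = [
    SecurityEvent(1500, "s-b5", "device_log", "setpoint written by ws-07"),
    SecurityEvent(1520, "s-b3", "network_log", "new session 10.1.2.250 -> s-b3:502"),
    SecurityEvent(200, "s-a2", "security_alert", "signature update completed"),
    SecurityEvent(1790, "s-a1", "device_log", "config reload"),
]

def cluster_by_location(records):
    """Logical endpoint groupings: one cluster per sub network."""
    groups = defaultdict(list)
    for r in records:
        groups[r.subnet].append(r)
    return dict(groups)

def detect_anomalies(groups, threshold=3.5):
    """Flag readings far from same-tag peers in the same section.
    Median/MAD is used so the outlier cannot drag its own baseline."""
    anomalies = []
    for recs in groups.values():
        by_tag = defaultdict(list)
        for r in recs:
            by_tag[r.tag].append(r)
        for rs in by_tag.values():
            med = median([r.value for r in rs])
            mad = median([abs(r.value - med) for r in rs])
            if mad == 0:   # peers show no spread: no baseline, skip this window
                continue
            for r in rs:
                score = 0.6745 * (r.value - med) / mad
                if abs(score) >= threshold:
                    anomalies.append(Anomaly(r, score))
    return anomalies

def correlate(anomalies, security_data, device_subnet, window_s=600):
    """Root cause analysis: join each anomaly with security events from the
    same device (ranked first) or the same sub network (ranked after) that
    occurred within window_s seconds before the anomalous reading."""
    linked = []
    for a in anomalies:
        cands = []
        for ev in security_data:
            if not (a.record.ts - window_s <= ev.ts <= a.record.ts):
                continue
            if ev.device == a.record.device:
                cands.append((0, ev))
            elif device_subnet.get(ev.device) == a.record.subnet:
                cands.append((1, ev))
        cands.sort(key=lambda c: (c[0], c[1].ts))
        linked.append((a, [ev for _, ev in cands]))
    return linked

def build_hmi_alerts(linked):
    """One alert per anomaly, naming the best-supported root cause."""
    alerts = []
    for a, events in linked:
        if events:
            e = events[0]
            cause = f"{e.source} on {e.device} at {e.ts}: {e.text}"
        else:
            cause = "no correlated security data; treat as process-level compromise"
        alerts.append({"subnet": a.record.subnet, "device": a.record.device,
                       "tag": a.record.tag, "value": a.record.value,
                       "score": round(a.score, 2), "root_cause": cause,
                       "supporting_events": len(events)})
    return alerts

def run_pipeline(telemetry=TELEMETRY, security_data=SECURITY_DATA):
    groups = cluster_by_location(telemetry)
    device_subnet = {r.device: r.subnet for r in telemetry}
    anomalies = detect_anomalies(groups)
    return build_hmi_alerts(correlate(anomalies, security_data, device_subnet))
```

Running `run_pipeline()` on the constructed window yields a single alert for s-b5 backed by two events, with the device-log write ranked as the root cause ahead of the network session seen elsewhere in the same section. Two behaviours matter in practice: a section whose peers all report the same value gives no spread and is skipped rather than flagged, and an anomaly with no security data in its window is still alerted, which is the abstract's point that a process-level deviation can be the only trace of a compromise that logs and packet inspection miss.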
13 Claims (claim 1 independent; claims 2 to 13 dependent)
Specification