Overlay cyber security networked system and method
First Claim
1. An overlay cyber security method comprising:
providing an overlay secure network comprising a communication channel associated with a Process Control Network (PCN);
associating, with each component of the Process Control Network (PCN), identification information that generates an identity for each component, the identity permitting timestamp information to be associated with one or more physical-level signals received or output by the component;
receiving, by at least one security device via the communication channel of the overlay security network, physical-level signals received or output by a component of the Process Control Network (PCN);
receiving, by the at least one security device and using the communication channel, at least one physical-level signal received by a controller of the component or at least one network-level signal output by the controller of the component;
obtaining, by the at least one security device, derived state information associated with the component via a network, the derived state information including the timestamp information associated with the one or more physical-level signals received or output by the component;
obtaining, by the at least one security device, stored historical state information associated with the component from a computer-readable historian device, the historical state information including stored timestamp information;
determining, by the at least one security device, occurrence of an unexpected state associated with the component based on a vertical consistency comparison of the physical-level signals received or output by the component and one of the derived state information or the historical state information, and based on a horizontal state estimation consistency comparison of a plurality of said physical-level signals including the physical-level signals received or output by the component and physical-level signals received or output by other components at a same level as the component in the Process Control Network (PCN);
capturing and storing information associated with the unexpected state using an event message, the captured and stored information including the identification information associated with the component of the PCN and a unique identifier associated with the security device;
transforming the event message into a formatted message; and
outputting the formatted message via an interface to a forensic analysis system.
Abstract
An overlay cyber security networked system and method that includes one or more devices configured to monitor physical-level signal information to determine a cyber security threat or breach event based on activity occurring in the physical signals present at one or more components of a Process Control Network (PCN), enabling forensic analysis. The overlay cyber security networked system also provides the information needed for real-time incident management by capturing logs of relevant events at various points in the network hierarchy, starting at the analog signaling from the sensors, to detect unauthorized variances in operational parameters, thereby providing a defense-in-depth security architecture for PCN-based systems.
28 Claims
1. Independent method claim (text as set out under First Claim above); dependent claims 2-14.
15. An overlay cyber security networked system comprising:
at least one security device, the security device including a first interface to a forensic analysis system via a communication channel associated with a Process Control Network (PCN), each component of the Process Control Network (PCN) having associated identification information that generates an identity for each component, the identity permitting timestamp information to be associated with one or more physical-level signals received or output by the component;
one or more physical signal interfaces for receiving, by the at least one security device via the communication channel, at least one physical-level signal received or output by a component of the Process Control Network (PCN);
one or more physical signal interfaces for receiving, by the at least one security device via the communication channel, at least one physical-level signal received by a controller of the component or at least one network-level signal output by the controller of the component;
a second interface for receiving derived state information associated with the component, the derived state information including the timestamp information associated with the one or more physical-level signals received or output by the component; and
a third interface to a computer-readable historian device associated with the Process Control Network (PCN) for receiving historical state information, the historical state information including stored timestamp information,
wherein the security device is configured to:
determine occurrence of an unexpected state associated with the component based on a vertical consistency comparison of the physical-level signals received or output by the component and one of the derived state information or historical state information, and based on a horizontal state estimation consistency comparison of a plurality of the physical-level signals including the physical-level signals received or output by the component and physical-level signals received or output by other components at a same level as the component in the Process Control Network (PCN);
capture and store information associated with the unexpected state using an event message, the captured and stored information including the identification information associated with the component of the PCN and a unique identifier associated with the security device;
transform the event message into a formatted message; and
output the formatted message to the forensic analysis system via the first interface.
Dependent claims: 16-28.
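The detection step that claims 1 and 15 both describe, worked through as an added example; this is not code from the patent or its assignee. It models one security device tapping the physical-level signal of several transmitters at the same PCN level, comparing each signal vertically against the controller's derived state and the historian's stored value, and horizontally against a state estimate formed from the peer transmitters, then capturing an event message carrying the component identity and the security device identifier and transforming it into a formatted message for the forensic system. The component names, tolerances, the median-of-peers estimator used as the "state estimation", and the JSON output format are all assumptions; the sample observations are constructed. The two samples show why the vertical and horizontal checks complement each other: a controller reporting a derived state that no longer matches the analog signal is caught only vertically, while a deviating physical signal is caught by both.

```python
"""Toy model of the overlay security device's consistency checks.

Added example, not the patent's code. Component ids, thresholds, the peer
estimator and the output format are assumptions made for illustration.
"""
import json
import statistics
from dataclasses import dataclass

SECURITY_DEVICE_ID = "OSD-01"   # assumed unique identifier of the security device
VERTICAL_TOL = 2.0              # assumed tolerance, engineering units
HORIZONTAL_TOL = 3.0            # assumed residual threshold against the peer estimate


@dataclass
class Observation:
    """What the security device sees for one PCN component at one instant."""
    component_id: str    # identity associated with the component
    ts: int              # timestamp tied to the physical-level signal
    physical: float      # analog value tapped at the component itself
    derived: float       # state the controller reports over the network
    historical: float    # last value the historian stored for the component


def vertical_check(obs: Observation) -> list[str]:
    """Vertical consistency: physical signal vs. derived state and vs. historian state."""
    faults = []
    if abs(obs.physical - obs.derived) > VERTICAL_TOL:
        faults.append("physical_vs_derived")
    if abs(obs.physical - obs.historical) > VERTICAL_TOL:
        faults.append("physical_vs_historian")
    return faults


def horizontal_check(obs: Observation, peers: list[Observation]) -> list[str]:
    """Horizontal state estimation: estimate this component's value from the physical
    signals of peers at the same PCN level and flag a large residual. The median of
    at least three peers tolerates one bad peer (assumed estimator)."""
    if len(peers) < 3:
        return []
    estimate = statistics.median(p.physical for p in peers)
    if abs(obs.physical - estimate) > HORIZONTAL_TOL:
        return ["physical_vs_peer_estimate"]
    return []


def detect_unexpected_state(obs: Observation, peers: list[Observation]):
    """Return an event message (dict) if the state is unexpected, else None.
    The message carries the component identity and the security device id."""
    faults = vertical_check(obs) + horizontal_check(obs, peers)
    if not faults:
        return None
    return {
        "event": "unexpected_state",
        "component_id": obs.component_id,
        "security_device_id": SECURITY_DEVICE_ID,
        "timestamp": obs.ts,
        "physical": obs.physical,
        "derived": obs.derived,
        "historical": obs.historical,
        "checks_failed": faults,
    }


def detect_level(observations: list[Observation]) -> list[dict]:
    """Run both checks for every component at one level; peers are the other components."""
    events = []
    for obs in observations:
        peers = [p for p in observations if p.component_id != obs.component_id]
        ev = detect_unexpected_state(obs, peers)
        if ev is not None:
            events.append(ev)
    return events


def format_event(event: dict) -> str:
    """Transform the event message into the formatted message for the forensic
    analysis system (one JSON object per line, an assumed format)."""
    return json.dumps(event, sort_keys=True)


# Constructed sample 1: four pressure transmitters at one level. PT-102's analog
# signal agrees with its peers, but its controller reports a very different state.
SAMPLE_NETWORK_MISMATCH = [
    Observation("PT-101", 1700000000, 50.4, 50.5, 50.3),
    Observation("PT-102", 1700000000, 50.6, 30.2, 50.4),
    Observation("PT-103", 1700000000, 50.6, 50.7, 50.5),
    Observation("PT-104", 1700000000, 50.5, 50.5, 50.4),
]

# Constructed sample 2: PT-102's analog signal itself deviates from the controller,
# the historian and its peers.
SAMPLE_SIGNAL_DEVIATION = [
    Observation("PT-101", 1700000060, 50.4, 50.5, 50.3),
    Observation("PT-102", 1700000060, 58.9, 50.6, 50.4),
    Observation("PT-103", 1700000060, 50.6, 50.7, 50.5),
    Observation("PT-104", 1700000060, 50.5, 50.5, 50.4),
]

if __name__ == "__main__":
    for sample in (SAMPLE_NETWORK_MISMATCH, SAMPLE_SIGNAL_DEVIATION):
        for ev in detect_level(sample):
            print(format_event(ev))
```

Running the module prints one formatted event per sample, both for PT-102: in the first only `physical_vs_derived` fails, in the second all three checks fail. Requiring at least three peers before trusting the horizontal estimate keeps a single deviating transmitter from dragging a two-peer median onto its healthy neighbours.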