Overlay cyber security networked system and method

US 10,250,619 B1
Filed: 05/13/2016
Issued: 04/02/2019
Est. Priority Date: 06/17/2015
Status: Active Grant

First Claim

Patent Images

1. An overlay cyber security method comprising:

providing an overlay secure network comprising a communication channel associated with a Process Control Network (PCN);

associating, with each component of the Process Control Network (PCN), identification information that generates an identity for each component, the identity permitting timestamp information to be associated with one or more physical-level signals received or output by the component;

receiving, by at least one security device via the communication channel of the overlay security network, physical-level signals received or output by a component of the Process Control Network (PCN);

receiving, by the at least one security device and using the communication channel, at least one physical-level signal received by a controller of the component or at least one network-level signal output by the controller of the component;

obtaining, by the at least one security device, derived state information associated with the component via a network, the derived state information including the timestamp information associated with the one or more physical-level signals received or output by the component;

obtaining, by the at least one security device, stored historical state information associated with the component from a computer-readable historian device, the historical state information including stored timestamp information;

determining, by the at least one security device, occurrence of an unexpected state associated with the component based on a vertical consistency comparison of the physical level signals received or outputted by the component and one of the derived state information and said or the historical state information, and based on a horizontal state estimation consistency comparison of a plurality of said physical-level signals including the physical level signals received or outputted by the component and physical level signals received or outputted by other components at a same level as the component in the Process Control Network (PCN);

capturing and storing information associated with the unexpected state using an event message, the captured and stored information including the identification information associated with the component of the PCN and a unique identifier associated with the security device;

transforming the event message into a formatted message; and

outputting the formatted message via an interface to a forensic analysis system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An overlay cyber security networked system and method that includes one or more devices configured to monitor physical-level signal information to determine a cyber security threat or breach event based on activity occurring with physical signals present at one or more components of a Process Control Network (PCN), enabling forensic analysis. The overlay cyber security networked system also provides information needed for real-time incident management by capturing logs of relevant events at various points in the network hierarchy starting at the analog signaling from the sensors to detect unauthorized variances in operational parameters, thereby providing a defense in depth security architecture for PCN-based systems.

Citations

28 Claims

1. An overlay cyber security method comprising:
- providing an overlay secure network comprising a communication channel associated with a Process Control Network (PCN);
  
  associating, with each component of the Process Control Network (PCN), identification information that generates an identity for each component, the identity permitting timestamp information to be associated with one or more physical-level signals received or output by the component;
  
  receiving, by at least one security device via the communication channel of the overlay security network, physical-level signals received or output by a component of the Process Control Network (PCN);
  
  receiving, by the at least one security device and using the communication channel, at least one physical-level signal received by a controller of the component or at least one network-level signal output by the controller of the component;
  
  obtaining, by the at least one security device, derived state information associated with the component via a network, the derived state information including the timestamp information associated with the one or more physical-level signals received or output by the component;
  
  obtaining, by the at least one security device, stored historical state information associated with the component from a computer-readable historian device, the historical state information including stored timestamp information;
  
  determining, by the at least one security device, occurrence of an unexpected state associated with the component based on a vertical consistency comparison of the physical level signals received or outputted by the component and one of the derived state information and said or the historical state information, and based on a horizontal state estimation consistency comparison of a plurality of said physical-level signals including the physical level signals received or outputted by the component and physical level signals received or outputted by other components at a same level as the component in the Process Control Network (PCN);
  
  capturing and storing information associated with the unexpected state using an event message, the captured and stored information including the identification information associated with the component of the PCN and a unique identifier associated with the security device;
  
  transforming the event message into a formatted message; and
  
  outputting the formatted message via an interface to a forensic analysis system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The overlay cyber security method according to claim 1, wherein the physical-level signal includes an electrical current between 4 mA and 20 mA, or between −
    - 10 mA and +10 mA.
  - 3. The overlay cyber security method according to claim 1, wherein the physical-level signal includes a binary signal having a first state associated with a 24 VDC level and a second state associated with a 0 VDC level.
  - 4. The overlay cyber security method according to claim 1, wherein the communication channel is an out-of-band communication channel that is independent from the Process Control Network (PCN).
  - 5. The overlay cyber security method according to claim 1, further comprising:
    - receiving, by at least one control device, the physical-level signals from each of the at least one security device, the at least one control device being operatively coupled with one or more of the at least one security device via a network and arranged to form a cyber protection network associated with a protected physical system.
  - 6. The overlay cyber security method according to claim 5, wherein the network includes a Transport Control Protocol/Internet Protocol (TCP/IP) communication channel.
  - 7. The overlay cyber security method according to claim 5, further comprising encrypting information carried by the network.
  - 8. The overlay cyber security method according to claim 5, wherein the control device is configured to calculate and indicate one or more response options via a user interface.
  - 9. The overlay cyber security method according to claim 1, wherein the component is a field component which sends an indication of a physical characteristic associated with the component.
  - 10. The overlay cyber security method according to claim 1, further comprising issuing commands by the at least one security device to the component to restore a desired state.
  - 11. The overlay cyber security method according to claim 5, wherein the control device is collocated with the controller that controls the component.
  - 12. The overlay cyber security method according to claim 1, wherein the vertical consistency comparison includes a determination of a negative correlation of an absence of a change in one of the derived state information and the historical state information with a change in state of a physical signal state change at the component or the controller.
  - 13. The overlay cyber security method according to claim 1, wherein the vertical consistency comparison includes a determination of a positive correlation of one of the derived state information and the historical state information being consistent with a change in state of a physical signal state change at the component or the controller.
  - 14. The overlay cyber security method according to claim 1, wherein the vertical consistency comparison includes a correlation in time of the state change of the physical signal associated with the component, or with the controller of the component, based on timestamp information of one of the derived state information and the historical state information, to provide a determination of the entity or person who authorized or caused the physical signal state or state change to occur.

15. An overlay cyber security networked system comprising:
- at least one security device, the security device including a first interface to a forensic analysis system via a communication channel associated with a Process Control Network (PCN), each component of the Process Control Network (PCN) having associated identification information that generates an identity for each component, the identity permitting timestamp information to be associated with one or more physical-level signals received or output by the component;
  
  one or more physical signal interfaces for receiving, by the at least one security device via the communication channel, at least one physical-level signal received or output by a component of the Process Control Network (PCN);
  
  one or more physical signal interfaces for receiving, by the at least one security device via the communication channel, at least one physical-level signal received by a controller of the component or at least one network-level signal output by the controller of the component;
  
  a second interface for receiving derived state information associated with the component, the derived state information including the timestamp information associated with the one or more physical-level signals received or output by the component; and
  
  a third interface to a computer-readable historian device associated with the Process Control Network (PCN) for receiving historical state information, the historical state information including stored timestamp information,wherein the security device is configured to;
  
  determine occurrence of an unexpected state associated with the component based on a vertical consistency comparison of the physical level signals received or outputted by the component and one of the derived state information or historical state information, and based on a horizontal state estimation consistency comparison of a plurality of the physical-level signals including the physical level signals received or outputted by the component and physical level signals received or outputted by other components at a same level as the component in the Process Control Network (PCN);
  
  capture and store information associated with the unexpected state using an event message, the captured and stored information including the identification information associated with the component of the PCN and a unique identifier associated with the security device;
  
  transform the event message into a formatted message; and
  
  output the formatted message to the forensic analysis system via the first interface.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The overlay cyber security networked system according to claim 15, wherein the physical level signal comprises an electrical current between 4 mA and 20 mA, or between −
    - 10 mA and +10 mA.
  - 17. The overlay cyber security networked system according to claim 15, wherein the physical-level signal comprises a binary signal having a first state associated with a 24 VDC level and a second state associated with a 0 VDC level.
  - 18. The overlay cyber security networked system according to claim 15, wherein the communication channel is an out-of-band communication channel that is independent from the Process Control Network (PCN).
  - 19. The overlay cyber security networked system according to claim 15, further comprising:
    - at least one control device operably coupled to the security device via a network and arranged to form a cyber protection network associated with a protected physical system.
  - 20. The overlay cyber security networked system according to claim 19, wherein the network comprises a Transport Control Protocol/Internet Protocol (TCP/IP) communication channel.
  - 21. The overlay cyber security networked system according to claim 19, wherein information carried by the network is encrypted.
  - 22. The overlay cyber security networked system according to claim 19, wherein the control device is configured to calculate and indicate one or more response options via a user interface.
  - 23. The overlay cyber security networked system according to claim 15, wherein the component is a field component that sends an indication of a physical characteristic associated with the component.
  - 24. The overlay cyber security networked system according to claim 15, wherein the at least one security device is further configured to issue commands to the component to restore a desired state.
  - 25. The overlay cyber security networked system according to claim 19, wherein the control device is collocated with the controller that controls the component.
  - 26. The overlay cyber security networked system according to claim 15, wherein the vertical consistency comparison includes a determination of a negative correlation of an absence of a change in one of the derived state information and the historical state information with a change in state of a physical signal state change at the component or the controller.
  - 27. The overlay cyber security networked system according to claim 15, wherein the vertical consistency comparison includes a determination of a positive correlation of one of the derived state information and the historical state information being consistent with a change in state of a physical signal state change at the component or the controller.
  - 28. The overlay cyber security networked system according to claim 15, wherein the vertical consistency comparison includes a correlation in time of the state change of the physical signal associated with the component, or with the controller of the component, based on timestamp information of one of the derived state information and the historical state information, to provide a determination of the entity or person who authorized or caused the physical signal state or state change to occur.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mission Secure, Inc.
Original Assignee
Mission Secure, Inc.
Inventors
Park, Daniel D., Baggett, John Mark, Suhler, Edward C., Jones, Rick A., Huband, Gary W., Robertson, Paul D., Weber, Dean
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Callahan, Paul E

Application Number

US15/154,469
Time in Patent Office

1,054 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 2221/2151   Time stamp

H04L 2463/146   Tracing the source of attacks

H04L 63/0428   wherein the data content is...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/16   Implementing security featu...

H04L 63/18   using different networks or...

Overlay cyber security networked system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Overlay cyber security networked system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links