Threat detection for a fleet of industrial assets
Abstract
A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.
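The fleet-level check the abstract describes can be sketched as follows. This is an added illustration, not code from the patent or its assignee. The report shape, the aggregation (per-dimension mean plus the fraction of assets reporting abnormal), the linear boundary and the `threshold_delta` response field are all assumptions, and the sample reports are constructed.

```python
from dataclasses import dataclass
from statistics import fmean

@dataclass
class AssetReport:        # hypothetical message shape, not defined by the patent
    asset_id: str
    features: list        # the asset's current feature vector
    abnormal: bool        # the asset's own normal/abnormal status indication

def fleet_vector(reports):
    """Assumed aggregation: per-dimension mean plus fraction of abnormal assets."""
    if not reports:
        raise ValueError("no asset reports received")
    if len({len(r.features) for r in reports}) != 1:
        raise ValueError("asset feature vectors differ in length")
    means = [fmean(col) for col in zip(*(r.features for r in reports))]
    return means + [sum(r.abnormal for r in reports) / len(reports)]

def evaluate_fleet(reports, weights, bias, delta=0.1):
    """Assumed linear fleet-wide boundary: score > 0 means abnormal operation."""
    x = fleet_vector(reports)
    if len(weights) != len(x):
        raise ValueError("boundary does not match fleet vector length")
    score = sum(w * v for w, v in zip(weights, x)) + bias
    responses = []
    if score > 0:
        # Response: send every asset an adjustment to its own decision boundary.
        responses = [{"asset_id": r.asset_id,
                      "action": "adjust_decision_boundary",
                      "threshold_delta": -delta} for r in reports]
    return {"fleet_vector": x, "score": score,
            "abnormal": score > 0, "responses": responses}

# Constructed sample data: four assets, two features each.
WEIGHTS, BIAS = [1.0, 1.0, 4.0], -3.0
BASELINE = [AssetReport("A", [0.5, 1.0], False), AssetReport("B", [0.75, 1.25], False),
            AssetReport("C", [0.5, 0.75], False), AssetReport("D", [0.25, 1.0], False)]
# Two assets still report normal locally, yet the fleet as a whole has shifted.
DRIFT = [AssetReport("A", [1.0, 1.5], False), AssetReport("B", [1.25, 1.75], True),
         AssetReport("C", [1.0, 1.25], False), AssetReport("D", [0.75, 1.5], True)]

if __name__ == "__main__":
    for name, reports in (("baseline", BASELINE), ("drift", DRIFT)):
        out = evaluate_fleet(reports, WEIGHTS, BIAS)
        print(name, out["fleet_vector"], out["score"], len(out["responses"]))
```

In the constructed drift case, assets A and C pass their local check while the fleet-wide vector crosses the boundary, which is the situation the fleet-level comparison exists to catch.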
20 Claims
1. A system to protect a fleet of industrial assets, comprising:
- a communication port to exchange information with a plurality of remote industrial assets comprising the fleet of industrial assets, wherein each remote industrial asset is geographically remote from at least one other industrial asset and includes a set of monitoring nodes; and
- an industrial fleet protection system coupled to the communication port and including a computer processor to:
  (i) receive information from each of the plurality of remote industrial assets, the information from each industrial asset including at least a current feature vector generated based on information from monitoring nodes of that industrial asset and a normal/abnormal status indication for that industrial asset,
  (ii) calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector,
  (iii) compare the current fleet-wide operation feature vector with a fleet-wide decision boundary, the fleet-wide decision boundary separating normal operation of the fleet of industrial assets from abnormal operation of the fleet of industrial assets, and
  (iv) automatically transmit a response when a result of the comparison indicates abnormal operation of the fleet of industrial assets, the response including a transmittal, from the industrial fleet protection system to at least one of the industrial assets, an adjustment to an industrial asset decision boundary.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A system to protect an industrial asset that is a member of a fleet of industrial assets, wherein each industrial asset is geographically remote from at least one other industrial asset, comprising:
- a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset;
- an abnormal space data source storing, for each of the plurality of monitoring nodes, a series of abnormal monitoring node values over time that represent an abnormal operation of the industrial asset;
- an abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to:
  (i) receive the series of normal monitoring node values and generate a set of normal feature vectors,
  (ii) receive the series of abnormal monitoring node values and generate a set of abnormal state feature vectors,
  (iii) automatically calculate a decision boundary for an abnormal state detection model based on the set of normal feature vectors and the set of threatened feature vectors, the decision boundary separating normal operation of the industrial asset from abnormal operation of the industrial asset, and
  (iv) automatically adjust the decision boundary based on information received from a remote industrial fleet protection system;
- a plurality of real-time monitoring node signal inputs to receive streams of monitoring node signal values over time that represent a current operation of the industrial asset; and
- a threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs and the threat detection model creation computer, to:
  (i) receive the streams of monitoring node signal values,
  (ii) for each stream of monitoring node signal values, generate a current monitoring node feature vector,
  (iii) select an appropriate decision boundary for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node,
  (iv) compare each generated current monitoring node feature vector with the selected corresponding appropriate decision boundary, and
  (v) automatically transmit at least one current monitoring node feature vector and normal/abnormal status indication to the industrial fleet protection system based on results of said comparisons.
Dependent claims: 14, 15, 16, 17
18. A computerized method to protect a fleet of industrial assets, comprising:
- receiving, at a cloud-based industrial fleet protection system, information from each of a plurality of remote industrial assets comprising the fleet of industrial assets, wherein each remote industrial asset is geographically remote from at least one other industrial asset and includes a set of monitoring nodes, the information from each industrial asset including at least a current feature vector generated based on information from monitoring nodes of that industrial asset and a normal/abnormal status indication for that industrial asset;
- calculating, based on information received from multiple industrial assets, a current fleet-wide operation feature vector;
- comparing the current fleet-wide operation feature vector with a fleet-wide decision boundary, the fleet-wide decision boundary separating normal operation of the fleet of industrial assets from abnormal operation of the fleet of industrial assets; and
- automatically transmitting a response when a result of the comparison indicates abnormal operation of the fleet of industrial assets, the response including a transmittal, from the industrial fleet protection system to at least one of the industrial assets, an adjustment to an industrial asset decision boundary.
Dependent claims: 19, 20
Specification