
Method for mitigation of cyber attacks on industrial control systems

  • US 10,681,079 B2
  • Filed: 07/02/2018
  • Issued: 06/09/2020
  • Est. Priority Date: 08/20/2015
  • Status: Active Grant
First Claim

1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:

    polling specific fields of packet data, obtained from packets, at a fixed frequency, for a plurality of programmable logic controllers (PLCs), to establish network behavior;

    determining a protocol type from the specific packet data fields;

    deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications, including communications using a stateful protocol as the determined protocol type;

    generating a value based on the vector indicative of a network behavioral state;

    maintaining a network behavior state machine comprising a list of network states and transition counts in accordance with the stateful protocol, wherein the transition count is maintained in accordance to the value;

    determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;

    establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;

    determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and

    taking protective action according to whether the determined probability is below the established threshold.
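The state-machine steps of the claim (field vector, state value, transition counts, transition probability, threshold test) can be sketched as follows. This is an added illustration, not code from the patent or its assignee: it starts from already-polled field vectors, and the Modbus-style fields, the `UNSEEN` floor for transitions absent from the baseline, and the threshold value are assumptions.

```python
import hashlib
import math
from collections import defaultdict

UNSEEN = 1e-6  # assumption: floor probability for a transition absent from the baseline

def state_value(vector):
    """Collapse a field vector into one value naming a network behavioral state."""
    return hashlib.sha256(repr(tuple(vector)).encode()).hexdigest()[:12]

class BehaviorStateMachine:
    def __init__(self):
        # counts[a][b] = times state a was followed by state b during baselining
        self.counts = defaultdict(lambda: defaultdict(int))

    def learn(self, vectors):
        states = [state_value(v) for v in vectors]
        for a, b in zip(states, states[1:]):
            self.counts[a][b] += 1

    def transition_probability(self, a, b):
        row = self.counts.get(a, {})
        seen = row.get(b, 0)
        return seen / sum(row.values()) if seen else UNSEEN

    def sequence_log_probability(self, vectors):
        states = [state_value(v) for v in vectors]
        return sum(math.log(self.transition_probability(a, b))
                   for a, b in zip(states, states[1:]))

    def is_anomalous(self, vectors, log_threshold):
        return self.sequence_log_probability(vectors) < log_threshold

# Constructed sample data: (protocol, function code, unit id) per poll tick.
READ_REGS_1, READ_COILS_1 = ("modbus", 3, 1), ("modbus", 1, 1)
READ_REGS_2, READ_COILS_2 = ("modbus", 3, 2), ("modbus", 1, 2)
WRITE_REG_1 = ("modbus", 6, 1)  # never present in the baseline
CYCLE = [READ_REGS_1, READ_COILS_1, READ_REGS_2, READ_COILS_2]
# Nine full cycles, then one that skips the last read, repeated five times.
BASELINE = (CYCLE * 9 + CYCLE[:3]) * 5
LOG_THRESHOLD = math.log(0.01)  # assumption: operator-chosen threshold

def build_model():
    model = BehaviorStateMachine()
    model.learn(BASELINE)
    return model

if __name__ == "__main__":
    m = build_model()
    for name, window in [("normal", CYCLE + CYCLE[:1]),
                         ("rare", CYCLE[:3] + CYCLE[:2]),
                         ("unseen write", [READ_REGS_1, WRITE_REG_1, READ_REGS_2])]:
        print(name, round(m.sequence_log_probability(window), 2),
              m.is_anomalous(window, LOG_THRESHOLD))
```

Log-probabilities are summed rather than multiplying raw probabilities so that long windows do not underflow; the threshold is compared in the same log domain.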
