CONTROL SYSTEM CYBER SECURITY

US 20140189860A1
Filed: 12/30/2012
Published: 07/03/2014
Est. Priority Date: 12/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising;

receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system;

determining a suspected portion of the received measurements;

monitoring the suspected portion of the received measurements over a particular time period; and

determining whether the suspected portion of the received measurements is associated with a cyber attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, methods, and systems for control system cybersecurity are described herein. One method includes receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system, determining a suspected portion of the received measurements, monitoring the suspected portion of the received measurements over a particular time period, and determining whether the suspected portion of the received measurements is associated with a cyber attack.

77 Citations

View as Search Results

20 Claims

1. A method, comprising;
- receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system;
  
  determining a suspected portion of the received measurements;
  
  monitoring the suspected portion of the received measurements over a particular time period; and
  
  determining whether the suspected portion of the received measurements is associated with a cyber attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the method includes determining whether the suspected portion of the received measurements is associated with a cyber attack based, at least in part, on historical cyber attack information.
  - 3. The method of claim 1, wherein the method includes determining whether the suspected portion of the received measurements is associated with a cyber attack based, at least in part, on historical measurements not indicative of a cyber attack.
  - 4. The method of claim 3, wherein the method includes receiving an indication, made by a user, of the historical measurements not indicative of a cyber attack.
  - 5. The method of claim 1, wherein the method includes:
    - determining a received measurement of the suspected portion of the received measurements exceeding a particular importance threshold; and
      
      providing a notification responsive to the received measurement of the suspected portion of the received measurements exceeding a particular threshold.
  - 6. The method of claim 1, wherein the control system is associated with an electric grid.

7. A non-transitory computer-readable medium having instructions stored thereon executable by a processor to:
- receive a set of data associated with a particular portion of an operation of a physical system;
  
  determine an expected set of data associated with the particular portion of the operation of the physical system using the received set of data; and
  
  provide a notification responsive to a difference between the expected set of data and the received set of data exceeding a particular threshold.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The computer-readable medium of claim 7, wherein the instructions include instructions executable to determine the expected set of data based, at least in part, on at least one additional portion of the operation of the physical system.
  - 9. The computer-readable medium of claim 7, wherein the instructions include instructions executable to:
    - conduct a simulated operation of the physical system using the received set of data;
      
      provide a notification responsive to a difference between the simulated operation and the operation exceeding a particular threshold.
  - 10. The computer-readable medium of claim 7, wherein the instructions include instructions executable to:
    - receive a first set of data from a first operation of the physical system;
      
      conduct a simulated second operation of the physical system using the first set of data;
      
      receive a second set of data from a second operation of the physical system; and
      
      provide a notification responsive to a difference between the simulated second operation and the second operation exceeding a particular threshold.
  - 11. The computer-readable medium of claim 7, wherein at least a portion of the set of data is received from a controller associated with a sensing and actuating device.

12. A control system, comprising:
- a plurality of sensing devices, each configured to;
  
  gather a respective first plurality of measurements from a physical system over a first time period; and
  
  gather a respective second plurality of measurements from the physical system over a second time period; and
  
  a computing device, configured to;
  
  receive the respective first plurality of measurements from each of the sensing devices;
  
  determine a respective predicted second plurality of measurements for each of the sensing devices based on the respective first plurality of measurements;
  
  receive the second plurality of measurements;
  
  compare the respective predicted second plurality of measurements with the received second plurality of measurements; and
  
  take an action associated with a determined cyber attack responsive to a difference between the respective predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The control system of claim 12, wherein the computing device is configured to provide a notification associated with the determined cyber attack.
  - 14. The control system of claim 12, wherein the computing device is configured to determine an attack vector associated with the determined cyber attack.
  - 15. The control system of claim 12, wherein the computing device is configured to determine the action based, at least in part, on a type of the determined cyber attack.
  - 16. The control system of claim 12, wherein the computing device is configured to determine a measurement falsely set by the cyber attack.
  - 17. The control system of claim 16, wherein the computing device is configured to correct the measurement falsely set by the cyber attack.
  - 18. The control system of claim 17, wherein the computing device is configured to conceal the correction of the measurement falsely set by the cyber attack.
  - 19. The control system of claim 12, wherein the control system is a distributed control system.
  - 20. The control system of claim 12, wherein the control system is a supervisory control and data acquisition system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Hull Roskos, Julie J.

Granted Patent

US 9,177,139 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G05B 2219/31246   Firewall

G05B 2219/31255   Verify communication parame...

G05B 23/0235   based on a comparison with ...

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

CONTROL SYSTEM CYBER SECURITY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTROL SYSTEM CYBER SECURITY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links