SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT
Abstract
The present invention relates to a system and methodology facilitating automation security in a network-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions as input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine whether security components are in place and/or in suitable working order. The security learning system monitors and learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.
20 Claims
1. A system for providing security on an industrial network, comprising:
a memory that stores computer-executable components; and
a processor, operatively coupled to the memory, that executes the computer-executable components, the computer-executable components comprising:
a learning component configured to determine a first pattern of data communication between an industrial controller and an industrial asset device based on monitoring of data exchanged between the industrial controller and the industrial asset device via an automation network during a training period; and
an analyzer component configured to determine a second pattern of data communication based on monitoring of the data exchanged between the industrial controller and the industrial asset device subsequent to the training period, and to generate a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined deviation threshold, wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
Dependent claims: 2-10.
11. A method for implementing industrial network security, comprising:
monitoring, by a system comprising a processor, first data exchange activity between an industrial controller and an industrial asset via a plant network during a training period;
determining, by the system based on the monitoring of the first data exchange activity, a first pattern of data communication between an industrial controller and an industrial asset device;
monitoring, by the system, second data exchange activity between the industrial controller and the industrial asset via the plant network subsequent to the training period;
determining, by the system based on the monitoring of the second data exchange activity, a second pattern of data communication between the industrial controller and the industrial asset device; and
in response to determining that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, generating a security output configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
Dependent claims: 12-17.
18. A non-transitory computer-readable medium having stored thereon instructions that, in response to execution, cause a security analysis system comprising a processor to perform operations, the operations comprising:
determining a first pattern of data communication between an industrial controller and an industrial asset based on monitoring of first data exchanged between the industrial controller and the industrial asset device via an industrial network during a training period;
determining a second pattern of data communication based on monitoring of second data exchanged between the industrial controller and the industrial asset device after the training period; and
generating a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
Dependent claims: 19-20.
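The learning-phase baseline and deviation alarm described in the abstract, and the learning component / analyzer component pair of claims 1, 11 and 18, reduced to a runnable sketch. This is an added example and not code from the patent or its assignee: the message fields, the Modbus-style function codes, the deviation metric (a rate-ratio term and a function-code mix term), the 0.5 threshold and the rule syntax of the security output are all assumptions made here, and the controller/asset traffic is constructed inline.

```python
"""Baseline-learning anomaly detector for one controller -> asset pair.

Added example; not code from the patent or its assignee. Record fields,
the deviation metric and the output rule format are assumptions made here.
"""
import math
from collections import Counter
from dataclasses import dataclass

CTRL, ASSET = "10.0.0.1", "10.0.0.20"   # constructed addresses


@dataclass(frozen=True)
class Msg:
    t: float   # seconds from capture start
    src: str   # industrial controller
    dst: str   # industrial asset device
    fc: int    # Modbus-style function code: 3 = read registers, 16 = write registers


@dataclass
class Pattern:
    rate: float       # messages per second for this controller -> asset pair
    fc_share: dict    # function code -> fraction of messages carrying it


def learn_pattern(msgs, duration):
    """Learning component: summarize traffic seen over `duration` seconds."""
    counts = Counter(m.fc for m in msgs)
    n = sum(counts.values())
    share = {fc: c / n for fc, c in counts.items()} if n else {}
    return Pattern(rate=n / duration, fc_share=share)


def deviation(baseline, observed):
    """Analyzer metric: the larger of a rate term and a function-code mix term.

    rate term = |log2(observed rate / baseline rate)|, so 2x and 0.5x both score 1.0;
    mix term  = total variation distance between the function-code shares, in [0, 1].
    A pair that goes silent, or a silent baseline, scores inf (handled, not crashed).
    """
    if baseline.rate <= 0 or observed.rate <= 0:
        return math.inf
    rate_term = abs(math.log2(observed.rate / baseline.rate))
    codes = set(baseline.fc_share) | set(observed.fc_share)
    mix_term = 0.5 * sum(abs(baseline.fc_share.get(fc, 0.0) - observed.fc_share.get(fc, 0.0))
                         for fc in codes)
    return max(rate_term, mix_term)


def analyze(baseline, msgs, duration, threshold):
    """Analyzer component: returns (score, security_output); output is None below threshold."""
    observed = learn_pattern(msgs, duration)
    score = deviation(baseline, observed)
    if score <= threshold:
        return score, None
    # Security output: rules that push the pair's traffic back toward the learned pattern.
    # The rule syntax is constructed for this example, not any real firewall's.
    rules = [f"rate-limit {CTRL} -> {ASSET} {baseline.rate:.2f} msg/s"]
    for fc, share in sorted(observed.fc_share.items()):
        if share > 2 * baseline.fc_share.get(fc, 0.0):   # new or over-represented code
            rules.append(f"deny {CTRL} -> {ASSET} fc {fc}")
    return score, {"pair": (CTRL, ASSET), "score": round(score, 3), "rules": rules}


def constructed_traffic(t0, seconds, write_every):
    """Constructed sample: one read per second plus one write every `write_every` seconds."""
    msgs = []
    for s in range(seconds):
        msgs.append(Msg(t0 + s, CTRL, ASSET, 3))
        if s % write_every == 0:
            msgs.append(Msg(t0 + s + 0.5, CTRL, ASSET, 16))
    return msgs


def run_demo(threshold=0.5):
    """Train on 60 s of normal polling, then score a normal window and a write-flood window."""
    baseline = learn_pattern(constructed_traffic(0, 60, write_every=10), 60)
    normal = analyze(baseline, constructed_traffic(60, 60, write_every=10), 60, threshold)
    flood = analyze(baseline, constructed_traffic(120, 60, write_every=1), 60, threshold)
    return baseline, normal, flood


if __name__ == "__main__":
    baseline, (s_ok, out_ok), (s_bad, out_bad) = run_demo()
    print(f"baseline: {baseline.rate:.2f} msg/s, fc mix {baseline.fc_share}")
    print(f"normal window: score {s_ok:.3f}, output {out_ok}")
    print(f"flood window:  score {s_bad:.3f}, output {out_bad}")
```

Two practitioner caveats the claims leave implicit: the training period must be known-clean, since anything present during learning (including an attacker already on the network) becomes the baseline, and a baseline is only meaningful per controller/asset pair, not per network. The silent-pair case is deliberately scored as infinite deviation, so a failed asset trips the analyzer just as a flood does; a real deployment would raise that as a distinct availability alarm rather than emit a blocking rule.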
Specification