Systems, Methods, and Devices for Detecting Anomalies in an Industrial Control System
First Claim
1. A control system protection mechanism that detects unauthorized interference with an industrial control system controlling an industrial system, comprising:
- a programmable anomaly detection module connected to sensors to receive sensor data, the sensor data representing a configuration of the industrial system;
- the programmable anomaly detection module also being connected to control outputs of the industrial control system and to receive control output data, the control output data commanding functions of the industrial system;
- the anomaly detection module having a processor and a data store with executable instructions to cause the processor to generate error commands responsively to a network model, on a data store of the anomaly detection module, that distinguishes non-anomalous attribute combination in an attribute space defined by all possible values of the control output data and sensor data;
- the error commands including at least one command applied to the industrial control system effective to cause the industrial control system to take a corrective or protective action when the network model indicates that a current combination of sensor data and control output data lies outside the non-anomalous combination;
- wherein the industrial system has one or more production operating modes and one or more non-production operating modes, the latter corresponding to testing, maintenance, startup, or shutdown, non-anomalous combinations include conditions during non-production operating modes, the network model being generated by training the network model using unlabeled data obtained by operating the industrial system during production modes and receiving the attending sensor data and control output data of the industrial system during non-anomalous operation or by selecting the attending sensor data and control output data corresponding to non-anomalous operation;
- the industrial control system being signally connected to the anomaly detection module to receive said at least one of said error commands;
- an alarm output device connected to the anomaly detection module to receive at least another of said error commands and to generate an alarm notification receivable by one or more operators responsively thereto;
- said alarm output device or said anomaly detection module being configured to detect a loss of connection between said alarm output device and said anomaly detection module and to generate an alarm notification upon said loss of connection.
Abstract
A method of detecting anomalies in an industrial control system includes analyzing data of correct operational parameters from at least one input device and storing the correct operational parameter or a correlation of at least two operational parameters as training data. The training data is used to train an anomaly detection system. Current operational parameters of the at least one input device are detected. The anomaly detection system then checks at least one of the detected operational parameter or a correlation of at least two detected operational parameters to detect a deviation from the training data. When the detected deviation is above or below a defined threshold, a communication function is performed. For example, the communication function is at least one of creating an alarm, communicating data to at least one of a control system and an operator, and recording the data or the alarm.
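An added example (not taken from the patent) of the train-then-compare flow the abstract describes, with a least-squares fit of one sensor reading against one control output standing in for the learned correlation. The valve/flow signals, the 4-sigma threshold and the action names are assumptions made for illustration.

```python
import math

def train(samples):
    """Fit flow = a*cmd + b on unlabeled normal-operation pairs and
    learn the spread of the residuals around that line."""
    n = len(samples)
    mx = sum(c for c, _ in samples) / n
    my = sum(f for _, f in samples) / n
    sxx = sum((c - mx) ** 2 for c, _ in samples)
    sxy = sum((c - mx) * (f - my) for c, f in samples)
    a = sxy / sxx
    b = my - a * mx
    sse = sum((f - (a * c + b)) ** 2 for c, f in samples)
    return {"a": a, "b": b, "sigma": math.sqrt(sse / (n - 2))}

def check(model, cmd, flow, k=4.0, log=None):
    """Compare a current (control output, sensor) pair with the trained
    correlation and return the communication functions to perform."""
    deviation = flow - (model["a"] * cmd + model["b"])
    limit = k * model["sigma"]          # assumed threshold: k residual sigmas
    if -limit <= deviation <= limit:
        return []                       # consistent with training data
    if log is not None:                 # record the data behind the alarm
        log.append({"cmd": cmd, "flow": flow,
                    "deviation": round(deviation, 2),
                    "direction": "above" if deviation > 0 else "below"})
    # Hypothetical action names: alarm to operator, data to control system.
    return ["ALARM_OPERATOR", "NOTIFY_CONTROL_SYSTEM"]

# Constructed training data: valve command (%) vs. flow sensor (L/min),
# flow ~= 2 * command with small noise; cmd=0 covers a shutdown-like state.
NOISE = [-1.0, 0.5, 0.0, 1.0, -0.5]
TRAINING = [(c, 2.0 * c + NOISE[i % 5]) for i, c in enumerate(range(0, 101, 5))]
MODEL = train(TRAINING)

if __name__ == "__main__":
    events = []
    print(check(MODEL, 50, 100.5, log=events))  # matches the learned relation
    print(check(MODEL, 0, 80.0, log=events))    # valve commanded shut, flow high
    print(check(MODEL, 100, 20.0, log=events))  # valve commanded open, flow low
    print(events)
```

Checking the control output against the sensor reading is what lets a mismatch between the two surface even when each value, taken alone, is within its normal range.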
41 Claims
1. A control system protection mechanism that detects unauthorized interference with an industrial control system controlling an industrial system, comprising:
- a programmable anomaly detection module connected to sensors to receive sensor data, the sensor data representing a configuration of the industrial system;
- the programmable anomaly detection module also being connected to control outputs of the industrial control system and to receive control output data, the control output data commanding functions of the industrial system;
- the anomaly detection module having a processor and a data store with executable instructions to cause the processor to generate error commands responsively to a network model, on a data store of the anomaly detection module, that distinguishes non-anomalous attribute combination in an attribute space defined by all possible values of the control output data and sensor data;
- the error commands including at least one command applied to the industrial control system effective to cause the industrial control system to take a corrective or protective action when the network model indicates that a current combination of sensor data and control output data lies outside the non-anomalous combination;
- wherein the industrial system has one or more production operating modes and one or more non-production operating modes, the latter corresponding to testing, maintenance, startup, or shutdown, non-anomalous combinations include conditions during non-production operating modes, the network model being generated by training the network model using unlabeled data obtained by operating the industrial system during production modes and receiving the attending sensor data and control output data of the industrial system during non-anomalous operation or by selecting the attending sensor data and control output data corresponding to non-anomalous operation;
- the industrial control system being signally connected to the anomaly detection module to receive said at least one of said error commands;
- an alarm output device connected to the anomaly detection module to receive at least another of said error commands and to generate an alarm notification receivable by one or more operators responsively thereto;
- said alarm output device or said anomaly detection module being configured to detect a loss of connection between said alarm output device and said anomaly detection module and to generate an alarm notification upon said loss of connection.
Dependent claims: 2, 3, 4, 5, 6, 7, 39, 40
8. (canceled)
9. (canceled)
10. (canceled)
11. (canceled)
12. (canceled)
13. (canceled)
14. (canceled)
15. (canceled)
16. (canceled)
17. (canceled)
18. A method of detecting anomalies in an industrial control system, comprising:
- analyzing historical data of correct operational parameters from at least one input device and storing the correct operational parameters or a correlation of at least two correct operational parameters as training data;
- training an anomaly detection system using the training data;
- detecting current operational parameters of the at least one input device;
- by the anomaly detection system, analyzing the current operational parameters with respect to the training data so as to detect a deviation in the current operational parameters; and
- performing a communication function when the detected deviation is above or below a predefined threshold;
- wherein the communication function comprises at least one of: creating an alarm, communicating data associated with the detected deviation to at least one of the industrial control system and an operator, and recording the alarm or data associated with the detected deviation.
Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 41
19. (canceled)
20. (canceled)
21. (canceled)
22. (canceled)
23. (canceled)
34. (canceled)
35. (canceled)
36. (canceled)
37. (canceled)
38. (canceled)
Specification