PRODUCTION PROCESS KNOWLEDGE-BASED INTRUSION DETECTION FOR INDUSTRIAL CONTROL SYSTEMS

US 20170264629A1
Filed: 03/10/2016
Published: 09/14/2017
Est. Priority Date: 03/10/2016
Status: Active Grant

First Claim

Patent Images

1. A system for threat detection in an industrial production environment, the system comprising:

a programmable logic controller comprising;

a process image updated according to a scan cycle with process data associated with one or more field devices;

a program configured to operate the one or more field devices using the process data; and

one or more function blocks configured to;

monitor the process data in the process image during each scan cycle, andidentify a possible cyberattack based on the process data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for threat detection in an industrial production environment comprises a programmable logic controller. This programmable logic controller includes a process image updated according to a scan cycle with process data associated with one or more field devices, a program configured to operate the one or more field devices using the process data, and one or more function blocks. These function blocks are configured to monitor the process data in the process image during each scan cycle, and identify a possible cyberattack based on the process data.

34 Citations

View as Search Results

20 Claims

1. A system for threat detection in an industrial production environment, the system comprising:
- a programmable logic controller comprising;
  
  a process image updated according to a scan cycle with process data associated with one or more field devices;
  
  a program configured to operate the one or more field devices using the process data; and
  
  one or more function blocks configured to;
  
  monitor the process data in the process image during each scan cycle, andidentify a possible cyberattack based on the process data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the one or more function blocks are further configured to:
    - transmit a message with information related to the possible cyberattack to one or more other production devices.
  - 3. The system of claim 2, further comprising:
    - a human-machine interface (HMI) configured to receive the message and display an alert indicative of the possible cyberattack.
  - 4. The system of claim 1, wherein the one or more function blocks comprise a limit-based intrusion detection function block configured to:
    - identify limits of physical variables used by the programmable logic controller in execution of the program;
      
      during each scan cycle, determine current values of the physical variables based on the process data;
      
      identify the possible cyberattack if the current values of the physical variables exceed the limits of the physical variables.
  - 5. The system of claim 4, wherein the limit-based intrusion detection function block is further configured to:
    - maintaining a state model indicative of a current operational state of the programmable logic controller,wherein the limits of physical variables used by the programmable logic controller are based on the state model.
  - 6. The system of claim 5, wherein the state model is similar to the Organization of Machine Automation and Control'"'"'s Package Machine Language State Model.
  - 7. The system of claim 1, wherein the one or more function blocks comprise a change-based intrusion detection function block configured to:
    - over a plurality of scan cycles, monitor a rate of change associated with a physical variable used by the programmable logic controller in execution of the program;
      
      identify the possible cyberattack if the rate of change exceeds an expected rate of change for the plurality of scan cycles.
  - 8. The system of claim 1, wherein the one or more function blocks comprise a change-based intrusion detection function block configured to:
    - over a plurality of scan cycles, monitor a rate of change associated with a physical variable used by the programmable logic controller in execution of the program;
      
      identify, based on a reference curve, the possible cyberattack if the rate of change is less than an expected rate of change for the plurality of scan cycles.
  - 9. The system of claim 8, wherein the system comprises a simulation-based application configured to generate the reference curve used to identify the possible cyberattack.
  - 10. The system of claim 9, wherein the possible cyberattack is identified by a process comprising:
    - collecting first data comprising physical byproducts of the one or more field devices;
      
      extracting behavioral information relevant to cyberattacks from the first data;
      
      collecting second data comprising fieldbus sensor data;
      
      fusing the behavioral information and the second data into a synchronized time series dataset;
      
      performing a simulation of the industrial production environment using the synchronized time series dataset to yield simulated sensor data;
      
      applying a classification algorithm to the simulated sensor data to yield a probability of cyberattack;
      
      contextualizing the probability of cyberattack with process knowledge relevant to the industrial production environment; and
      
      identifying the possible cyberattack based on the contextualized probability of cyberattack.
  - 11. The system of claim 10, wherein the classification algorithm comprises a short-term classification process and a long-term classification process.
  - 12. The system of claim 1, wherein the one or more function blocks comprise a correlation-based intrusion detection function block configured to:
    - over a plurality of scan cycles, monitor a first process information variable to yield a first variable history;
      
      over the plurality of scan cycles, monitor a second process information variable to yield a second variable history;
      
      identify the possible cyberattack based on a correlation between the first variable history and the second variable history.

13. A method for cyberattack detection in an industrial production environment, the method comprising:
- updating, by a programmable logic controller, a process image according to a scan cycle with process data associated with one or more field devices;
  
  operating, by the programmable logic controller, the one or more field devices using the process data;
  
  monitoring, by the programmable logic controller, the process data in the process image during each scan cycle;
  
  identifying, by the programmable logic controller, a possible cyberattack based on the process data; and
  
  transmitting, by the programmable logic controller, a message with information related to the possible cyberattack to one or more other production devices.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein identification of the possible cyberattack comprises:
    - identifying limits of physical variables used by the programmable logic controller in operating the one or more field devices;
      
      during each scan cycle, determining current values of the physical variables based on the process data;
      
      identifying the possible cyberattack if the current values of the physical variables exceed the limits of the physical variables.
  - 15. The method of claim 13, wherein identification of the possible cyberattack comprises:
    - over a plurality of scan cycles, monitoring a rate of change associated with a physical variable used by the programmable logic controller in operating the one or more field devices;
      
      identifying the possible cyberattack if the rate of change deviates from an expected rate of change for the plurality of scan cycles.
  - 16. The method of claim 13, wherein identification of the possible cyberattack comprises:
    - over a plurality of scan cycles, monitoring a first process information variable to yield a first variable history;
      
      over the plurality of scan cycles, monitoring a second process information variable to yield a second variable history;
      
      identifying the possible cyberattack based on a correlation between the first variable history and the second variable history.
  - 17. The method of claim 13, further comprising:
    - reducing production speed in response to identification of the possible cyberattack.
  - 18. The method of claim 13, further comprising:
    - responding to identification of the possible cyberattack by completing production of a current batch and thereafter stopping production.
  - 19. The method of claim 13, further comprising:
    - performing one or more operations to stop production immediately in response to identification of the possible cyberattack.

20. An article of manufacture for intrusion detection in an industrial production environment, the article of manufacture comprising a non-transitory, tangible computer-readable medium holding computer-executable instructions for performing a process comprising:
- updating a process image according to a scan cycle with process data associated with one or more field devices;
  
  operating the one or more field devices using the process data;
  
  monitoring the process data in the process image during each scan cycle; and
  
  identifying a possible cyberattack based on the process data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Siemens AG
Original Assignee
Siemens AG
Inventors
Wei, Dong, Pfleger de Aguiar, Leandro, Martinez Canedo, Arquimedes

Granted Patent

US 10,027,699 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/058   Safety, monitoring

G05B 23/0232   based on qualitative trend ...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

PRODUCTION PROCESS KNOWLEDGE-BASED INTRUSION DETECTION FOR INDUSTRIAL CONTROL SYSTEMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PRODUCTION PROCESS KNOWLEDGE-BASED INTRUSION DETECTION FOR INDUSTRIAL CONTROL SYSTEMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links