System and methodology providing automation security analysis, validation, and learning in an industrial controller environment
Abstract
The present invention relates to a system and methodology facilitating automation security in a network-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.
Claims (30 claims; 145 citations)
1. A security analysis tool, comprising:
- a processor; and
- a memory communicatively coupled to the processor and having stored thereon computer-executable components configured to implement the security analysis tool, the computer-executable components comprising:
- a learning component that monitors communication of data associated with an I/O table of an industrial controller of an automation system during a training period and generates a learned pattern of communication, wherein the I/O table stores input data received by the industrial controller from a controlled device via an I/O device and output data provided by the industrial controller to the controlled device via the I/O device; and
- an analyzer component that monitors data traffic subsequent to the training period and generates one or more security outputs in response to a determination that a current pattern of the data traffic deviates from the learned pattern in excess of an acceptable deviation, the one or more security outputs comprising at least one output that alters the data traffic between the industrial controller and the I/O device.
Dependent claims: 2-14.

15. A method for analyzing security in an industrial automation system, comprising:
- monitoring, by a system comprising at least one processor, communication of data associated with an I/O table of an industrial controller for a predetermined training period to learn at least one learned pattern of communication, wherein the I/O table stores input data received by the controller from a controlled device via an I/O device and output data sent by the controller to the controlled device via the I/O device;
- defining, by the system, a pattern threshold specifying an acceptable deviation from the at least one learned pattern;
- monitoring, by the system, data traffic subsequent to the training period; and
- performing, by the system, at least one automated security event in response to a determination that a current pattern of the data traffic deviates from the at least one learned pattern in excess of the acceptable deviation after the training period, wherein the performing the at least one automated security event comprises at least altering a network traffic pattern between the industrial controller and the I/O device.
Dependent claims: 16-20.

21. A non-transitory computer-readable storage medium having stored thereon computer-executable components that, in response to execution, cause a system comprising at least one processor to perform operations, comprising:
- monitoring communication of data associated with an I/O table of an industrial controller for a predetermined training period, wherein the I/O table stores input data received by the industrial controller from a controlled device via an I/O device and output data sent by the industrial controller to the controlled device via the I/O device;
- learning a learned pattern of communication based on the monitoring;
- defining a pattern threshold that specifies an acceptable deviation from the learned pattern;
- automatically detecting that a current pattern of communication of the data associated with the I/O table deviates from the learned pattern in excess of the acceptable deviation after the training period; and
- performing an automated action that alters the current pattern of communication in response to the detecting.

22. A security validation system for use in an industrial automation environment, comprising:
- a processor; and
- a memory communicatively coupled to the processor and having stored thereon computer-executable components configured to implement the security validation system, the computer-executable components comprising:
- a learning component that monitors communication of data associated with an I/O table with respect to an industrial controller during a training period and establishes a learned pattern of communication, wherein the I/O table comprises a portion of a memory of the industrial controller that maintains input data received by the industrial controller from a controlled device via an I/O device and output data provided by the industrial controller to the controlled device via the I/O device; and
- an analyzer component that monitors a current pattern of communication of the data associated with the I/O table subsequent to the training period and automatically performs a security action to bring the current pattern in line with the learned pattern in response to detecting that the current pattern of communication has deviated from the learned pattern of communication in excess of a defined pattern threshold.
Dependent claims: 23-29.

30. A method for validating security in an industrial automation environment, comprising:
- monitoring communication of data associated with an I/O table with respect to an industrial controller during a training period and establishing a learned pattern of communication, wherein the I/O table stores input data received by the industrial controller from a controlled device via an I/O device and output data sent by the industrial controller to the controlled device via the I/O device;
- defining a pattern threshold specifying an allowable deviation from the learned pattern;
- monitoring a current pattern of communication of the data associated with the I/O table subsequent to the training period; and
- initiating a security procedure that performs a security action to bring the current pattern in line with the learned pattern in response to determining that the monitoring identifies that the current pattern deviates from the learned pattern in excess of the allowable deviation.
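The independent claims all describe the same two-stage mechanism: a learning component that profiles I/O-table communication during a training period, and an analyzer that scores later traffic against that profile and, when the deviation exceeds a defined threshold, raises an event and alters the traffic between the controller and the I/O device. The following Python sketch is an added illustration of that mechanism and is not code from the patent or its assignee. Everything concrete in it is an assumption: the record format for an I/O-table update (time, tag, direction, value), the per-tag profile (direction, value range, update rate), the deviation score (the larger of a capped rate deviation and the out-of-range fraction), the threshold of 0.5, and the specific "alter traffic" actions (hold an output at its last learned value, substitute a last in-range value for an input). The sample traffic is constructed, not captured from a real controller, and deliberately includes three deviation cases the claims' wording covers: a burst of output writes, an output tag never seen in training, and a trained input that goes silent.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IoUpdate:
    """One write to the controller's I/O table (assumed record format, not a real PLC protocol)."""
    t: float          # seconds since monitoring started
    tag: str          # I/O-table entry name (assumed naming)
    direction: str    # "in": controlled device -> controller via I/O device; "out": controller -> device
    value: float


@dataclass
class TagProfile:
    """What the learning component keeps per tag: direction, observed value range, update rate."""
    direction: str
    lo: float
    hi: float
    rate: float       # updates per second during training


@dataclass(frozen=True)
class SecurityOutput:
    kind: str         # "alarm" (event/notification) or "alter_traffic" (changes the controller<->I/O path)
    tag: str
    detail: str


def learn_pattern(updates: List[IoUpdate], training_end: float) -> Dict[str, TagProfile]:
    """Learning component: build the learned pattern from every update seen before training_end."""
    profiles: Dict[str, TagProfile] = {}
    for u in updates:
        if u.t >= training_end:
            continue
        p = profiles.get(u.tag)
        if p is None:
            profiles[u.tag] = TagProfile(u.direction, u.value, u.value, 1.0)
        else:
            p.lo, p.hi, p.rate = min(p.lo, u.value), max(p.hi, u.value), p.rate + 1.0
    for p in profiles.values():
        p.rate /= training_end    # raw count -> updates per second
    return profiles


def analyze(profiles: Dict[str, TagProfile], updates: List[IoUpdate], start: float, end: float,
            threshold: float = 0.5) -> Tuple[Dict[str, float], List[SecurityOutput]]:
    """Analyzer component: score the window [start, end) against the learned pattern and emit
    security outputs (an alarm plus a traffic-altering action) for every tag above the threshold."""
    duration = end - start
    counts: Dict[str, int] = defaultdict(int)
    out_of_range: Dict[str, int] = defaultdict(int)
    directions: Dict[str, str] = {}
    for u in updates:
        if not (start <= u.t < end):
            continue
        counts[u.tag] += 1
        directions[u.tag] = u.direction
        p = profiles.get(u.tag)
        if p is not None and not (p.lo <= u.value <= p.hi):
            out_of_range[u.tag] += 1

    scores: Dict[str, float] = {}
    outputs: List[SecurityOutput] = []
    # Tags seen in the window plus trained tags that went silent: a vanished sensor feed deviates too.
    for tag in set(counts) | set(profiles):
        p = profiles.get(tag)
        n = counts[tag]
        if p is None or directions.get(tag, p.direction) != p.direction:
            score, reason = 1.0, "tag or direction never seen during training"
        else:
            rate_dev = min(1.0, abs(n / duration - p.rate) / p.rate)   # p.rate > 0 for any trained tag
            range_dev = out_of_range[tag] / n if n else 0.0
            score = max(rate_dev, range_dev)
            reason = f"rate_dev={rate_dev:.2f} range_dev={range_dev:.2f}"
        scores[tag] = score
        if score > threshold:
            outputs.append(SecurityOutput("alarm", tag, reason))
            # The claimed "output that alters the data traffic"; the concrete actions are assumptions.
            direction = directions.get(tag, p.direction if p else "out")
            if direction == "out":
                action = "hold output at last learned value; drop further writes to the I/O device"
            else:
                action = "substitute last in-range value into the I/O table; flag input as untrusted"
            outputs.append(SecurityOutput("alter_traffic", tag, action))
    return scores, outputs


def build_sample() -> List[IoUpdate]:
    """Constructed traffic: 10 s of normal training, then a 5 s window containing a valve-write
    burst, an output tag never trained on, and a temperature input that has gone silent."""
    updates: List[IoUpdate] = []
    for i in range(10):
        t = float(i)
        updates.append(IoUpdate(t, "Level", "in", 50.0 + i % 3))
        updates.append(IoUpdate(t, "Temp", "in", 20.0))
        updates.append(IoUpdate(t, "Valve", "out", float(i % 2)))
    for i in range(5):
        t = 10.0 + i
        updates.append(IoUpdate(t, "Level", "in", 51.0))
        for k in range(5):                       # five times the learned valve write rate
            updates.append(IoUpdate(t + k / 10, "Valve", "out", 1.0))
        updates.append(IoUpdate(t, "FirmwareCmd", "out", 1.0))
    return updates


if __name__ == "__main__":
    sample = build_sample()
    learned = learn_pattern(sample, training_end=10.0)
    scores, outputs = analyze(learned, sample, start=10.0, end=15.0)
    for tag, s in sorted(scores.items()):
        print(f"{tag:12s} deviation={s:.2f}")
    for o in outputs:
        print(f"{o.kind:14s} {o.tag:12s} {o.detail}")
```

Running it leaves the in-range, normally paced "Level" input untouched while the burst of valve writes, the unknown "FirmwareCmd" output and the silent "Temp" input each produce an alarm and a traffic-altering action. The capped rate deviation keeps a single noisy tag from dominating, and scoring silent tags as well as noisy ones is what makes the pattern threshold of claims 15, 21, 22 and 30 two-sided rather than a simple rate ceiling.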
Specification