System and methodology providing automation security analysis and network intrusion protection in an industrial environment
First Claim

1. A system for detecting and correcting industrial network security issues, comprising:

a pattern monitoring component configured to monitor data traffic on the industrial network during a training period;

a pattern analysis component configured to generate at least one learned profile characterizing at least one learned pattern of data traffic determined based on data traffic information collected by the pattern monitoring component during the training period; and

a comparison analyzer configured to detect a deviation of a current pattern of data traffic from the at least one learned pattern of data traffic in excess of a threshold subsequent to the training period, and to initiate one or more automated countermeasures in response to detecting the deviation.
Abstract
The present invention relates to a system and methodology facilitating automation security in a network-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.
20 Claims
1. A system for detecting and correcting industrial network security issues, comprising:

a pattern monitoring component configured to monitor data traffic on the industrial network during a training period;

a pattern analysis component configured to generate at least one learned profile characterizing at least one learned pattern of data traffic determined based on data traffic information collected by the pattern monitoring component during the training period; and

a comparison analyzer configured to detect a deviation of a current pattern of data traffic from the at least one learned pattern of data traffic in excess of a threshold subsequent to the training period, and to initiate one or more automated countermeasures in response to detecting the deviation.

(Dependent claims 2 through 12 are not reproduced here.)
13. A method for mitigating detected network security issues in an automation environment, comprising:

monitoring data traffic on an automation network during a training period;

generating at least one learned profile encoding at least one learned data traffic pattern determined based on the monitoring;

detecting a deviation of a current data traffic pattern from the learned data traffic pattern in excess of a threshold subsequent to the training period; and

initiating a security countermeasure in response to the detecting.

(Dependent claims 14 through 19 are not reproduced here.)
20. A non-transitory computer-readable medium having stored thereon computer-executable instructions that, in response to execution, direct a computer system to perform operations, including:

monitoring data traffic on an industrial network during a training period;

creating at least one learned data traffic profile characterizing at least one learned pattern of data traffic observed during the training period; and

initiating a security countermeasure on the industrial network in response to detecting a deviation of a present data traffic pattern from the at least one learned pattern of data traffic in excess of a threshold subsequent to the training period.
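The three steps the independent claims share (learn a traffic profile during a training period, compare later traffic against it with a threshold, respond automatically) can be made concrete with a small Python model. This is an added example written for this page, not code from the patent or its assignee; the flow records, the per-flow z-score threshold, the standard-deviation floor and the countermeasure labels are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records (window_id, src, dst, proto); not from the patent.
# Windows 0-4 form the training period: an HMI polling a PLC at a steady rate,
# plus a historian making two OPC UA reads per window.
TRAINING = []
for w in range(5):
    TRAINING += [(w, "hmi", "plc1", "modbus")] * (20 + w % 2)
    TRAINING += [(w, "historian", "plc1", "opcua")] * 2

def learn_profile(records):
    """Learned profile: per (src, dst, proto) mean and std-dev of messages per window."""
    per_window = defaultdict(Counter)
    for w, src, dst, proto in records:
        per_window[w][(src, dst, proto)] += 1
    windows = sorted(per_window)
    keys = {k for c in per_window.values() for k in c}
    profile = {}
    for key in keys:
        counts = [per_window[w][key] for w in windows]  # 0 where the flow was absent
        profile[key] = (mean(counts), pstdev(counts))
    return profile

def detect_deviation(profile, window_records, threshold=3.0):
    """Compare one post-training window to the profile.
    Returns (flow, reason, score) for flows beyond `threshold` std-devs
    from their learned rate, and for flows never seen in training."""
    current = Counter((s, d, p) for _, s, d, p in window_records)
    findings = []
    for key in set(current) | set(profile):
        observed = current.get(key, 0)
        if key not in profile:
            findings.append((key, "unseen flow", float(observed)))
            continue
        mu, sigma = profile[key]
        sigma = max(sigma, 1.0)  # floor (assumption) so a perfectly steady flow is not hypersensitive
        z = (observed - mu) / sigma
        if abs(z) > threshold:
            findings.append((key, "rate deviation", round(z, 2)))
    return findings

def countermeasure(findings):
    """Automated response policy (constructed): a never-seen flow toward a
    controller isolates and alerts; a rate change alone only alerts."""
    if not findings:
        return "none"
    if any(reason == "unseen flow" for _, reason, _ in findings):
        return "isolate-and-alert"
    return "alert"
```

Note that a flow that merely goes quiet (the historian missing from a window) scores z = -2 against this profile and is not flagged at the default threshold, which is the kind of tuning decision a deployment would need to make explicitly.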