Control system cyber security
First Claim
1. A method, comprising:
receiving, by a computing device, a first plurality of measurements gathered by each of a number of sensing and actuating devices of a control system over a first time period;
determining, by the computing device, a predicted second plurality of measurements associated with a second time period later than the first time period;
receiving, by the computing device, a second plurality of measurements gathered by each of the number of sensing and actuating devices of the control system over the second time period;
determining, by the computing device, a suspected portion of the received second plurality of measurements based on a difference between the predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold;
monitoring, by the computing device, the suspected portion of the received second plurality of measurements over a particular time period;
determining, by the computing device, whether the suspected portion of the received second plurality of measurements is associated with a cyber attack;
determining a measurement falsely set by the cyber attack;
correcting the measurement falsely set by the cyber attack; and
providing at least one decoy measurement to an attacker to conceal the correction.
Abstract
Devices, methods, and systems for control system cybersecurity are described herein. One method includes receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system, determining a suspected portion of the received measurements, monitoring the suspected portion of the received measurements over a particular time period, and determining whether the suspected portion of the received measurements is associated with a cyber attack.
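As an added illustration (not code from the patent or its assignee), the sketch below walks the claimed sequence: predict, compare against a threshold, monitor the suspected portion, classify, correct, and keep a decoy view. The mean-hold predictor, the 5.0 threshold, the three-sample persistence rule, the echo-back decoy and all sample data are assumptions; the claims do not specify them.

```python
from statistics import mean

THRESHOLD = 5.0   # assumed residual limit, in the sensor's own units
PERSIST = 3       # assumed: consecutive suspect samples that count as an attack

def predict(first_period, n):
    """Assumed predictor: hold each sensor's first-period mean for n samples."""
    return {s: [mean(v)] * n for s, v in first_period.items()}

def suspected(predicted, received, threshold=THRESHOLD):
    """Per sensor, indices where |received - predicted| exceeds the threshold."""
    return {s: [i for i, (p, r) in enumerate(zip(predicted[s], received[s]))
                if abs(r - p) > threshold]
            for s in received}

def longest_run(indices):
    """Length of the longest run of consecutive sample indices."""
    best = run = 0
    prev = None
    for i in indices:
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def assess(first_period, received):
    """Flag, monitor, classify and correct the second-period measurements."""
    n = len(next(iter(received.values())))
    predicted = predict(first_period, n)
    report = {}
    for s, idx in suspected(predicted, received).items():
        # Monitoring step: a lone spike stays "suspected"; a sustained
        # deviation is treated as a falsified measurement.
        attack = longest_run(idx) >= PERSIST
        corrected = list(received[s])
        if attack:
            for i in idx:
                corrected[i] = predicted[s][i]  # value the control loop uses
        report[s] = {"suspected": idx, "attack": attack,
                     "control_view": corrected,
                     # Decoy (assumed form): the externally visible channel
                     # keeps showing the falsified values unchanged.
                     "decoy_view": list(received[s])}
    return report

# Constructed sample data: two sensors over a first and a second time period.
FIRST = {"temp": [70.0, 70.5, 69.5, 70.0], "flow": [12.0, 12.2, 11.8, 12.0]}
SECOND = {"temp": [70.2, 95.0, 96.0, 97.0, 70.1],
          "flow": [12.1, 19.0, 12.0, 11.9, 12.1]}
```

In the sample, the sustained `temp` deviation is classified as an attack and corrected in `control_view`, while the single `flow` spike is only recorded as suspected.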
53 Citations
13 Claims
7. A non-transitory computer-readable medium having instructions stored thereon executable by a processor to:
receive a first set of measurements from a first operation of a control system, the first set of measurements gathered by each of a number of sensing and actuating devices of the control system;
conduct a simulated second operation of the physical system using the first set of measurements;
determine an expected second set of measurements based, at least in part, on the simulated second operation of the physical system;
receive a second set of measurements from a second operation of the control system, the second set of measurements gathered by each of the number of sensing and actuating devices of the control system, wherein the second operation occurs later than the first operation;
determine a suspected portion of the received second set of measurements based on a difference between the simulated second operation and the second operation exceeding a particular threshold;
monitor the suspected portion of the received second set of measurements over a particular time period;
determine whether the suspected portion of the received second set of measurements is associated with a cyber attack;
determine a measurement of the second set of measurements falsely set by the cyber attack;
correct the measurement falsely set by the cyber attack; and
provide at least one decoy measurement to an attacker to conceal the correction.
8. A control system, comprising:
a plurality of sensing devices, each configured to:
gather a respective first plurality of measurements from a physical system over a first time period; and
gather a respective second plurality of measurements from the physical system over a second time period; and
a computing device, configured to:
receive the respective first plurality of measurements gathered by the plurality of sensing devices over the first time period from each of the sensing devices;
predict a respective second plurality of measurements for each of the sensing devices based on the respective first plurality of measurements;
receive the second plurality of measurements gathered by the plurality of sensing devices over the second time period;
compare the respective predicted second plurality of measurements with the received second plurality of measurements; and
take an action associated with a determined cyber attack responsive to a difference between the respective predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold, wherein taking the action includes determining a measurement of at least one of the first and second plurality of measurements falsely set by the cyber attack, correcting the measurement falsely set by the cyber attack, and providing at least one decoy measurement to an attacker to conceal the correction.
Specification