Control system cyber security

US 9,177,139 B2
Filed: 12/30/2012
Issued: 11/03/2015
Est. Priority Date: 12/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a computing device, a first plurality of measurements gathered by each of a number of sensing and actuating devices of a control system over a first time period;

determining, by the computing device, a predicted second plurality of measurements associated with a second time period later than the first time period;

receiving, by the computing device, a second plurality of measurements gathered by each of the number of sensing and actuating devices of the control system over the second time period;

determining, by the computing device, a suspected portion of the received second plurality of measurements based on a difference between the predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold;

monitoring, by the computing device, the suspected portion of the received second plurality of measurements over a particular time period;

determining, by the computing device, whether the suspected portion of the received second plurality of measurements is associated with a cyber attack;

determining a measurement falsely set by the cyber attack;

correcting the measurement falsely set by the cyber attack; and

providing at least one decoy measurement to an attacker to conceal the correction.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Devices, methods, and systems for control system cybersecurity are described herein. One method includes receiving a plurality of measurements from each of a number of sensing and actuating devices of a control system, determining a suspected portion of the received measurements, monitoring the suspected portion of the received measurements over a particular time period, and determining whether the suspected portion of the received measurements is associated with a cyber attack.

53 Citations

View as Search Results

13 Claims

1. A method, comprising:
- receiving, by a computing device, a first plurality of measurements gathered by each of a number of sensing and actuating devices of a control system over a first time period;
  
  determining, by the computing device, a predicted second plurality of measurements associated with a second time period later than the first time period;
  
  receiving, by the computing device, a second plurality of measurements gathered by each of the number of sensing and actuating devices of the control system over the second time period;
  
  determining, by the computing device, a suspected portion of the received second plurality of measurements based on a difference between the predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold;
  
  monitoring, by the computing device, the suspected portion of the received second plurality of measurements over a particular time period;
  
  determining, by the computing device, whether the suspected portion of the received second plurality of measurements is associated with a cyber attack;
  
  determining a measurement falsely set by the cyber attack;
  
  correcting the measurement falsely set by the cyber attack; and
  
  providing at least one decoy measurement to an attacker to conceal the correction.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the method includes determining whether the suspected portion of the received second plurality of measurements is associated with a cyber attack based, at least in part, on historical cyber attack information.
  - 3. The method of claim 1, wherein the method includes determining whether the suspected portion of the received second plurality of measurements is associated with a cyber attack based, at least in part, on historical measurements not indicative of a cyber attack.
  - 4. The method of claim 3, wherein the method includes receiving an indication, made by a user, of the historical measurements not indicative of a cyber attack.
  - 5. The method of claim 1, wherein the method includes:
    - determining a received measurement of the suspected portion of the received second plurality of measurements exceeding a particular importance threshold; and
      
      providing a notification responsive to the received measurement of the suspected portion of the received second plurality of measurements exceeding a particular threshold.
  - 6. The method of claim 1, wherein the control system is associated with an electric grid.

7. A non-transitory computer-readable medium having instructions stored thereon executable by a processor to:
- receive a first set of measurements from a first operation of a control system, the first set of measurements gathered by each of a number of sensing and actuating devices of the control system;
  
  conduct a simulated second operation of the physical system using the first set of measurements;
  
  determine an expected second set of measurements based, at least in part, on the simulated second operation of the physical system;
  
  receive a second set of measurements from a second operation of the control system, the second set of measurements gathered by each of the number of sensing and actuating devices of the control system, wherein the second operation occurs later than the first operation;
  
  determine a suspected portion of the received second set of measurements based on a difference between the simulated second operation and the second operation exceeding a particular threshold;
  
  monitor the suspected portion of the received second set of measurements over a particular time period;
  
  determine whether the suspected portion of the received second set of measurements is associated with a cyber attack;
  
  determine a measurement of the second set of measurements falsely set by the cyber attack;
  
  correct the measurement falsely set by the cyber attack; and
  
  provide at least one decoy measurement to an attacker to conceal the correction.

8. A control system, comprising:
- a plurality of sensing devices, each configured to;
  
  gather a respective first plurality of measurements from a physical system over a first time period; and
  
  gather a respective second plurality of measurements from the physical system over a second time period; and
  
  a computing device, configured to;
  
  receive the respective first plurality of measurements gathered by the plurality of sensing devices over the first time period from each of the sensing devices;
  
  predict a respective second plurality of measurements for each of the sensing devices based on the respective first plurality of measurements;
  
  receive the second plurality of measurements gathered by the plurality of sensing devices over the second time period;
  
  compare the respective predicted second plurality of measurements with the received second plurality of measurements; and
  
  take an action associated with a determined cyber attack responsive to a difference between the respective predicted second plurality of measurements and the received second plurality of measurements exceeding a particular threshold, wherein taking the action includes determining a measurement of at least one of the first and second plurality of measurements falsely set by the cyber attack, correcting the measurement falsely set by the cyber attack, and providing at least one decoy measurement to an attacker to conceal the correction.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The control system of claim 8, wherein the computing device is configured to provide a notification associated with the determined cyber attack.
  - 10. The control system of claim 8, wherein the computing device is configured to determine an attack vector associated with the determined cyber attack.
  - 11. The control system of claim 8, wherein the computing device is configured to determine the action based, at least in part, on a type of the determined cyber attack.
  - 12. The control system of claim 8, wherein the control system is a distributed control system.
  - 13. The control system of claim 8, wherein the control system is a supervisory control and data acquisition system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Honeywell International Inc.
Original Assignee
Honeywell International Inc.
Inventors
Hull Roskos, Julie J.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US13/731,054
Publication Number

US 20140189860A1
Time in Patent Office

1,038 Days
Field of Search

726 22- 23
US Class Current

1/1
CPC Class Codes

G05B 2219/31246   Firewall

G05B 2219/31255   Verify communication parame...

G05B 23/0235   based on a comparison with ...

G06F 21/552   involving long-term monitor...

H04L 63/1408   by monitoring network traff...

Control system cyber security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Control system cyber security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links