WO2016172514A1 - Improving the resilience of a control system by tightly coupling security functions with control - Google Patents


Info

Publication number
WO2016172514A1
Authority
WO
WIPO (PCT)
Prior art keywords
automation system
production
data
network data
attack
Prior art date
Legal status
Ceased
Application number
PCT/US2016/028893
Other languages
English (en)
Inventor
Dong Wei
George Lo
Leandro Pfleger De Aguiar
Martin Otto
Justinian Rosca
Current Assignee
Siemens AG
Siemens Corp
Original Assignee
Siemens AG
Siemens Corp
Priority date
Filing date
Publication date
Application filed by Siemens AG, Siemens Corp
Publication of WO2016172514A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
              • H04L63/1433 Vulnerability analysis
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • the network of each production cell is isolated from others and protected by a security device such as firewall/VPN (Virtual Private Network) concentrator.
  • This solution was developed on the assumption that cyber-attacks come from the outside world (i.e., via the communication link between the production cell network and the office network). Additionally, control systems and security systems run individually and independently: automation engineers design, program, operate and monitor control, while IT security professionals do the same for security.
  • the assumption of “production cells” no longer holds, because production cell networks are becoming more open and dynamic as more mobile devices, wireless sensors, etc. are used for data collection and diagnostics. These devices are connected directly to plant floor systems and thus present a direct security risk to automation devices.
  • Embodiments of the present invention address and overcome one or more of the above shortcomings and drawbacks, by providing methods, systems, and apparatuses related to improving control system resilience by running control and cybersecurity side-by-side in a highly-coupled fashion.
  • the techniques described herein are able to detect cyber-attacks which cannot be detected by conventional intrusion detection technologies, and furthermore they enable control to react to detected cyber-attacks instantly, thus reducing the adverse impact of those cyber-attacks.
  • a method for threat detection in an industrial production environment includes an industrial controller determining a plurality of predicted values for the automation system production data and automation system network data collected by the controller, and monitoring the current values of that data. If the current values deviate from the predicted values, the industrial controller applies a knowledge model for intrusion detection to the automation system production data and network data to identify a possible cyber-attack. The industrial controller then transmits an alert indicating the possible cyber-attack to an operator device. In some instances, the industrial controller may also (or alternatively) perform one or more automatic operations.
  • the industrial controller responds to identification of the possible cyber-attack by performing one of: reducing production speed for processes performed by the industrial controller, completing production of a current batch by the industrial controller and thereafter stopping production, or performing one or more operations to stop production immediately.
  • the knowledge model is implemented in one or more function blocks executed by the industrial controller and the automation system production data and the automation system network data are stored in a system data block.
  • the knowledge model is implemented in one or more software applications (or “apps”) executed by the industrial controller.
  • the method further includes the industrial controller receiving an update to the knowledge model from a remote source. The industrial controller detects when critical production processes are not being executed and, in response, applies the update to the knowledge model.
  • the aforementioned method further includes the industrial controller receiving additional automation system production data collected by other industrial controllers in the industrial production environment. The industrial controller applies the knowledge model to additional automation system production data in addition to the automation system production data and the automation system network data to identify the possible cyber-attack.
  • a system for threat detection in an industrial production environment includes an industrial controller comprising a process image, a networking component, and one or more security function blocks.
  • the process image is updated according to a scan cycle with automation system production data associated with one or more field devices.
  • the networking component is configured to send and receive automation system network data on a plant floor network.
  • the one or more security function blocks are configured to apply a knowledge model for intrusion detection to the automation system production data and the automation system network data to identify a possible cyber-attack.
  • the aforementioned system may be configured to leverage knowledge of other components of the industrial production environment.
  • the networking component in the system is further configured to receive additional automation system production data and additional automation system network data corresponding to other control systems in the industrial production environment.
  • the knowledge model for intrusion detection may then be further applied to the additional automation system production data and additional automation system network data to identify the possible cyber-attack.
  • the system may transmit a message with information related to the possible cyber-attack to one or more other production devices in the environment.
  • the functionality of the one or more security function blocks in the aforementioned system may be extended in different embodiments of the aforementioned system.
  • the security function blocks are further configured to extrapolate the automation system production data and the automation system network data at a next time step to yield a plurality of predicted values.
  • the security function blocks compare the plurality of predicted values to actual values for the automation system production data and the automation system network data to yield difference values.
  • the knowledge model for intrusion detection may then be conditionally applied to the automation system production data and the automation system network data when the difference values deviate from historical patterns associated with the automation system production data and the automation system network data.
  • the one or more security function blocks are further configured to respond to identification of the possible cyber-attack by performing one of reducing production speed for processes performed by the industrial controller, completing production of a current batch by the industrial controller and thereafter stopping production, or performing one or more operations to stop production immediately.
  • a system for threat detection in an industrial production environment includes an industrial controller comprising a process image, a networking component, a real-time database, and an app container.
  • the process image is updated according to a scan cycle with automation system production data associated with one or more field devices.
  • the networking component is configured to send and receive automation system network data on a plant floor network.
  • the real-time database comprises an embedded historian which is configured to store the automation system production data collected via the process image and automation system network data collected via the networking component.
  • the app container includes an app which is configured to apply a knowledge model for intrusion detection to the automation system production data and the automation system network data to identify a possible cyber-attack.
  • the aforementioned app utilized in the system may implement various additional functionality in different embodiments of the present invention.
  • the app is further configured to extrapolate the automation system production data and the automation system network data at a next time step to yield a plurality of predicted values and, at the next time step, compare the plurality of predicted values to actual values for the automation system production data and the automation system network data to yield difference values.
  • the knowledge model for intrusion detection may then be conditionally applied to the automation system production data and the automation system network data when the difference values deviate from historical patterns associated with the automation system production data and the automation system network data.
  • the app is further configured to respond to identification of the possible cyber-attack by performing one of reducing production speed for processes performed by the industrial controller, completing production of a current batch by the industrial controller and thereafter stopping production, or performing one or more operations to stop production immediately. Additionally, in some instances, the app may also transmit a message with information related to the possible cyber-attack to one or more other production devices.
  • a system for threat detection in an industrial production environment includes two virtual machines, an internal communication channel, and a hypervisor which executes the two virtual machines.
  • the first virtual machine executes an industrial controller which is configured to monitor automation system production data and automation system network data from a plant floor network.
  • the second virtual machine executes a security application which is configured to apply a knowledge model for intrusion detection to the automation system production data and the automation system network data to identify a possible cyber-attack.
  • the internal communication channel is configured to facilitate transfer of the automation system production data and the automation system network data between the first virtual machine and the second virtual machine.
  • FIG. 1 provides an illustration of a PLC implementing a highly-coupled control-security system on legacy hardware, according to some embodiments
  • FIG. 2 provides an illustration of a PLC implementing a highly-coupled control-security system on a WinAC system, according to some embodiments
  • FIG. 3 provides an illustration of a PLC implementing a highly-coupled control-security system on an Open PLC system, according to some embodiments
  • FIG. 4 illustrates an example Organization for Machine Automation and Control PackML state model which may be utilized in some embodiments
  • FIG. 5 shows a sliding window for temperature measurement, which may be utilized in some embodiments
  • FIG. 6 shows an additional example of a highly-coupled control-security PLC system with data analytics, which may be utilized in some embodiments
  • FIG. 7 provides an illustration of a framework for intrusion detection based on data analytics and modeling, as may be applied in some embodiments
  • FIG. 8 provides an illustration of observed events in a PLC of an automobile door assembly workshop, as may be utilized in some embodiments
  • FIG. 9 illustrates a hacking scenario using an open TCP/IP connection
  • Control systems such as Programmable Logic Controllers (PLCs) or Distributed Control Systems (DCSs) are becoming more and more powerful, with more computational power and much larger memory.
  • FIG. 1 provides an illustration of a PLC 100 implementing a highly-coupled control-security system on legacy hardware (e.g., Siemens Simatic S7 400), according to some embodiments.
  • Basic System Functions 110 such as memory handling, I/O processing and communication, reside above the Operating System 105.
  • Control Function Blocks (FBs) sit above the Basic System Functions 110. Standard FBs 120 (e.g., for data parsing and data conversion) are supplied with the system, and some of the FBs 130 may be developed by users. The Application Program 125 resides on the top layer of the PLC 100.
  • basic security functions such as encryption and decryption, may be implemented within the Basic System Functions 110.
  • security FBs within the Standard FBs 120, with interfaces for keys, session information, etc., are provided for users to call.
  • Various security features may be provided within the Basic System Functions 110.
  • the security functions include cryptography, access control (by device, MAC address, IP address and even role), intrusion detection, and security incident and event management. These security functions can be configured via system function blocks, and all related data can be saved in system data blocks. In some embodiments, security policies can be adjusted on the fly via system function blocks according to the state of the control system. For instance, system vendors can upgrade or patch the control system only when it is not running a critical production process, so that the critical process is not interrupted. Additionally, in some embodiments, the security functions within the Basic System Functions 110 may be configured to inform the control system that it is under cyber-attack, and whether the detected attack can be mitigated completely or only partially.
  • the PLC 100 or the control system as a whole can then decide whether it needs to operate in a safe mode, stop production after the current batch is finished, or stop production right away.
  • the security functions within the Basic System Functions 110 contain advanced sensors that generate log data tailored to the requirements of a Security Information and Event Management (SIEM) system deployed for the entire network. Because the control system is intelligent, logging can be adjusted on the fly by command from the SIEM system, for example to address updated threat intelligence or indicators of compromise, going beyond simple log levels that merely switch granularity. The result is improved quality of log data and thus a reduced rate of false positives at the SIEM.
  • FIG. 2 shows an alternative implementation of a highly coupled system PLC 200 based on the Siemens WinAC Open Development Kit (ODK), according to some embodiments.
  • WinAC 205 is a PC-based PLC running on Microsoft Windows.
  • WinAC ODK enables users to develop their own applications on Windows which may then be called by a PLC.
  • WinAC exchanges data with C/C++ applications 210 via Shared Memory Extension Interface (SMX) 215.
  • FIG. 3 shows an implementation of a highly coupled system 300 on an Open Controller, according to some embodiments.
  • the Siemens SIMATIC ET 200SP Open Controller is a controller of this type; it combines the functions of a PC-based software controller with virtualization.
  • a PC hosts two virtual machines (two cores) 305 and 310, which run Windows applications and PLC applications, respectively. PLC and Windows applications interact with each other via Internal Communication 315.
  • the PC-based PLC is able to keep running even if Windows is shut down.
  • security functions may be implemented in either virtual machine 305 or 310.
  • virtual machine 305 may include one or more Windows applications dedicated to security functionality.
  • virtual machine 310 may include one or more FB-based security implementations similar to those discussed above with respect to FIGS. 1 and 2.
  • such a dedicated security application may be, for example, an open-source Unix-based network monitoring framework such as Bro.
  • Production context information used for validation may include the state of the production system, such as Stopped, Off, Ready, Producing and Standby, as defined by the Organization for Machine Automation and Control (OMAC) model 400 shown in FIG. 4.
  • the information may also include static limits of measurements, such as temperature sensor limits and the temperature setting issued by the operator via a human-machine interface (HMI). Additionally, dynamic limits of measurements may be used in the validation and verification process (e.g., the temperature of an oven cannot be raised by 100°C in 2 minutes). Measurements collected by sensors and commands from HMIs (by operators) are examined and validated according to the state of the production system.
  • measurements collected by sensors and commands from HMIs are examined and validated against the limits of the physical variables of the production system. Received sensor measurements or commands that exceed the physical limits of the production process may indicate a cyber-attack.
  • conveyors of a packaging line should run forward in the speed range of 0.25 to 0.5 m/s when the production line is in the state “Producing”, as shown in FIG. 4.
  • if the controller receives a reading from the conveyor drive indicating that the conveyor is running at 0.1 m/s, this could be a cyber-attack on the control system or the drive system.
  • intrusion detection is performed based on change of variables. It is known that some variables cannot be changed dramatically in a short period of time.
  • a sliding window technique can be deployed for this application. For example, the temperature of a furnace cannot be increased by 100°C within 3 minutes. Assume that a wireless sensor is used to collect the furnace temperature. Plot 500 in FIG. 5 shows how a sliding window may be used to examine the wireless temperature sensor readings. The sliding window moves along the time axis, and a data block records the furnace temperature readings from the last 3 minutes. If the temperature rises too fast, for instance from 800°C to 850°C in 3 minutes, this could be a cyber-attack on the wireless sensor or the controller.
  • In some embodiments intrusion detection is performed by correlation of variables. It is known that some variables are correlated with other variables.
  • an industrial oven has multiple heating elements and the temperature in a certain interval in the oven depends on how many heating elements are on.
  • a wireless sensor is used to collect temperature information of the industrial oven, and there are 10 heating elements which can be operated individually. Usually, it takes 15 minutes to raise the temperature from 20°C to 400°C if all heating elements are on. However, the controller detects that it took 15 minutes to raise the temperature from 20°C to 400°C when only 2 heating elements were on. Thus this could be a cyber-attack on the wireless sensor or the controller.
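The three validation techniques above (static limits checked against the production state, a sliding-window rate-of-change check, and correlation between a controlled variable and its cause) combined in one security function block. This is an added illustration in Python, not the patent's IEC 61131-3 code. The Sample fields, the speed limits for states other than Producing, the 3-minute window and 100°C bound taken from the furnace example, the linear per-heater model derived from the 10-element oven example, and the readings fed in at the bottom are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Sample:
    """One scan-cycle snapshot of the process image (constructed fields)."""
    t: float               # seconds since start of monitoring
    state: str             # PackML state, e.g. "Producing"
    conveyor_speed: float  # m/s, read back from the conveyor drive
    furnace_temp: float    # degC, from the wireless temperature sensor
    heaters_on: int        # heating elements currently switched on (0..10)


# Static limits per production state: (min, max) conveyor speed in m/s.
# The "Producing" range is the packaging-line figure from the text; the
# other states are assumed for illustration.
SPEED_LIMITS = {
    "Producing": (0.25, 0.5),
    "Standby": (0.0, 0.0),
    "Stopped": (0.0, 0.0),
}


@dataclass
class SecurityFB:
    """Stand-in for an IEC 61131-3 intrusion-detection function block."""
    window_s: float = 180.0        # sliding window: the last 3 minutes
    max_rise_degc: float = 100.0   # furnace may not rise more than this per window
    # Correlation model (assumed linear): 10 elements lift the oven from
    # 20 to 400 degC in 15 minutes, so each element contributes this rate.
    degc_per_min_per_heater: float = (400.0 - 20.0) / 15.0 / 10
    correlation_tolerance: float = 1.5  # factor above the expected rise tolerated
    history: deque = field(default_factory=deque)

    def check(self, s: Sample) -> list:
        """Return human-readable alerts for one sample; an empty list means clean."""
        alerts = []

        # 1. Static limit, validated against the current production state.
        lo, hi = SPEED_LIMITS.get(s.state, (float("-inf"), float("inf")))
        if not lo <= s.conveyor_speed <= hi:
            alerts.append(
                f"conveyor speed {s.conveyor_speed} m/s outside {lo}-{hi} m/s in state {s.state}")

        # 2. Sliding window: keep only readings inside the window and compare
        #    the newest reading with the oldest one still inside it.
        self.history.append(s)
        while s.t - self.history[0].t > self.window_s:
            self.history.popleft()
        oldest = self.history[0]
        rise = s.furnace_temp - oldest.furnace_temp
        elapsed_min = (s.t - oldest.t) / 60.0
        if rise > self.max_rise_degc:
            alerts.append(f"furnace rose {rise:.0f} degC in {elapsed_min:.1f} min")

        # 3. Correlation: the rise must be explainable by the heaters that are on.
        #    (Uses the current heater count; a fuller model would integrate it.)
        if elapsed_min > 0 and rise > 0:
            expected = self.degc_per_min_per_heater * s.heaters_on * elapsed_min
            if rise > self.correlation_tolerance * max(expected, 1e-9):
                alerts.append(
                    f"rise of {rise:.0f} degC not explained by {s.heaters_on} heaters on")
        return alerts


if __name__ == "__main__":
    fb = SecurityFB()
    # Constructed readings: a drive reporting 0.1 m/s while Producing, then a
    # furnace jumping 120 degC inside the window.
    for smp in (Sample(0, "Producing", 0.3, 800.0, 10),
                Sample(60, "Producing", 0.3, 805.0, 10),
                Sample(120, "Producing", 0.1, 810.0, 10),
                Sample(180, "Producing", 0.3, 920.0, 10)):
        print(smp.t, fb.check(smp))
```

The oldest reading in the window is the comparison point, so the window length sets the slowest rise the block can see; the 2-heater, 15-minute oven example in the text needs a window of at least 15 minutes to be caught by the correlation check.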
  • No cybersecurity system or solution is 100% secure.
  • the security functions implemented within the control system include functionality for minimizing the adverse impacts of cyber-attacks.
  • a library of intrusion-detection function blocks (FBs) is created in an IEC 61131-3 language. These FBs can then be called in industrial controllers, such as PLCs, DCSs, and/or motion controllers (see, e.g., FBs 120 or 130 in FIG. 1).
  • the inputs to the function blocks are variables such as sensor measurements and commands from the HMI or Manufacturing Execution System (MES), a data block that logs the variables over a certain interval (the sliding window), and the static and dynamic limits of the variables.
  • the output is an alarm of potential cyber-attacks. This alarm can be categorized into four levels and responded to accordingly, as shown in the following table:
  • the PLC 600 has two cores where each runs as a virtual machine.
  • one virtual machine 605 is configured to implement Simatic S7 Firmware and the other virtual machine is 610 configured to implement either Windows or Linux.
  • within the Simatic S7 PLC firmware in virtual machine 605 there is a real-time database driven by an embedded historian. It collects all real-time process image data as time series, such as inputs, outputs, memory variables, and commands from HMIs and the MES.
  • in the Windows/Linux virtual machine 610, another real-time database exchanges data with the real-time database (RTDB) hosted in the Simatic S7 firmware.
  • the block of "Processing” in virtual machine 605 is a function block which performs primary data processing, reading/writing/filtering/smoothing primary data in the real-time database.
  • the block of "Context” in virtual machine 605 works as a translator, which translates the meaning of all data into production knowledge, such as translating measurements into temperature (e.g. of a beer fermentation tank).
  • there are multiple applications hosted by an App Container in the virtual machine 605, some of which can be directed at security functionality. For example, App1 could be used for cyber intrusion detection and App2 could be a machine prognostic analysis application. Both work on the data collected in the real-time database.
  • the proposed cyber- attack detection app can be easily added, removed and updated, just as a Windows or Linux application.
  • all of the above-mentioned PLCs may be connected to a cloud-based cybersecurity operation center (CSOC).
  • each PLC may not only use its own historical data, but also historical data of similar control systems and production processes. For instance, a group of 6-MW wind turbines and their control systems are quite similar. The generated behavior/signature of multiple turbines can be used for other similar turbines.
  • the security functions implemented on the PLC may perform intrusion detection based on data analytics and modeling. Equation (1) is conventionally used to collect signals S from the plant field.
  • These signals include 1) inputs of the PLC, such as temperature, pressure, flow rate, current, speed, position; 2) outputs of the PLC, such as valve open/close, flow rate setting, speed setting, position setting; 3) variables in the PLC, such as running mode (production, idle, maintenance, etc.); 4) counters in the PLC; 5) timers in the PLC; and 6) other signals, such as acoustic, thermal and vibration sensors for prognostics and maintenance.
  • Equation (1) can be combined with Equation (2) to detect potential cyber-attacks aiming at PLCs.
  • C includes network activities, number of connections, round-trip delay, bandwidth usage, and the commands, settings, recipes and e-Cam profiles received by PLCs, etc. These commands and settings come from HMIs, MES, log servers, etc., via the plant floor network. It is assumed that cyber-attacks come via these communication links. Note that, compared with conventional prognostics, the cybersecurity solution described herein collects additional data, especially commands and settings from HMIs and MES.
  • FIG. 7 shows a framework 700 for intrusion detection based on data analytics and modeling, according to some embodiments. Based on historical data and current status, commands, settings, recipes, and e-Cams are extrapolated (or predicted) by simulating the production process with data analytics technologies and production process knowledge, especially correlation with known context.
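An added example, not taken from the patent, of the extrapolate, compare, then conditionally apply the knowledge model loop described above and in the function-block and app embodiments earlier on the page. Each monitored production variable (S) and network variable (C) is predicted one step ahead by linear extrapolation, the residual is compared with the historical residual pattern by z-score, and the knowledge model is invoked only on scans where some residual deviates. The knowledge_model() rule, the variable names, the thresholds and the constructed skid-position and connection-count series are assumptions.

```python
from collections import deque
from statistics import fmean, pstdev


class ResidualMonitor:
    """Predicts the next value of one variable by linear extrapolation from
    its last two readings and judges the residual against the residuals seen
    so far (z-score). Deviating residuals are not added to the baseline, so an
    attack in progress does not teach the monitor that the attack is normal."""

    def __init__(self, k=3.0, history_len=50, warmup=10):
        self.k = k
        self.warmup = warmup
        self.values = deque(maxlen=2)
        self.residuals = deque(maxlen=history_len)

    def predict(self):
        if len(self.values) < 2:
            return None
        a, b = self.values
        return b + (b - a)

    def update(self, actual):
        """Return (predicted, residual, deviates) for this step."""
        pred = self.predict()
        self.values.append(actual)
        if pred is None:
            return None, None, False
        r = actual - pred
        deviates = False
        if len(self.residuals) >= self.warmup:
            mu = fmean(self.residuals)
            sd = pstdev(self.residuals) or 1e-9
            deviates = abs(r - mu) / sd > self.k
        if not deviates:
            self.residuals.append(r)
        return pred, r, deviates


def knowledge_model(dev_prod, dev_net):
    """Simplified stand-in for the intrusion knowledge model (an assumption,
    not the patent's model): a production deviation that coincides with a
    network deviation is attributed to the plant-network link."""
    if dev_prod and dev_net:
        return f"possible cyber-attack via plant network: {dev_net} -> {dev_prod}"
    if dev_net:
        return f"suspicious network activity: {dev_net}"
    return f"process or sensor anomaly: {dev_prod}"


class CoupledMonitor:
    """One ResidualMonitor per production (S) and network (C) variable; the
    knowledge model runs only on scans where some residual deviates."""

    def __init__(self, production_vars, network_vars, k=3.0):
        self.prod = {v: ResidualMonitor(k) for v in production_vars}
        self.net = {v: ResidualMonitor(k) for v in network_vars}

    def step(self, production, network):
        dev_prod = [v for v, x in production.items() if self.prod[v].update(x)[2]]
        dev_net = [v for v, x in network.items() if self.net[v].update(x)[2]]
        if not dev_prod and not dev_net:
            return None
        return knowledge_model(dev_prod, dev_net)


def run_demo():
    """Constructed series: the skid position jitters around 1000 mm in a fixed
    4-step pattern and the PLC holds 2 connections; from scan 50 a third
    connection appears and the position is pushed 40 mm off the setpoint."""
    jitter = [0.0, 0.2, 0.0, -0.2]
    mon = CoupledMonitor(["skid_position_mm"], ["connections"])
    findings = []
    for i in range(60):
        pos, conns = 1000.0 + jitter[i % 4], 2
        if i >= 50:
            pos, conns = pos + 40.0, 3
        verdict = mon.step({"skid_position_mm": pos}, {"connections": conns})
        if verdict:
            findings.append((i, verdict))
    return findings


if __name__ == "__main__":
    for scan, verdict in run_demo():
        print(scan, verdict)
```

The monitor flags the scan where the setpoint jumps and the one after it (the extrapolation overshoots once before the two-point history catches up), then goes quiet because the position is stable again at its new, attacker-chosen value; the knowledge model, not the residual check, is what has to decide whether a stable but wrong value is acceptable.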
  • the knowledge model for intrusion and production process can be created during engineering stage and include an intrusion/cybersecurity ontology of concepts that could explain intrusion/cyber security attacks (such as fake commands from HMI, tampered data blocks from MES and even denial-of-service).
  • the ontology also includes other knowledge, such as the adverse impacts caused by cyber-attacks, for instance degraded performance in terms of production and quality.
  • the intrusion and cybersecurity ontology as well as additional production process knowledge can connect causally between process image data (field data) and other forms of context knowledge in controllers, and enable reasoning about abnormal events.
  • the ontology is expressed using the Resource Description Framework (RDF) or the Web Ontology Language (OWL).
  • the intrusion and cybersecurity data in these embodiments may also be stored in a triplestore located on the non-volatile computer-readable storage medium operably coupled to the PLC.
  • Different knowledge models (i.e., ontologies) may cover different aspects (e.g., product, asset, process, and sensor).
  • the modular structure of ontology languages enables users to dynamically add/remove knowledge dimensions to automation system data. For example, depending on the application or recipient of the data, more or less knowledge information can be added to the raw data by the automation devices.
  • Knowledge models are not restricted to hierarchically organized models and may consist of a network (i.e. not only trees), which subsumes various types of relations.
  • each knowledge model may be declaratively specified in a syntax file, which allows model changes during runtime without compilation or stopping the PLC.
  • After assembling, the auto frame is removed from the skid, and the PLC moves the skid back to the home position, where a new auto frame will be placed on the skid.
  • the PLC exchanges data with an HMI continuously during production.
  • the MES (Manufacturing Execution System) creates a connection, reads the batch number from the PLC and then downloads the settings of position, speed and proportional–integral–derivative (PID) control parameters of the skid when there is a shift change or batch change.
  • C1 is the number of connections, C2 the exchanged data blocks, S1 the actual position collected by the PLC (high-fidelity data) and S2 the production time of a car frame.
  • the following events may be correlated, as shown in the event sequence 800 in FIG. 8: (1) Event A - a new communication connection to the PLC is created; (2) Event B - an open TCP/IP data block is sent from the PLC and then another open TCP/IP data block is sent to the PLC; (3) Event C - the skid position is collected at high fidelity; and (4) Event D - the production time of a car frame is recorded. Note that, for a certain batch (same side, same type) of car, the production time cannot be exactly the same for each car frame.
  • (1) Event E - an open TCP/IP connection to the PLC 915 is created; (2) Event F - a data block over this TCP connection is sent by the PLC 915, and another data block is sent to the PLC 915; (3) Event G - positions of the skid are collected, and position overshoot and vibration of the skid are observed; and (4) Event H - the production time of a car frame increases and jumps out of the historical pattern as expected.
  • the intrusion detection functionality on the PLC 915 can monitor the abnormal events and reason backward as follows. First, according to the historical data, the expected time to position the skid and the production time of a car are extrapolated.
  • an alarm may be sent (e.g., to HMI 920) indicating that a cyber-attack may be happening.
  • the methods, systems, and apparatuses described herein provide several advantages compared to conventional systems. For example, the use of data analytics and production process knowledge allows detection of cyber-attacks that cannot be detected by traditional intrusion detection technologies developed in the IT world. Additionally, the use of distributed (in each controller), high-fidelity data rather than centralized detection helps avoid a single point of failure in the overall system. The ability to (remotely) deploy custom-developed signature-based detection plugins (virtual patches) during a cyber-attack enhances the behavioral detection with threat intelligence capabilities. Additionally, with the disclosed technology, the security feature is an add-on application that can be easily added and removed.
  • the processors described herein as used by control layer devices may include one or more central processing units (CPUs), graphical processing units (GPUs), or any other processor known in the art. More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing tasks. A processor acts upon information by manipulating, analyzing, modifying, converting or transmitting information for use by an executable procedure or an information device, and/or by routing the information to an output device.
  • a processor may use or comprise the capabilities of a computer, controller or microprocessor, for example, and be conditioned using executable instructions to perform special purpose functions not performed by a general purpose computer.
  • a processor may be coupled (electrically and/or as comprising executable components) with any other processor enabling interaction and/or communication there-between.
  • a user interface processor or generator is a known element comprising electronic circuitry or software or a combination of both for generating display images or portions thereof.
  • a user interface comprises one or more display images enabling user interaction with a processor or other device.
  • Various devices described herein including, without limitation, the control layer devices and related computing infrastructure, may include at least one computer readable medium or memory for holding instructions programmed according to embodiments of the invention and for containing data structures, tables, records, or other data described herein.
  • the term "computer readable medium" as used herein refers to any medium that participates in providing instructions to one or more processors for execution.
  • a computer readable medium may take many forms including, but not limited to, non-transitory, non-volatile media, volatile media, and transmission media.
  • Non-limiting examples of non-volatile media include optical disks, solid state drives, magnetic disks, and magneto-optical disks.
  • Non-limiting examples of volatile media include dynamic memory.
  • Non-limiting examples of transmission media include coaxial cables, copper wire, and fiber optics, including the wires that make up a system bus. Transmission media may also take the form of acoustic or light waves, such as those generated during radio wave and infrared data communications.
  • An executable application comprises code or machine readable instructions for conditioning the processor to implement predetermined functions, such as those of an operating system, a context data acquisition system or other information processing system, for example, in response to user command or input.
  • An executable procedure is a segment of code or machine readable instruction, sub-routine, or other distinct section of code or portion of an executable application for performing one or more particular processes.
  • These processes may include receiving input data and/or parameters, performing operations on received input data and/or performing functions in response to received input parameters, and providing resulting output data and/or parameters.
  • the functions and process steps herein may be performed automatically, wholly or partially in response to user command.
  • An activity (including a step) performed automatically is performed in response to one or more executable instructions or device operation without user direct initiation of the activity.
  • the system and processes of the figures are not exclusive. Other systems, processes and menus may be derived in accordance with the principles of the invention to accomplish the same objectives.
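The event sequences above (Events A-D for a legitimate shift change, Events E-H for the run in which the skid overshoots and the production time leaves its pattern) and the ontology-based backward reasoning over process and network data, as an added Python example that is not the patent's own implementation: the RDF-style triple store, the concept and event names, the mean-plus-three-standard-deviations band used as the prediction, and the sample batch history and cycles are all constructed assumptions for illustration.

```python
"""Added example (not the patent's own code): PLC-side detection that predicts
expected bands from batch history, flags deviations, and reasons backward over
a small RDF-style triple store standing in for the intrusion ontology. All
triples, feature names, thresholds and sample cycles are constructed."""
from statistics import mean, pstdev

TARGET_POSITION = 1000.0  # constructed skid target position (mm)

# Constructed ontology as (subject, predicate, object) triples: "causes" edges
# form causal chains, "requiresEvidence" names the network-side observation an
# attack concept needs, "impact" records the adverse effect on production.
ONTOLOGY = [
    ("TamperedDataBlockFromMES", "causes", "ParameterChange"),
    ("ParameterChange", "causes", "PositionOvershoot"),
    ("ParameterChange", "causes", "ProductionTimeDeviation"),
    ("FakeCommandFromHMI", "causes", "UnexpectedMotion"),
    ("UnexpectedMotion", "causes", "ProductionTimeDeviation"),
    ("DenialOfService", "causes", "ConnectionFlood"),
    ("ConnectionFlood", "causes", "ProductionTimeDeviation"),
    ("TamperedDataBlockFromMES", "requiresEvidence", "NewConnection"),
    ("TamperedDataBlockFromMES", "requiresEvidence", "DataBlockReceived"),
    ("FakeCommandFromHMI", "requiresEvidence", "DataBlockReceived"),
    ("DenialOfService", "requiresEvidence", "NewConnection"),
    ("TamperedDataBlockFromMES", "impact", "DegradedQuality"),
    ("FakeCommandFromHMI", "impact", "DegradedProduction"),
    ("DenialOfService", "impact", "DegradedProduction"),
]
ATTACK_CONCEPTS = {s for s, p, _ in ONTOLOGY if p == "impact"}


def effects_of(concept):
    """Transitive closure of 'causes' edges starting at concept."""
    reachable, frontier = set(), {concept}
    while frontier:
        step = {o for s, p, o in ONTOLOGY if p == "causes" and s in frontier}
        frontier = step - reachable
        reachable |= step
    return reachable


def explain(anomalies, network_events):
    """Backward reasoning: attack concepts whose causal chain covers every
    observed anomaly and whose required network evidence was seen."""
    return {a for a in ATTACK_CONCEPTS
            if anomalies <= effects_of(a)
            and {o for s, p, o in ONTOLOGY
                 if p == "requiresEvidence" and s == a} <= network_events}


def predict(history, k=3.0, min_sd=1e-6):
    """Expected band (mean +/- k std devs) extrapolated from batch history;
    min_sd stops a constant history yielding a zero-width band."""
    m, sd = mean(history), max(pstdev(history), min_sd)
    return m - k * sd, m + k * sd


def overshoot(trace, target=TARGET_POSITION):
    """S1 feature from the high-fidelity position trace of one cycle."""
    return max(trace) - target


def detect(cycle, history, k=3.0):
    """One pass after a production cycle. Returns None while process data stays
    inside the predicted bands (network events alone never alarm), otherwise an
    alert dict for the HMI; an empty possible_attacks list means the deviation
    is real but the knowledge model cannot yet explain it."""
    events = {name for name, seen in (("NewConnection", cycle["new_connection"]),
              ("DataBlockReceived", cycle["data_block_received"])) if seen}
    observed = {"PositionOvershoot": overshoot(cycle["position_trace"]),
                "ProductionTimeDeviation": cycle["production_time"]}
    bands = {"PositionOvershoot": predict(history["overshoot"], k),
             "ProductionTimeDeviation": predict(history["production_time"], k)}
    anomalies = {f for f, v in observed.items() if not bands[f][0] <= v <= bands[f][1]}
    if not anomalies:
        return None
    return {"anomalies": sorted(anomalies), "network_events": sorted(events),
            "possible_attacks": sorted(explain(anomalies, events))}


# Constructed history: ten earlier car frames of the same batch.
HISTORY = {"overshoot": [0.8, 1.1, 0.9, 1.2, 1.0, 0.7, 1.1, 0.9, 1.0, 1.3],
           "production_time": [60.0, 60.4, 59.7, 60.1, 60.3, 59.8, 60.2, 59.9, 60.5, 60.0]}
# Constructed legitimate shift change (Events A-D): MES connects and downloads
# settings, the skid behaves as before.
NORMAL_CYCLE = {"new_connection": True, "data_block_received": True,
                "position_trace": [0.0, 500.0, 990.0, 1001.0, 1000.0], "production_time": 60.2}
# Constructed Events E-H: connection and data block arrive, then the skid
# overshoots and vibrates and the frame takes far longer than the pattern.
ATTACK_CYCLE = {"new_connection": True, "data_block_received": True,
                "position_trace": [0.0, 500.0, 1012.0, 994.0, 1006.0, 1000.0], "production_time": 75.0}


def run_example():
    """Both constructed cycles against the batch history."""
    return detect(NORMAL_CYCLE, HISTORY), detect(ATTACK_CYCLE, HISTORY)


if __name__ == "__main__":
    print(run_example())
```

The shift-change cycle carries the same network events as the anomalous one (new connection, data block), yet produces no alert because the process features stay inside their predicted bands; only when the process deviates does the controller consult the knowledge model, and the required-evidence triples are what keep it from blaming an MES data block when no connection was ever opened.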

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Programmable Controllers (AREA)

Abstract

The invention concerns a method for detecting threats in an industrial production environment, comprising determining, by an industrial controller, a plurality of predicted values for automation system production data and automation system network data collected by the programmable logic controller, and monitoring current values of the automation system production data and the automation system network data. If the current values of the automation system production data and the automation system network data deviate from the plurality of predicted values, the industrial controller applies a knowledge model for intrusion detection to the automation system production data and the automation system network data in order to identify a possible cyber-attack. The industrial controller then sends an alert to an operator device indicating the possible cyber-attack.
PCT/US2016/028893 2015-04-24 2016-04-22 Improving control system resilience by highly coupling security functions with control Ceased WO2016172514A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201562152250P 2015-04-24 2015-04-24
US62/152,250 2015-04-24
US201562266881P 2015-12-14 2015-12-14
US62/266,881 2015-12-14

Publications (1)

Publication Number Publication Date
WO2016172514A1 true WO2016172514A1 (fr) 2016-10-27

Family

ID=55910413

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/028893 Ceased WO2016172514A1 (fr) 2015-04-24 2016-04-22 Improving control system resilience by highly coupling security functions with control

Country Status (1)

Country Link
WO (1) WO2016172514A1 (fr)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789253A (zh) * 2016-12-23 2017-05-31 西安电子科技大学 Resilience evaluation and optimization method for complex information networks
CN107395598A (zh) * 2017-07-25 2017-11-24 重庆邮电大学 Adaptive defense method for suppressing virus propagation
CN108259478A (zh) * 2017-12-29 2018-07-06 中国电力科学研究院有限公司 Security protection method based on hooking the interfaces of industrial control terminal devices
EP3361332A1 (fr) * 2017-02-08 2018-08-15 Kaspersky Lab AO System and method for monitoring the execution system of a programmable logic controller
WO2018217191A1 (fr) * 2017-05-24 2018-11-29 Siemens Aktiengesellschaft Collection of PLC indicators of compromise and forensic data
EP3425866A1 (fr) * 2017-07-06 2019-01-09 Siemens Aktiengesellschaft Detection of an undefined action in an industrial system
EP3425503A1 (fr) * 2017-07-03 2019-01-09 Kyland Technology Co., Ltd. Method and apparatus for operating a plurality of operating systems in an industrial internet operating system
EP3439254A1 (fr) * 2017-08-01 2019-02-06 Schneider Electric Industries SAS Multiport device
WO2019066883A1 (fr) * 2017-09-29 2019-04-04 Siemens Aktiengesellschaft Deployment of out-of-the-box declarative security functionality for an engineering platform
WO2019099088A1 (fr) * 2017-11-17 2019-05-23 Siemens Aktiengesellschaft Risk analysis for an industrial control system
US10417415B2 (en) 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
CN110445801A (zh) * 2019-08-16 2019-11-12 武汉思普崚技术有限公司 Situational awareness method and system for the Internet of Things
CN110460472A (zh) * 2019-08-16 2019-11-15 武汉思普崚技术有限公司 Weighted quantitative situational awareness method and system
CN110460608A (zh) * 2019-08-16 2019-11-15 武汉思普崚技术有限公司 Situational awareness method and system including correlation analysis
CN110471975A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Internet of Things situational awareness invocation method and apparatus
CN110474904A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Situational awareness method and system with improved prediction
CN110474805A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Invocable situational awareness analysis method and apparatus
CN110493043A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Distributed situational awareness invocation method and apparatus
CN110493044A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Quantifiable situational awareness method and system
CN110493217A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Distributed situational awareness method and system
CN110493218A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Situational awareness virtualization method and apparatus
US10599120B2 (en) 2017-02-08 2020-03-24 AO Kaspersky Lab System and method of monitoring of the execution system of a programmable logic controller
US10805329B2 (en) 2018-01-19 2020-10-13 General Electric Company Autonomous reconfigurable virtual sensing system for cyber-attack neutralization
US10896261B2 (en) 2018-11-29 2021-01-19 Battelle Energy Alliance, Llc Systems and methods for control system security
WO2021180528A1 (fr) * 2020-03-11 2021-09-16 Siemens Gamesa Renewable Energy A/S Method for computer-implemented identification of unauthorized access to a wind farm
US20230109488A1 (en) * 2020-03-11 2023-04-06 Siemens Gamesa Renewable Energy A/S A method for computer-implemented identifying unauthorized access to a wind farm it infrastructure
WO2023043369A3 (fr) * 2021-09-14 2023-05-25 Singapore University Of Technology And Design Systems for establishing intrusion detection logic for programmable logic controllers
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack
US12034741B2 (en) 2021-04-21 2024-07-09 Ge Infrastructure Technology Llc System and method for cyberattack detection in a wind turbine control system
US12510052B1 (en) 2024-06-27 2025-12-30 GE Vernova Renovables Espana, S.L. System and method for optimizing control of a wind turbine
US12560150B2 (en) 2021-10-07 2026-02-24 GE Vernova Renovables Espana, S.L. Systems and methods for controlling a wind turbine

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011155961A2 (fr) * 2010-06-10 2011-12-15 Siemens Corporation Method for quantitative estimation of the resilience of industrial control systems
WO2013055807A1 (fr) * 2011-10-10 2013-04-18 Global Dataguard, Inc Detection of emergent behavior in communications networks
WO2015033049A1 (fr) * 2013-09-04 2015-03-12 Frederic Planchon Conseil Means of protection for industrial computer systems

Cited By (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10417415B2 (en) 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
CN106789253A (zh) * 2016-12-23 2017-05-31 西安电子科技大学 Resilience evaluation and optimization method for complex information networks
US10599120B2 (en) 2017-02-08 2020-03-24 AO Kaspersky Lab System and method of monitoring of the execution system of a programmable logic controller
EP3361332A1 (fr) * 2017-02-08 2018-08-15 Kaspersky Lab AO System and method for monitoring the execution system of a programmable logic controller
CN110678864A (zh) * 2017-05-24 2020-01-10 西门子股份公司 Collection of PLC indicators of compromise and forensic data
WO2018217191A1 (fr) * 2017-05-24 2018-11-29 Siemens Aktiengesellschaft Collection of PLC indicators of compromise and forensic data
EP3425503A1 (fr) * 2017-07-03 2019-01-09 Kyland Technology Co., Ltd. Method and apparatus for operating a plurality of operating systems in an industrial internet operating system
US10656961B2 (en) 2017-07-03 2020-05-19 Kyland Technology Co., Ltd Method and apparatus for operating a plurality of operating systems in an industry internet operating system
WO2019007827A1 (fr) * 2017-07-06 2019-01-10 Siemens Aktiengesellschaft Detection of an undefined action in an industrial system
EP3425866A1 (fr) * 2017-07-06 2019-01-09 Siemens Aktiengesellschaft Detection of an undefined action in an industrial system
CN107395598B (zh) * 2017-07-25 2020-06-19 重庆邮电大学 Adaptive defense method for suppressing virus propagation
CN107395598A (zh) * 2017-07-25 2017-11-24 重庆邮电大学 Adaptive defense method for suppressing virus propagation
EP3439254A1 (fr) * 2017-08-01 2019-02-06 Schneider Electric Industries SAS Multiport device
WO2019066883A1 (fr) * 2017-09-29 2019-04-04 Siemens Aktiengesellschaft Deployment of out-of-the-box declarative security functionality for an engineering platform
WO2019099088A1 (fr) * 2017-11-17 2019-05-23 Siemens Aktiengesellschaft Risk analysis for an industrial control system
CN108259478A (zh) * 2017-12-29 2018-07-06 中国电力科学研究院有限公司 Security protection method based on hooking the interfaces of industrial control terminal devices
US10805329B2 (en) 2018-01-19 2020-10-13 General Electric Company Autonomous reconfigurable virtual sensing system for cyber-attack neutralization
US12189778B2 (en) 2018-11-29 2025-01-07 Battelle Energy Alliance, Llc Systems and methods for control system security
US10896261B2 (en) 2018-11-29 2021-01-19 Battelle Energy Alliance, Llc Systems and methods for control system security
CN110471975A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Internet of Things situational awareness invocation method and apparatus
CN110493217B (zh) * 2019-08-16 2022-04-12 武汉思普崚技术有限公司 Distributed situational awareness method and system
CN110493218A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Situational awareness virtualization method and apparatus
CN110493044A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Quantifiable situational awareness method and system
CN110493043A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Distributed situational awareness invocation method and apparatus
CN110474805A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Invocable situational awareness analysis method and apparatus
CN110474904A (zh) * 2019-08-16 2019-11-19 武汉思普崚技术有限公司 Situational awareness method and system with improved prediction
CN110460608A (zh) * 2019-08-16 2019-11-15 武汉思普崚技术有限公司 Situational awareness method and system including correlation analysis
CN110460472A (zh) * 2019-08-16 2019-11-15 武汉思普崚技术有限公司 Weighted quantitative situational awareness method and system
CN110445801A (zh) * 2019-08-16 2019-11-12 武汉思普崚技术有限公司 Situational awareness method and system for the Internet of Things
CN110493218B (zh) * 2019-08-16 2022-04-08 武汉思普崚技术有限公司 Situational awareness virtualization method and apparatus
CN110474904B (zh) * 2019-08-16 2022-04-12 武汉思普崚技术有限公司 Situational awareness method and system with improved prediction
CN110445801B (zh) * 2019-08-16 2022-04-12 武汉思普崚技术有限公司 Situational awareness method and system for the Internet of Things
CN110493217A (zh) * 2019-08-16 2019-11-22 武汉思普崚技术有限公司 Distributed situational awareness method and system
CN110460608B (zh) * 2019-08-16 2022-04-12 武汉思普崚技术有限公司 Situational awareness method and system including correlation analysis
CN110493044B (zh) * 2019-08-16 2022-05-03 武汉思普崚技术有限公司 Quantifiable situational awareness method and system
CN110460472B (zh) * 2019-08-16 2022-05-03 武汉思普崚技术有限公司 Weighted quantitative situational awareness method and system
CN110474805B (zh) * 2019-08-16 2022-05-03 武汉思普崚技术有限公司 Invocable situational awareness analysis method and apparatus
CN110493043B (zh) * 2019-08-16 2022-05-03 武汉思普崚技术有限公司 Distributed situational awareness invocation method and apparatus
US20230109488A1 (en) * 2020-03-11 2023-04-06 Siemens Gamesa Renewable Energy A/S A method for computer-implemented identifying unauthorized access to a wind farm it infrastructure
WO2021180528A1 (fr) * 2020-03-11 2021-09-16 Siemens Gamesa Renewable Energy A/S Method for computer-implemented identification of unauthorized access to a wind farm
US12463968B2 (en) * 2020-03-11 2025-11-04 Siemens Gamesa Renewable Energy A/S Method for computer-implemented identifying an unauthorized access to a wind farm
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack
US12034741B2 (en) 2021-04-21 2024-07-09 Ge Infrastructure Technology Llc System and method for cyberattack detection in a wind turbine control system
WO2023043369A3 (fr) * 2021-09-14 2023-05-25 Singapore University Of Technology And Design Systems for establishing intrusion detection logic for programmable logic controllers
US12560150B2 (en) 2021-10-07 2026-02-24 GE Vernova Renovables Espana, S.L. Systems and methods for controlling a wind turbine
US12510052B1 (en) 2024-06-27 2025-12-30 GE Vernova Renovables Espana, S.L. System and method for optimizing control of a wind turbine

Similar Documents

Publication Publication Date Title
WO2016172514A1 (fr) Improving control system resilience by highly coupling security functions with control
US11099951B2 (en) Cyberattack-resilient control system design
US10027699B2 (en) Production process knowledge-based intrusion detection for industrial control systems
US11212322B2 (en) Automated discovery of security policy from design data
JP7603687B2 (ja) Centralized knowledge repository and data mining system
US10819721B1 (en) Systems and methods for monitoring traffic on industrial control and building automation system networks
US20210382989A1 (en) Multilevel consistency check for a cyber attack detection in an automation and control system
WO2018044410A1 (fr) High-interaction, non-intrusive industrial control system honeypot
US10348570B1 (en) Dynamic, endpoint configuration-based deployment of network infrastructure
EP4152192A1 (fr) Chassis backplane intrusion detection system and continuous threat detection enablement platform
Klick et al. Internet-facing PLCs as a network backdoor
US11683336B2 (en) System and method for using weighting factor values of inventory rules to efficiently identify devices of a computer network
CN113924570A (zh) User behavior analysis for security anomaly detection in industrial control systems
CN107852400B (zh) Self-defending smart field device and architecture
US20230328078A1 (en) System and method for counteracting effects of improper network traffic
EP4099656A1 (fr) Computer-implemented method and monitoring arrangement for identifying manipulations of cyber-physical systems, and computer-implemented tool and cyber-physical system
US11356468B2 (en) System and method for using inventory rules to identify devices of a computer network
CN119968629A (zh) Interpretation and classification of traffic on industrial control networks
Gupta et al. Integration of technology to access the manufacturing plant via remote access system-A part of Industry 4.0
JP7374792B2 (ja) System and method for incrementally increasing the IT security of elements of a technical system
EP4369228B1 (fr) Aggregation of anomalous events for system analysis and response
Wei et al. Improving control system resilience by highly coupling security functions with control
US20250300966A1 (en) Security protocol proxy for an operational technology system
EP4307146B1 (fr) Systems and methods for automatic security enforcement for industrial automation devices
EP3889711A1 (fr) Portable cybersecurity runtime engines

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16720294

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16720294

Country of ref document: EP

Kind code of ref document: A1