Patent classifications
G05B2219/23317
Industrial Network Behavior Analysis Method, Apparatus and System, and Computer-Readable Medium
Various embodiments of the teachings herein include an industrial network behavior analysis method. The method may include: defining a first time window for a target industrial control system, during which the target industrial control system performs a control behavior; respectively determining an execution probability deviation for each control instruction within the first time window, where the execution probability characterizes the ratio of the number of times the corresponding control instruction is executed within a time period to the total number of control instruction executions within that time period; and defining a second time window according to the control instruction, the second time window characterizing a time period in which the system performs the corresponding control behavior, that control behavior being the same as the one performed in the first time window. The method may include performing, for each second time window: for each control instruction, calculating an execution probability; for each control instruction, determining whether the execution probability meets a target deviation, wherein the target execution probability deviation is the execution probability deviation of the corresponding control instruction in the first time window; determining that the control instruction is legal if its execution probability meets the target deviation; and determining that the control instruction is suspicious if its execution probability does not.
Security monitoring device
A control device is protected from a threat which may occur with the advance of networking or incorporation of intelligence. A security monitoring device that can be externally attached to the control device having a program execution portion that executes a program produced in accordance with a control target includes a communication port for connection with the control device. When it is detected from a content of communication that a security event is generated in access from outside to the control device, a notification is provided to a notification destination corresponding to the generated security event. The security event includes an event that does not conform to a predetermined rule.
Cyber security platform and method
A method of providing cyber security to an industrial control system is described. The method includes detecting an anomaly and recording and reporting the detected anomaly to a control system within a network associated with the industrial control system. Detecting the anomaly may include recording all unauthorized attempts to connect to a communication port in the network, capturing identifying information associated with the unauthorized attempts, detecting scanning activity of a hacker in the network, detecting an attempt to manipulate a log file to conceal malicious activity in the network, and recording and reporting the detected anomaly to a controller within the network.
Plant-specific, automated certificate management
A method for authenticating devices and/or applications, specifically web applications, in a control system for an industrial plant, wherein the control system includes at least one local registration service and at least one software inventory, where the method includes determining by the at least one local registration service information about which communications protocols and/or applications are supported by the devices and/or applications and/or which communications protocols and/or applications are active, during authentication of the devices and/or applications within the control system, and storing the device-specific information determined by the local registration service in the at least one software inventory of the control system.
Safe guard detection for unexpected operations in a MES system
A method for performing a safe guard detection of unexpected operations launched by an operator for a manufacturing execution system (MES system) is based on a first database containing a set of operations, a set of operators, calendar information for a shift and calendar information for the equipment of the MES system. The MES system further has a second database containing a login history of logins carried out by the operator. The detection of a malicious operation is carried out by checking whether the operation complies with a set of rules defining allowed operations, or with a learning module in which specific roles of operators are contained and which checks whether an operation complies with a specific role. In case of non-compliance, the operation is stored as an entry in an event trace file for generating alerts.
Industrial Control System in Automation Technology with Independently Operating Modules
A control system in industrial automation technology includes hardware having at least one processor and at least one storage device, in which applications to be executed by the control system are stored. The control system is configured such that at least two and preferably a plurality of mutually isolated execution environments are provided and/or configured. At least two, and preferably a plurality, of independently executable and/or operating functional modules are included, each of which can be executed and/or operate, in particular exclusively, in an isolated execution environment. The functional modules are characteristic of functions of the control system.
Integrated industrial system and control method thereof
An integrated industrial system includes a safety instrumented system which is installed in a first zone, a host system which is connected to the safety instrumented system through a network, the host system being installed in a second zone which is different from the first zone, a detector which is installed in each of the first zone and the second zone, the detector being configured to detect a cyber-attack from outside to a self-zone, and a defender configured to perform a countermeasure of restricting a communication between the first zone and the second zone or of restricting a communication in the first zone or the second zone, based on a detection result of the detector.
INTEGRITY MONITORING IN AUTOMATION SYSTEMS
Monitoring the integrity of industrial automation systems is provided. For example, a negative impact on integrity caused by unauthorized access should be identified. This is made possible by comparing state data which describe the operating state of the industrial automation system, with sensor data which describe an environmental influence of the automation system.