USING AI FOR ENSURING DATA INTEGRITY OF INDUSTRIAL CONTROLLERS

Abstract

In example implementations described herein, the power of time series machine learning is used to extract the statistics of Programmable Logic Controller (PLC) data and external sensor data. The accuracy of time series machine learning is improved by manufacturing context-dependent segmentation of the time series into states which is factory may be in. The invention can capture subtle trends in these time series data and be able to classify them into several outcomes from ICS security attacks to normal anomalies and machine/sensor failures.

Claims

1. A method, comprising: for a state of a factory determined from current operating conditions of the factory: receiving streaming Programmable Logic Controller (PLC) values from PLCs on a network of the factory, and streaming external sensor values from sensors in the factory connected externally to the network; conducting probabilistic analytics on the streaming PLC values and streaming external sensor values against historical PLC values and historical sensor values associated with the state of the factory; and for the probabilistic analytics indicative of the streaming PLC values being within expectation for the state, and the streaming external sensor values not being within expectation for the state, providing an indication of a security incident.

2. The method of claim 1, further comprising, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values not being within expectation for the state, detecting one of a new state and a factory event.

3. The method of claim 2, wherein for the detecting being indicative of the new state, storing the streaming PLC values and the streaming external sensor values as the historical PLC values and the historical sensor values for the new state.

4. The method of claim 1, further comprising, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values being within expectation for the state, providing an indication of sensor failure.

5. The method of claim 1, wherein the state is selected from a plurality of states, each state associated with corresponding historical sensor and PLC values, and associated with operations of the factory.

6. A non-transitory computer readable medium, storing instructions for executing a process, the instructions comprising: for a state of a factory determined from current operating conditions of the factory: receiving streaming Programmable Logic Controller (PLC) values from PLCs on a network of the factory, and streaming external sensor values from sensors in the factory connected externally to the network; conducting probabilistic analytics on the streaming PLC values and streaming external sensor values against historical PLC values and historical sensor values associated with the state of the factory; and for the probabilistic analytics indicative of the streaming PLC values being within expectation for the state, and the streaming external sensor values not being within expectation for the state, providing an indication of a security incident.

7. The non-transitory computer readable medium of claim 6, further comprising, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values not being within expectation for the state, detecting one of a new state and a factory event.

8. The non-transitory computer readable medium of claim 7, wherein for the detecting being indicative of the new state, storing the streaming PLC values and the streaming external sensor values as the historical PLC values and the historical sensor values for the new state.

9. The non-transitory computer readable medium of claim 6, further comprising, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values being within expectation for the state, providing an indication of sensor failure.

10. The non-transitory computer readable medium of claim 6, wherein the state is selected from a plurality of states, each state associated with corresponding historical sensor and PLC values, and associated with operations of the factory.

11. A management apparatus configured to manage a plurality of programmable logic controllers (PLCs) on a network of a factory and a plurality of sensors connected to the management apparatus externally from the network, the management apparatus comprising: a processor, configured to: for a state of a factory determined from current operating conditions of the factory: receive streaming PLC values from the PLCs and streaming external sensor values from the plurality of sensors in the factory connected externally to the network; conduct probabilistic analytics on the streaming PLC values and streaming external sensor values against historical PLC values and historical sensor values associated with the state of the factory; and for the probabilistic analytics indicative of the streaming PLC values being within expectation for the state, and the streaming external sensor values not being within expectation for the state, providing an indication of a security incident.

12. The apparatus of claim 11, the processor further configured to, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values not being within expectation for the state, detect one of a new state and a factory event.

13. The apparatus of claim 12, the processor further configured to, for the detecting being indicative of the new state, store the streaming PLC values and the streaming external sensor values as the historical PLC values and the historical sensor values for the new state.

14. The apparatus of claim 11, the processor further configured to, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values being within expectation for the state, providing an indication of sensor failure.

15. The apparatus of claim 11, wherein the state is selected from a plurality of states, each state associated with corresponding historical sensor and PLC values, and associated with operations of the factory.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0017] FIG. 1 illustrates an example of an ICS System with additional sensors, in accordance with an example implementation.

[0018] FIG. 2 illustrates an example system diagram of the AI implementations for an ICS system, in accordance with an example implementation.

[0019] FIG. 3 illustrates an example of the space of global external variables, in accordance with an example implementation.

[0020] FIG. 4 illustrates an example flow for the factory state determination module, in accordance with an example implementation.

[0021] FIG. 5 illustrates an example flow for the factory state determination module when the signal_state is received, in accordance with an example implementation.

[0022] FIG. 6 illustrates an example of security analytics module, in accordance with an example implementation.

[0023] FIG. 7 illustrates an example flow diagram for the training module of the security analytics module, in accordance with an example implementation.

[0024] FIG. 8 illustrates a flow diagram for a test module of the security analytics module, in accordance with an example implementation.

[0025] FIG. 9 illustrates an example system architecture of a sensing system and a control system in a factory, in accordance with an example implementation.

[0026] FIGS. 10(a) and 10(b) illustrate example management information, in accordance with an example implementation.

[0027] FIG. 11 illustrates an example computing environment with an example computer device suitable for use in example implementations.

DETAILED DESCRIPTION

[0028] The following detailed description provides further details of the figures and example implementations of the present application. Reference numerals and descriptions of redundant elements between figures are omitted for clarity. Terms used throughout the description are provided as examples and are not intended to be limiting. For example, the use of the term automatic may involve fully automatic or semi-automatic implementations involving user or administrator control over certain aspects of the implementation, depending on the desired implementation of one of ordinary skill in the art practicing implementations of the present application. Selection can be conducted by a user through a user interface or other input means, or can be implemented through a desired algorithm. Example implementations as described herein can be utilized either singularly or in combination and the functionality of the example implementations can be implemented through any means according to the desired implementations.

[0029] FIG. 2 illustrates an example system diagram of the AI implementations for an ICS system, in accordance with an example implementation. For clarity purposes, the present disclosure uses the concepts of Factory State or Class. In the definition of factory state and class of the present disclosure, a factory may exist in one of several possible high-level states and in each state the operational conditions, labor conditions and statistics of PLC and sensor values are distinct. Examples are as follows:

[0030] 1. The state is defined by the product being manufactured in the assembly lines. If the product changes from product A to product B, the state also changes. For example, the new product B may have to be built faster than product A (e.g., target higher parts produced per minute) which means that machines operate faster and more workers may be required. This difference thereby corresponds to a new state.

[0031] 2. The duration of time in which the shift changes in the factory is a new state. In this state, workers from the old shift leave and new workers come in. There is some disruption in operations during this time and thus it qualifies as a new state.

[0032] 3. Suppose that in a given morning, many workers do not show up. Some machines may be shut down, some production may be stopped or re-routed to different machines. The duration of time for which this condition persists can be labeled as a new state.

[0033] 4. An important machine breaks down and has to be taken offline for maintenance. Some production is stopped or re-routed to different machines. The duration of time for which this condition persists can be labeled as a new state.

[0034] Usually a state will last for a period of time before switching to a new state. Some states will usually re-occur again later either in a regular manner (examples 1 and 2 above) or in an irregular manner (examples 3 and 4 above).

[0035] The block diagram of the proposed system is shown in FIG. 2. The system of FIG. 2 has the following components, the high-level descriptions of which are described herein.

[0036] There is a factory state determination module 202 which takes its input from all existing data sources 201 in the factory that are not related to machine information (such as PLCs or external sensors). Such existing data sources 201 can include Enterprise Resource Planning (ERP) systems that show procurement delays, changes in sales and operations planning, Manufacturing Execution System (MES) that show the real-time changes in production, shop-floor condition, video analysis results in shop-floor that track worker flow and significant changes therein, and so on in accordance with the desired implementation. Unlike machine information such as PLCs and external sensors, the values of these data sources do not change significantly over short time durations. The factory state determination module 202 computes factory state and passes this information via connection 203 to a security analytics module 204. The security analytics module 204 is attached to the streaming databases that store PLC values 205 and that store external sensor values 206, wherein the security analytics module 204 can access data from both of them. The security analytics module 204 performs security analytics based on these three types of information and passes on the result back to the factory state determination module 202. This result is encapsulated in a data structure called Signal_State 207.

[0037] FIG. 3 illustrates an example of the space of global external variables, in accordance with an example implementation. Specifically, FIG. 3 illustrates a conceptual view of the space E of all possible states. This space E is also a space of all possible outcomes of data sources in 201. A particular state (e.g. 2011, 2012, 2013) is a subset of E. Note there some states may overlap (for example the two states given in examples 3 and 4 have a commonality that machines are shut down and these could be the same machines. These could be states E1 and E3). Thus, there may not be a finite number of states and new states may need to be defined. Hence there is no rigorous way to define a state. In the present disclosure, states are therefore described in a qualitative way.

[0038] FIG. 4 illustrates an example flow for the factory state determination module, in accordance with an example implementation. The flow of the factory state determination module 202 can be as follows.

[0039] At 2021, the module initializes a set of states or classes E.sub.1 to E.sub.K. This set of states or classes can be based on human (factory personnel) input, or otherwise depending on the desired implementation. The module assigns a numerical label S.sub.1 to S.sub.K for each state for ease of future reference. At 2022, the module obtains the value of current data sources not related to machine information. Call this e. At 2023, the module checks if this value corresponds to a known state amongst E.sub.1 to E.sub.K, or is very close to one of these states. This operation of checking can be based on a qualitative judgement in accordance with the desired implementation (e.g., within a set threshold, a probablistic analytics, such as standard deviation, etc.).

[0040] If variable e seems to correspond to an existing state E.sub.n (Yes), proceed to 2025 add this variable to the existing state E.sub.n. To perform this operation, a set of pre-defined rules can be utilized, and the states can be matched as new variables come in, based on the desired implementation. If variable e is indicative of very different conditions than existing states (No), then the process proceeds to 2024 to form a new state E.sub.K+1. Depending on the desired implementation, this process can generate a user interface to prompt human input and validation to incorporate a new state.

[0041] FIG. 5 illustrates an example flow for the factory state determination module when the signal_state is received, in accordance with an example implementation. The factory state determination module 202 also performs various functionalities based on feedback Signal_State 203 from the security analytics module 204. The flow of FIG. 5 is as follows.

[0042] At 2025, the module receives the signal signal_state 207 and processes the signal to determine its type at 2026. The processing can be conducted based on algorithms constructed to process signal_state in accordance with the desired implementation, or can be provided for human interpretation via a user interface. If the value is Check Sensors or Normal Anomaly, then this indicates that there is some normal operational issues with machines (Normal Anomaly) or the external sensors are malfunctioning (Check Sensors). In this case, the process proceeds to 2028 to notify the relevant operations team in the factory to address such issues. Such process can involve dispatching preset instructions based on the type of event. The definitions of Check Sensors and Normal Anomaly is described with respect to the functionalities of the security analytics module 204.

[0043] If the value is New State, then the process proceeds to 2029 as the value indicates that the combination of statistics of the PLC and external sensors have detected the presence of a new state that was not recorded before. In that case, the module stores the current variable e containing information about data sources not related to machine information as a new state.

[0044] If the value is ICS attack, then the process proceeds to 2027 to take action accordingly.

[0045] FIG. 6 illustrates an example of Security Analytics module 204, in accordance with an example implementation. As illustrated in FIG. 6, security analytics module 204 involves two submodules; the training module 2041 and test module 2042. Further details of each module are described with respect to FIGS. 7 and 8.

[0046] FIG. 7 illustrates an example flow diagram for the training module of the security analytics module, in accordance with an example implementation. The training module 2041 can execute the following flow.

[0047] At 20411, the module stores the information regarding the current class and label. At 20412, the module observes all PLC variables and forms the time series P(t). If the class changes in the process at 20411, then the process forms a new time series for that class. At 20413, the module observes all external sensor variables and forms the time series Z(t). If the class changes in the process at 20411, then the module forms a new time series for that class.

[0048] At 20414, the module conducts probabilistic analytics, such as standard time series analysis (e.g., according to any method known to one of ordinary skill in the art) on P(t) to obtain its probabilistic representation P.sub.Sn. This could be a mathematical function of multiple variables. The module labels the probabilistic representation with the label of the current class. As new time series values are received (for the same class), the module updates and improves the nature of P.sub.Sn.

[0049] At 20415, the module conducts probabilistic analytics, such as standard time series analysis on Z(t) to obtain its probabilistic representation Z.sub.Sn. This could be a mathematical function of multiple variables. The module labels the probabilistic representation with the label of the current class. As new time series values are received (for the same class), the module updates and improves the nature of Z.sub.Sn.

[0050] FIG. 8 illustrates a flow diagram for a test module of the security analytics module, in accordance with an example implementation. The test module 2042 is configured to execute the flow as follows.

[0051] At 20421, the module stores the information about the current class and label. At 20422, the module observes all PLC variables and forms the time series P.sub.current(t). This analysis is done for a short time window or sub-sequence as the algorithm tries to detect events (anomalies or attacks) over the window. At 20423, the module observes all external sensor variables and forms the time series Z.sub.current(t). This analysis is done for a short time window or sub-sequence as the algorithm tries to detect events (anomalies or attacks) over the window. At 20424, the module conducts probabilistic analytics, such as standard time series analysis (e.g., according to any method known to one of ordinary skill in the art) on P.sub.current(t) to obtain its probabilistic representation P.sub.SnCurrent. This could be a mathematical function of multiple variables. The module labels the probabilistic representation with the label of the current class.

[0052] At 20425, the module conducts probabilistic analytics, such as standard time series analysis (e.g., according to any method known to one of ordinary skill in the art) on Z.sub.current(t) to obtain its probabilistic representation Z.sub.SnCurrent. This could be a mathematical function of multiple variables. The module labels the probabilistic representation with the label of the current class.

[0053] At 20426, the module computes the distance (e.g., in a probabilistic sense according to any desired implementation known in the art) between P.sub.SnCurrent from the process at 20424 and P.sub.Sn from the process at 20414. Define variable P. If the distance is large (e.g., meets a threshold set in accordance with a desired implementation), then the module assigns P=1, else the module assigns P=0. This process shows that there is significant statistical difference in the behavior of the PLC variables when it is assumed apiori that the factory is in a certain class.

[0054] At 20427, compute the distance (e.g., in a probabilistic sense according to any desired implementation known in the art) between Z.sub.SnCurrent from the process at 20425 and Z.sub.Sn from the process at 20415. Define variable Z. If the distance is large (e.g., meets a threshold set in accordance with a desired implementation), then the module assigns Z=1, else the module assigns Z=0. This process shows that there is significant statistical difference in the behavior of the external sensor variables when it is assumed apiori that the factory is in a certain class.

[0055] At 20428, the process performs the following operations

[0056] a. If P=0 and Z=0, it means that the expected statistical behavior of both PLC and external sensors is as expected. This is a normal event. The module assigns the signal_state accordingly (e.g., as a normal event).

[0057] b. If P=0 and Z=1, it means that the expected statistical behavior of PLC is expected but the behavior of the external sensors is not. This is indicative of an ICS attack which is affecting data integrity of the PLC variables being reported to SCADA. The module assigns the signal_state accordingly (e.g., as ICS attack).

[0058] c. If P=1 and Z=1, it means that the statistical behavior of both PLC and external sensors are not as per expectation. This could be a normal anomaly (such as machine breakdown). It is also possible that the basic assumption of system state is incorrect, and a new state needs to be defined in the Factory State Determination module 202. The module assigns signal_state accordingly (e.g., normal anomaly or new state as determined by user input through a human interface or an algorithmic process in accordance with a desired implementation).

[0059] d. If P=1 and Z=0, it means that the expected statistical behavior of sensors is expected but the behavior of the PLC sensors is not. The latter points to machine event which should have been picked by the former and thus most probably means some malfunctioning in external sensors. The module assigns signal_state accordingly (e.g., check sensors).

[0060] The example implementations described herein can thereby provide manufacturing context-dependent segmentation of the time series into different states which a factory can be in, and find the mathematical representations separately for each class. Such example implementations improve the accuracy over the case when this context dependent knowledge was not used. This is because time series approaches (e.g., as known in the related art) that derive probabilistic functions work well if the underlying distributions are stationary, which is not the case between different states. Further, the example implementations use the PLC sequence and external sensor sequence separately to be able to distinguish between a wide range of outcomes as shown in the process at 20428.

[0061] FIG. 9 illustrates an example system architecture of a sensing system and a control system in a factory, in accordance with an example implementation. In this example system architecture, IoT gateway (GW) 901 controls data gathering from one or more sensors 902 in a synchronous manner, and server 900-2 organizes one or more PLCs 903 connected with each corresponding machine 904-1, 904-2, 904-3. Server 900-2 can not only control the behavior of each machine 904-1, 904-2, 904-3, but also collect PLC values regarding the operations of each machine 904-1, 904-2, 904-3 in a synchronous manner. Therefore, in the example system illustrated in FIG. 9, server 900-1 obtains synchronous values from the sensors 902 and from the PLCs 903. In such a configuration, server 900-1 operates as a management apparatus to manage sensors through IoT GW 901, and PLCs 903 and machine operations through server 900-2.

[0062] To maintain security, the network of the factory itself is managed by server 900-2, which manages the PLCs 903 controlling the underlying machines 904-1, 904-2, 904-3. Server 900-2 can receive a schedule from server 900-1 over a separate network from the factory network as illustrated in FIG. 10(a), and then instruct the PLCs 903 to control the machines 904-1, 904-2, and 904-3 to execute the operations according to the schedule set forth in FIG. 10(a). Sensors 902 are associated with one or more of the machines 904-1, 904-2, 904-3, and are connected to a network that is separate from the factory network for security reasons. This network is managed by IoT GW 901. Server 900-2 streams PLC values with associated timestamps to server 900-1, whereas IoT GW 901 streams sensor values with associated timestamps to server 900-1, whereupon server 900-1 synchronizes the PLC values and the sensor values accordingly based on the timestamp.

[0063] FIGS. 10(a) and 10(b) illustrate example management information, in accordance with an example implementation. Specifically, FIG. 10(a) illustrates an example of scheduling of operations of the factory, which can include the scheduled time period, the operations to be conducted during the scheduled time period, and the expected state derived from the operations to be conducted. From the information of FIG. 10(a), the current operating conditions can thereby be determined for the factory based on the current time and the scheduled operations for the current time. FIG. 10(b) illustrates an example of managing states with historical PLC values and historical sensor values. Each previously measured state can be associated with corresponding historical PLC values and historical sensor values, along with the operations involved in the factory when the state was detected.

[0064] FIG. 11 illustrates an example computing environment with an example computer device suitable for use in example implementations, such as server 900-1 or 900-2 of FIG. 9. Computer device 1105 in computing environment 1100 can include one or more processing units, cores, or processors 1110, memory 1115 (e.g., RAM, ROM, and/or the like), internal storage 1120 (e.g., magnetic, optical, solid state storage, and/or organic), and/or I/O interface 1125, any of which can be coupled on a communication mechanism or bus 1130 for communicating information or embedded in the computer device 1105.

[0065] Computer device 1105 can be communicatively coupled to input/user interface 1135 and output device/interface 1140. Either one or both of input/user interface 1135 and output device/interface 1140 can be a wired or wireless interface and can be detachable. Input/user interface 1135 may include any device, component, sensor, or interface, physical or virtual, that can be used to provide input (e.g., buttons, touch-screen interface, keyboard, a pointing/cursor control, microphone, camera, braille, motion sensor, optical reader, and/or the like). Output device/interface 1140 may include a display, television, monitor, printer, speaker, braille, or the like. In some example implementations, input/user interface 1135 and output device/interface 1140 can be embedded with or physically coupled to the computer device 1105. In other example implementations, other computer devices may function as or provide the functions of input/user interface 1135 and output device/interface 1140 for a computer device 1105. In example implementations involving a touch screen display, a television display, or any other form of display, the display is configured to provide a user interface.

[0066] Examples of computer device 1105 may include, but are not limited to, highly mobile devices (e.g., smartphones, devices in vehicles and other machines, devices carried by humans and animals, and the like), mobile devices (e.g., tablets, notebooks, laptops, personal computers, portable televisions, radios, and the like), and devices not designed for mobility (e.g., desktop computers, other computers, information kiosks, televisions with one or more processors embedded therein and/or coupled thereto, radios, and the like).

[0067] Computer device 1105 can be communicatively coupled (e.g., via I/O interface 1125) to external storage 1145 and network 1150 for communicating with any number of networked components, devices, and systems, including one or more computer devices of the same or different configuration. Computer device 1105 or any connected computer device can be functioning as, providing services of, or referred to as a server, client, thin server, general machine, special-purpose machine, or another label.

[0068] I/O interface 1125 can include, but is not limited to, wired and/or wireless interfaces using any communication or I/O protocols or standards (e.g., Ethernet, 802.11x, Universal System Bus, WiMax, modem, a cellular network protocol, and the like) for communicating information to and/or from at least all the connected components, devices, and network in computing environment 1100. Network 1150 can be any network or combination of networks (e.g., the Internet, local area network, wide area network, a telephonic network, a cellular network, satellite network, and the like).

[0069] Computer device 1105 can use and/or communicate using computer-usable or computer-readable media, including transitory media and non-transitory media. Transitory media include transmission media (e.g., metal cables, fiber optics), signals, carrier waves, and the like. Non-transitory media include magnetic media (e.g., disks and tapes), optical media (e.g., CD ROM, digital video disks, Blu-ray disks), solid state media (e.g., RAM, ROM, flash memory, solid-state storage), and other non-volatile storage or memory.

[0070] Computer device 1105 can be used to implement techniques, methods, applications, processes, or computer-executable instructions in some example computing environments. Computer-executable instructions can be retrieved from transitory media, and stored on and retrieved from non-transitory media. The executable instructions can originate from one or more of any programming, scripting, and machine languages (e.g., C, C++, C#, Java, Visual Basic, Python, Perl, JavaScript, and others).

[0071] Processor(s) 1110 can execute under any operating system (OS) (not shown), in a native or virtual environment. One or more applications can be deployed that include logic unit 1160, application programming interface (API) unit 1165, input unit 1170, output unit 1175, and inter-unit communication mechanism 1195 for the different units to communicate with each other, with the OS, and with other applications (not shown). The described units and elements can be varied in design, function, configuration, or implementation and are not limited to the descriptions provided. Processor(s) 1110 can be in the form of physical processors or central processing units (CPU) that is configured to execute instructions loaded from Memory 1115.

[0072] In some example implementations, when information or an execution instruction is received by API unit 1165, it may be communicated to one or more other units (e.g., logic unit 1160, input unit 1170, output unit 1175). In some instances, logic unit 1160 may be configured to control the information flow among the units and direct the services provided by API unit 1165, input unit 1170, output unit 1175, in some example implementations described above. For example, the flow of one or more processes or implementations may be controlled by logic unit 1160 alone or in conjunction with API unit 1165. The input unit 1170 may be configured to obtain input for the calculations described in the example implementations, and the output unit 1175 may be configured to provide output based on the calculations described in example implementations.

[0073] Memory 1115 is configured to store management information as illustrated in FIGS. 10(a) and 10(b), wherein processor(s) 1110 is configured to execute processes to facilitate the functionality of server 900-1 or 900-2 based on the management information. For example, processor(s) 1110 can be configured to transmit the scheduling information of FIG. 10(a) to server 900-2, or instruct PLCs 903 to control machines to conduct operations in accordance with the schedule.

[0074] Processor(s) 1110 can be configured to for a state of a factory determined from current operating conditions of the factory based on management information of FIG. 10(a), receive streaming PLC values from the PLCs and streaming external sensor values from the plurality of sensors in the factory connected externally to the network as illustrated in FIG. 7 and FIG. 9; conduct probabilistic analytics on the streaming PLC values and streaming external sensor values against historical PLC values and historical sensor values associated with the state of the factory as illustrated in FIG. 7 and FIG. 8; and for the probabilistic analytics indicative of the streaming PLC values being within expectation for the state, and the streaming external sensor values not being within expectation for the state, providing an indication of a security incident, as illustrated at 20428 of FIG. 8 for ICS attack. Examples of providing an indication are shown at 2027 of FIG. 5, which can include raising alerts and executing preset instructions for a security incident response (e.g., shutting down corresponding PLCs and machines, etc.), as well as providing an indication on a user interface in accordance with the desired implementation. Through such example implementations, ICS attacks on a factory floor can be detected by a management apparatus, even if the PLC values obtained appear to indicate that the factory is operating normally.

[0075] Processor(s) 1110 can be configured to, for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values not being within expectation for the state, detect one of a new state and a factory event as illustrated at 20428 of FIG. 8 for a new state/normal anomaly, and as illustrated at 2026 and 2028 of FIG. 5.

[0076] Processor(s) 1110 can be configured to, for the detecting being indicative of the new state, store the streaming PLC values and the streaming external sensor values as the historical PLC values and the historical sensor values for the new state as illustrated in 2026 and 2029 of FIG. 5 and FIG. 10(b).

[0077] Processor(s) 1110 can be configured to for the probabilistic analytics indicative of the streaming PLC values not being within expectation for the state, and the streaming external sensor values being within expectation for the state, providing an indication of sensor failure as illustrated at 2026 and 2028 of FIG. 5, and as illustrated at 20428 of FIG. 8 for Check Sensors.

[0078] Processor(s) 1110 can be configured to select the state from a plurality of states as illustrated in FIG. 10(b), each state associated with corresponding historical sensor and PLC values, and associated with operations of the factory as illustrated in FIG. 8.

[0079] Through the example system of FIG. 9 and the example implementations as described in FIG. 11, a management apparatus can manage a sensor system on a network separate from a PLC/machine system on a factory network of the factory, and detect ICS attacks occurring on the factory based on the streaming PLC values and the sensor values, thereby improving security for the factory floor.

[0080] Some portions of the detailed description are presented in terms of algorithms and symbolic representations of operations within a computer. These algorithmic descriptions and symbolic representations are the means used by those skilled in the data processing arts to convey the essence of their innovations to others skilled in the art. An algorithm is a series of defined steps leading to a desired end state or result. In example implementations, the steps carried out require physical manipulations of tangible quantities for achieving a tangible result.

[0081] Unless specifically stated otherwise, as apparent from the discussion, it is appreciated that throughout the description, discussions utilizing terms such as processing, computing, calculating, determining, displaying, or the like, can include the actions and processes of a computer system or other information processing device that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system's memories or registers or other information storage, transmission or display devices.

[0082] Example implementations may also relate to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may include one or more general-purpose computers selectively activated or reconfigured by one or more computer programs. Such computer programs may be stored in a computer readable medium, such as a computer-readable storage medium or a computer-readable signal medium. A computer-readable storage medium may involve tangible mediums such as, but not limited to optical disks, magnetic disks, read-only memories, random access memories, solid state devices and drives, or any other types of tangible or non-transitory media suitable for storing electronic information. A computer readable signal medium may include mediums such as carrier waves. The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Computer programs can involve pure software implementations that involve instructions that perform the operations of the desired implementation.

[0083] Various general-purpose systems may be used with programs and modules in accordance with the examples herein, or it may prove convenient to construct a more specialized apparatus to perform desired method steps. In addition, the example implementations are not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the example implementations as described herein. The instructions of the programming language(s) may be executed by one or more processing devices, e.g., central processing units (CPUs), processors, or controllers.

[0084] As is known in the art, the operations described above can be performed by hardware, software, or some combination of software and hardware. Various aspects of the example implementations may be implemented using circuits and logic devices (hardware), while other aspects may be implemented using instructions stored on a machine-readable medium (software), which if executed by a processor, would cause the processor to perform a method to carry out implementations of the present application. Further, some example implementations of the present application may be performed solely in hardware, whereas other example implementations may be performed solely in software. Moreover, the various functions described can be performed in a single unit, or can be spread across a number of components in any number of ways. When performed by software, the methods may be executed by a processor, such as a general purpose computer, based on instructions stored on a computer-readable medium. If desired, the instructions can be stored on the medium in a compressed and/or encrypted format.

[0085] Moreover, other implementations of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the teachings of the present application. Various aspects and/or components of the described example implementations may be used singly or in any combination. It is intended that the specification and example implementations be considered as examples only, with the true scope and spirit of the present application being indicated by the following claims.

USING AI FOR ENSURING DATA INTEGRITY OF INDUSTRIAL CONTROLLERS

Assignee

Inventors

Cpc classification

Classification Explorer

G05B2219/14114

PHYSICS

Classification Explorer

G06V10/84

PHYSICS

Classification Explorer

G05B19/058

PHYSICS

Classification Explorer

G06F21/552

PHYSICS

Classification Explorer

G05B19/4184

PHYSICS

Classification Explorer

G06F21/55

PHYSICS

Classification Explorer

G06F30/27

PHYSICS

Classification Explorer

Y02P90/02

GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS

Classification Explorer

G06F21/56

PHYSICS

Classification Explorer

G06F21/50

PHYSICS

Classification Explorer

G06F21/566

PHYSICS

Classification Explorer

G01R31/2846

PHYSICS

Classification Explorer

G05B2219/14006

PHYSICS

Classification Explorer

G05B2219/14058

PHYSICS

International classification

Classification Explorer

G05B19/05

PHYSICS

Abstract

Claims

Description