Abstract: Operation of an industrial asset control system may be simulated or monitored under various operating conditions to generate a set of operating results. Subsets of the operating results may be used to calculate a normalization function for each of a plurality of operating conditions. Streams of monitoring node signal values over time may be received that represent a current operation of the industrial asset control system. A threat detection platform may then dynamically calculate normalized monitoring node signal values based at least in part on a normalization function in an operating mode database. For each stream of normalized monitoring node signal values, a current monitoring node feature vector may be generated and compared with a corresponding decision boundary for that monitoring node, the decision boundary separating normal and abnormal states for that monitoring node. A threat alert signal may then be automatically transmitted based on results of those comparisons.

Abstract: In some embodiments, a system model construction platform may receive, from a system node data store, system node data associated with an industrial asset. The system model construction platform may automatically construct a data-driven, dynamic system model for the industrial asset based on the received system node data. A synthetic attack platform may then inject at least one synthetic attack into the data-driven, dynamic system model to create, for each of a plurality of monitoring nodes, a series of synthetic attack monitoring node values over time that represent simulated attacked operation of the industrial asset. The synthetic attack platform may store, in a synthetic attack space data source, the series of synthetic attack monitoring node values over time that represent simulated attacked operation of the industrial asset. This information may then be used, for example, along with normal operational data to construct a threat detection model for the industrial asset.

Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided to protect a decision manifold of a control system for an industrial asset, comprising: a detection and neutralization module including: a decision manifold having a receiver configured to receive a training dataset comprising data, wherein the decision manifold is operative to generate a first decision manifold with the received training dataset; and a detection model; a memory for storing program instructions; and a detection and neutralization processor, coupled to the memory, and in communication with the detection and neutralization module and operative to execute program instructions to: receive the first decision manifold, wherein the first decision manifold separates a normal operating space from an abnormal operating space; determine whether there are one or more inadequacies with the detection model; generate a corrected decision manifold based on the determined one or more inadequacies with the

Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided comprising one or more heterogeneous data source nodes generating data associated with operation of the medical device; an abnormal state detection, prediction and correction module to receive data from one or more heterogeneous data source nodes; a memory for storing program instructions; and an abnormal state processor, coupled to the memory, and in communication with the abnormal state detection, prediction and correction module and operative to execute program instructions to: receive data from one or more heterogeneous data source nodes; receive a decision manifold separating a normal operating space from an abnormal operating space; perform a feature extraction process on the received data to generate at least one feature vector; determine, via the abnormal state detection, prediction and correction module, whether the feature vector maps to the normal operating space or the abnormal operating space

Abstract: A threat detection model creation computer receives normal monitoring node values and abnormal monitoring node values. At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model (e.g., a weight matrix and affine terms). The parameters of the deep learning model and received monitoring node values may then be used to compute feature vectors. The feature vectors may be spatial along a plurality of monitoring nodes. At least one decision boundary for a threat detection model may be automatically calculated based on the computed feature vectors, and the system may output the decision boundary separating a normal state from an abnormal state for that monitoring node. The decision boundary may also be obtained by combining feature vectors from multiple nodes. The decision boundary may then be used to detect normal and abnormal operation of an industrial asset.

Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.

Abstract: A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of a cyber-physical system. A feature-based forecasting framework may receive the time-series of and generate a set of current feature vectors using feature discovery techniques. The feature behavior for each monitoring node may be characterized in the form of decision boundaries that separate normal and abnormal space based on operating data of the system. A set of ensemble state-space models may be constructed to represent feature evolution in the time-domain, wherein the forecasted outputs from the set of ensemble state-space models comprise anticipated time evolution of features. The framework may then obtain an overall features forecast through dynamic ensemble averaging and compare the overall features forecast to a threshold to generate an estimate associated with at least one feature vector crossing an associated decision boundary.

Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.

Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.

Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.

Abstract: According to some embodiments, a plurality of heterogeneous data source nodes may each generate a series of current data source node values over time that represent a current operation of an electric power grid. A real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, may receive the series of current data source node values and generate a set of current feature vectors. The threat detection computer may then access an abnormal state detection model having at least one decision boundary created offline using at least one of normal and abnormal feature vectors. The abnormal state detection model may be executed, and a threat alert signal may be transmitted if appropriate based on the set of current feature vectors and the at least one decision boundary.

Abstract: A verification platform may include a data connection to receive a stream of industrial asset data, including a subset of the industrial asset data, from industrial asset sensors. The verification platform may store the subset of industrial asset data into a data store, the subset of industrial asset data being marked as invalid, and record a hash value associated with a compressed representation of the subset of industrial asset data combined with metadata in a secure, distributed ledger (e.g., associated with blockchain technology). The verification platform may then receive a transaction identifier from the secure, distributed ledger and mark the subset of industrial asset data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset data combined with metadata.

Abstract: According to some embodiments, a threat detection computer platform may receive a plurality of real-time monitoring node signal values over time that represent a current operation of the industrial asset. For each stream of monitoring node signal values, the platform may generate a current monitoring node feature vector. The feature vector may also be estimated using a dynamic model output with that monitoring node signal values. The platform may then compare the feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node. The platform may detect that a particular monitoring node has passed the corresponding decision boundary and classify that particular monitoring node as being under attack. The platform may then automatically determine if the attack on that particular monitoring node is an independent attack or a dependent attack.

Abstract: An alerter augmentation system includes one or more processors that determine an alertness of an operator of a vehicle system. The one or more processors also generate operator input requests that are separated in time by a temporal delay. These input requests seek responses or action by the operator in an attempt to keep or make the operator alert. The one or more processors change one or more of the temporal delay between the input requests and/or a type of the input requests that are generated based at least in part on the alertness of the operator that is determined.

Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.

Abstract: In some embodiments, an Unmanned Aerial Vehicle (“UAV”) system may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the UAV system. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors. The attack detection computer platform may access an attack detection model having at least one decision boundary (e.g., created using a set of normal feature vectors a set of attacked feature vectors). The attack detection model may then be executed and the platform may transmit an attack alert signal based on the set of current feature vectors and the at least one decision boundary. According to some embodiments, attack localization and/or neutralization functions may also be provided.

Abstract: Input signals may be received from monitoring nodes of the industrial asset, each input signal comprising time series data representing current operation. A neutralization engine may transform the input signals into feature vectors in feature space, each feature vector being associated with one of a plurality of overlapping batches of received input signals. A dynamic decision boundary may be generated based on the set of feature vectors, and an abnormal state of the asset may be detected based on the set of feature vectors and a predetermined static decision boundary. An estimated neutralized value for each abnormal feature value may be calculated based on the dynamic decision boundary and the static decision boundary such that a future set of feature vectors will be moved with respect to the static decision boundary. An inverse transform of each estimated neutralized value may be performed to generate neutralized signals comprising time series data that are output.

Abstract: A data source may provide a plurality of time-series measurements that represent normal operation of a cyber-physical system (e.g., in substantially real-time during online operation of the cyber-physical system). A stateful, nonlinear embedding computer may receive the plurality of time-series measurements and execute stateful, nonlinear embedding to project the plurality of time-series measurements to a lower-dimensional latent variable space. In this way, redundant and irrelevant information may be reduced, and temporal and spatial dependence among the measurements may be captured. The output of the stateful, nonlinear embedding may be utilized to automatically identify underlying system characteristics of the cyber-physical system. In some embodiments, a stateful generative adversarial network may be used to achieve stateful embedding.

Abstract: Streams of monitoring node signal values over time, representing a current operation of the industrial asset, are used to generate current monitoring node feature vectors. Each feature vector is compared with a corresponding decision boundary separating normal from abnormal states. When a first monitoring node passes a corresponding decision boundary, an attack is detected and classified as an independent attack. When a second monitoring node passes a decision boundary, an attack is detected and a first decision is generated based on a first set of inputs indicating if the attack is independent/dependent. From the beginning of the attack on the second monitoring node until a final time, the first decision is updated as new signal values are received for the second monitoring node. When the final time is reached, a second decision is generated based on a second set of inputs indicating if the attack is independent/dependent.

Abstract: An industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault. A virtual sensing estimator may continuously execute an adaptive learning process to create or update virtual sensor models for the monitoring nodes. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, the virtual sensing estimator may be dynamically reconfigured to estimate a series of virtual node values for the abnormal monitoring node or nodes based on information from normal monitoring nodes and appropriate virtual sensor models. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.