Abstract: Various embodiments described herein relate to dynamic data containerization using hash data analytics. In this regard, an indication of a peripheral device being communicatively coupled to an industrial control system is received. In response to the indication, reputation data for one or more industrial control files stored by the peripheral device is determined based on a comparison between a file hash of one or more industrial control files and one or more security threat hashes. Furthermore, the reputation data for the one or more industrial control files is stored in a dynamic database container. In response to a determination that a validity time period for the dynamic database container satisfies a defined criterion, new reputation data for the one or more industrial control files is determined and the new reputation data for the one or more industrial control files is stored in a new dynamic database container.

Abstract: A blockchain-based network arrangement includes member nodes joined by a multicast network including a trusted node configured for creating at least one cryptographic key and for distributing copies of the cryptographic key over the multicast network as a multicast blockchain transmission to other member nodes. A requesting node outside the member nodes is configured for initiating a smart contract containing its blockchain address and for sending the smart contract as a request for group access with an address of the trusted node. The trusted node is configured for receiving the smart contract and a decides to accept or reject the smart contract, and records the decision in the blockchain by updating the smart contract. An accept decision results in a member node sending the cryptographic key to the requesting node.

Abstract: A method includes detecting a connection attempt from a device, quarantining the device to prevent the device from substantially interacting with a host system, and determining whether the device requires verification while the device is quarantined. The method also includes, in response to determining that the device requires verification, presenting at least one authorization challenge to a user while the device is quarantined. The at least one authorization challenge requests that the user provide at least one specified response. The method further includes, in response to determining that the device requires verification, determining whether the user correctly provided the at least one specified response while the device is quarantined, granting access to the device in response to determining that the user correctly provided the at least one specified response, and continuing to quarantine the device in response to determining that the user did not correctly provide the at least one specified response.

Abstract: An apparatus includes at least one processor configured to determine whether a blockchain identifies a valid smart contract indicating that communication with a specified node is permitted. In response to determining that the blockchain does identify the valid smart contract, the at least one processor is configured to establish a secure communication session with the specified node. In response to determining that the blockchain does not identify the valid smart contract, the at least one processor is configured to generate a new smart contract associated with the specified node, establish the secure communication session with the specified node in response to user approval of the new smart contract, and not establish the secure communication session with the specified node in response to user rejection of the new smart contract.

Abstract: This disclosure provides for patch monitoring and analysis, such as in an industrial process control and automation system. A method includes discovering at least one connected device by a risk manager system, including a software module for the connected device and installed patch information for the software module. The method includes identifying current patch information for the software module by the risk manager system. The method includes populating a patch definition file according to the device, the software module, the installed patch information, the current patch information, by the risk manager system. The method includes analyzing the patch definition file. The method includes producing an output based on the analysis by the risk manager system, the output including the software module, the installed patch information, the current patch information, and the status of the software module with respect to the installed patch information.

Abstract: This disclosure provides a security system and method for using machine learning to improve cybersecurity operations in an industrial control networks and other systems. A method includes collecting, by a security system, current communications channel information for a plurality of devices in a control system. The method includes analyzing, by the security system, the current communications channel information according to one or more device models. The method includes producing, by the security system and according to the analysis, a risk report that identifies an abnormal device among the plurality of devices.

Abstract: A blockchain-based network arrangement includes member nodes joined by a multicast network including a trusted node configured for creating at least one cryptographic key and for distributing copies of the cryptographic key over the multicast network as a multicast blockchain transmission to other member nodes. A requesting node outside the member nodes is configured for initiating a smart contract containing its blockchain address and for sending the smart contract as a request for group access with an address of the trusted node. The trusted node is configured for receiving the smart contract and a decides to accept or reject the smart contract, and records the decision in the blockchain by updating the smart contract. An accept decision results in a member node sending the cryptographic key to the requesting node.

Abstract: An apparatus includes at least one processor configured to determine whether a blockchain identifies a valid smart contract indicating that communication with a specified node is permitted. In response to determining that the blockchain does identify the valid smart contract, the at least one processor is configured to establish a secure communication session with the specified node. In response to determining that the blockchain does not identify the valid smart contract, the at least one processor is configured to generate a new smart contract associated with the specified node, establish the secure communication session with the specified node in response to user approval of the new smart contract, and not establish the secure communication session with the specified node in response to user rejection of the new smart contract.

Abstract: A method includes obtaining first data identifying first user interactions with one or more computing or networking resources during at least one first user session that is known to be valid. The method also includes generating one or more profiles defining typical user interactions with the one or more resources based on the first data. The method further includes obtaining second data identifying second user interactions with at least one of the one or more resources during a subsequent second user session. The method also includes determining whether the second user session is valid based on the second data and at least one of the one or more profiles by comparing the second user interactions to the typical user interactions defined in the at least one profile. In addition, the method includes taking one or more actions in response to determining that the second user session is not valid.

Abstract: This disclosure provides a security system and method for using machine learning to improve cybersecurity operations in an industrial control networks and other systems. A method includes collecting, by a security system, current communications channel information for a plurality of devices in a control system. The method includes analyzing, by the security system, the current communications channel information according to one or more device models. The method includes producing, by the security system and according to the analysis, a risk report that identifies an abnormal device among the plurality of devices.

Abstract: This disclosure provides a security system and method for using machine learning to improve cybersecurity operations in an industrial control networks and other systems. A method includes collecting, by a security system, current process information for a plurality of processes in a control system. The method includes analyzing, by the security system, the current process information according to one or more process models. The method includes producing, by the security system and according to the analysis, a risk report that identifies an abnormal process among the plurality of processes.

Abstract: This disclosure provides an infrastructure monitoring tool, and related systems and methods, for collecting industrial process control and automation system risk data, and other data. A method includes discovering multiple devices in a computing system by a risk manager system. The method includes grouping the multiple devices into multiple security zones by the risk manager system. The method includes, for each security zone, causing one or more devices in that security zone to provide information to the risk manager system identifying alerts and events associated with the one or more devices. The method includes storing the information, by the risk manager system, in association with unique identifier values, the unique identifier values identifying different types of information.

Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.

Abstract: This disclosure provides systems and methods for prediction of potential cyber security threats and risks in an industrial control system using predictive cyber analytics. A method includes receiving, by a risk manager system, real-time data from a plurality of connected devices. The method includes creating, by the risk manager system, a data model based on the real-time data. The method includes analyzing, by the risk manager system, the data model to identify potential current threats. The method includes predicting, by the risk manager system, potential threats. The method includes notifying a user, by the risk manager system, of the potential threats.

Abstract: This disclosure provides a rules engine for converting system-related characteristics and events into cyber-security risk assessment values, including related systems and methods. A method includes receiving information identifying characteristics of multiple devices in a computing system and multiple events associated with the multiple devices. The method includes analyzing the information using multiple sets of rules. The method includes generating at least one risk assessment value based on the analyzing. The at least one risk assessment value identifies at least one cyber-security risk of the multiple devices. The method includes displaying the at least one risk assessment value in a user interface.

Abstract: This disclosure provides for patch monitoring and analysis, such as in an industrial process control and automation system. A method includes discovering at least one connected device by a risk manager system, including a software module for the connected device and installed patch information for the software module. The method includes identifying current patch information for the software module by the risk manager system. The method includes populating a patch definition file according to the device, the software module, the installed patch information, the current patch information, by the risk manager system. The method includes analyzing the patch definition file. The method includes producing an output based on the analysis by the risk manager system, the output including the software module, the installed patch information, the current patch information, and the status of the software module with respect to the installed patch information.

Abstract: This disclosure provides an infrastructure monitoring tool, and related systems and methods, for collecting industrial process control and automation system risk data, and other data. A method includes discovering multiple devices in a computing system by a risk manager system. The method includes grouping the multiple devices into multiple security zones by the risk manager system. The method includes, for each security zone, causing one or more devices in that security zone to provide information to the risk manager system identifying alerts and events associated with the one or more devices. The method includes storing the information, by the risk manager system, in association with unique identifier values, the unique identifier values identifying different types of information.

Abstract: This disclosure provides a technique for using infrastructure monitoring software to collect cyber-security risk data. A method includes sending first information from a risk manager system to a plurality of agents each associated with a respective device in a computing system. The first information is associated with one or more risk-monitoring configurations. The method includes receiving second information by the risk manager system from the agents. The second information identifies identified vulnerabilities and events associated with the respective devices. The method includes storing and displaying to a user at least one of the second information and an analysis of the second information.

Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.