Abstract: A verification platform may include a data connection to receive a stream of industrial asset data, including a subset of the industrial asset data, from industrial asset sensors. The verification platform may store the subset of industrial asset data into a data store, the subset of industrial asset data being marked as invalid, and record a hash value associated with a compressed representation of the subset of industrial asset data combined with metadata in a secure, distributed ledger (e.g., associated with blockchain technology). The verification platform may then receive a transaction identifier from the secure, distributed ledger and mark the subset of industrial asset data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset data combined with metadata.

Abstract: The example embodiments are directed to a system and method for forecasting anomalies in feature detection. In one example, the method includes storing feature behavior information of at least one monitoring node of an asset, including a normalcy boundary identifying normal feature behavior and abnormal feature behavior for the at least one monitoring node in feature space, receiving input signals from the at least one monitoring node of the asset and transforming the input signals into feature values in the feature space, wherein the feature values are located within the normalcy boundary, forecasting that a future feature value corresponding to a future input signal from the at least one monitoring node is going to be positioned outside the normalcy boundary based on the feature values within the normalcy boundary, and outputting information concerning the forecasted future feature value being outside the normalcy boundary for display.

Abstract: An augmented system model may include a system high fidelity model that generates a first output. The augmented system model may further include a data driven model to receive data associated with the first output and to generate a second output, and a feature space version of the second output may be output from the augmented system model. Monitoring nodes may each generate a series of current monitoring node values over time representing current operation of an industrial asset. A model adaptation element may receive the current monitoring node values, calculate a feature space version of current operation, and compare the feature space version of the second output of the augmented system model with the feature space version of current operation. Parameters of the data driven model may then be adapted based on a result of the comparison.

Abstract: A control system having one or more controllers configured to determine physical or psychophysiological (3P) changes of an operator of a vehicle. First and second imaging devices take real-time images of an operator of a vehicle. Then, based on the physical, physiological and/or psychological features extracted from the imaging device data, and a 3P model from historical data the one or more processors also configured to, responsive to the physical, physiological and/or psychological changes of the operator of the vehicle, alert the operator and control the operation of the vehicle.

Abstract: According to some embodiments, a validation platform computer may interpret at least one received data packet to identify a control command for a controller of an industrial asset control system. The at least data packet being might be received, for example, from a network associated with a current operation of the industrial asset control system. The control command may then be introduced into an industrial asset simulation executing in parallel with the industrial asset control system. A simulated result of the control command from the industrial asset simulation may be validated, and, upon validation of the simulated result, it may be arranged for the control command to be provided to the controller of the industrial asset control system. Additionally, in some embodiments failed validation of a simulated result will prompt a threat-alert signal as well as prevent the command (e.g., data packet) from continuing to the controller.

Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.

Abstract: In some embodiments, a plurality of real-time monitoring node signal inputs receive streams of monitoring node signal values over time that represent a current operation of the industrial asset control system. A threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs, may receive the streams of monitoring node signal values and, for each stream of monitoring node signal values, generate a current monitoring node feature vector. The threat detection computer platform may then compare each generated current monitoring node feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node, and localize an origin of a threat to a particular monitoring node. The threat detection computer platform may then automatically transmit a threat alert signal based on results of said comparisons along with an indication of the particular monitoring node.

Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided to protect a decision manifold of a control system for an industrial asset, comprising: a detection and neutralization module including: a decision manifold having a receiver configured to receive a training dataset comprising data, wherein the decision manifold is operative to generate a first decision manifold with the received training dataset; and a detection model; a memory for storing program instructions; and a detection and neutralization processor, coupled to the memory, and in communication with the detection and neutralization module and operative to execute program instructions to: receive the first decision manifold, wherein the first decision manifold separates a normal operating space from an abnormal operating space; determine whether there are one or more inadequacies with the detection model; generate a corrected decision manifold based on the determined one or more inadequacies with the

Abstract: In some embodiments, an Unmanned Aerial Vehicle (“UAV”) system may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the UAV system. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors. The attack detection computer platform may access an attack detection model having at least one decision boundary (e.g., created using a set of normal feature vectors a set of attacked feature vectors). The attack detection model may then be executed and the platform may transmit an attack alert signal based on the set of current feature vectors and the at least one decision boundary. According to some embodiments, attack localization and/or neutralization functions may also be provided.

Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classification computer may determine, for each monitoring node, a classification result indicating whether each monitoring node is in a normal or abnormal state. A disambiguation engine may receive the classification results from the node classification computer and associate a Hidden Markov Model (“HMM”) with each monitoring node. For each node in an abnormal state, the disambiguation engine may execute the HMM associated with that monitoring node to determine a disambiguation result indicating if the abnormal state is a result of an attack or a fault and output a current status of each monitoring node based on the associated classification result and the disambiguation result.

Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.

Abstract: A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of a cyber-physical system. A feature-based forecasting framework may receive the time-series of and generate a set of current feature vectors using feature discovery techniques. The feature behavior for each monitoring node may be characterized in the form of decision boundaries that separate normal and abnormal space based on operating data of the system. A set of ensemble state-space models may be constructed to represent feature evolution in the time-domain, wherein the forecasted outputs from the set of ensemble state-space models comprise anticipated time evolution of features. The framework may then obtain an overall features forecast through dynamic ensemble averaging and compare the overall features forecast to a threshold to generate an estimate associated with at least one feature vector crossing an associated decision boundary.

Abstract: In some embodiments, a plurality of monitoring nodes each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors including a current feature for capturing transients (e.g., local transients and/or global transients). The attack detection computer platform may also access an attack detection model having at least one decision boundary that was created using at least one of a set of normal feature vectors and/or a set of attacked feature vectors. The attack detection model may then be executed such that an attack alert signal is transmitted by the attack detection computer platform, when appropriate, based on the set of current feature vectors (including the current feature to capture transients) and the at least one decision boundary.

Abstract: A threat detection model creation computer may receive a series of monitoring node values (representing normal and/or threatened operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may identify a first cluster and a second cluster in the set of feature vectors. The threat detection model creation computer may then automatically determine a plurality of cluster-based decision boundaries for a threat detection model. A first potential cluster-based decision boundary for the threat detection model may be automatically calculated based on the first cluster in the set of feature vectors. Similarly, the threat detection model creation computer may also automatically calculate a second potential cluster-based decision boundary for the threat detection model based on the second cluster in the set of feature vectors.

Abstract: An industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault. A virtual sensing estimator may continuously execute an adaptive learning process to create or update virtual sensor models for the monitoring nodes. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, the virtual sensing estimator may be dynamically reconfigured to estimate a series of virtual node values for the abnormal monitoring node or nodes based on information from normal monitoring nodes and appropriate virtual sensor models. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.

Abstract: Streams of monitoring node signal values over time, representing a current operation of the industrial asset, are used to generate current monitoring node feature vectors. Each feature vector is compared with a corresponding decision boundary separating normal from abnormal states. When a first monitoring node passes a corresponding decision boundary, an attack is detected and classified as an independent attack. When a second monitoring node passes a decision boundary, an attack is detected and a first decision is generated based on a first set of inputs indicating if the attack is independent/dependent. From the beginning of the attack on the second monitoring node until a final time, the first decision is updated as new signal values are received for the second monitoring node. When the final time is reached, a second decision is generated based on a second set of inputs indicating if the attack is independent/dependent.

Abstract: The example embodiments are directed to a system and method for neutralizing abnormal signals in a cyber-physical system. In one example, the method includes receiving input signals comprising time series data associated with an asset and transforming the input signals into feature values in a feature space, detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, and determining an estimated true value for each abnormal feature value, and performing an inverse transform of each estimated true value to generate neutralized signals comprising time series data and outputting the neutralized signals.

Abstract: Input signals may be received from monitoring nodes of the industrial asset, each input signal comprising time series data representing current operation. A neutralization engine may transform the input signals into feature vectors in feature space, each feature vector being associated with one of a plurality of overlapping batches of received input signals. A dynamic decision boundary may be generated based on the set of feature vectors, and an abnormal state of the asset may be detected based on the set of feature vectors and a predetermined static decision boundary. An estimated neutralized value for each abnormal feature value may be calculated based on the dynamic decision boundary and the static decision boundary such that a future set of feature vectors will be moved with respect to the static decision boundary. An inverse transform of each estimated neutralized value may be performed to generate neutralized signals comprising time series data that are output.

Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classifier computer, coupled to the plurality of monitoring nodes, may receive the series of current monitoring node values and generate a set of current feature vectors. The node classifier computer may also access at least one multi-class classifier model having at least one decision boundary. The at least one multi-class classifier model may be executed and the system may transmit a classification result based on the set of current feature vectors and the at least one decision boundary. The classification result may indicate, for example, whether a monitoring node status is normal, attacked, or faulty.

Abstract: Operation of an industrial asset control system may be simulated or monitored under various operating conditions to generate a set of operating results. Subsets of the operating results may be used to calculate a normalization function for each of a plurality of operating conditions. Streams of monitoring node signal values over time may be received that represent a current operation of the industrial asset control system. A threat detection platform may then dynamically calculate normalized monitoring node signal values based at least in part on a normalization function in an operating mode database. For each stream of normalized monitoring node signal values, a current monitoring node feature vector may be generated and compared with a corresponding decision boundary for that monitoring node, the decision boundary separating normal and abnormal states for that monitoring node. A threat alert signal may then be automatically transmitted based on results of those comparisons.