Patents by Inventor Leandro Pfleger de Aguiar

Leandro Pfleger de Aguiar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12346479
    Abstract: System and method are disclosed for preserving privacy of shared data over a shared network. A vector encoder transforms received data into a feature vector. An autoencoder includes a neural network-based encoder that transforms the feature vector into a fixed size latent space representation of the received data. A neural network-based decoder of the autoencoder is configured to reconstruct the feature vector from the latent space representation. The autoencoder is trained using training data with an objective to minimize reconstruction error. A vector decoder transforms the reconstructed feature vector into reconstructed data. The latent space representation of data from the trained autoencoder is shared as anonymized data with at least one trusted party over the shared network, decoded offline using a replica of the trained decoder.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: July 1, 2025
    Assignee: Siemens Aktiengesellschaft
    Inventors: Ayse Parlak, Leandro Pfleger de Aguiar
  • Patent number: 12111961
    Abstract: A micro data capture device can be configured to operate as a unidirectional connection from a first computing device to a second computing device. The micro data capture device can include a data capture side comprising a first universal serial bus (USB) interface configured to connect to the first computing device so as to extract data from the first computing device. The micro data capture device can further include a monitoring apparatus comprising an interceptor configured to copy data from the data capture side so as to define the unidirectional connection. Further, the micro data capture device can define a data storage side comprising a second USB interface configured to connect to the second computing device so as to transfer data to the second computing device. The data storage side can be configured to receive data from the data storage side via the monitoring apparatus. In some cases, the data capture side has only volatile memory, and the data storage side includes non-volatile memory.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: October 8, 2024
    Assignee: Siemens Mobility GmbH
    Inventors: David Hingos, Leandro Pfleger de Aguiar, Omer Metel, Safia Rahmat
  • Patent number: 12010130
    Abstract: An apparatus for monitoring a protected network using unidirectional communication includes a sending unit coupled to one or more devices of the protected network for obtaining network data related to protected network status. The apparatus further includes an eavesdropping unit with an interceptor configured to intercept the requested data within the sending unit via a loop connection between input and output interfaces of the sending unit. The interceptor and the loop connection are inductively coupled and configured for unidirectional communication from the sending unit to the receiving unit. A receiving unit is coupled to the eavesdropping unit for receiving the duplicated data and forwarding the duplicated data to an evaluation system located in a low security external network. A reconfigurable application layer includes at least one modular application configured to operate security related functions that support intrusion detection.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: June 11, 2024
    Assignee: Siemens Mobility GmbH
    Inventors: David Hingos, Leandro Pfleger de Aguiar, Omer Metel, Martin Wimmer, Heiko Patzlaff
  • Patent number: 11973777
    Abstract: Methods and systems are disclosed for security management in an industrial control system (ICS). An event entity detection and linking module generates a model for a plurality of event entities extracted from a plurality of different data sources including one ICS data source and one IT data source. The model encodes a set of linked event entities and their relationships, each event entity associated with a vector of attribute value pairs. A data standardization of domain knowledge includes translating, by a machine learning application, extracted knowledge base information to rules for the constraints and using the rules to validate the constraints and to add new constraints. A fusion module performs temporal correlation detection across data streams of the different data sources for establishing causality between triplets of association models within a defined time span.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: April 30, 2024
    Assignees: Siemens Aktiengesellschaft, Washington State University
    Inventors: Jiaxing Pi, Dong Wei, Leandro Pfleger de Aguiar, Yinghui Wu
  • Patent number: 11924227
    Abstract: A system for monitoring an industrial system for cyberattacks includes an industrial control system including a plurality of actuators, a plurality of sensors each arranged to measure one of a plurality of operating parameters, and an edge device and a computer including a data storage device having stored thereon a program that includes each of a time-series database including expected operating ranges for each operating parameter, a clustering-based database that includes clusters of operating parameters having similarities, and a correlation database that includes pairs of operating parameters that show a correlation.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: March 5, 2024
    Assignees: Siemens Aktiengesellschaft, Rutgers University
    Inventors: Jiaxing Pi, Dong Wei, Leandro Pfleger de Aguiar, Honggang Wang, Saman Zonouz
  • Publication number: 20240056484
    Abstract: A method for imputing data to a time series of events includes collecting data relating to a plurality of events, storing the collected data in a database, defining a set of rules based on patterns observed, defining a new data relating to one of the plurality of events based on the set of rules. Defining additional rules and new data is iteratively performed based on new data and rules established in a prior iteration. The iterations may be stopped when no new rules or data is established in a previous iteration. The new data may be sequential temporal information of the event in the time series or may be a tag relating to the class of the event. The new data may be generated using rule mining. The new data is propagated to the rule mining and additional rules are defined based on the new data.
    Type: Application
    Filed: August 15, 2022
    Publication date: February 15, 2024
    Inventors: Leandro Pfleger de Aguiar, Henning Janssen, Daniel Sadoc Menasche, Lucas Miranda, Mateus Nogueira, Daniel Vieira, Miguel Angelo Santos Bicudo, Anton Kocheturov
  • Publication number: 20230123872
    Abstract: A computer-implemented method of detecting an anomalous action associated with a physical system includes developing, by a computing device a plurality of vectors, each vector indicative of an event that occurred at a specific time within the system, combining, with the computing device each vector that occurred within a predefined time duration into one of a plurality of master vectors, and performing, with the computing device a cluster analysis to group each master vector of the plurality of master vectors into one of a plurality of states. The method also includes determining, with the computing device a real-time master vector based at least in part on one or more events that occur within the predefined time duration, classifying, with the computing device the real-time master vector as a real-time state, and indicating that the real-time state is anomalous when the real-time state doesn't match one of the plurality of states.
    Type: Application
    Filed: March 19, 2021
    Publication date: April 20, 2023
    Inventors: Bruno Paes Leao, Leandro Pfleger de Aguiar, Matheus Martins, Matthew Stewart
  • Patent number: 11552933
    Abstract: In an industrial system, a data capture apparatus can be configured to operate as a unidirectional communication connection between a private network and a public network. The data capture apparatus can be further configured to collect raw data from the private network. The raw data can define a data distribution. The data capture apparatus can be further configured, based on the data distribution of the raw data, to generate anonymized or synthetic data that represents the raw data. The anonymized data can be transmitted over the unidirectional communication connection to a receiver machine of the data capture apparatus. In some cases, the receiver machine can send the anonymized data to an analysis system within the public network, such that the raw data can be analyzed by the analysis system, based on the anonymized data that represents the raw data, without the analysis system obtaining the raw data.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: January 10, 2023
    Assignee: Siemens Mobility GmbH
    Inventors: Safia Rahmat, Leandro Pfleger de Aguiar, Omer Metel
  • Publication number: 20220417268
    Abstract: A transmission device for transmitting data between a first network and a second includes: a first unidirectional transmission unit which is coupled to the first network and is configured to exclusively receive data transmitted from the first network to the transmission device, a second unidirectional transmission unit which is coupled to the second network and is configured to exclusively send data from the transmission device to the second network, and an identification unit which is located between the first unidirectional unit and the second unidirectional unit and which is configured to receive the data received by the first unidirectional transmission unit and to identify anomalies in the received data. The provided transmission device achieves the reliable, optimized identification of anomalies in the first network and increases security in the identification unit against manipulation and against attacks or intrusion attempts from the second network.
    Type: Application
    Filed: December 1, 2020
    Publication date: December 29, 2022
    Inventors: Christina Otto, Heiko Patzlaff, Martin Wimmer, Rainer Falk, David Hingos, Omer Metel, Leandro Pfleger de Aguiar
  • Publication number: 20220366083
    Abstract: System and method are disclosed for preserving privacy of shared data over a shared network. A vector encoder transforms received data into a feature vector. An autoencoder includes a neural network-based encoder that transforms the feature vector into a fixed size latent space representation of the received data. A neural network-based decoder of the autoencoder is configured to reconstruct the feature vector from the latent space representation. The autoencoder is trained using training data with an objective to minimize reconstruction error. A vector decoder transforms the reconstructed feature vector into reconstructed data. The latent space representation of data from the trained autoencoder is shared as anonymized data with at least one trusted party over the shared network, decoded offline using a replica of the trained decoder.
    Type: Application
    Filed: May 16, 2022
    Publication date: November 17, 2022
    Inventors: Ayse Parlak, Leandro Pfleger de Aguiar
  • Publication number: 20220191227
    Abstract: A method performed in an industrial control system where User and Entity Behavior Analytics (UEBA) is applied to specific actions that are performed within the industrial control system to detect security and safety anomalies related to actions of process engineers and plant operators. Malicious and non-malicious, as well as intentional and accidental, misuses of engineering workstations and human machine interfaces (HMIs) are detected.
    Type: Application
    Filed: April 1, 2020
    Publication date: June 16, 2022
    Applicant: Siemens Energy Global GmbH & Co. KG
    Inventors: Leandro Pfleger de Aguiar, Bruno Paes Leao, Matthew Stewart, Anton Kocheturov
  • Patent number: 11328067
    Abstract: A system and method is provided that facilitates threat impact characterization. The system may include a replica programmable logic controller (PLC) that corresponds to a production PLC in a production system and that may be configured to operate at an accelerated processing speed that is at least two times faster than a processing speed of the production PLC. The system may also include a data processing system configured to communicate with the replica PLC when executing malware infected PLC firmware and generate a simulation of the production system based on a virtual model of the production system operating at an accelerated processing speed that is at least two times faster than a processing speed of the physical production system. The simulation may include accelerated simulation of the production PLC based on communication with the replica PLC using the malware infected PLC firmware.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: May 10, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventors: Leandro Pfleger de Aguiar, Arquimedes Martinez Canedo, Sanjeev Srivastava
  • Patent number: 11297071
    Abstract: In an industrial system, a data capture apparatus can be configured to operate as a unidirectional communication connection between a private network and a public network. The data capture apparatus can be further configured to time stamp data, for instance digitally sign data with a time stamp, so as to ensure data integrity over the unidirectional communication connection, while maintaining physical isolation between the private network and public network.
    Type: Grant
    Filed: May 12, 2020
    Date of Patent: April 5, 2022
    Assignee: Siemens Mobility GmbH
    Inventors: Omer Metel, Leandro Pfleger de Aguiar, David Hingos, Safia Rahmat
  • Publication number: 20220038479
    Abstract: An apparatus for monitoring a protected network using unidirectional communication includes a sending unit coupled to one or more devices of the protected network for obtaining network data related to protected network status. The apparatus further includes an eavesdropping unit with an interceptor configured to intercept the requested data within the sending unit via a loop connection between input and output interfaces of the sending unit. The interceptor and the loop connection are inductively coupled and configured for unidirectional communication from the sending unit to the receiving unit. A receiving unit is coupled to the eavesdropping unit for receiving the duplicated data and forwarding the duplicated data to an evaluation system located in a low security external network. A reconfigurable application layer includes at least one modular application configured to operate security related functions that support intrusion detection.
    Type: Application
    Filed: September 20, 2019
    Publication date: February 3, 2022
    Inventors: David Hingos, Leandro Pfleger de Aguiar, Omer Metel, Martin Wimmer, Heiko Patzlaff
  • Publication number: 20210382989
    Abstract: A system and a method provide multilevel consistency check for a cyber attack detection in an automation and control system wherein the multilevel consistency check of sensor measurements, commands and settings on different automation devices on a plant floor is able to provide end-to-end intrusion detection on exchanged data. The multilevel consistency check includes a measurement consistency check and a commands and settings consistency check to enable a cyber security solution for industrial control systems (ICS). An alarm is set when detecting a first value inconsistent from a second value. An anomaly is detected based on at least one of the measurement consistency or the commands and settings consistency and it is identified as an intrusion detection.
    Type: Application
    Filed: November 8, 2019
    Publication date: December 9, 2021
    Inventors: Dong Wei, Leandro Pfleger de Aguiar, Stefan Woronka
  • Publication number: 20210383027
    Abstract: A micro data capture device can be configured to operate as a unidirectional connection from a first computing device to a second computing device. The micro data capture device can include a data capture side comprising a first universal serial bus (USB) interface configured to connect to the first computing device so as to extract data from the first computing device. The micro data capture device can further include a monitoring apparatus comprising an interceptor configured to copy data from the data capture side so as to define the unidirectional connection. Further, the micro data capture device can define a data storage side comprising a second USB interface configured to connect to the second computing device so as to transfer data to the second computing device. The data storage side can be configured to receive data from the data storage side via the monitoring apparatus. In some cases, the data capture side has only volatile memory, and the data storage side includes non-volatile memory.
    Type: Application
    Filed: June 5, 2020
    Publication date: December 9, 2021
    Inventors: David Hingos, Leandro Pfleger de Aguiar, Omer Metel, Safia Rahmat
  • Publication number: 20210385196
    Abstract: In an industrial system, a data capture apparatus can be configured to operate as a unidirectional communication connection between a private network and a public network. The data capture apparatus can be further configured to collect raw data from the private network. The raw data can define a data distribution. The data capture apparatus can be further configured, based on the data distribution of the raw data, to generate anonymized or synthetic data that represents the raw data. The anonymized data can be transmitted over the unidirectional communication connection to a receiver machine of the data capture apparatus. In some cases, the receiver machine can send the anonymized data to an analysis system within the public network, such that the raw data can be analyzed by the analysis system, based on the anonymized data that represents the raw data, without the analysis system obtaining the raw data.
    Type: Application
    Filed: June 5, 2020
    Publication date: December 9, 2021
    Inventors: Safia Rahmat, Leandro Pfleger de Aguiar, Omer Metel
  • Publication number: 20210360002
    Abstract: In an industrial system, a data capture apparatus can be configured to operate as a unidirectional communication connection between a private network and a public network. The data capture apparatus can be further configured to time stamp data, for instance digitally sign data with a time stamp, so as to ensure data integrity over the unidirectional communication connection, while maintaining physical isolation between the private network and public network.
    Type: Application
    Filed: May 12, 2020
    Publication date: November 18, 2021
    Inventors: Omer Metel, Leandro Pfleger de Aguiar, David Hingos, Safia Rahmat
  • Publication number: 20210306356
    Abstract: A system for monitoring an industrial system for cyberattacks includes an industrial control system including a plurality of actuators, a plurality of sensors each arranged to measure one of a plurality of operating parameters, and an edge device and a computer including a data storage device having stored thereon a program that includes each of a time-series database including expected operating ranges for each operating parameter, a clustering-based database that includes clusters of operating parameters having similarities, and a correlation database that includes pairs of operating parameters that show a correlation.
    Type: Application
    Filed: June 18, 2019
    Publication date: September 30, 2021
    Inventors: Jiaxing Pi, Dong Wei, Leandro Pfleger de Aguiar, Honggang Wang, Saman Zonouz
  • Publication number: 20210273965
    Abstract: Methods and systems are disclosed for security management in an industrial control system (ICS). An event entity detection and linking module generates a model for a plurality of event entities extracted from a plurality of different data sources including one ICS data source and one IT data source. The model encodes a set of linked event entities and their relationships, each event entity associated with a vector of attribute value pairs. A data standardization of domain knowledge includes translating, by a machine learning application, extracted knowledge base information to rules for the constraints and using the rules to validate the constraints and to add new constraints. A fusion module performs temporal correlation detection across data streams of the different data sources for establishing causality between triplets of association models within a defined time span.
    Type: Application
    Filed: July 9, 2019
    Publication date: September 2, 2021
    Inventors: Jiaxing Pi, Dong Wei, Leandro Pfleger de Aguiar, Yinghui Wu