Abstract: A method includes accessing, from a data store, at least one predefined data classification for asset data associated with multiple assets in an industrial process control system, wherein the at least one predefined data classification is associated with one or more first policies, wherein the data store stores a plurality of data classifications for asset data. The method also includes receiving user input of a customization to the at least one predefined data classification to generate at least one customized data classification associated with one or more second policies. The method further includes storing the at least one customized data classification in the data store. The method also includes collecting asset data from at least one of the multiple assets. The method further includes processing the collected asset data according to the one or more second policies associated with the at least one customized data classification.

Abstract: This disclosure provides an apparatus and method for inferred detection of data replication errors of source applications by enterprise applications, including but not limited to in industrial control systems and other systems. A method includes periodically generating and storing a heartbeat data value by a site risk manager (RM) system. The method includes sending site data with the current heartbeat data value by the site RM system to an enterprise application executing on an enterprise RM system. The enterprise RM system periodically compares a current time and the last received heartbeat data value to produce a calculated time difference. The enterprise RM system determines that site data replication is not functioning correctly when the calculated time difference is greater than a predefined threshold. When the replication is not functioning correctly, the enterprise RM system notifies a user that replicated site data may be inaccurate.

Abstract: This disclosure provides an apparatus and method for a consolidated enterprise view of cybersecurity data from multiple sites, including but not limited to in industrial control systems and other systems. A method includes receiving, by a replicator system, cybersecurity data from a site risk manager (RM) database. The method includes transferring the cybersecurity data, by the replicator system, through a secure firewall to an enterprise RM database. The enterprise RM database consolidates data received from a plurality of replicator systems.

Abstract: This disclosure provides for patch monitoring and analysis, such as in an industrial process control and automation system. A method includes discovering at least one connected device by a risk manager system, including a software module for the connected device and installed patch information for the software module. The method includes identifying current patch information for the software module by the risk manager system. The method includes populating a patch definition file according to the device, the software module, the installed patch information, the current patch information, by the risk manager system. The method includes analyzing the patch definition file. The method includes producing an output based on the analysis by the risk manager system, the output including the software module, the installed patch information, the current patch information, and the status of the software module with respect to the installed patch information.

Abstract: This disclosure provides an apparatus and method for dynamic customization of cyber-security risk item rules. A method includes interacting with a user, by a risk manager system, to define a plurality of rules for risk items to be monitored among a plurality of connected devices. The method also includes mapping each of the rules to a corresponding one or more of the connected devices by the risk manager system. The method further includes monitoring the connected devices according to the rules by the risk manager system. In addition, the method includes displaying an output based on the rules and a status of the connected devices by the risk manager system.

Abstract: A method includes accessing, from a data store, at least one predefined data classification for asset data associated with multiple assets in an industrial process control system, wherein the at least one predefined data classification is associated with one or more first policies, wherein the data store stores a plurality of data classifications for asset data. The method also includes receiving user input of a customization to the at least one predefined data classification to generate at least one customized data classification associated with one or more second policies. The method further includes storing the at least one customized data classification in the data store. The method also includes collecting asset data from at least one of the multiple assets. The method further includes processing the collected asset data according to the one or more second policies associated with the at least one customized data classification.

Abstract: A method includes discovering one or more assets associated with a system. The method also includes determining first data that could be collected from each of the one or more assets by cross-referencing the one or more assets with a collection model. The method further includes determining second data that is to be collected from each of the one or more assets by cross-referencing the first data with requirements of one or more applications that use data from the one or more assets. In addition, the method includes automatically generating a schedule for collection of the second data from the one or more assets.

Abstract: This disclosure provides an apparatus and method for deployment assurance checks for monitoring industrial control systems and other systems. A method includes identifying, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes determining devices to be monitored from the plurality of connected devices. The method includes evaluating system resource usage, by the risk manager system, on each device to be monitored. The method includes providing recommendations to a user as to whether or not the user should proceed with the monitoring, based on the evaluation.

Abstract: This disclosure provides an apparatus and method for near-real-time export of cyber-security risk information, including but not limited to in industrial control systems and other systems. A method includes monitoring, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes detecting a cyber-security risk to one or more of the devices being monitored. The method includes identifying an external system to be notified of the detected cyber-security risk. The method includes sending cyber-security risk data to the external system according to the detected cyber-security risk and at least one filtering option.

Abstract: This disclosure provides an apparatus and method for identifying and retrospecting cyber security threats, including but not limited to in industrial control systems and other systems. A method includes receiving, by a risk manager system, a selection of an asset for analysis. The method includes receiving, by the risk manager system, current and historical cyber-risk data corresponding to the asset. The method includes receiving a user selection of one or more data options for analysis of the asset. The method includes identifying relevant portions of the current and historical cyber-risk data according to the selected data options. The method includes producing an output corresponding to the selected asset, the selected data options, and the identified relevant portions of the current and historical cyber-risk data. The method includes displaying the output as a report in a graphical user interface.

Abstract: This disclosure provides an apparatus and method for a consolidated enterprise view of cybersecurity data from multiple sites, including but not limited to in industrial control systems and other systems. A method includes receiving, by a replicator system, cybersecurity data from a site risk manager (RM) database. The method includes transferring the cybersecurity data, by the replicator system, through a secure firewall to an enterprise RM database. The enterprise RM database consolidates data received from a plurality of replicator systems.

Abstract: This disclosure provides an apparatus and method for inferred detection of data replication errors of source applications by enterprise applications, including but not limited to in industrial control systems and other systems. A method includes periodically generating and storing a heartbeat data value by a site risk manager (RM) system. The method includes sending site data with the current heartbeat data value by the site RM system to an enterprise application executing on an enterprise RM system. The enterprise RM system periodically compares a current time and the last received heartbeat data value to produce a calculated time difference. The enterprise RM system determines that site data replication is not functioning correctly when the calculated time difference is greater than a predefined threshold. When the replication is not functioning correctly, the enterprise RM system notifies a user that replicated site data may be inaccurate.

Abstract: This disclosure provides an apparatus and method for dynamic customization of cyber-security risk item rules. A method includes interacting with a user, by a risk manager system, to define a plurality of rules for risk items to be monitored among a plurality of connected devices. The method also includes mapping each of the rules to a corresponding one or more of the connected devices by the risk manager system. The method further includes monitoring the connected devices according to the rules by the risk manager system. In addition, the method includes displaying an output based on the rules and a status of the connected devices by the risk manager system.

Abstract: This disclosure provides a notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications. A method includes discovering multiple devices in a computing system. The method includes grouping the multiple devices into multiple security zones. The method includes generating a risk value identifying at least one cyber-security risk of the devices for one of the security zones. The method includes comparing the risk value to a threshold. The method includes automatically generating a notification for one or more users when the risk value violates the threshold.

Abstract: This disclosure provides an apparatus and method for dynamic customization of cyber-security risk item rules. A method includes obtaining information defining a rule by a risk manager system, the rule identifying a cyber-security risk to a computing device in an industrial process control and automation system. The method includes presenting a textual description describing the rule to a user by the risk manager system, the textual description including a selectable configuration parameter associated with the rule. The method includes receiving the user's selection of the configuration parameter by the risk manager system. The method includes, in response to receiving the user's selection of the configuration parameter, receiving a value associated with the configuration parameter from the user by the risk manager system.

Abstract: A method includes discovering one or more assets associated with a system. The method also includes determining first data that could be collected from each of the one or more assets by cross-referencing the one or more assets with a collection model. The method further includes determining second data that is to be collected from each of the one or more assets by cross-referencing the first data with requirements of one or more applications that use data from the one or more assets. In addition, the method includes automatically generating a schedule for collection of the second data from the one or more assets.

Abstract: This disclosure provides an apparatus and method for automatic handling of cyber-security risk events and other risk events. A method includes detecting, by a monitoring system, a first event associated with a device in a computing system. The method includes initializing a risk item corresponding to the first event, and setting the risk item to a full risk value, in response to detecting the event. The method includes determining whether a second event, corresponding to the first event, has been detected. The method includes altering the risk value over time in response to determining that no second event has been detected. The method includes determining if the risk value for the risk item has passed a threshold. The method includes clearing the event in response to the risk value passing the threshold.

Abstract: A method includes obtaining information defining a custom rule from a user. The custom rule is associated with a cyber-security risk. The custom rule identifies a type of cyber-security risk associated with the custom rule and information to be used to discover whether the cyber-security risk is present in one or more devices or systems of an industrial process control and automation system. The method also includes providing information associated with the custom rule for collection of information related to the custom rule from the one or more devices or systems. The method further includes analyzing the collected information related to the custom rule to identify at least one risk score associated with the one or more devices or systems and/or the industrial process control and automation system. In addition, the method includes presenting the at least one risk score or information based on the at least one risk score.

Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.

Abstract: This disclosure provides an apparatus and method for near-real-time export of cyber-security risk information, including but not limited to in industrial control systems and other systems. A method includes monitoring, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes detecting a cyber-security risk to one or more of the devices being monitored. The method includes identifying an external system to be notified of the detected cyber-security risk. The method includes sending cyber-security risk data to the external system according to the detected cyber-security risk and at least one filtering option.