SYSTEM AND METHOD FOR COUNTERACTING EFFECTS OF IMPROPER NETWORK TRAFFIC

A monitoring system includes a processor configured to perform operations including: place the monitoring system into a training mode to generate a model of an industrial process; receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

Description
RELATED APPLICATION

This application is a continuation-in-part of U.S. patent application Ser. No. 17/106,060 entitled “METHOD AND SYSTEM OF DEDUCING STATE LOGIC DATA WITHIN A DISTRIBUTED NETWORK” filed Nov. 27, 2020 by Paul Williams; which claims the benefit of the priority date of U.S. Provisional Application 62/941,576 entitled “METHOD AND SYSTEM OF DEDUCING STATE LOGIC DATA WITHIN A DISTRIBUTED NETWORK” filed Nov. 27, 2019 by Paul Williams; the disclosures of each of which are incorporated herein by reference for all purposes. This application also claims the benefit of the priority date of each of U.S. Provisional Application 63/445,654 entitled “SYSTEM AND METHOD FOR COUNTERACTING EFFECTS OF CYBER SECURITY BREACH OR OTHER DISRUPTION IN NETWORK COMMUNICATIONS” filed Feb. 14, 2023 by Paul Williams; and of U.S. Provisional Application 63/445,663 entitled “SYSTEM AND METHOD FOR ENHANCING COMPUTER NETWORK RELIABILITY AND COUNTERACTING EFFECTS OF A CYBER SECURITY BREACH” filed Feb. 14, 2023 by Paul Williams; the disclosures of each of which are also incorporated herein by reference for all purposes.

BACKGROUND

1. Technical Field

The present disclosure relates to the field of cybersecurity, specifically counteracting the effects of an ongoing cybersecurity breach or other disruption on communications among devices.

2. Description of the Related Art

It has become commonplace to employ computing devices to control industrial processes, including and not limited to, chemical processes, automated assembly lines, and the provision of various utilities, including electric power. Unfortunately, this has opened the door to cyber attacks affecting the control of industrial processes, thereby creating the relatively new concern that cybersecurity breaches of computing devices may additionally result in the compromising of industrial processes. Accordingly, a new form of malicious activity has been created in which cybersecurity breaches are committed for the very purpose of disrupting and/or otherwise compromising industrial processes.

By way of example, a computing device involved in the control of an industrial process may be successfully compromised by malicious software such that it becomes remotely controllable for the purpose of disrupting that industrial process. It may be that such a compromised computing device is caused to cease issuing proper operational commands in a proper order with proper timings and/or parameters, and instead, is caused to issue improper operational commands that cause improper operation of robotic arms/actuators, conveyor motors, power relays, welding devices, valves, heating and/or cooling units, etc. Such devices may be caused to operate outside of equipment design limitations, and/or with incorrect timings that violate operational and/or safety requirements. Beyond simply impairing the correct performance of an industrial process, the results could include wasting raw materials, releasing and/or spilling hazardous materials, destroying sub-assemblies, damaging equipment and/or facilities, and/or placing personnel in physical danger.

The malicious operational commands that are so issued may be altered versions of proper operational commands such that the operational commands may actually be issued when they are expected to be issued, but may include incorrect parameters that specify one or more incorrect values, such as an incorrect device identifier, temperature, pressure, direction of movement, extent of movement, countdown time, upper or lower limit, etc. Alternatively or additionally, the malicious operational commands actually may be proper operational commands for the industrial process being performed, but they may be issued at improper times and/or out of proper sequence. As still another alternative, it may simply be that entirely new malicious operational commands are issued without any connection to the content and/or timing of proper operational commands.

The use of cyber attack techniques in such attacks on industrial processes often begets the temptation to focus on using longstanding cybersecurity measures to counter them. Such longstanding cybersecurity measures include, and are not limited to, the use of various types of digital signatures to detect 1) the transmission, receipt and/or storage of particular sequences of executable instructions of malicious pieces of software, 2) the transmission of particular malicious combinations of operational commands across a network by a computing device, and/or 3) the performance of particular malicious combinations of actions by a computing device. Such approaches have been useful in attempting to prevent the infiltration and/or execution of malicious software, and/or halting further execution of malicious software. However, as will be familiar to those skilled in the art, such approaches often set up a form of “arms race” between developers of malicious software and developers of the signatures used in such detection.

Unavoidably, there is a delay between the deployment of new malicious software and the development of corresponding signatures such that it is inevitable that at least some of such software will be successful in causing harm before it can be detected. As a result, such approaches usually do little to address the harm done to industrial processes in situations where malicious software or other unexpected and/or nefarious activity is not detected until after it has been active for at least some amount of time, or has been detected, but not yet remediated or otherwise mitigated.

The present invention addresses these and other drawbacks of the prior art by providing a unique approach to mitigating the effects of such events on computing devices involved in the performance of industrial processes, where one or more malicious and/or invalid or harmful alterations of normal and/or expected communications between those computing devices have occurred.

BRIEF SUMMARY

Techniques are described for providing a system of one or more devices that implements a method for counteracting the effects of an ongoing cybersecurity breach or other disruption on communications among devices.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into a training mode to generate a model of an industrial process; receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into an operating mode to use a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process; receive, from one or more interchange devices, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and compare received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper operational command associated with the industrial process.

A method of generating a model of an industrial process includes: receiving, by a processor of a monitoring system, and from an interchange device of a monitored system, indications of observed transmissions, through the interchange device, of operational commands among multiple monitored devices of the monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generating, by the processor, the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

A method of using a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process includes: receiving, by a processor of a monitoring system, and from at least one interchange device of a monitored system, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and comparing, by the processor, received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper and expected operational command associated with the industrial process.

BRIEF DESCRIPTION OF THE DRAWINGS

The disclosure will be better understood when consideration is given to the drawings and the detailed description which follows. Such description makes reference to the annexed drawings wherein:

FIGS. 1A, 1B and 1C, together, provide block diagrams of an example embodiment of a combination of a monitored system used to control a process of an external system, and a monitoring system used to monitor communications within the monitored system.

FIGS. 2A, 2B and 2C, together, provide a more detailed presentation of monitoring of communications within the monitored system by the monitoring system in the example combination of FIGS. 1A-C.

FIGS. 3A, 3B, 3C, 3D and 3E, together, provide a more detailed presentation of one example embodiment of preparing the monitoring system for use in monitoring communications within the monitored system in the example combination of FIGS. 1A-C.

FIGS. 4A, 4B, 4C and 4D, together, provide a more detailed presentation of another example embodiment of preparing the monitoring system for use in monitoring communications within the monitored system in the example combination of FIGS. 1A-C.

FIGS. 5A, 5B, 5C, 5D and 5E, together, present details of an embodiment of counteracting the effects of a transmission of an improper operational command.

FIGS. 6A and 6B, together, present details of another embodiment of counteracting the effects of a transmission of an improper operational command.

DETAILED DESCRIPTION

In the following detailed description, reference is made to the accompanying drawings that form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. It will be readily understood that the aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.

Disclosed herein is a system of one or more devices that implements a method for counteracting the effects of an ongoing cybersecurity breach or other disruption on communications among devices.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into a training mode to generate a model of an industrial process; receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into an operating mode to use a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process; receive, from one or more interchange devices, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and compare received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper operational command associated with the industrial process.

A method of generating a model of an industrial process includes: receiving, by a processor of a monitoring system, and from an interchange device of a monitored system, indications of observed transmissions, through the interchange device, of operational commands among multiple monitored devices of the monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generating, by the processor, the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

A method of using a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process includes: receiving, by a processor of a monitoring system, and from at least one interchange device of a monitored system, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and comparing, by the processor, received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper and expected operational command associated with the industrial process.

FIGS. 1A, 1B and 1C, taken together, present an example of a monitoring system 1000 employed to monitor transmissions of operational commands and/or operational information among monitored devices 2300 within a monitored system 2000, where one or more of the monitored devices 2300 of the monitored system 2000 are involved in controlling at least some aspects of an industrial process or other type of process performed within an external system 3000. Additionally, the particular external system 3000 that is controlled by the monitored system 2000 may be one of multiple external systems 3000 that cooperate to define an external domain 4000 by which products may be produced; utility services may be monitored, controlled and/or provided; etc.

Turning to FIG. 1A, in some embodiments, the monitored system 2000 may include a variety of computing devices interconnected by a communications network 2999. Among such computing devices may be multiple monitored devices 2300 that are involved in controlling the industrial process or other type of process that occurs within the one of the external systems 3000 that is depicted as being coupled to one of the monitored devices 2300. As part of being used together in a cooperative manner to control that process, various operational commands or information may be transmitted through the network 2999 among at least a subset of those monitored devices 2300.

For purposes of this patent application, it is important to note that the use of such terms as “monitoring” and “monitored” refers to the monitoring of communications among the monitored devices 2300 of the monitored system 2000 as part of providing reliability and/or cyber security services for the monitored system 2000. Thus, these terms do not refer to the use of the monitored system 2000 to control any industrial process or other type of process performed within an external system 3000.

Also connected to the network 2999 may be one or more unmonitored devices 2100 where none of the communications therewith through the network 2999 are monitored by the monitoring system 1000. It may be that one or more of the unmonitored devices 2100 do engage in communications with one or more of the monitored devices 2300 through the network 2999. However, it may also be that none of those communications are associated with controlling an industrial process or other type of process within an external system 3000, and therefore, it may be deemed unnecessary to monitor those communications.

As depicted, the monitoring of the transmission of operational commands and/or operational information among the monitored devices 2300 through the network 2999 by the monitoring system 1000 may be through one or more interchange devices 2700 that make up part of the network 2999. Each such interchange device 2700 may be any of a variety of types of network device, including and not limited to, a router, network switch, wireless network access point, network bridge, etc. It may be that the monitoring system 1000 is remotely located from the monitored system 2000 such that it may be deemed to be entirely separate therefrom. Alternatively, it may be that the monitoring system 1000 is co-located with at least a portion of the monitored system 2000, and/or is otherwise integrated with the monitored system 2000, such that it may be deemed to be included therein.

As additionally depicted, the monitoring system 1000 may include one or more monitoring devices 1500. It may be that each of the one or more monitoring devices 1500 of the monitoring system 1000 is still another computing device. As will be explained in greater detail, each of the one or more monitoring devices 1500 may be configured to monitor the transmissions of at least operational commands or information through the network 2999 among the monitored devices 2300 as part of detecting an instance of a transmission of an improper or invalid operational command. The transmission of an improper or invalid operational command may be the result of causes such as an honest operator mistake, equipment malfunction or a deliberate cyber attack intended to adversely control aspects of an industrial process occurring within one of the depicted external systems 3000. The improper or invalid operational command may be an operational command to take an improper or invalid action, and/or to take an action with improper parameter(s).

A transmission of an improper operational command may be most likely to arise as a result of the monitored device 2300 that transmits that improper operational command having succumbed to malicious software or other form of cyber attack that either, itself, causes the particular monitored device 2300 to transmit the improper operational command, or enables the monitored device 2300 to be remotely commanded to do so. However, it should be noted that such an attempt may be caused by some form of hardware and/or software malfunction that may have occurred within the particular monitored device 2300 or elsewhere within and/or proximate to the network 2999 (e.g., interfering electrical activity caused by a lightning strike), instead of malicious software.

As will additionally be explained in greater detail, the monitoring device(s) 1500 of the monitoring system 1000 may be configured to respond to the transmission of such an improper operational command through the network 2999 by taking any of a variety of actions. By way of example, in some embodiments, the monitoring device(s) 1500 may simply provide an alert to designated personnel of such a transmission (e.g., providing an audible and/or visual alert, and/or transmitting an electronic alert message, such as a text message or phone call). Alternatively or additionally, in other embodiments, the monitoring device(s) 1500 may, through the interchange device(s) 2700, block the transmission of such an improper operational command such that it is not received at whichever monitored device 2300 was the intended destination, and/or cause the transmission of a proper operational command that replaces and/or countermands the improper operational command.

More precisely, in some embodiments, it may be that the monitoring device(s) 1500 operate the interchange device(s) 2700 to cause the interchange device(s) 2700 to intercept each operational command that is transmitted by one of the monitored devices 2300 that meets various pre-selected parameters (e.g., type of operational command, protocol used, destination, etc.). Each such operational command may initially be relayed to the monitoring device(s) 1500 for analysis, instead of being relayed onward to its intended destination. The analysis that is performed may be based on machine learning where correct transmissions of operational commands associated with controlling industrial processes through the network 2999 have been observed over time to build up a knowledge base of what transmissions of operational commands are expected to occur and when. Where the analysis results in a determination that the operational command is proper, then the interchange device(s) 2700 may be directed to proceed with relaying the operational command onward towards its intended destination. However, where the analysis results in a determination that the operational command is improper or invalid, then, at a minimum, the interchange device(s) 2700 may be directed to refrain from relaying the operational command onward towards its intended destination.

Still further action may be taken by the monitoring device(s) 1500 in response to an improper operational command based on various factors. By way of example, where a transmitted improper or invalid operational command is the type of operational command that is expected, is transmitted at the expected time, and to the expected destination, but includes wrong parameter(s), then the monitoring device(s) 1500 may transmit a corrected version of that improper operational command, through interchange device(s) 2700, and onward to the same destination, so as to cause the proper operational command to be received at that destination at the expected time.

Alternatively, in other embodiments, it may be that the interchange device(s) 2700 do not, in any way, intercept the operational commands that are transmitted therethrough. Instead, for each operational command that is transmitted by one of the monitored devices 2300 that meets various pre-selected parameters (e.g., type of operational command, protocol used, destination, etc.), a copy is relayed to the monitoring device(s) 1500 for analysis as it is also relayed onward to its intended destination. Again, the analysis that is performed may be based on machine learning or by a comparison against a database of expected operational commands. Where the analysis results in a determination that the operational command is proper, then no further action may be taken. However, where the analysis results in a determination that the operational command is improper, then further action may be taken by the monitoring device(s) 1500, such as sending an alert or transmitting an additional operational command(s), through interchange device(s) 2700, and onward to the same destination. The additional operational command(s) may be generated based on an analysis of the improper or invalid operational command to countermand the action specified in the improper operational command.

Turning to FIG. 1B, as will be explained in greater detail, the industrial process or other type of process performed within one of the external systems 3000 that is controlled from within the monitored system 2000 may have multiple states where particular action(s) are to be performed and/or where particular event(s) are to occur within each state. The performance of that process may, therefore, progress through a tree of such states with particular transitions occurring between particular states at particular times, in a particular order, and/or in response to particular conditions.

As will also be explained in greater detail, there may be particular transmissions of operational commands and/or operational information among particular ones of the monitored devices 2300 that are associated with different ones of such transitions between states of such a process within an external system 3000. By way of example, it may be that a particular operational command or operational information is meant to be transmitted through the network 2999 within a particular span of time in response to the occurrence of particular conditions, such as a transition into a particular state. Or, by way of another example, it may be that a particular operational command or operational information is meant to be transmitted through the network 2999 within a particular span of time, and/or as part of a particular sequence of operational commands and/or operational information, to cause a transition into a particular state. A transmission of an improper operational command to take an improper action, or to take an action with improper parameter(s), may result in a transition to another state that occurs out of proper sequence, or may result in a transition to an improper state that is entirely outside of such a tree.
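The training mode, the operating mode with its intercept-then-relay, correct or block decisions, and the ordered, timed transitions between states described above, as an added Python example that is not part of the patent. The command names, the 10% tolerance, the min/max windows and the median-based parameter correction are assumptions chosen for illustration, and all traces are constructed; only the device labels 2300a and 2300x come from the text.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from statistics import median

START = ("<start>", "", "")  # pseudo-command marking the beginning of a run


@dataclass(frozen=True)
class Command:
    t: float      # seconds since the process run started
    src: str      # transmitting monitored device
    dst: str      # intended destination device
    op: str       # operational command type (hypothetical names)
    value: float  # single numeric parameter

    @property
    def key(self):
        return (self.src, self.dst, self.op)


class ProcessModel:
    """Training mode: learn which command follows which, how long after,
    and with what parameter values, from known-good runs."""

    def __init__(self, tolerance=0.10):
        self.tolerance = tolerance          # assumed slack around observations
        self.gaps = defaultdict(list)       # (prev, next) -> seconds between them
        self.values = defaultdict(list)     # (prev, next) -> observed parameters

    def train(self, runs):
        for run in runs:
            prev_key, prev_t = START, 0.0
            for cmd in run:
                edge = (prev_key, cmd.key)
                self.gaps[edge].append(cmd.t - prev_t)
                self.values[edge].append(cmd.value)
                prev_key, prev_t = cmd.key, cmd.t

    def window(self, samples):
        lo, hi = min(samples), max(samples)
        pad = self.tolerance * max(abs(lo), abs(hi), 1.0)
        return lo - pad, hi + pad


class Monitor:
    """Operating mode for the intercepting embodiment: every command is
    held until inspect() decides whether to relay, correct or block it."""

    def __init__(self, model):
        self.model = model
        self.prev_key, self.prev_t = START, 0.0

    def inspect(self, cmd):
        edge = (self.prev_key, cmd.key)
        if edge not in self.model.gaps:
            return "block:unexpected-order", None   # transition not in the tree
        lo, hi = self.model.window(self.model.gaps[edge])
        if not lo <= cmd.t - self.prev_t <= hi:
            return "block:bad-timing", None         # right command, wrong time
        verdict, relay = "relay", cmd
        lo, hi = self.model.window(self.model.values[edge])
        if not lo <= cmd.value <= hi:
            # Expected type, time and destination but wrong parameter:
            # substitute a corrected command (median of training values).
            relay = replace(cmd, value=median(self.model.values[edge]))
            verdict = "relay:corrected-parameter"
        # Only a delivered command advances the tracked process state.
        self.prev_key, self.prev_t = cmd.key, cmd.t
        return verdict, relay


def demo():
    def c(t, op, value):
        return Command(t, "2300a", "2300x", op, value)

    training = [  # constructed known-good runs of one process
        [c(1.0, "OPEN_VALVE", 40.0), c(6.0, "SET_HEATER", 180.0), c(36.0, "CLOSE_VALVE", 0.0)],
        [c(1.2, "OPEN_VALVE", 42.0), c(6.0, "SET_HEATER", 178.0), c(37.0, "CLOSE_VALVE", 0.0)],
        [c(0.9, "OPEN_VALVE", 41.0), c(6.1, "SET_HEATER", 181.0), c(36.5, "CLOSE_VALVE", 0.0)],
    ]
    model = ProcessModel()
    model.train(training)
    monitor = Monitor(model)
    live = [  # constructed live traffic containing three improper commands
        c(1.0, "OPEN_VALVE", 41.0),    # proper
        c(6.0, "SET_HEATER", 450.0),   # proper time and type, wrong parameter
        c(8.0, "CLOSE_VALVE", 0.0),    # proper type, far too early
        c(9.0, "OPEN_VALVE", 41.0),    # out of sequence
        c(36.5, "CLOSE_VALVE", 0.0),   # proper
    ]
    return [monitor.inspect(cmd) for cmd in live]


if __name__ == "__main__":
    for verdict, relayed in demo():
        print(verdict, relayed)
```

In the non-intercepting embodiment the same verdicts would drive an alert or a countermanding command instead of a block, since the original command has already been relayed.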

As will be familiar to those skilled in the art, an external system 3000 in which a process is performed, such as the depicted external system 3000x in which a process 3003x may be performed, may include multiple sensing devices 3200 to detect various conditions, and/or multiple effecting devices 3800 able to be commanded to perform various functions. Depending on the nature of the depicted process 3003x that is performed within the external system 3000x, each of the sensing devices 3200 may be any of a variety of types of sensing device based on any of a variety of technologies to sense any of a variety of conditions, including and not limited to, a temperature sensor, pressure sensor, light sensor, vibration sensor, accelerometer, gyroscope, spectrometer, chemical release sensor, particle emission detector, manually-operable control, manual data input device, air speed sensor, RADAR, LIDAR, SONAR, RPM sensor, etc. Correspondingly, depending on the nature of the process 3003x that is performed within the external system 3000x, each of the effecting devices 3800 may be any of a variety of types of effecting device based on any of a variety of technologies to effect any of a variety of actions, including and not limited to, a robotic arm, gantry crane, remotely controllable mobile platform, welding device, metal press, valve, heater, cooler, power supply, magnet or set of magnets, data storage device, display system, aerofoil or hydrofoil control surface, rudder, magnetron, radiation source, electric motor, internal combustion engine, turbine engine, etc.

As depicted, it may be that one of the monitored devices 2300, such as the depicted monitored device 2300x, is coupled to individual ones of the sensing devices 3200 and/or the effecting devices 3800 of the external system 3000x. Thus, the effecting devices 3800 of the external system 3000x may be operated in a concerted manner by the monitored device 2300x to perform various steps of the process 3003x, while being guided by data received by the monitored device 2300x from the sensing devices 3200 of the external system 3000x.

As also depicted, the monitored device 2300x may include one or more processors 2350x, a storage 2360x, and/or a port 2390x to couple the monitored device 2300x to the network 2999. The storage 2360x and/or the port 2390x may each be communicatively coupled to the processor(s) 2350x to exchange executable instructions and/or data therewith through the exchange of electrical, optical, magnetic and/or other signals through one or more buses and/or other form of interconnect within the monitored device 2300x. Further, the storage 2360x may store a control routine 2340x that may include instructions executable by the processor(s) 2350x to cause the processor(s) 2350x to perform various functions.

In various embodiments, it may be that the control routine 2340x is operative on the processor(s) 2350x of the monitored device 2300x to cause the processor(s) 2350x to monitor the sensing devices 3200 of the external system 3000x to monitor aspects of the process 3003x performed within the external system 3000x, and/or to command the effecting devices 3800 of the external system 3000x in a manner that causes the processor(s) 2350x to put the external system 3000x into at least a subset of the multiple states of the process 3003x. Stated differently, the control routine 2340x may be capable of causing the processor(s) 2350x to monitor for and/or to implement at least a subset of those multiple states of the process 3003x.

While the monitored device 2300x may be so coupled to the external system 3000x so as to be capable of monitoring for and/or implementing states of the process 3003x performed therein, it may be that the overall actual performance of the process 3003x is controlled by another of the monitored devices 2300, such as the depicted monitored device 2300a. More precisely, it may be that the monitored device 2300a transmits operational commands and/or operational information to the monitored device 2300x to cause the monitored device 2300x to implement at least a subset of the transitions between states within the external system 3000x as part of causing the process 3003x to be performed. It may also be that the monitored device 2300x transmits operational information to the monitored device 2300a indicative of data received from one or more of the sensing devices 3200 to enable the monitored device 2300a to determine when particular ones of such transitions between states of the process 3003x should occur.

As depicted, the monitored device 2300a may include one or more processors 2350a, a storage 2360a, and/or a port 2390a to couple the monitored device 2300a to the network 2999. The storage 2360a and/or the port 2390a may each be communicatively coupled to the processor(s) 2350a to exchange executable instructions and/or data therewith through the exchange of electrical, optical, magnetic and/or other signals through one or more buses and/or other form of interconnect within the monitored device 2300a. Further, the storage 2360a may store a control routine 2340a that may include instructions executable by the processor(s) 2350a to cause the processor(s) 2350a to perform various functions.

In various embodiments, it may be that the control routine 2340a is operative on the processor(s) 2350a of the monitored device 2300a to cause the processor(s) 2350a to transmit operational commands to the monitored device 2300x to control the performance of the process of the external system 3000x based, at least in part, on operational information received from the monitored device 2300x. Stated differently, the control routine 2340a may be capable of causing the processor(s) 2350a to command the occurrence of transitions among at least a subset of the states of the process of the external system 3000x, thereby causing the process to be performed. Thus, in this more specific example provided in FIG. 1B, the monitored devices 2300a and 2300x, together, may implement the logic of a finite state machine for the process performed within the external system 3000x.

Turning to FIG. 1C, as previously discussed, the network 2999 includes one or more interchange devices 2700 such that operational commands and/or operational information that are transmitted through the network 2999 are necessarily also transmitted through one or more of such interchange devices 2700.

As depicted, each such interchange device 2700 may include one or more processors 2750, a storage 2760, multiple bi-directional ports 2790, and/or a span port 2795. The storage 2760, the ports 2790 and/or the span port 2795 may each be communicatively coupled to the processor(s) 2750 to exchange executable instructions and/or data therewith through the exchange of electrical, optical, magnetic and/or other signals through one or more buses and/or other form of interconnect within each interchange device 2700. Further, the storage 2760 may store a control routine 2740 that may include instructions executable by the processor(s) 2750 to cause the processor(s) 2750 to perform various functions. Alternatively or additionally, a portion of the storage 2760 may be allocated to serve as a buffer 2766.

As previously discussed, each interchange device 2700 may be any of a variety of types of network device. Thus, in some embodiments, the depicted interchange device 2700 may be a relatively simple hub device in which execution of the control routine 2740 by the processor(s) 2750 may cause the processor(s) 2750 to, in response to receiving a transmission at one of the ports 2790, output the very same transmission in a broadcasting manner at all other ports 2790. Alternatively, in other embodiments, the depicted interchange device 2700 may be a relatively more sophisticated device in which execution of the control routine 2740 by the processor(s) 2750 may cause the processor(s) 2750 to use internally stored address information associated with each port 2790 to more selectively relay a transmission received at one port 2790 to just one other port 2790 or just a subset of the other ports 2790.

Regardless of the level of sophistication of the depicted interchange device 2700, it may be that received transmissions are temporarily stored within the buffer 2766 for a predetermined period of time and/or until there is an indication of success in being relayed onward through the network 2999. This may be done to enable one or more attempts at retransmission to be performed in response to an indication of failure in an initial attempt at relaying onward through the network 2999.

Further, the span port 2795 may be implemented as an output-only port that relays a copy and/or an indication of each transmission that is received at any port 2790 of the interchange device 2700. Thus, as depicted, the span port 2795 may be coupled to a monitoring device 1500 of the monitoring system 1000 to enable copies and/or indications of some or all traffic that passes through the interchange device 2700 to be provided to that monitoring device 1500. As will be discussed in greater detail, this enables that monitoring device 1500 to detect an instance in which an improper transmission of an operational command and/or operational information among the monitored devices 2300 occurs. As additionally depicted, the same depicted monitoring device 1500 may also be coupled to the depicted interchange device 2700 via another of the ports 2790. As will also be explained in greater detail, such an additional coupling therebetween may enable the monitoring device 1500 to respond to such an occurrence of an improper transmission by providing a corrected transmission, itself.

In embodiments in which the interchange device 2700 is of a more sophisticated variety, it may be that execution of the control routine 2740 causes the processor(s) 2750 thereof to respond to commands received from such a monitoring device 1500 to limit the copies and/or indications of network traffic that are provided through the span port 2795 to transmissions of particular types and/or to transmissions associated with particular devices. In this way, it may be that the depicted interchange device 2700 is caused to cooperate with the depicted monitoring device 1500 to limit the copies and/or indications of network traffic that are output to the monitoring device 1500 to operational commands and/or operational information exchanged among monitored devices 2300.

Alternatively or additionally, in embodiments in which the interchange device 2700 is of a more sophisticated variety, it may be that the execution of the control routine 2740 causes the processor(s) 2750 thereof to respond to commands received from such a monitoring device 1500 to at least temporarily retain transmissions meeting one or more specified criteria within the buffer 2766. In this way, it may be that the depicted interchange device 2700 is caused to cooperate with the depicted monitoring device 1500 to at least temporarily delay allowing a transmission to proceed through the interchange device 2700 from one monitored device 2300 to another monitored device 2300, thereby at least providing the monitoring device 1500 with an amount of time needed to analyze aspects of the transmission to determine whether it is a proper transmission so as to be able to determine whether to command the interchange device 2700 to allow it to continue onward to the other monitored device 2300.

As depicted, each such monitoring device 1500 may include one or more processors 1550, a storage 1560, and/or one or more ports 1590 for coupling to one or more interchange devices 2700 of the network 2999. The storage 1560 and/or the port(s) 1590 may each be communicatively coupled to the processor(s) 1550 to exchange executable instructions and/or data therewith through the exchange of electrical, optical, magnetic and/or other signals through one or more buses and/or other form of interconnect within each monitoring device 1500. Further, the storage 1560 may store a control routine 1540 that may include instructions executable by the processor(s) 1550 to cause the processor(s) 1550 to perform various functions. Alternatively or additionally, the storage 1560 may store a database 1530 of information concerning states, operational commands and/or operational information associated with one or more processes that may be performed within one or more external systems 3000, as well as information concerning actions to be taken in response to situations observed on the network 2999 that at least appear to fall outside what is expected to occur during the performance of each of those one or more processes.

Returning to FIG. 1A, although the monitored system 2000 has been discussed as being made up of multiple networked computing devices 2100, 2300 and/or 2700, in alternate embodiments, it may be that the monitored system 2000 is, itself, a single computing device. In such alternate embodiments, the device(s) 2100, 2300 and/or 2700 may be components of that single computing device that are interconnected by an internal network of buses 2999. In such alternate embodiments, it may be that each of the one or more interchange devices 2700 is an integrated circuit providing a form of crosspoint switch function for the network of buses 2999 by which commands and/or data are exchanged among the other devices 2100 and/or 2300.

Further, in such alternate embodiments, it may additionally be that the monitoring system 1000 is implemented using one or more microcontrollers that may be physically incorporated into the single computing device of the monitored system 2000. However, it may also be that the monitoring system 1000 is otherwise isolated from the central processing units (CPUs) of that single computing device.

Still further, and regardless of whether the monitored system 2000 is made up of multiple networked computing devices, or is, itself, a computing device, it may be that the monitoring system 1000 is implemented via public or private cloud-based network computing resources.

FIGS. 2A, 2B and 2C, taken together, present various aspects of example implementations of the network 2999, including example implementations of the interchange device(s) 2700.

Turning to FIG. 2A, each of the ports 2790 of an interchange device 2700 of the one or more interchange devices 2700 may be coupled by a separate link 2990 to a separate unmonitored device 2100 or monitored device 2300. As those skilled in the art will readily recognize, this may create a form of hub-and-spoke topology, or other electrically similar topology, in which an interchange device 2700 may be at the center of a set of point-to-point connections to a corresponding set of multiple devices 2100/2300. Turning briefly to FIG. 2B, along with FIG. 2A, in larger embodiments of the monitored system 2000, it may be that multiple interchange devices 2700 are coupled together to form a larger version of such a hub-and-spoke topology.

Returning to FIG. 2A, for each monitored system 2000, the span port 2795 of at least a single interchange device 2700 may be coupled by a separate link 2995 to at least a single monitoring device 1500 of a monitoring system 1000. As the devices 2100 and/or 2300 of the monitored system 2000 engage in communications thereamong through the network 2999, copies and/or indications of at least operational commands and/or operational information that are transmitted among at least the monitored devices 2300 may be relayed to the one or more monitoring devices 1500 via the span port(s) 2795 and links 2995. In some embodiments, it may be that such a single monitoring device 1500 is additionally or alternatively coupled, by a link 2995, to a bi-directional port 2790 of such a single interchange device 2700 to enable the single monitoring device 1500 to control one or more of the interchange devices 2700 and/or to transmit an operational command or operational information to a monitored device 2300 therethrough.

Turning again briefly to FIG. 2B, along with FIG. 2A, where there are multiple interchange devices 2700 incorporated into an embodiment of the monitored system 2000, it may be that each one of the multiple interchange devices 2700 incorporates a separate span port 2795. The span port 2795 of each of those multiple interchange devices 2700 may then be separately coupled by a separate link 2995 to one or more monitoring devices 1500 of the monitoring system 1000 of that embodiment, thereby enabling each one of those multiple interchange devices 2700 to directly relay copies and/or indications of at least operational commands and/or operational information that are transmitted among at least the monitored devices 2300 thereto. Alternatively, it may be that just a single one of those multiple interchange devices 2700 is so coupled to a single monitoring device 1500, and that single interchange device 2700 may relay copies and/or indications of such operational commands and/or operational information conveyed through all of the multiple interchange devices 2700 through the single span port 2795 and single link 2995.

Regardless of the quantity of interchange devices 2700 and/or the exact manner in which those interchange device(s) 2700 are coupled to one or more monitoring devices 1500, as previously discussed, the interchange device(s) 2700 may include the ability to be programmed to specify a particular subset of transmissions for which copies and/or indications thereof are relayed to the monitoring device(s) 1500. Such a subset may be specified by identifiers of devices involved, types of transmission, types of protocol used, size of what is transmitted, time of day or day of week of transmissions, etc. Indeed, in some embodiments, it may be the use of identifiers of devices in defining such a subset that effectively defines which devices within the monitored system 2000 are the monitored devices 2300, versus which devices are the unmonitored devices 2100.

In embodiments in which the monitored system 2000 is made up of a set of networked computing devices, each link 2990 and/or 2995 may be implemented using any of a variety of wireless and/or cabling-based network technologies, including and not limited to, Bluetooth, Wi-Fi, cellular signaling, twisted-pair electrical cabling, coaxial electrical cabling, and fiber optic cabling. Such wireless and/or cabling-based technologies may adhere to any of a wide variety of specifications, including and not limited to, Ethernet and/or TCP/IP. In embodiments in which the monitored system 2000 is made up of a single computing device, each link 2990 and/or 2995 may be implemented using any of a variety of widely used and accepted internal bus specifications, including and not limited to, PCI-Express bus, and I2C bus.

Turning to FIG. 2C, in some embodiments, it may be that a monitored device 2300 includes multiple components 2303 where transmissions of operational commands or operational information thereto and/or therefrom are at least able to be observed through the link 2990 by which that monitored device 2300 is coupled to an interchange device 2700. More specifically, it may be that a single monitored device 2300 incorporates multiple components 2303 that are each able to be separately addressed and communicated with through that link 2990 in a manner almost akin to being entirely separate devices. Alternatively or additionally, it may be that transmissions of operational commands or operational information among multiple components 2303 within a single monitored device 2300 are also reflected on that link 2990.

Thus, and by way of example, where the depicted monitored component 2303A of the depicted monitored device 2300 transmits an operational command or operational information to another depicted monitored component 2303B within the same monitored device 2300, a copy of that transmission may also be transmitted onto the depicted link 2990, thereby enabling the depicted interchange device 2700 to relay a copy and/or indication of that transmission onward to the depicted monitoring device 1500. As still another alternative, it may be that such a transmission between the depicted monitored components 2303A and 2303B is performed by the monitored component 2303A transmitting the operational command or operational information out to the depicted interchange device 2700, followed by the interchange device 2700 relaying that operational command or operational information back along the same link 2990 to the monitored component 2303B.

Regardless of the exact manner in which transmissions of operational commands or operational information are relayed to the monitoring device(s) 1500 of the monitoring system 1000, as will shortly be explained in greater detail, the copies and/or indications of operational commands or operational information that are so relayed may be compared to information stored within the database 1530 concerning what transmissions of operational commands or operational information are expected to occur (and when) as part of identifying instances in which observed transmissions of operational commands or operational information deviate from what is expected.

FIGS. 3A, 3B, 3C, 3D and 3E, taken together, present various aspects of an example embodiment of preparing a monitoring device 1500 for monitoring transmissions 3400 through a network 2999 of an embodiment of the monitored system 2000, and/or for taking action to address anomalies associated therewith. In so doing, FIGS. 3A-E depict further aspects of the example process 3003x that was earlier introduced in connection with FIG. 1B.

Turning to FIG. 3A, as previously discussed, and as depicted, a process performed within one of the external systems 3000 may be defined as having a tree of multiple states that is traversed during its performance, such as the depicted process states 3600p1, 3600p2, etc., of the depicted process 3003x performed within the depicted external system 3000x. As also previously discussed, such an external system as the depicted external system 3000x may include one or more sensing devices 3200 to monitor various aspects of the process 3003x performed therein, and/or one or more effecting devices 3800 to effect various aspects of a performance of the process 3003x therein.

As also previously discussed, one or more transmissions 3400 through the network 2999 may be associated with the beginning of a performance of the process 3003x, such as the depicted one or more transmissions 3400np. More specifically, in various embodiments, there may be one or more transmissions 3400np that trigger the commencement of the process 3003x. By way of example, there may be transmission(s) 3400np that convey operational command(s) between monitored devices 2300 (e.g., the depicted monitored devices 2300a and 2300x) through the network 2999 to prepare for beginning the process 3003x, and/or to actually begin the process 3003x. Such operational command(s) may, in turn, cause one or more effecting devices 3800 to be commanded to perform operations that implement such preparations, and/or that actually begin the process 3003x at the depicted process state 3600p1. Alternatively or additionally, there may be transmission(s) 3400np that convey operational information between monitored devices 2300 through the network 2999 that preparations for beginning the process 3003x have been completed, and/or that the process 3003x has begun. Such operational information may include data collected by one or more sensing devices 3200.

Further, as has additionally been discussed, there may be one or more transmissions 3400 that are not associated with performing the process 3003x, and that don't occur during a performance of the process 3003x, such as the depicted one or more transmissions 3400n. Such transmissions 3400n may be associated with maintaining the external system 3000x in the depicted non-process state 3600n, such as a distinct “off” state, a “sleep” state, or a “standby” state. As will be familiar to those skilled in the art, such a non-process state 3600n may be configured to minimize the consumption of energy, to maintain device(s) in a known inactive state, and/or maintain substance(s) in a known safe storage state. Such a minimal consumption of energy may be directed toward maintaining a cache of pre-loaded data in readiness for a future performance of the process 3003x, and/or such a safe storage state may preserve substances in a condition for use in a future performance of the process 3003x. By way of example, there may be transmission(s) 3400n that convey operational command(s) between monitored devices 2300 through the network 2999 to effect and/or maintain the non-process state 3600n. Such operational command(s) may, in turn, cause one or more effecting devices 3800 to be commanded to perform operations that implement and/or maintain various aspects of the non-process state 3600n. Alternatively or additionally, there may be transmission(s) 3400n that convey operational information between monitored devices 2300 through the network 2999 concerning aspects of maintaining the non-process state 3600n. Such operational information may include data collected by one or more sensing devices 3200 about the ongoing preservation of data, and/or about the ongoing preservation of substance(s) in storage.

As has also been additionally discussed, it may be that a particular transmission 3400n of the non-process state 3600n, a particular transmission 3400np associated with commencing the process 3003x, or a combination of multiple transmissions 3400n and/or 3400np, are selected to serve as an indication that is observable on the network 2999 that the process 3003x has begun. Thus, by monitoring transmissions 3400 occurring on the network 2999 (through one or more interchange devices 2700), a monitoring device 1500 may identify instances in which such particular transmissions 3400n and/or 3400np (or such a combination thereof) have occurred on the network 2999, and use such instances as an indication of when to begin monitoring the network 2999 for transmissions 3400 associated with the process 3003x.

As previously discussed, just as there may be transmissions 3400n and/or 3400np that are associated with the beginning of a performance of a process, such as the depicted process 3003x, there may also be various transmissions 3400 between monitored devices 2300 that may be associated with transitions between process states 3600p, such as the depicted one or more transmissions 3400pp associated with transitioning between the process states 3600p1 and 3600p2. More specifically, and as previously discussed, for each process state 3600p, there may be one or more transmissions 3400pp that are associated with the beginning of that process state 3600p, and/or there may be one or more transmissions 3400pp that are associated with the ending of that process state 3600p. Again, this may arise from the fact that some transmissions 3400pp may trigger the beginning of a process state 3600p, some transmissions 3400pp may be caused to occur by the beginning of a process state 3600p, some transmissions 3400pp may trigger the ending of a process state 3600p, and/or some transmissions 3400pp may be caused to occur by the ending of a process state 3600p. In a manner similar to the commencement of the process 3003x, ones of the transmissions 3400pp that trigger the beginning or the ending of a process state 3600p may convey operational command(s) that, in turn, cause effecting device(s) 3800 to be commanded to perform operations that effectuate such a beginning or ending. Correspondingly, ones of the transmissions 3400pp that are caused to occur by the beginning or the ending of a process state 3600p may convey operational information that includes data collected by one or more sensing devices 3200 associated with such a beginning or ending.

As also previously discussed, there may be transmissions 3400 that convey operational commands and/or operational information between monitored devices 2300 during one or more of the process states 3600p, such as the depicted transmissions 3400p occurring during each of the depicted process states 3600p1 and 3600p2. Again, such transmissions 3400p may convey operational information that may include data collected by sensing devices 3200 that is indicative of various measurements associated with a portion of a process 3003 that occurs during a process state 3600p. Alternatively or additionally, such transmissions 3400p may convey operational commands that, in turn, cause effecting device(s) 3800 to perform various operations during a process state 3600p.

FIG. 3B depicts aspects of various causal relationships among various aspects of a performance of a process, such as the depicted process 3003x. More specifically, there may be causal relationships between transmissions 3400 and at least a subset of the process states 3600p. As those skilled in the art will readily recognize, such causal relationships may dictate what transmissions 3400 are to occur on the network 2999, the type of transmission (e.g., a transmission conveying operational command(s), a transmission conveying operational information, or a transmission conveying non-operational information), aspects of the content of each transmission (e.g., which operational command is conveyed, what parameters accompany each command, and/or what data values are included in operational information that is conveyed), and/or the timing of each transmission (e.g., when each transmission is expected to occur on the network 2999).

As previously discussed, there may be one or more transmissions 3400np that may trigger the beginning of a performance of the process 3003x, and various aspects of such transmission(s) 3400np may be dictated by various requirements associated with the process 3003x. By way of example, it may be that the protocol used to control the process 3003x dictates that at least one particular operational command be transmitted to trigger the commencement of the process 3003x. This may dictate that a transmission 3400np of a type that conveys an operational command is required, and that the particular operational command specified by the protocol is the one that is to be conveyed. The same protocol may also dictate one or more of the parameters that are to be included with the particular operational command in that transmission 3400np.

Again, the transmissions 3400n that occur during the depicted non-process state 3600n may be associated with monitoring and/or maintaining aspects of the non-process state 3600n, and may not be associated with the process 3003x. However, it may also be that there is a causality between the occurrence of such a transmission 3400n during the non-process state 3600n, and a later transmission 3400np that triggers the commencement of the process 3003x. By way of example, it may be that operational information that is conveyed in one or more of the transmissions 3400n includes data indicative of measurements taken during the non-process state 3600n that in some way influences a parameter of an operational command that is later conveyed in a transmission 3400np that triggers the commencement of the process 3003x. As those skilled in the art will readily recognize, such a situation may arise where a measurement of an aspect of a device and/or of a substance that is taken during the non-process state 3600n may influence an aspect of how the process 3003x is to begin, such as a temperature reading taken during the non-process state 3600n that affects a parameter for controlling heating or cooling within an operational command for triggering the commencement of the process 3003x. As will be discussed further, there may be logic employed in the control of the process 3003x that is used to derive a value for such a parameter based on such input as an earlier-collected measurement.

As also previously discussed, there may be one or more transmissions 3400np that are caused to occur by the commencement of the process 3003x. By way of example, it may be that the protocol used to control the process 3003x dictates that operational information be conveyed that includes an indication of success or failure in commencing performance of the process 3003x, along with an indication of the type of failure in situations where failure occurs. This may dictate that a transmission 3400np of a type that conveys operational information is required, as well as dictating what operational information is to be included. The same protocol may also dictate one or more aspects of the formatting of the data values that are used to represent that operational information in that transmission 3400np. As will be discussed further, there may be logic employed in the control of the process 3003x that is used to identify such a failure, and thereby determine the particular indication of type of failure that may be included in such operational information.

In a manner similar to the transmission(s) 3400np associated with the commencement of a process 3003, there may be one or more transmissions 3400pp that may trigger a transition between process states 3600, such as the depicted transition from the process state 3600p1 to the process state 3600p2 of the depicted process 3003x. This may include transmission(s) 3400pp that separately trigger the ending of one process state 3600p, and/or transmission(s) 3400pp that separately trigger the beginning of the next process state 3600p, as well as transmission(s) 3400pp that may serve both purposes. Also in a similar manner, various aspects of such transmission(s) 3400pp may be dictated by various requirements associated with the process 3003x, and/or dictated by various requirements of the particular process states 3600 between which the transition occurs. Again, such aspects may include requirements for the transmission(s) 3400pp based on the protocols used. Also, and as will be discussed further, there may be logic employed in the control of the process 3003x that is used to determine what operational commands and/or what operational information is to be transmitted, used to derive values for parameters of operational commands that may be transmitted, and/or used to derive data values included in operational information that may be transmitted.

Again, the transmissions 3400p that occur during each process state 3600p may be associated with monitoring and/or controlling operations that are performed during each of the process states 3600p as part of performing the process 3003x. As depicted, there may be causality between such transmissions 3400p and preceding transmissions 3400np for the commencement of the process 3003x and/or preceding transmissions 3400pp for a preceding transition between process states 3600p. Alternatively or additionally, there may be causality between such transmissions 3400p and subsequent transmissions 3400pp for a subsequent transition between process states 3600p. Also alternatively or additionally, there may be causality among such transmissions 3400p associated with a single process state 3600p, or among multiple process states 3600p. Each of such causalities may include influences that previously transmitted operational commands, parameters of previously transmitted operational commands, and/or data values in previously transmitted operational information, may exert on subsequently transmitted operational commands, parameters of subsequently transmitted operational commands, and/or data values in subsequently transmitted operational information. Again, there may be logic employed in the control of the process 3003x that is used to determine what operational commands and/or what operational information is to be transmitted, used to derive values for parameters of operational commands that may be transmitted, and/or used to derive data values included in operational information that may be transmitted.

FIG. 3C depicts aspects of various timing relationships among various aspects of a performance of a process, such as the depicted process 3003x. More specifically, there may be timing relationships between transmissions 3400 and at least a subset of the process states 3600p. The earlier discussed causal relationships may at least partially dictate aspects of the timing of at least a subset of the transmissions 3400n, 3400np, 3400p and/or 3400pp.

More specifically, the start times (Tstart), the stop times (Tstop) and/or the transmission duration times (Txmt) for at least a subset of these transmissions may be at least partially determined by whether each of such transmissions causes or is caused by the commencement of the process 3003x, and/or causes or is caused by a transition between process states 3600p. Thus, although FIG. 3C depicts an example transmission 3400np as occurring at least partially simultaneously with the transition from the non-process state 3600n to the process state 3600p1, the entirety of this same example transmission 3400np could occur entirely before that transition or entirely afterward. Similarly, although an example transmission 3400pp is depicted as occurring at least partially simultaneously with the transition from the process state 3600p1 to another process state 3600p, the entirety of this same example transmission 3400pp could occur entirely before that transition or entirely afterward.

Also depicted is an example transmission 3400n that occurs entirely within the non-process state time period (Tnps) of the non-process state 3600n, and an example transmission 3400p that occurs entirely within the process state time period (Tps) of the process state 3600p1.

However, despite the role that causality in connection with such transitions may play in at least partially dictating timing of various ones of these transmissions 3400n, 3400np, 3400p and/or 3400pp, other factors unrelated to such transitions may also play a role. By way of example, during the portion of the performance of the process 3003x that occurs during the depicted process state 3600p1, a circumstance may arise that triggers the occurrence of a transmission 3400p during that process state that conveys operational information indicative of a milestone in the process 3003x having been reached, or of an anomalous event having been detected by one of the sensing devices 3200 (e.g., a high temperature reading, or a lack or imminent lack of available data storage space). While such a transmission 3400p may occur entirely within the Tps of the process state 3600p1, its occurrence may be entirely based on logic used to trigger such notification transmissions, and may not actually be dictated by any direct constraint relative to either the start or end of that time period beyond the fact that such logic may only be used during the process state 3600p1.

Turning to FIG. 3D, as previously discussed, it may be that portions of the logic for controlling a process 3003 may be distributed among multiple ones of the monitored devices 2300, such as the depicted monitored devices 2300a and 2300x associated with controlling the example process 3003x within the depicted external system 3000x. As also depicted, it may be that still another portion of such logic is distributed to one or more components within the external system 3000x (e.g., to one or more sensing devices 3200 and/or to one or more effecting devices 3800 therein).

Again, it may be that a monitored device 2300 that is in direct communication with an external system 3000 (e.g., the monitored device 2300x in direct communication with the external system 3000x) may implement lower level portions of logic associated with controlling individual effecting devices 3800 to implement specific details of at least a subset of the process states 3600 of a process 3003. Alternatively or additionally, a monitored device 2300 that is in such direct communication with an external system 3000 may implement lower level portions of logic for receiving data from sensing devices 3200 and/or for responding to such data by transmitting operational information to one or more other monitored devices 2300 implementing other portions of the logic for controlling a process 3003.

Also, it may be that a monitored device 2300 that is not in direct communication with an external system 3000 (e.g., the monitored device 2300a that communicates with the monitored device 2300x concerning the external system 3000x) may implement higher level portions of logic associated with using received operational information to determine whether a transition between process states 3600 has occurred in a process 3003, and/or when to command that a transition between process states 3600 is to be caused to occur. Alternatively or additionally, a monitored device 2300 that is not in direct communication with an external system 3000 may provide a user interface to an operator tasked with overseeing the performance of a process 3003 within an external system 3000.

Further, it may be that components of an external system 3000, such as sensing devices 3200 and/or effecting devices 3800 of the external system 3000x, may incorporate or otherwise implement various forms of relatively simple logic for locally handling various specific events. Such events may include loss of communication with a monitored device 2300 that would otherwise monitor and control the external system 3000, such that the locally implemented logic serves as a backup form of monitoring and/or control for a limited period of time until such communication is reestablished. Alternatively or additionally, such events may include an emergency situation, such as the outbreak of a fire or other condition that triggers the locally implemented logic to independently act to quickly implement a transition to a known failsafe state.

As part of preparing a monitoring device 1500 for use in monitoring and addressing anomalies in transmissions 3400 among monitored devices 2300 through the network 2999 concerning a process 3003, it may be deemed desirable to provide details of such portions of the logic for controlling that process 3003 to the monitoring device 1500. Doing so may enable the monitoring device 1500 to internally simulate such logic as that process is performed, and thereby anticipate each transmission 3400 that is expected to occur on the network 2999 in connection with that process, and/or anticipate when each such transmission 3400 is to occur. In this way, the monitoring device 1500 may be prepared to analyze such communications and recognize instances in which anomalies in such communications occur. This may also enable the monitoring device 1500 to identify one or more transmissions 3400 that provide an indication that the performance of a particular process 3003 has begun and/or is being triggered to begin.

Thus, as depicted, it may be that the control routine 1540 of the depicted monitoring device 1500 incorporates an intake component 1544 that, when executed by processor(s) 1550 thereof, causes the intake and/or interpretation of such portions of such logic. It may be that each such portion of such logic is described and/or implemented in one or more scripting languages, logic tables, etc. As those skilled in the art will readily recognize, due to the vast variety of available control components based on a vast variety of widely differing processors, microcontrollers, etc., it may be that different portions of such logic are encoded in any of a wide variety of different scripting languages, logic tables, etc. Thus, the processor(s) 1550 may be caused, by execution of the intake component 1544, to employ a variety of interpretation components thereof to parse each portion of logic.

Turning to FIG. 3E, as depicted, the database 1530 may include multiple entry sets 1531 that are each employed to store details of the logic of a different process 3003. As also depicted, each entry set 1531 may include multiple state entries 1533 that each store various details of a single state of a process 3003. Again, it may be that a process 3003 that may be performed within one of the external systems 3000 may be definable as a set of states 3600p among which particular transitions occur at particular times and/or in response to particular conditions. As also previously discussed, it may be that each such transition between states 3600p is associated with the transmission of one or more particular operational commands or operational information among monitored devices 2300 through the network 2999.

More specifically, each state entry 1533 may include a description of the logic that triggers entry into the corresponding state 3600p, the logic that triggers exiting therefrom, and/or the logic for selecting the next state 3600p that is to be transitioned to. Each state entry 1533 may include various details associated with each transmission 3400 that may occur on the network 2999 in connection with the corresponding state 3600p, including and not limited to, the logic for selecting the type of transmission that is to occur, the logic for selecting what command(s) and/or parameter values are to be included in each transmission of operational command(s), the logic for deriving the data value(s) that are to be included in each transmission of operational information, and/or the logic for determining the timing(s) of when each transmission is to occur.

Still further, each state entry 1533 may include various other details that may also be provided from such an intake of details of portions of logic, and/or that may be learned through observation of transmissions 3400 that occur during one or more performances of the corresponding process 3003. Such additional details may include, but not be limited to, what operational command(s) or operational information are observed as being transmitted through the network, what other state(s) may validly be transitioned from to enter the corresponding state, what other state(s) may validly be transitioned to from the corresponding state, identifiers of those monitored devices 2300, and/or the frequency with which each is observed to occur.

Such additional details may also include, but not be limited to, observations of the timings with which each transmission 3400 occurs. More precisely, each state entry 1533 may specify span(s) of time in which particular operational command(s) or operational information are expected to be transmitted. Again, such spans of time may be associated with an occurrence of a transition between states, or may be associated with a particular set of conditions having been met such that transmissions of particular operational commands or operational information may be relied upon to cause a transition between states. Over time, as such transmissions 3400 are observed to occur, it may be that, for each transmission, a model is derived of the span of timing in which each transmission is expected to occur and/or of the relative probabilities of when each transmission is expected to occur. In some embodiments, it may be that the span of time is at least partially derived from a statistical analysis of observations of timing of multiple observed instances of transmissions 3400 of operational commands or operational information associated with an industrial process. Such a statistical derivation of timing may allow for variances in the timing of transmission(s) 3400 that have not been observed, but which are deemed to be at least statistically plausible based on such observations.

Additionally, each state entry 1533 may also include at least one identification (ID) entry 1532 that describes transmission(s) 3400 or a sequence of transmissions 3400 that, if observed as occurring on the network 2999, serve as an indication that the corresponding process 3003 has begun, or is being triggered to begin. Such details may include the types of the one or more transmissions 3400, the particular commands and associated parameters that may be included in particular transmission(s) 3400 of operational commands, and/or aspects of the particular data that may be included in particular transmission(s) 3400 of operational information.

Thus, and briefly returning to FIG. 3D, it may be that the control routine 1540 also incorporates a learning component 1543 that, when executed by the processor(s) 1550, causes the processor(s) 1550 to monitor the transmissions 3400 that are associated with the corresponding process 3003, as those transmissions 3400 occur, to observe their timings. This may be done in recognition that the descriptions of the logic that lead to the occurrences of those transmissions 3400 may not provide a complete enough picture. As those skilled in the art will readily recognize, numerous factors concerning the selection of devices and/or components of devices within a monitored system 2000, and/or within the network 2999 thereof, can affect the timings of each transmission 3400. In particular, delays in the propagation of a transmission 3400 through a network 2999 are incurred as that transmission 3400 makes its way through each component of that network 2999. Additionally, there may be numerous additional variables in the internal operation of each monitored device 2300 that impose a varying amount of delay from the time when a determination is made to transmit an operational command or operational information, and to the time at which that transmission 3400 emanates from the network interface 2390 of that monitored device 2300. Thus, even though the logic for controlling a process 3003 may control when the determination is made to cause a transmission 3400 to occur on the network 2999, there is likely to be some amount of delay until when that transmission 3400 actually does occur on the network 2999.

Continuing with FIG. 3D, it may be that the learning component 1543 also causes observations to be made of the data values that are included within transmissions 3400 of operational information that occur on the network 2999 in connection with one or more performances of a process 3003. As those skilled in the art will readily recognize, although it may be the case that the logic for controlling a process 3003 dictates at least a subset of the data values that are included in transmissions 3400 of operational information between monitored devices 2300, there may be other data values in such transmissions 3400 that are indicative of, or based on, data collected by sensing devices 3200. Since such collected data may be influenced by any of a variety of conditions occurring during a process 3003, at least a subset of the transmissions 3400 of operational information may include data values that are not predictable based on the logic for controlling that process 3003. Thus, observations made of data values included in transmissions 3400 of operational information may be used to derive models of expected ranges of data values and/or of the relative probabilities thereof. In this way, a monitoring device 1500 may be provided to determine what data values to expect in such transmissions 3400 during subsequent performances of that same process 3003.

FIGS. 4A, 4B, 4C and 4D, taken together, present various aspects of another example embodiment of preparing a monitoring device 1500 for monitoring transmissions 3400 through a network 2999 of an embodiment of the monitored system 2000, and/or for taking action to address anomalies associated therewith. In so doing, FIGS. 4A-D again depict further aspects of the example process 3003x that was earlier introduced in connection with FIG. 1B. Unlike the example embodiment of FIGS. 3A-E where the monitoring device 1500 was provided with descriptions of the logic used to control the process 3003x, the example embodiment of FIGS. 4A-D is of a situation in which such logic is not so provided. Thus, the example embodiment of FIGS. 4A-D illustrates preparing a monitoring device 1500 based on machine learning from observations of network traffic during multiple performances of the process 3003x.

FIG. 4A, when compared to FIG. 3D, illustrates this difference in approach to preparing a monitoring device 1500. With no provision of information concerning any portion of the logic used to control the process 3003x in the external system 3000x, the processor(s) 1550 of the depicted monitoring device 1500 are caused, by execution of the learning component 1543, to rely largely (if not entirely) on observations of transmissions 3400 that occur on the network 2999 during multiple performances of the process 3003x. Thus, in addition to observations of timings of transmissions 3400 and/or observations of data values in transmissions 3400 of operational information (as described above in reference to FIG. 3D), the monitoring device 1500 may also rely on observations of what types of transmissions 3400 occur (and in what order), and on observations of what commands and/or parameters are included in transmissions 3400 of operational commands.

FIG. 4B, when compared to FIG. 3B, illustrates causality information that is not provided to the monitoring device 1500 as a result of not being provided with a description of the logic for controlling the process 3003x. In some embodiments, indications that are manually entered by an operator of what transmission(s) 3400, or sequence of transmissions 3400, are associated with the beginning of the process 3003x may be relied upon by the monitoring device 1500 to serve as an indicator for when a performance of the process 3003x has begun and/or is being triggered to begin. Thus, as depicted, it may still be possible for the monitoring device 1500 to correlate specific transmission(s) 3400 (e.g., one or more of the depicted transmissions 3400n, 3400np and/or 3400p1) with the beginning of a performance of the process 3003x.

However, even with the benefit of an operator of the monitored system 2000 providing manual identification of each transmission 3400 that is associated with the process 3003x versus other transmissions 3400 that are not associated with the process 3003x, there remains no information provided to the monitoring device 1500 that correlates individual process states 3600p to individual transmissions 3400p (e.g., the specifically labeled transmissions 3400p1, 3400p2, and so on). As a result, identifying instances of causality between particular process states 3600p and the occurrence and/or content of particular transmissions 3400p, and/or identifying instances of causality between particular transitions between process states 3600p and the occurrence and/or content of particular transmissions 3400p, may not be possible.

FIG. 4C, when compared to FIG. 3C, illustrates timing information that is not provided to the monitoring device 1500 as a result of not being provided with a description of the logic for controlling the process 3003x. Again, indications that are manually entered by an operator of what transmission(s) 3400, or sequence of transmissions 3400, are associated with the beginning of the process 3003x may be relied upon by the monitoring device 1500 to serve as an indicator for when a performance of the process 3003x has begun and/or is being triggered to begin. Thus, as depicted, it may still be possible for the monitoring device 1500 to correlate the timings of specific transmission(s) 3400 (e.g., one or more of the depicted transmissions 3400n, 3400np and/or 3400p1) with the beginning of a performance of the process 3003x.

However, even with the benefit of an operator of the monitored system 2000 providing manual identification of each transmission 3400 that is associated with the process 3003x versus other transmissions 3400 that are not associated with the process 3003x, there remains no information provided to the monitoring device 1500 that correlates the timings of the start and/or ending of individual process states 3600p to individual transmissions 3400p (e.g., the specifically labeled transmissions 3400p1, 3400p2, and so on). As a result, identifying specific times at which particular transmissions 3400p are expected to occur based on when particular process states 3600p start and/or end may not be possible.

Thus, and turning to FIG. 4D, with such a lack of access to a description of the logic for controlling the process 3003x, the monitoring device 1500 may rely on the aforedescribed observations of the type, content and timing of transmissions 3400 as inputs to deriving models 3404p for each transmission 3400p that is to occur during a performance of the process 3003x. By way of example, and as depicted, individual models 3404p1, 3404p2 and 3404p3 may be derived for each of the depicted transmissions 3400p1, 3400p2 and 3400p3, respectively.

Regarding timings, with no access to information concerning the logic for determining when any particular transmission 3400p is to be expected to occur, each of the models 3404p1-p3 may include a model for the time at which to begin its corresponding transmission 3400p1-p3 that is based on the time period from when the last transmission 3400p ended (i.e., Tbetw). Such a model of timing may also be derived to include some degree of variation (including relative probabilities) for when to begin transmitting based on observations of such variations across multiple performances of the process 3003x.
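The Tbetw timing model described above, and the statistically derived span of time discussed earlier in connection with FIG. 3E, can be illustrated with the following Python example, which is added here and is not part of the original disclosure. The labels `p1` to `p3`, the sample timings and the choice of a mean plus or minus three standard deviations window are assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, stdev

# Constructed observations from five training performances of one process.
# Each tuple is (transmission label, Tstart, Tstop) in seconds from process start.
PERFORMANCES = [
    [("p1", 0.00, 0.02), ("p2", 1.02, 1.05), ("p3", 3.55, 3.58)],
    [("p1", 0.00, 0.02), ("p2", 1.12, 1.15), ("p3", 3.75, 3.78)],
    [("p1", 0.00, 0.02), ("p2", 0.92, 0.95), ("p3", 3.35, 3.38)],
    [("p1", 0.00, 0.02), ("p2", 1.07, 1.10), ("p3", 3.65, 3.68)],
    [("p1", 0.00, 0.02), ("p2", 0.97, 1.00), ("p3", 3.45, 3.48)],
]


@dataclass(frozen=True)
class TimingModel:
    label: str
    samples: int
    mean_tbetw: float
    sd_tbetw: float
    k: float  # width of the accepted span, in standard deviations (assumed policy)

    def window(self):
        """Span of time, relative to the end of the previous transmission."""
        low = max(0.0, self.mean_tbetw - self.k * self.sd_tbetw)
        return low, self.mean_tbetw + self.k * self.sd_tbetw

    def conforms(self, tbetw):
        """True when an observed Tbetw falls inside the derived span."""
        low, high = self.window()
        return low <= tbetw <= high


def collect_tbetw(performances):
    """Group Tbetw samples (this Tstart minus previous Tstop) by transmission label."""
    samples = {}
    for performance in performances:
        previous_stop = None
        for label, t_start, t_stop in performance:
            if previous_stop is not None:
                samples.setdefault(label, []).append(t_start - previous_stop)
            previous_stop = t_stop
    return samples


def derive_timing_models(performances, k=3.0, min_samples=2):
    """Build one TimingModel per label that has enough samples to estimate spread."""
    models = {}
    for label, values in collect_tbetw(performances).items():
        if len(values) < min_samples:
            continue  # too few observations to estimate variance; no model yet
        models[label] = TimingModel(label, len(values), mean(values), stdev(values), k)
    return models


if __name__ == "__main__":
    for model in derive_timing_models(PERFORMANCES).values():
        low, high = model.window()
        print(f"{model.label}: mean={model.mean_tbetw:.3f}s window=[{low:.3f}, {high:.3f}]s")
```

The first transmission of a performance has no preceding transmission and therefore receives no Tbetw model. A gap of 1.20 s for `p2` is accepted even though no training performance showed it, which is the allowance for plausible but unobserved variance that the statistical derivation is meant to provide.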

Regarding what commands and/or associated parameters are to be transmitted in transmissions of operational commands, each one of the models 3404p1, 3404p2 and/or 3404p3 that is associated with a transmission 3400p1, 3400p2 and/or 3400p3 that is of a type for transmitting an operational command may include a model for the selection of the particular command to be transmitted and/or a model for the selection of the parameter(s) to be included therewith. Such a model may take into account timings relative to one or more preceding transmissions 3400p, along with the content of one or more preceding transmissions 3400p.

Regarding what data values are to be transmitted in transmissions of operational information, each one of the models 3404p1, 3404p2 and/or 3404p3 that is associated with a transmission 3400p1, 3400p2 and/or 3400p3 that is of a type for transmitting operational information may include a model for the derivation of data values to be transmitted therein. Again, such a model may take into account timings relative to one or more preceding transmissions 3400p, along with the content of one or more preceding transmissions 3400p.

As such models for each transmission 3400p are developed and/or refined based on observations from multiple performances of the process 3003x, an entry set 1531 for the process 3003x may be generated and stored in the database 1530. Such an entry set 1531 may have an organizational structure similar to what was previously described in connection with FIG. 3E.

Again, with the lack of provision of information concerning the logic for controlling the process 3003x, there may be no information available concerning any aspect of the set of process states 3600p of the process 3003x. In some embodiments, the set of process states 3600p may be inferred from the observed transmissions 3400p. More specifically, from observations of the transmissions 3400p that occur on the network 2999 during multiple performances of the process 3003x, the beginnings and endings of different process states 3600p may be inferred to be associated with each instance in which there appears to be a point in the multiple performances at which a selection is made from among multiple observed possibilities of what transmission 3400p is to occur.

By way of example, where there is observed to be some variation between the transmission of one command or another among the multiple performances, or where there is observed to be some variation between the transmission of an operational command and the transmission of operational information, the processor(s) 1550 may be caused, by execution of the learning component 1543, to infer that one process state 3600p ends at that point, and that there is a selection of what process state 3600p is to begin at that point.
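The inference of process states from points of variation can be illustrated with the following Python example, which is added here and is not part of the original disclosure. It assumes that each performance is available as an ordered list of transmission descriptors and that two performances are compared by exact matching of their preceding transmissions; the descriptor strings and the pump-like scenario are constructed.

```python
from collections import Counter, defaultdict

END = "<end>"  # sentinel so that a performance ending early also counts as variation

# Constructed training data: four observed performances of one process.
RUNS = [
    ["cmd:OPEN_VALVE", "info:FLOW", "cmd:HEAT", "info:TEMP", "cmd:CLOSE_VALVE"],
    ["cmd:OPEN_VALVE", "info:FLOW", "cmd:HEAT", "info:TEMP", "cmd:CLOSE_VALVE"],
    ["cmd:OPEN_VALVE", "info:FLOW", "info:ALARM", "cmd:CLOSE_VALVE"],
    ["cmd:OPEN_VALVE", "info:FLOW", "cmd:HEAT", "info:TEMP",
     "cmd:HEAT", "info:TEMP", "cmd:CLOSE_VALVE"],
]


def successor_counts(runs):
    """For every observed prefix, count which transmission followed it."""
    successors = defaultdict(Counter)
    for run in runs:
        for i in range(len(run) + 1):
            following = run[i] if i < len(run) else END
            successors[tuple(run[:i])][following] += 1
    return successors


def branch_points(runs):
    """Prefixes after which more than one successor was observed.

    Each such prefix marks a point where a selection appears to be made,
    so one inferred process state ends there and another begins.
    """
    return {p: c for p, c in successor_counts(runs).items() if len(c) > 1}


def segment(run, branches):
    """Split one performance into inferred states at the branch points."""
    segments, current = [], []
    for i, item in enumerate(run):
        if tuple(run[:i]) in branches and current:
            segments.append(tuple(current))
            current = []
        current.append(item)
    if current:
        segments.append(tuple(current))
    return segments


def transition_table(runs):
    """Count observed transitions between inferred states across all performances."""
    branches = branch_points(runs)
    table = defaultdict(Counter)
    for run in runs:
        states = segment(run, branches)
        for src, dst in zip(states, states[1:]):
            table[src][dst] += 1
    return table


if __name__ == "__main__":
    for src, dsts in transition_table(RUNS).items():
        for dst, count in dsts.items():
            print(f"{src} -> {dst}: observed {count}x")
```

The resulting table holds, for each inferred state, the states that were observed to follow it and how often, which corresponds to the valid-transition and frequency details that a state entry 1533 may store.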

FIGS. 5A, 5B, 5C, 5D and 5E, taken together, present various aspects of an example embodiment of training a monitoring device 1500 to address instances in which an improper or invalid operational command is transmitted, and then an example embodiment of additionally using that monitoring device 1500 to effectuate the transmission of a corrected and/or countermanding operational command.

Turning to FIG. 5A, the depicted monitoring device 1500 may be coupled to the depicted interchange device 2700 by its port 1590 and through the depicted link 2955. As previously discussed, in executing the learning component 1543, the processor(s) 1550 may be caused to place the monitoring device 1500 in a training mode in which observations are made of the occurrence of transmissions 3400 on the network 2999 (e.g., through the depicted links 2990a and 2990b, and through the depicted interchange device 2700). More specifically, copies and/or indications of transmissions 3400 of operational commands and/or operational information among particular monitored devices 2300 that are associated with controlling a particular process 3003 are relayed by the interchange device 2700 to the monitoring device 1500. Within the monitoring device 1500, the received copies and/or indications of such transmissions 3400 may be used, as previously discussed, to generate and/or augment information stored within an entry set 1531 of the database 1530 that corresponds to the process 3003.

More specifically, and as previously discussed, in embodiments where the monitoring device 1500 was earlier provided with descriptions of portions of the logic used by monitored devices 2300 and/or by components of an external system 3000 to control the process 3003, the entry set 1531 may have already been generated at an earlier time based on such descriptions of such logic. Again, such descriptions of such logic may include descriptions of aspects of the process states 3600, along with descriptions of aspects of transmissions 3400p associated with individual process states 3600p, and/or descriptions of aspects of transmissions 3400pp associated with transitions between process states 3600p. As previously discussed, in such embodiments, the timings and/or data values of at least some of the transmissions 3400p and/or 3400pp, for which copies and/or indications are relayed to the monitoring device 1500, are correlated to indications in the entry set 1531 of expected transmissions 3400p and/or 3400pp. The observed timings and/or data values may be used to derive models that are descriptive of variations observed in those timings and/or data values, as well as being descriptive of relative probabilities of such variations. Alternatively or additionally, the observed timings and/or data values may be used to derive and/or train models based on neural networks and/or other forms of machine learning.

Alternatively, in other embodiments where the monitoring device 1500 was not earlier provided with descriptions of portions of the logic used to control the process 3003, the entry set 1531 may be generated from the observations made of transmissions 3400 among the particular monitored devices 2300 that are associated with controlling the process 3003. More specifically, the copies and/or indications of such transmissions 3400 that are relayed to the monitoring device 1500 may be analyzed for their timings, for the types of the transmissions 3400, for what commands and/or parameters were included in transmissions 3400 of the type used to convey operational commands, and/or for what data values were included in transmissions 3400 of the type used to convey operational information. As previously discussed, with there being no access to data concerning the process states 3600p of the process 3003 with which such transmissions are associated, the analysis of at least observed variations in what types of transmissions occur and/or in what commands are transmitted may be used as a basis for deriving a set of process states 3600p of the process 3003. Again, models based on statistical analyses and/or models based on any of a variety of machine learning technologies may be derived based on observed variations in commands and/or parameters transmitted, variations in data values transmitted, and/or variations in timings of the transmissions 3400.

Regardless of the exact manner in which the various entry sets 1531 are generated and/or augmented, the processor(s) 1550 may be caused, by further execution of the learning component 1543, to transition the monitoring device 1500 out of such a training mode upon reaching a predefined threshold, such as a threshold quantity of performances of the process 3003 from which observations of transmissions of operational commands or operational information are made, and/or a threshold amount of time spent in the training mode.

It should be noted that, in some embodiments, use of such a training mode may be entirely obviated by pre-loading the monitoring device 1500 with a database 1530 that has already been previously generated, either within the very same monitored system 2000, or within another monitored system that is similar enough that any variations in timings of transmissions 3400 therein are relatively small such that proper operation of the monitoring device 1500 with the monitored system 2000 is not impaired. In some of such embodiments, it may be that the database 1530 was previously generated through earlier training using another monitoring device 1500 that was trained based on observing the same monitored system 2000, or such another sufficiently similar monitored system.

Turning to FIG. 5B, the control routine 1540 may incorporate a monitoring component 1545 that, when executed by the processor(s) 1550, may cause the monitoring device 1500 to enter into an operating mode in which the monitoring device 1500 is used to detect and address instances in which transmissions 3400 of operational commands or operational information are observed among the monitored devices 2300 that do not conform to what is expected, according to the database 1530.

By way of example, the depicted monitored device 2300A outputs, onto its link 2990A with the depicted interchange device 2700, a transmission 3400 of an operational command associated with a process 3003. At the interchange device 2700, the operational command may be intercepted (such that the transmission 3400 of the operational command is not allowed to reach its destination, at least not initially) by being stored within the buffer 2766 therein. A copy or indication of the operational command is then relayed by the interchange device, on the depicted link 2995, to the depicted monitoring device 1500 for analysis. Within the monitoring device 1500, further execution of the monitoring component 1545 by the processor(s) 1550 may cause the processor(s) 1550 to refer to an entry set 1531 of the database 1530 that corresponds to the process 3003 as part of analyzing the operational command to determine whether its type, its content (including any parameter values therein), the timing of its transmission, its order of transmission relative to other transmitted operational commands and/or to transmitted operational information, and/or still other aspects, conform to what is expected for the particular industrial process.

Turning to FIG. 5C, if the processor(s) 1550 determine that the transmission 3400 received from the monitored device 2300A (and being held at the interchange device 2700) conveys an operational command of proper type, content, transmission timing, transmission order relative to other commands, etc., then the monitoring device 1500 may transmit an instruction along the link 2995 to the interchange device 2700 to proceed with relaying the transmission 3400, with its operational command, onward to its intended destination (i.e., the depicted monitored device 2300B), thereby allowing the operational command to be received at its intended destination.

However, and turning to FIG. 5D, if the processor(s) 1550 determine that the transmission 3400 received from the monitored device 2300A (and being held at the interchange device 2700) conveys an operational command that is improper in type, content, transmission timing, transmission order relative to other commands, etc., then the processor(s) 1550 may be caused to generate alert(s) of various types and/or to operate the port 1590 to transmit instruction(s) along the link 2995 to instruct the interchange device 2700 to refrain from relaying that transmission 3400 onward to its destination (i.e., the depicted monitored device 2300B), thereby preventing the reception of that operational command at its intended destination.

Turning to FIG. 5E, as previously discussed, in some embodiments, and under various pre-selected circumstances, it may be that, in addition to instructing the interchange device 2700 to refrain from relaying the improper operational command onward to its destination, the processor(s) 1550 of the monitoring device 1500 may be further caused to generate and transmit a substitute proper operational command. More precisely, and as depicted, the control routine 1540 may incorporate a correction component 1547. In being executed by the processor(s) 1550, and in response to circumstances in which the improper operational command was transmitted at a time at which it was expected that a proper operational command was to be transmitted, the processor(s) 1550 may be caused to generate a substitute proper operational command that is of the expected type and that includes expected parameter(s). Stated differently, the processor(s) 1550 may be caused to use information stored within the entry set 1531 in the database 1530 that corresponds to the process 3003 to, itself, generate the proper operational command that should have been transmitted. The processor(s) 1550 may then operate the port 1590 to output a transmission 3400 onto the link 2995 that conveys the generated proper operational command to the interchange device 2700, along with instructions to relay it to the expected destination (i.e., the monitored device 2300B). In effect, the monitoring device 1500 is caused to take the place of the monitored device 2300A for purposes of transmitting the proper operational command to the monitored device 2300B.

As part of generating and/or transmitting such a substitute proper operational command to the monitored device 2300B, the processor(s) 1550 may be caused to refer to indications stored in the depicted entry set 1531 of the database 1530 concerning various protocol details to be adhered to in transmitting it. Among such protocol details may be the need to include one or more identifiers with the command that may specify the destination for the transmission, that identify the iteration of the process 3003 that the particular command is directed to, etc. Also among such protocol details may be an indication of a need to generate a command sequence number that identifies the relative position of the proper operational command among other operational commands that are transmitted as part of controlling the industrial process (i.e., this command sequence number should not be confused with the sequence numbers used in TCP/IP). By way of example, such a command sequence number may need to be generated by incrementing the command sequence number of the last operational command associated with the process 3003 that was observed to have been transmitted.

FIGS. 6A and 6B, taken together, present various aspects of another example embodiment of using a monitoring device 1500 to address instances in which an improper operational command is transmitted by effectuating the transmission of a corrected and/or countermanding operational command.

Turning to FIG. 6A, in a manner similar to what was discussed above in reference to FIG. 5B, the processor(s) 1550 of the depicted monitoring device 1500 may be caused, by execution of the monitoring component 1545 of the control routine 1540, to place the monitoring device 1500 into an operating mode in which the monitoring device 1500 is used to detect and address instances in which transmissions of operational commands are observed among the monitored devices 2300 that do not conform to what is expected, according to the database 1530.

By way of example, and similar to what was discussed above in reference to FIG. 5B, the depicted monitored device 2300A outputs, onto its link 2990A with the depicted interchange device 2700, a transmission 3400 of an operational command associated with a process 3003. Unlike the interchange device 2700 of FIGS. 5A-E, the interchange device 2700 of FIGS. 6A-B may not incorporate the ability to intercept and temporarily store the transmission 3400 as part of enabling the operational command that it conveys to be conditionally allowed to be relayed onward to its intended destination. Instead, the interchange device 2700 of FIGS. 6A-B may simply proceed with relaying the transmission 3400 onward to its intended destination (i.e., the monitored device 2300B).

However, as the interchange device 2700 so relays the transmission 3400 onward to the monitored device 2300B via its corresponding link 2990B, a copy and/or indication of the transmission 3400, including the operational command therein, is relayed along the depicted link 2995 to the monitoring device 1500 for analysis. As has been discussed, within the monitoring device 1500, the processor(s) 1550 may be caused by execution of the monitoring component 1545 to refer to the entry set 1531 of the database 1530 that corresponds to the process 3003 in analyzing the transmission 3400, including the operational command therein, to determine whether the type of the transmission 3400, its content (including any parameter values of the operational command), the timing of the transmission 3400, its order of being transmitted relative to other transmissions, and/or still other aspects, conform to what is expected for the process 3003. If the processor(s) 1550 determine that the transmission 3400 is proper (e.g., conveys an operational command of proper type and parameters, with proper transmission timings, in proper order relative to other transmissions, etc.), then the processor(s) 1550 may be caused to take no further action regarding the transmission 3400, since it has already been relayed to the monitored device 2300B.

However, and turning to FIG. 6B, if the processor(s) 1550 determine that the transmission 3400 received from the monitored device 2300A, and at the interchange device 2700, conveys an operational command that is improper in type, content, transmission timing, transmission sequence order relative to other commands, etc., then the processor(s) 1550 may be caused to generate and transmit one or more operational commands to countermand the improper operational command and/or to provide an expected proper operational command.

More specifically, the processor(s) 1550 of the monitoring device 1500 may be further caused by execution of the correction component 1547 to generate at least one countermanding operational command that serves to stop and/or reverse whatever action or non-action was ordered to be taken by the improper operational command. In so doing, the processor 1550 may be caused to use both the contents of the improper operational command and information about expected transmissions of expected operational commands stored within the corresponding entry set 1531 of the database 1530 to generate such countermanding operational command(s). The processor 1550 may then be caused to operate the port 1590 to output at least one transmission 3400 of the at least one countermanding operational command onto the link 2995 to the interchange device 2900 along with instructions to relay the at least one transmission to the same destination as the improper operational command (i.e., the monitored device 2300B).

Also more specifically, and either in addition to or in lieu of the generation and transmission of at least one countermanding operational command, where the improper operational command was transmitted at a time at which it was expected that a proper operational command was to be transmitted, the processor 1550 may generate a substitute proper operational command that is of the expected type and that includes expected parameter(s). Again, in so doing, the processor(s) 1550 may be caused to use information stored within the corresponding entry set 1531 of the database 1530 about expected transmissions of operational commands to generate such a proper operational command. Again, the processor(s) 1550 may then be caused to operate the port 1590 to output a transmission 3400 conveying the generated proper operational command onto the link 2995 to the interchange device 2900 along with instructions to relay it to the same destination as the improper operational command (i.e., the monitored device 2300B). In effect, and in a manner similar to what was discussed in reference to FIG. 5E, the monitoring device 1500 is caused to take the place of the monitored device 2300A for purposes of transmitting the proper operational command to the monitored device 2300B.

It should be noted that, in various situations, it may be that the generation and transmission of the proper operational command also serves the purpose of countermanding the improper operational command, such that the generation and transmission of separate and distinct countermanding operational command(s) is unnecessary. Again, as part of generating and transmitting either or both of distinct countermanding operational command(s) and a proper operational command, the processor(s) 1550 may be caused to refer to indications of various protocol details stored in the corresponding entry set 1531 of the database 1530.
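The hold-and-release behavior of FIGS. 5A-E can be sketched as follows. This is an added illustration, not code from the application: the class and field names, the device and command names, the sample values, the choice of "last command type" as the state, and the mean ± 3 standard deviations range are all assumptions, and neither transmission timing nor the countermanding path of FIGS. 6A-B is modeled.

```python
from dataclasses import dataclass
from statistics import mean, stdev

@dataclass(frozen=True)
class Command:
    seq: int      # process-level command sequence number (not a TCP sequence number)
    ctype: str    # type of operational command
    dest: str     # destination monitored device
    value: float  # single numeric parameter, for brevity

class ProcessModel:
    """Hypothetical entry set: expected order, destinations and parameter ranges."""
    def __init__(self, k=3.0):
        self.k = k             # assumed tolerance: mean +/- k standard deviations
        self.transitions = {}  # state -> {next command type: times observed}
        self.dest = {}         # command type -> expected destination
        self.ranges = {}       # command type -> (low, expected, high)

    def train(self, iterations):
        """Training mode: learn order and parameter statistics from observed runs."""
        samples = {}
        for run in iterations:
            state = "START"    # assumed state: type of the previous command
            for c in run:
                nxt = self.transitions.setdefault(state, {})
                nxt[c.ctype] = nxt.get(c.ctype, 0) + 1
                samples.setdefault(c.ctype, []).append(c.value)
                self.dest[c.ctype] = c.dest
                state = c.ctype
        for ctype, vals in samples.items():
            m = mean(vals)
            s = stdev(vals) if len(vals) > 1 else 0.0
            # Zero variance in training yields a point range (low == high).
            self.ranges[ctype] = (m - self.k * s, m, m + self.k * s)

class Monitor:
    """Operating mode for one iteration of the process, with commands held upstream."""
    def __init__(self, model):
        self.model, self.state, self.last_seq = model, "START", 0

    def check(self, c):
        """Return the reasons a held command is improper; an empty list means proper."""
        reasons = []
        if c.ctype not in self.model.ranges:
            reasons.append("type")
        else:
            low, _, high = self.model.ranges[c.ctype]
            if not low <= c.value <= high:
                reasons.append("parameter")
            if c.dest != self.model.dest[c.ctype]:
                reasons.append("destination")
        if c.ctype not in self.model.transitions.get(self.state, {}):
            reasons.append("order")
        return reasons

    def substitute(self):
        """Build the command the model expects next, or None if it expects nothing."""
        allowed = self.model.transitions.get(self.state)
        if not allowed:
            return None
        ctype = max(allowed, key=allowed.get)   # most frequently observed successor
        expected = self.model.ranges[ctype][1]
        # Sequence number: increment that of the last command actually relayed.
        return Command(self.last_seq + 1, ctype, self.model.dest[ctype], expected)

    def handle(self, c):
        """Decide what the interchange device relays: (action, command, reasons)."""
        reasons = self.check(c)
        out = c if not reasons else self.substitute()
        action = "release" if not reasons else ("substitute" if out else "block")
        if out is not None:   # only relayed commands advance the tracked state
            self.state, self.last_seq = out.ctype, out.seq
        return action, out, reasons

def _run(inlet, rpm):
    """One constructed training iteration of a made-up pump process."""
    return [Command(1, "OPEN_INLET", "valve-1", inlet),
            Command(2, "START_PUMP", "pump-1", rpm),
            Command(3, "STOP_PUMP", "pump-1", 0.0),
            Command(4, "CLOSE_INLET", "valve-1", 0.0)]

TRAINING_RUNS = [_run(50.0, 1200.0), _run(52.0, 1210.0), _run(48.0, 1190.0)]

# Constructed live traffic: an out-of-range pump speed, then a skipped STOP_PUMP.
LIVE = [Command(1, "OPEN_INLET", "valve-1", 51.0),
        Command(2, "START_PUMP", "pump-1", 3000.0),
        Command(3, "CLOSE_INLET", "valve-1", 0.0),
        Command(4, "CLOSE_INLET", "valve-1", 0.0)]

def run_demo():
    model = ProcessModel()
    model.train(TRAINING_RUNS)
    monitor = Monitor(model)
    return [monitor.handle(c) for c in LIVE]

if __name__ == "__main__":
    for action, out, reasons in run_demo():
        print(action, out, reasons)
```

Because the improper command is never relayed, the substitute reuses the sequence number that would have followed the last relayed command, so the destination device sees an unbroken sequence.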

There is thus disclosed a system of one or more devices that implements a method for counteracting the effects of an ongoing cybersecurity breach or other disruption on communications among devices. The features set forth below may be combined in any of a variety of ways to create any of a variety of embodiments of such a system and/or of a method of decision making augmentation that may incorporate such a system.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into a training mode to generate a model of an industrial process; receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

The multiple monitored devices may be incorporated into a monitored system; the monitored system may include at least one interchange device to which each monitored device of the multiple monitored devices is separately coupled; the transmissions of operational commands among the multiple monitored devices may be conveyed through the one or more interchange devices; and the monitoring system may be coupled to the at least one interchange device to receive the indications of observed transmissions of operational commands among the multiple monitored devices.

The model may include a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

The model may include indications of ranges of expected values for parameters of operational commands associated with the industrial process that are expected to be transmitted, and the processor may be further configured to perform operations including: employ a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and add an indication of the expected value to the model.

A monitoring system includes a processor configured to perform operations including: place the monitoring system into an operating mode to use a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process; receive, from one or more interchange devices, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and compare received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper operational command associated with the industrial process.

The multiple monitored devices may be incorporated into a monitored system; the monitored system may include at least one interchange device to which each monitored device of the multiple monitored devices is separately coupled; the transmissions of operational commands among the multiple monitored devices may be conveyed through the one or more interchange devices; and the monitoring system may be coupled to the at least one interchange device to receive the indications of observed transmissions of operational commands among the multiple monitored devices.

The at least one interchange device may intercept and store the particular transmitted operational command; and the processor may be further configured to respond to a determination that the particular transmitted operational command is a proper operational command associated with the industrial process by instructing the at least one interchange device to release the particular transmitted operational command from storage and allow the particular transmitted operational command to be relayed to its intended destination.

The at least one interchange device may intercept and store the particular transmitted operational command, and the processor may be further configured to respond to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations including: instruct the at least one interchange device to refrain from releasing the particular transmitted operational command and allowing the particular transmitted operational command to be relayed to its intended destination; generate a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmit the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

The at least one interchange device may not intercept and store the particular transmitted operational command, and allows the particular transmitted operational command to be relayed to its intended destination while a determination is made as to whether the particular transmitted operational command is a proper operational command associated with the industrial process. The processor may be further configured to respond to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations including: generate at least one of a countermanding operational command to cause stoppage or reversal of an action specified in the particular transmitted operational command, or a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmit the at least one of the countermanding operational command or the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

The model may include a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

The model may be generated from data descriptive of logic employed in performing the industrial process, wherein the generation of the model comprises deriving the multiple states from the logic.

A method of generating a model of an industrial process includes: receiving, by a processor of a monitoring system, and from an interchange device of a monitored system, indications of observed transmissions, through the interchange device, of operational commands among multiple monitored devices of the monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and from received indications of observed transmissions of operational commands associated with the industrial process, generating, by the processor, the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

The method may further include: employing, by the processor, a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and adding an indication of the expected value to the model.

The model may include a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

The model may include indications of ranges of expected values for parameters of operational commands associated with the industrial process that are expected to be transmitted, and the processor may be further configured to perform operations including: employ a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and add an indication of the expected value to the model.

A method of using a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process includes: receiving, by a processor of a monitoring system, and from at least one interchange device of a monitored system, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and comparing, by the processor, received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper and expected operational command associated with the industrial process.

The at least one interchange device may intercept and store the particular transmitted operational command; and the method may further include responding, by the processor, to a determination that the particular transmitted operational command is a proper and expected operational command associated with the industrial process by instructing the at least one interchange device to allow the particular transmitted operational command to be relayed to its intended destination.

The at least one interchange device may intercept and store the particular transmitted operational command, and the method may further include responding, by the processor, to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations including: instructing the at least one interchange device to refrain from relaying the particular transmitted operational command to its intended destination; generating, by the processor, a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmitting the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

The at least one interchange device may not intercept and store the particular transmitted operational command, and allows the particular transmitted operational command to be relayed to its intended destination while a determination is made as to whether the particular transmitted operational command is a proper and expected operational command associated with the industrial process. The method may further include responding, by the processor, to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations including: generating, by the processor, at least one of a countermanding operational command to cause stoppage or reversal of an action specified in the particular transmitted operational command, or a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmitting the at least one of the countermanding operational command or the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

The model may include a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

The model may be generated from data descriptive of logic employed in performing the industrial process, wherein the generation of the model comprises deriving the multiple states from the logic.

Claims

1. A monitoring system comprising a processor configured to perform operations comprising:

place the monitoring system into a training mode to generate a model of an industrial process;
receive indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the multiple monitored devices is configured to control the industrial process; and
from received indications of observed transmissions of operational commands associated with the industrial process, generate the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

2. The monitoring system of claim 1, wherein:

the multiple monitored devices are incorporated into a monitored system;
the monitored system includes at least one interchange device to which each monitored device of the multiple monitored devices is separately coupled;
the transmissions of operational commands among the multiple monitored devices are conveyed through the one or more interchange devices; and
the monitoring system is coupled to the at least one interchange device to receive the indications of observed transmissions of operational commands among the multiple monitored devices.

3. The monitoring system of claim 1, wherein the model comprises a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

4. The monitoring system of claim 1, wherein:

the model comprises indications of ranges of expected values for parameters of operational commands associated with the industrial process that are expected to be transmitted; and
the processor is further configured to perform operations comprising: employ a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and add an indication of the expected value to the model.

5. A monitoring system comprising a processor configured to perform operations comprising:

place the monitoring system into an operating mode to use a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process;
receive, from one or more interchange devices, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and
compare received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper operational command associated with the industrial process.

6. The monitoring system of claim 5, wherein:

the multiple monitored devices are incorporated into a monitored system;
the monitored system includes at least one interchange device to which each monitored device of the multiple monitored devices is separately coupled;
the transmissions of operational commands among the multiple monitored devices are conveyed through the one or more interchange devices; and
the monitoring system is coupled to the at least one interchange device to receive the indications of observed transmissions of operational commands among the multiple monitored devices.

7. The monitoring system of claim 5, wherein:

the at least one interchange device intercepts and stores the particular transmitted operational command; and
the processor is further configured to respond to a determination that the particular transmitted operational command is a proper operational command associated with the industrial process by instructing the at least one interchange device to release the particular transmitted operational command from storage and allow the particular transmitted operational command to be relayed to its intended destination.

8. The monitoring system of claim 5, wherein:

the at least one interchange device intercepts and stores the particular transmitted operational command; and
the processor is further configured to respond to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations comprising: instruct the at least one interchange device to refrain from releasing the particular transmitted operational command and allowing the particular transmitted operational command to be relayed to its intended destination; generate a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmit the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

9. The monitoring system of claim 5, wherein:

the at least one interchange device does not intercept and store the particular transmitted operational command, and allows the particular transmitted operational command to be relayed to its intended destination while a determination is made as to whether the particular transmitted operational command is a proper operational command associated with the industrial process; and
the processor is further configured to respond to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations comprising: generate at least one of: a countermanding operational command to cause stoppage or reversal of an action specified in the particular transmitted operational command; or a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmit the at least one of the countermanding operational command or the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

10. The monitoring system of claim 5, wherein the model comprises a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

11. The monitoring system of claim 10, wherein the model is generated from data descriptive of logic employed in performing the industrial process, wherein the generation of the model comprises deriving the multiple states from the logic.

12. A method of generating a model of an industrial process comprising:

receiving, by a processor of a monitoring system, and from an interchange device of a monitored system, indications of observed transmissions, through the interchange device, of operational commands among multiple monitored devices of the monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and
from received indications of observed transmissions of operational commands associated with the industrial process, generating, by the processor, the model of the industrial process, wherein the model comprises indications of an expected order in which transmissions of operational commands associated with the industrial process are expected to occur.

13. The method of claim 12, further comprising:

employing, by the processor, a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and
adding an indication of the expected value to the model.

14. The method of claim 12, wherein the model comprises a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

15. The method of claim 12, wherein:

the model comprises indications of ranges of expected values for parameters of operational commands associated with the industrial process that are expected to be transmitted; and
the processor is further configured to perform operations comprising: employ a statistical analysis to generate an expected value for a parameter of an operational command associated with the industrial process that is expected to be transmitted based on observations of prior instances of exchanging of the particular operational command in prior iterations of performing the industrial process; and add an indication of the expected value to the model.

16. A method of using a model of an industrial process to analyze observed transmissions of operational commands associated with the industrial process, the method comprising:

receiving, by a processor of a monitoring system, and from at least one interchange device of a monitored system, indications of observed transmissions of operational commands among multiple monitored devices of a monitored system, wherein at least one of the monitored devices is configured to control the industrial process; and
comparing, by the processor, received indications of observed transmissions of operational commands associated with the industrial process to indications in the model of expected transmissions of operational commands associated with the industrial process to determine whether a particular transmitted operational command is a proper and expected operational command associated with the industrial process.

17. The method of claim 16, wherein:

the at least one interchange device intercepts and stores the particular transmitted operational command; and
the method further comprises responding, by the processor, to a determination that the particular transmitted operational command is a proper and expected operational command associated with the industrial process by instructing the at least one interchange device to allow the particular transmitted operational command to be relayed to its intended destination.

18. The method of claim 16, wherein:

the at least one interchange device intercepts and stores the particular transmitted operational command; and
the method further comprises responding, by the processor, to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations comprising: instructing the at least one interchange device to refrain from relaying the particular transmitted operational command to its intended destination; generating, by the processor, a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmitting the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

19. The method of claim 16, wherein:

the at least one interchange device does not intercept and store the particular transmitted operational command, and allows the particular transmitted operational command to be relayed to its intended destination while a determination is made as to whether the particular transmitted operational command is a proper and expected operational command associated with the industrial process; and
the method further comprises responding, by the processor, to a determination that the particular transmitted operational command is an improper operational command associated with the industrial process by performing operations comprising: generating, by the processor, at least one of: a countermanding operational command to cause stoppage or reversal of an action specified in the particular transmitted operational command; or a substitute proper operational command comprising a type of operational command based on an expected order of operational commands specified in the model, and comprising an expected parameter value based on the model; and transmitting the at least one of the countermanding operational command or the substitute proper operational command to the at least one interchange device to be relayed to an expected destination specified in the model.

20. The method of claim 16, wherein the model comprises a finite state model that includes indications of multiple states of the industrial process and indications of valid transitions among the multiple states.

21. The method of claim 20, wherein the model is generated from data descriptive of logic employed in performing the industrial process, wherein the generation of the model comprises deriving the multiple states from the logic.

Patent History
Publication number: 20230328078
Type: Application
Filed: Jun 5, 2023
Publication Date: Oct 12, 2023
Inventor: Paul Williams (Spring, TX)
Application Number: 18/206,003
Classifications
International Classification: H04L 9/40 (20060101);