3D Printing – Arquimedes Martinez Canedo, Livio Dalloro, Dong Wei, Benjamin Collar, Siemens Corp
Abstract for “System and Method for Cyber-Physical Security”
“A system and method are provided to facilitate cyber-physical security. The system could include a controller with at least 1 processor, a monitor system with at least 1 processor, and multiple sensors that can capture measurements of at least one component of the hardware. There may be at least two sensors: at most one controller sensor, which communicates with controller; and at minimum one side-channel sensor, which communicates only with the monitor system. The controller’s first processor may be programmed to allow it to control the hardware component using measurements from the controller sensor. The second processor in the monitor system could be set up to receive measurements from sensors, determine whether they are indicative of cyberattacks on at least one component of the hardware, and generate at most one notification indicating that a cyberattack has occurred based on the findings.
Background for “System and Method for Cyber-Physical Security”
“Security systems can monitor network activity and software changes in order to detect viruses, worms or other cyber-attacks. These security systems could be improved.
A cyber-physical system refers to a physical system (hardware part) that is controlled and monitored using a computer or controller. There are many disclosed embodiments that include methods and systems that can be used to enhance cyber-physical security. A system could include at least one controller with at least one processor. A monitor system with at least one second CPU may be included in the system. The system may also include a number of sensors that can capture multiple measurements of at least one component of the hardware. At least one sensor may communicate with at least the controller and at most one sensor that communicates side-by side with the monitor system, but not with the controller. The at most one processor can be set up to allow the controller to control at least one component of the hardware. This is based at minimum in part on the measurements taken by the controller sensor. The measurements may be received by the second processor of the monitor. The second processor can also be set up to determine if the measurements indicate a possible attack on at least one component of the hardware. The second processor can also be set up to generate at most one notification in the event of a cyberattack, based on whether the measurements are indicative.
“Another example is that a method of cyber-physical security might involve at least one processor in a monitor system receiving multiple measurements from a plurality sensors associated with at most one hardware component. These sensors include at least two: at most one controller sensor, which communicates with at minimum one controller; and at the least one side-channel sensor, which communicates only with the monitor system. At least one controller could include a processor that allows the controller to control at least 1 hardware component using measurements from at least 1 controller sensor. The method can also be performed by the processor of the monitor system. It may include: determining if the measurements indicate a potential cyber-attack on at least one component; and generating at most one notification indicating that a cyberattack has occurred based on the determination of possible cyberattack.
“Another example could include a non-transitory computer-readable medium that encodes executable instructions (such a software component on an storage device), which when executed causes at least one processor the described method.”
“Another example could include an apparatus that includes at least one hardware-software and/or firmware-based processor, computer or component controller, means, module and/or unit for carrying out functionality similar to the described method.”
“The disclosure has been described in a broad manner, so that people skilled in the art can better comprehend the details that follow. The claims will also describe additional features and benefits of the disclosure. The disclosure can be used by those skilled in the arts to modify or design other structures that serve the same purpose. These equivalent constructions are not inconsistent with the spirit and scope disclosed in its broadest form.
“Also understand that this patent document contains various definitions of certain words and phrases. Those of ordinary skill will be able to see that these definitions are applicable in many instances to both past and future uses of such words and phrases. Although some terms may encompass many different embodiments, the appended Claims may limit such terms to certain embodiments.
“Variable technologies that relate to systems and methods that facilitate cyberphysical security will be described in the following drawings. Like reference numerals refer to like elements throughout. These drawings and the various embodiments that describe the principles of this patent disclosure are intended to be used as illustrations only. They should not be taken to limit the scope. The principles of the disclosure can be applied in any suitable arrangement, as those skilled in the arts will know. Multiple elements can perform functionality described as being performed by system elements. An element can be configured to perform functionality described as being performed by multiple elements. With reference to examples of non-limiting embodiments, the numerous inventive teachings of this application will be described.
“With reference to FIG. “With reference to FIG. 1, an example system 100 illustrates cyber-physical security. System 100 may contain at least one controller, 102, and at most one first processor 104. This processor is designed to execute instructions that correspond to at least 1 application component 108 (e.g. software/firmware) from the memory 106. An application component can be programmed to instruct the first processor to perform various acts and functions as described in this document.
“Example: The described controller 102 could correspond to a supervisory control and data acquisition system (SCADA), a programmable logic control (PLC), or other type industrial control system. It may also correspond to a supervisory control and data acquisition system (SCADA), other type of industrial control system, or any other type data processing system that is designed to control hardware components 110 (e.g., a furnace, electric transformer, or packaging production line). This controller could be connected directly or indirectly to an IP-based first network (134) or any other network that might be subject to cyberattack.
Cyberattack is defined as an attempt by hackers in cyberspace to hack into a system to steal data or sabotage its operations. FIG. FIG. 1 shows the network 134 that could be accessed by a local hacker who has access to it via a LAN or remote hacker who uncovers a security breach to gain access via a WAN or the Internet. IT cybersecurity systems 144, including firewalls and antivirus software, may be used to detect and prevent cyberattacks.
“But, IT cybersecurity is constantly changing. As an example, security mechanisms are constantly being developed and deployed. Hackers find ways to exploit computers and networks and bypass them. Instead of relying solely on IT cybersecurity, some embodiments of system 100 could use the physical status of 110 of one or several machines 156 controlled by one or more potentially vulnerability controllers 102 (e.g. PLCs) in order to detect potential cybersecurity breaches that were not detected by IT cybersecurity mechanisms.
“Example embodiments could take advantage of cyberattacks that can change the physical behavior the hardware component (e.g. the cyberattack against a German steel plant in 2014. and Slammer Worm infiltration at an Ohio nuclear power plant in 2015. The system 100 could be set up to monitor the physical effects of hardware components, such as vibrations, thermals, and noise; detect anomalies; classify anomalies as threats; trigger alarm notifications to cyber security systems or the responsible human users for further investigation.
“In general, IT-based cyber security systems can include software applications that are designed to prevent, detect or counteract cyberphysical security threats (e.g. viruses, worms). These solutions can monitor network activity and software on a workstation, server, or human machine interface (HMI), 158 or any other machine that manages PLCs and/or controllers, and/or hardware components, in order to detect and attempt removing and/or isolating such threats.
Cyberattacks are not always carried out in a direct manner to target an end-point with known viruses or worm software. Instead, they may be broken down into smaller (and often seemingly innocuous) steps that allow the attacker to gain incremental access over time until the hacker is ready. These step-wise attacks can be difficult to detect because they may take place over a long time. A cyberattack can take weeks, months, or even days to deploy, making it difficult for IT security systems to identify the cyberattack from events in the system. These sophisticated attacks can be difficult to detect and avoid. This makes it challenging for IT-based cyber security systems to identify the vulnerabilities.
These cyberattacks could also be directed at critical infrastructure (e.g. power distribution, transmission networks and manufacturing plants). These attacks could be directed at changing the parameters 138-142 and/or sensors of the targeted controllers and hardware components and/or sensors. IT-based cyber security systems 144 such as firewalls and anti-virus software may not be able to detect cyberattacks directed at physical machines, such as lower level controllers (e.g. PLCs and computer) that monitor and control physical machines and their components (e.g. via actuators or sensors).
“The system 100 is designed to overcome weaknesses in IT-based cybersecurity software and firewalls to detect cyberattacks that target physical machines. One example of such cyberattack is an intrusion that alters one or more parameters 138 in controller 102, such as a PLC that changes the angular speed a drive. This attack could be caused by a flaw in software that is embedded in a manufacturing system (e.g. an HMI 158), which has been undetected using traditional IT methods (e.g. a zero-day vulnerability). This system may be able to detect such an attack by monitoring how the physical properties of the hardware components affected by modified software/firmware or parameters changes after the attack has been deployed.
“As illustrated at FIG. 1. The system 100 may include a communication separated monitor system 112 that is connected to and/or included in the machine 156 and at least one of the described hardware components 110 and/or controllers 102. A monitor system could be “air gaped?” Or?air gaped? in which bi-directional network communications are prevented from machine 156 and/or network 134 to the monitor system.
“The monitor system 112 could include at least one second CPU 114. This second processor is designed to execute instructions that correspond to at least one app component 118 (e.g. software/firmware) from the memory 116 accessible by the second processor. An application component can be programmed to instruct the second processor to perform various acts and functions as described in this document.
“In some embodiments, the second CPU may be configured so that it receives a plurality 126 measurements from a plurality 120 sensors 120. These sensors are used to sense the behavior of the at least one component 110 (such the hardware component and/or associated processes). These sensors can include at least one controller sensor 122, and at most one side-channel sensor 124. A controller sensor 122 is a sensor that can detect and communicate measurements to both the controller 102 (or the monitor system 112) as defined in this document. A side-channel sensor (124), as described herein, is a sensor that can detect and communicate measurements with the controller 102 and monitor system 112. A controller sensor doesn’t necessarily need to be mounted on a controller board. It may instead correspond to a sensor that communicates directly with the controller.
“Example: The controller could correspond to a controller that communicates with the hardware component 110 and controller sensors 122 via fieldbus 146 (e.g. Profibus Foundation Fieldbus or other bidirectional wired/wireless communication system). The described side-channel sensor cannot be connected to controller 102 via fieldbus 146. Therefore, it is not capable of carrying out bidirectional communications. The side-channel sensor sensor 124 can be used to transmit sensor measurements to the controller 102 via a separate network such as a fieldbus, or another type of wired or WiFi connection to the monitor 112.
“In some embodiments, the monitor system could be set up to determine if the measured are indicative of a cyberattack on at least one component. The monitor system can also be set up to output at least one notification 132, indicating a potential cyberattack 128 upon determining that the measurements are indicative.
“In some embodiments, a monitor system may include or communicate with at least one output device (138) that is a visible or audible alarm device that outputs the notification 132. This device can be a visible light or an audible sound to notify users of a potential cyberattack. This output device may be embedded in the machine, 110, or located remotely in a room or control panel, where users can receive notification of a possible cyberattack via a screen and/or audible alarm.
“Also, in certain embodiments, the monitor can be configured to send a notification 132 to another system responsible for detecting, reporting, and responding to cyberattacks. This could include the IT-based security system 144, which notifies via an audio alarm and/or a display screen. The IT-based security system, monitor system, and/or IT based security system can be configured to send an electronic message to the appropriate user corresponding to notification 132. This electronic message could be an SMS, e-mail, instant message or voice message that notifies a user about a possible cyberattack.
“In such an instance, to keep the?air gaped?” Or?air walled?” configuration of the monitor 112, the notification 132 may be transmitted to the security systems 144 via unidirectional communication filter circuit. This allows the notification to be sent from the monitoring device but prevents it from receiving communications from security system144. These could include a virus, worm, or hacker communication.
“In one embodiment, sensors 120 can be used to measure physical information associated with hardware components (i.e. measurements of hardware components and/or the process or system controlled by the hardware components). The sensors 120, for example, may be used to monitor temperature of heating elements and/or fluids being heated by them.
“The monitor system can fingerprint the physical sensor data in order to identify anomalies in hardware components controlled by the controller 102 that could be related with cyberattacks. The monitor system can create fingerprints 150 that correspond with time-based behavior signatures using sensor measurements. These fingerprints are then compared to predetermined and classified fingerprints 152 (e.g. classified as normal activity, wear related, failure related and/or any other behavior classifications applicable to the particular hardware component or process being measured).
The monitor system can determine whether activity corresponds to a cyberattack or a mechanical issue based on the results of the fingerprint comparison. This example monitor system could be used to detect cyberattacks and other mechanical issues in a system. It may also output notifications that indicate each type of detection, such as cyberattack notification or mechanical problem notification. In other embodiments, however, the monitor system might only send notifications relating to cyberattacks. In some embodiments, you can also control the types of notifications that are generated and outputted from the monitor system using the software components of its application software.
“Example embodiments may include information such as diagnostic information about the source of the attack and the basis to indicate why the anomaly is being considered a cyberattack. The notification could include the following subject matter: “A possible cybersecurity breach has been detected in motor #4; the motor’s physical behavior is not related to wear and tear over the past two days at an average speed of 60 rpm.”
“In one embodiment, the user who received the notification may review the anomaly found in the notification by monitor system to confirm that there has been a cyberattack. The user might review the parameters of the controller or the hardware component that controls the angular velocity for motor #4. A cyberattack could be considered if such parameters are changed and not made by an authorized user. Research may be done to find out if any other parameters or software were maliciously altered. Research may also be done to identify the source and mechanism of the cyberattack. Corrective actions can be taken to fix any software/parameters that were altered. Corrective actions can be taken to stop malicious activity, access or further cyberattacks.
“Inversely, if the review uncovers a mechanical problem that is responsible for the anomaly in the notification, a hacker attack may be unlikely.” To correct or compensate for the mechanical problem, maintenance may be performed on the affected hardware.
An example embodiment of the monitor system described may allow for feedback on whether the notification accurately identified a cyberattack and/or a mechanical problem. The at least one second processor (114) of the monitor system could be set up to respond to an input device 136 that indicates a positive confirmation 130 that at least one notification is indicative of a hacker attack to modify or generate classified fingerprints 152 which are used to identify other behavior and cyberattacks.
“To maintain the previously mentioned?air gapped? “Air walled” or “air gapped?” The input device 136 can be connected directly to the monitor system. This could include a touch screen, keyboard or pointer device. A monitor system may also be used to provide a user interface, such as a GUI (graphical user interface), through an output device 138 that is also connected to the system. This could include a display screen or touch screen. This GUI could be used to view notifications 132 and provide confirmations 130.
It should be noted that the input device 136 and the output device 138 described may not be directly connected with the monitor system. The monitor system 112 could be connected to a second network, 148 which is separate from the first network 134 through which controllers 102 might be connected. To prevent cyber-attacks through the first network 134, a second network 148 can be isolated from the first one 134.
“As we have discussed, the 120 sensors connected to the monitor systems include side-channel sensors 122, and controller sensors 122. These controller sensors 122 could correspond to sensors that are necessary for controlling the hardware components or the process they are performing. A controller sensor could correspond to a temperature sensor in the fieldbus used by controller 102 to maintain chemical reactions at 70C.
“In some cases, controller sensors in fieldbus sensors can be used to collect measurements (such temperature, motion pressure, flow rate and acceleration or any other physical property) in industrial automation. For example, fieldbus data can be used to implement the controller’s measurements from controller sensors 122 at the SCADA or PLC level. The controller 102 and the monitor system 112 may also benefit from timestamps in fieldbus data. The monitor system 112 could be set up to perform time series analysis of fieldbus data from controller sensors 122 in order to generate fingerprints 150. The controller 102 is directly linked to fieldbus data. Therefore, the monitor system 112 may use the existing semantics of the process domain to detect anomalies that could be related to cyber-attacks. The monitor system can be set up to detect cyberattacks on temperature sensors and controllers, for example, if the temperature measured by a process exceeds the physical limit of the process (as defined by classified fingerprints 152).
Side-channel sensors can gather information as a result of hardware component operation. For example, sensors that detect electromagnetic radiation emitted from power sources and controllers. Side-channel sensors can be retrofitted to hardware components or used in conjunction with environmental sensors that identify side-channel information. Side-channel sensors can also include a microphone array that is used in gas turbines to collect side channel data. This information can be used to predict failures and/or thermal, electro-magnetic and vibrational cameras.
Side-channel sensors can also measure behaviors that controller sensors cannot. A controller sensor and a sensor on the side can be used to measure the exact same property (e.g. the temperature of a reaction). The monitoring software can be set up to detect if current measurements are inconsistent with those from at least one controller sensor.
“The monitor system may continuously collect side-channel measurements from side-channel sensors 124, and fieldbus measurements of controller sensors 122 to create time-based fingerprints 150 for the hardware and processes being observed. These fingerprints can then be used to determine if the current behavior in the fingerprints is consistent with what was expected (in the predetermined classified fingerprints 152). The monitor system could include a memory or a data store that stores fingerprint data 150,152 for detection of possible cyberattacks.
“The fingerprinting could be based upon an observation that the behavior signature due to wear & tear, mechanical malfunctions, or cyberattack may be different. It either shows a completely new behavioral pattern (i.e. a new fingerprint), or it matches a known one (matching a classified wear fingerprint, but with a shorter time-scale) (i.e. malicious attempts to mask attack. As wear and tear can be identified through their accelerated livescycle).
“A cyberattack can be further identified by the monitor system using a set of fingerprints that represent a series of discrete, non-continuous events that causes distinct behavior signatures. A set of predetermined, classified fingerprints may also be used to identify mechanical problems with the monitor system. These fingerprints are indicative of preliminary continuous signs and degradation.
“Example embodiments may use machine learning techniques to continuously analyze fingerprints over time using a combination unsupervised and supervised learning. This learning may be used by the monitor system to identify and distinguish among the many events that are occurring continuously in the system, which events have the greatest probability of being related to a cyberattack on controllers, hardware components and/or controller sensors.
“Note: The expected behavior signatures (e.g. normal or expected fingerprints), may correspond to characteristic curves that are obtained over time by the monitor system. These include (1) recording the machine’s behavior during normal operation (in an unsanctioned environment); (2) simulating machine behavior using synthetic data or filed input data; and/or (3) testing a physical machine in a controlled environment.
“The classification of these behavior signs (as expected or normal fingerprints) can easily be achieved using the supervised learning algorithms that the monitor system uses with respect to the sensed data of each physical domain involved, such as temporal, frequency and thermal, electrical-magnetic. As mentioned previously, the monitoring system can also incorporate real-world feedback (via confirmation inputs 130) or post-mortem analysts (via use GUI generated by monitor system) to classify fingerprints and/or sets of fingerprints as cyberattacks or not (e.g. wear or malfunctions) based on the expert assessment of the user. As the monitoring algorithms improve, the classification of fingerprints as cyberattacks or cyberattacks may become less important over time.
“It is important to understand that the monitor system can perform machine learning based upon fingerprints for similar machines in situations where fingerprint data may not be initially available (such legacy machines for which design or test information are not available). The monitor system might classify current behavior signatures by using unsupervised learning algorithms. This is done by looking at the physical domains and the correlations with the fingerprints of similar machines. This allows the monitor system to access fingerprints that have been identified as cyberattacks or not (e.g. wear or malfunctions) and use them to determine if fingerprints generated by similar machines are cyberattacks.
“It is important to understand that the monitor system 112 can be used to monitor multiple machines (as well as the associated hardware components) and may also use fingerprints from similar machines to detect cyber attacks. The described monitor system 112 can be used to access process data 154 that is related to the operations being performed by the machines being monitored. The monitor system described may be set up to detect discrepancies in the process data accessed and the actual process results produced by the hardware components measured using the sensors 150.
“For instance, a machine 156 that is being monitored by the monitor system 112 could correspond to a 3-D (3D) printer. This 3D printer could include at least one controller, 102, and a number of hardware components 110 (e.g. deposition head or laser, build platform, etc.). For example, the sensors 120 could include a side channel sensor 124 that counts the layers being deposited using the 3D printer. This is used to build all or a portion of the part. In this case, the monitor system 112 may be set up to access process data 54 from a memory/data storage that specifies the first number of layers that are being added by the 3D printer for any or all of the parts. The monitor system 112 could be configured with at least one additional processor 114 to detect a possible cyberattack if the sensors measure a second number for the portion of the 3D printed part (determined using the side-channel sensor 124) which is different from the process data.
“With reference to FIG. 2 illustrates and describes various examples of methodologies. Although the methods are described as a series or acts performed in a specific order, it should be noted that the sequence of acts may not limit the possibilities. Some acts might occur in a different order to what is listed herein. A second act can occur simultaneously with an act. In some cases, however, not all actions are required in order to implement the methodology described herein.
It is important to remember that although the disclosure describes a functional system, it does not include a series or acts. However, those skilled in art will recognize that at least some of the disclosed mechanism and/or described acts can be distributed as computer-executable instruction contained in non-transitory computer-usable or computer-readable media in any number of forms. The present disclosure applies regardless of what type of instruction, data bearing medium, storage medium, or medium used to distribute the information. Examples of non-transitory machines usable/readable/computer-readable mediums are: ROMs and EPROMs; magnetic tape, floppy drives, hard disk drives, SSDs; flash memory, CDs and DVDs; Flash media such as ROMs and EPROMs. Computer-executable instructions can include routines, sub-routines, programs, applications modules, libraries, etc. Further, the results of the methods may be stored on a computer-readable medium and displayed on a display device or the like.
“Referring to FIG. “Referring now to FIG. 2, is illustrated a methodology 200 that facilitates cyber-physical safety. The method may begin at 202. It may include multiple acts that are performed by at least 1 processor of a monitoring system, including the act 204 of receiving measurements from a plurality sensors associated with at minimum one hardware component. These sensors include at least 1 controller sensor that communicates to at least 2 controllers; and at most one side-channel sensor which communicates with the monitoring system but not with the controller. The at most one controller could include at minimum one processor, which is designed to allow the controller to control at least one component of the hardware component using measurements from at least part of the controller sensor. The methodology can also include the operation of at least one processor in the monitor system. Act 206 is for determining whether measurements are indicative a possible hacker attack on at least one component. Act 208 is for generating at most one notification indicating that there has been a cyberattack. The methodology can be ended at 210.
“It is important to note that the methodology 200 could include other acts or features previously discussed with respect to system 100. The example controller could correspond to a programmable controller (PLC). The at least one controller sensor could also be a fieldbus sensor. The operation of at least 1 processor in the monitor system may also include the determination that measurements are indicative for a cyberattack when they are inconsistent with the measurements from at least one controller sensor.
“Also the methodology 200 could include the operation of at least 1 processor of the monitor, an act to generate time-based fingerprints associated to at least 1 hardware component based upon measurements received from at minimum one of the sensors; an act to compare the generated fingerprints with predetermined fingerprints, in order to determine if the measurements are indicative for a cyberattack.”
“Further,” the methodology 200 could include operation of at least one processor on the monitor system. This is an act to determine that the measured fingerprints are indicative of possible cyberattacks when they do not match predetermined fingerprints.
“The 200-described methodology may also include the operation of at least one processor on the monitor system. This is a way of determining whether the fingerprints are indicative of a cyberattack when they match predetermined fingerprints that are representative of normal wear but performed in a determined accelerated timeline compared to those fingerprints.
“In addition to this, the methodology 200 could also include the operation of at least 1 processor of the monitor, an act of creating or modifiing a classification for predetermined fingerprints to reflect whether or not the fingerprint is indicative of possible cyber-attacks, responsive to at most one input from an input devices indicative of positive or negative confirmation that at least one notification was indicative of a hacker attack.”
“A machine that corresponds to a 3D printing device may also include at least one controller as well as at least one component. The methodology could include the operation of the monitor system. This includes accessing process data that specifies at least one portion of a part to be additively produced via the 3D Printer; and determining whether the measurements are indicative for a cyber-attack when they indicate a second layer for the portion of that part actually generated using the 3D Printer.
As we have discussed, these acts (other than manual acts) can be performed by one or more processors. These processors may be part of one or more data processing system, such as those that execute software components (such the application software component), operative to cause the acts to be performed by one or more processors. These software components could include computer-executable instructions that correspond to routines, sub-routines, programs, applications modules, libraries, threads of execution and/or other similar functions. Further, it should be appreciated that software components may be written in and/or produced by software environments/languages/frameworks such as Java, JavaScript, Python, C, C#, C++ or any other software tool capable of producing components and graphical user interfaces configured to carry out the acts and features described herein.”
“As mentioned previously, controller 102 could correspond to a PLC. Alternate embodiments of the controller could correspond to a different form factor for a microprocessor, such as a general-purpose data processing system. The described monitor system can be implemented in many microprocessor form factors, including a general-purpose data processing system. FIG. FIG. 3 shows a block diagram for a data processing device 300 (also known as a computer-system). This system can implement an embodiment, such as as a part of the controller, HMI or security system and/or any other system discussed herein. The data processing system depicted includes at least one processor 302 (e.g., a CPU) that may be connected to one or more bridges/controllers/buses 304 (e.g., a north bridge, a south bridge). One or more I/O buses, such as a PCI Express, could be connected to one of the buses 304. A main memory 306 or RAM, and a graphics controller 318, may be connected to the various buses. One or more display devices 310 may be connected to the graphics controller 308 In some embodiments, one or more controllers, e.g. graphics, south bridge, may be integrated with CPU (on the same chip, die). There are several CPU architectures, including x86-64 and IA-32.
“Another peripheral connected to one or several buses may include communication controllers 312, (Ethernet controllers. WiFi controllers. Cell controllers) operative for connecting to a local network (LAN), Wide Area Networks (WAN), cellular network and/or other wired/wireless networks 314 or communications equipment.
“Further components may be connected to different busses include one or several I/O controllers316 such as USB controllers and Bluetooth controllers and/or dedicated Audio controllers (connected with speakers and/or microphones). You should also know that different peripherals can be connected to the I/O control(s) via various connections, including input devices 318 (e.g. keyboard, pointer and mouse, trackball, trackball, buttons keypad, game controller, controller, gamepad, camera controller, microphone, scanners or motion sensing devices that capture movement gestures), output device 320 (e.g. printers, speakers, or any other device that is operative in order to receive inputs from or receive outputs of the data processing system). It should also be noted that input devices and output devices can both receive inputs from the data processing system. The processor 302 could be integrated into a housing, such as a tablet, that has a touch screen that can serve as both an input device and display device. It should also be noted that input devices such as laptops may contain a variety of input devices, including touch screens, touch pads, keyboards, etc. It should also be noted that peripheral hardware 322 connected with the I/O controllers316 could include any type or machine or component that can communicate with a data processing device.
“Additional components connected to different busses may include one (or more) storage controllers 324, e.g. SATA. A storage controller can be connected to a storage device 326, such as one or more storage devices and/or any associated removable media. This could be any non-transitory, machine-readable storage medium. These include volatile devices, nonvolatile, volatile, read-only devices, ROMs and EPROMs as well as magnetic tape storage. In some cases, an SSD storage device may also be connected to an I/O bus304 such as a PCI Express bus.
A data processing system according to an embodiment of this disclosure could include an operating system, software/firmware, and data storage 332 (which may be stored on a storage unit 326 or the memory 336). This operating system can use a command-line interface (CLI), and/or a graphic user interface (GUI). Multiple display windows can be displayed simultaneously in the GUI shell. Each window provides an interface to either a different application, or an instance of the same program. The graphical user interface can be controlled by the user using a touch screen or mouse to manipulate the cursor/pointer. To trigger a desired response, the cursor/pointer can be moved and/or an event (such as touching a touch screen or clicking a mouse button) may be generated. Microsoft Windows, Linux and UNIX are some examples of operating systems that can be used in a data processing platform. Data stores can also include data files, tables, relational databases (e.g. Oracle, Microsoft SQL Server), and database servers. Any other structure or device that is capable to store data that can be retrieved by a processor is an example of a data store.
“The communication controllers 312, may be connected to network 314 (not part of data processing systems 300), which can include any network, public or private, or combination thereof, as well as the Internet. Data processing system 300 may communicate with one or more data processing systems, such as a 334 (also not part the data processing system 300). An alternative data processing system could be a collection of processors that are part of a distributed system. These processors may communicate with each other via one or more network connections. They may then perform tasks previously described as being done by one data processing system. It is important to understand that a data processing system can be implemented by multiple data processing systems in a distributed system communicating with each other over a network.
Further, the term “controller” refers to any device, system or part thereof that controls at least one operation. Any device, system, or part of a controller that controls at most one operation. This can be implemented in hardware, firmware or software, or a combination of both. The functionality associated with any controller can be distributed or centralized, locally or remotely.
“It should also be noted that data processing systems can be implemented in virtual machines within a cloud or virtual machine architecture. The processor 302 and its components could be a virtual machine that executes in a virtual environment with one or more servers. There are many virtual machine architectures, including VMware ESCi and Microsoft Hyper-V.
“Those with ordinary skill in the arts will recognize that hardware used for data processing systems may differ for different implementations. The data processing system 300 may be a controller, workstation or server, a computer, laptop, notebook, computer, tablet, phone, or any other apparatus/system that can process data and perform the functionality described herein. This illustration is for explanation purposes only. It is not intended to be a limitation on architectural design of the present disclosure.
“It should also be noted that the processor described in this document may be located on a remote server from the input and display devices described herein. The client device, which communicates with the server and/or virtual machine running on the server via a wired or wireless network that may include the Internet, may contain the above-described display device and input device. One embodiment of remote desktop protocols may be executed by such a client device. It may also correspond to a portal device. This device sends inputs to the server from an input device and receives visual information from the server for display on a display device. Remote desktop protocols such as Teradici’s PCoIP and Microsoft’s RDP are examples. Another example is that such a client device could correspond to a computer using a thin client application or a web browser. The web browser and thin client applications may transmit inputs to the server to be evaluated by the server. Once rendered, the server sends back an image or series of images to the client to be displayed by either the thin client app or the web browser. In some cases, the remote processor described in this article may also be a combination of a real processor and a physical processor running in the server.
“Component” and?system? are used herein. “Component” and “system” are interchangeable terms. These terms can be used to refer to hardware, software, or a combination thereof. A system or component could be, for instance, a process, a program executing on a CPU, or both. A component or system can be distributed over multiple devices or may be located on one device.
A processor is also used to refer to any electronic device configured using hardware circuits, firmware, and/or software to process data. The processors described herein could be one or more of the following: a CPU, FPGA or ASIC or any other integrated device (IC) capable of processing data in any data processing system. This may include a controller board or computer, server, mobile phone and/or any other electronic device.
“Those who are skilled in the art will know that the entire structure and operation all data processing systems compatible with the present disclosure is not being described or depicted herein. Instead, the disclosure only describes and depicts a portion of the data processing system that is relevant to the present disclosure. The rest of the construction and operation 300 of data processing system 300 can be conformed to any of various implementations or practices currently known in the art.
“It should also be understood that the terms or phrases used in this document should be interpreted broadly, except where specifically stated otherwise. The terms “include” and “comprise” are examples. For example, the terms?include? und?comprise? refer to inclusion without limitation. as well as their derivatives, means inclusion without limitation. The singular forms??a?,??an????????????????????????????????? and?the????????????????????????????? The singular forms?a?,?an???? and?the???????????????? are intended to include the plural forms. Unless the context indicates otherwise, they are meant to be inclusive of plural forms. The term “and/or” is also used herein. The term?and/or? as used herein refers and includes all combinations of any or all of the listed items. The term “or” is inclusive, meaning and/or. The term?or? is inclusive, meaning both or, unless otherwise stated. The phrases?associated? The phrases?associated with? and?associated therewith? and?associated therewith,?
“Also the terms ‘first?,?second?, and?third? may be used, but they should not be considered as limiting. These terms may be used to describe elements, functions or acts. However, the meaning of these terms should not limit these elements, functions or acts. These numeral adjectives serve to distinguish elements, functions, and acts from one another. A first element, function or act might be called a second element or function or act. A second element or function or act could also be called a second element or function or act without departing from this disclosure.
“In addition, phrases like “processor is configured? “Processor is configured to perform one or more functions. This could indicate that the processor can be operatively or operably configured for the function or process via software, firmware and/or wired circuits. A processor that is capable of carrying out a function/process could be a processor that executes the software/firmware. Or it may be a processor with the software/firmware stored in a storage device or memory that can be used by the processor to execute the function/process. A processor that is configured to perform a function/process may also correspond to a processor that executes the software/firmware. A processor that is?configured to? perform one or more functions, could also correspond with a specially fabricated or wired processor circuit. To perform the functions or processes (e.g. an ASIC or FPGA) The phrase “at least one” is also used. An element (e.g. a processor) configured to perform more than one function can correspond to one or two elements (e.g. processors) and each of these functions. It may also correspond with two or more elements (e.g. processors), that carry out different functions.
“In addition, the expression?adjacent? may mean: “Adjacent to” could also refer to: an element that is relatively close to, but not in direct contact with, another element; or that the element has contact with the other portion, unless the context clearly states otherwise.
“Even though an exemplary embodiment has been described in great detail, those with skill in the art will realize that there are many modifications, substitutions and improvements that can be made to the disclosed disclosure without departing from its spirit and scope in its broadest form.”
“None of this description should be taken to imply that any element, step or act is essential. The scope of patent subject matter can only be defined by the permitted claims. These claims do not intend to invoke a claim construction of a means and function unless the exact words “means for” are included. are followed by a participle.
Summary for “System and Method for Cyber-Physical Security”
“Security systems can monitor network activity and software changes in order to detect viruses, worms or other cyber-attacks. These security systems could be improved.
A cyber-physical system refers to a physical system (hardware part) that is controlled and monitored using a computer or controller. There are many disclosed embodiments that include methods and systems that can be used to enhance cyber-physical security. A system could include at least one controller with at least one processor. A monitor system with at least one second CPU may be included in the system. The system may also include a number of sensors that can capture multiple measurements of at least one component of the hardware. At least one sensor may communicate with at least the controller and at most one sensor that communicates side-by side with the monitor system, but not with the controller. The at most one processor can be set up to allow the controller to control at least one component of the hardware. This is based at minimum in part on the measurements taken by the controller sensor. The measurements may be received by the second processor of the monitor. The second processor can also be set up to determine if the measurements indicate a possible attack on at least one component of the hardware. The second processor can also be set up to generate at most one notification in the event of a cyberattack, based on whether the measurements are indicative.
“Another example is that a method of cyber-physical security might involve at least one processor in a monitor system receiving multiple measurements from a plurality sensors associated with at most one hardware component. These sensors include at least two: at most one controller sensor, which communicates with at minimum one controller; and at the least one side-channel sensor, which communicates only with the monitor system. At least one controller could include a processor that allows the controller to control at least 1 hardware component using measurements from at least 1 controller sensor. The method can also be performed by the processor of the monitor system. It may include: determining if the measurements indicate a potential cyber-attack on at least one component; and generating at most one notification indicating that a cyberattack has occurred based on the determination of possible cyberattack.
“Another example could include a non-transitory computer-readable medium that encodes executable instructions (such a software component on an storage device), which when executed causes at least one processor the described method.”
“Another example could include an apparatus that includes at least one hardware-software and/or firmware-based processor, computer or component controller, means, module and/or unit for carrying out functionality similar to the described method.”
“The disclosure has been described in a broad manner, so that people skilled in the art can better comprehend the details that follow. The claims will also describe additional features and benefits of the disclosure. The disclosure can be used by those skilled in the arts to modify or design other structures that serve the same purpose. These equivalent constructions are not inconsistent with the spirit and scope disclosed in its broadest form.
“Also understand that this patent document contains various definitions of certain words and phrases. Those of ordinary skill will be able to see that these definitions are applicable in many instances to both past and future uses of such words and phrases. Although some terms may encompass many different embodiments, the appended Claims may limit such terms to certain embodiments.
“Variable technologies that relate to systems and methods that facilitate cyberphysical security will be described in the following drawings. Like reference numerals refer to like elements throughout. These drawings and the various embodiments that describe the principles of this patent disclosure are intended to be used as illustrations only. They should not be taken to limit the scope. The principles of the disclosure can be applied in any suitable arrangement, as those skilled in the arts will know. Multiple elements can perform functionality described as being performed by system elements. An element can be configured to perform functionality described as being performed by multiple elements. With reference to examples of non-limiting embodiments, the numerous inventive teachings of this application will be described.
“With reference to FIG. “With reference to FIG. 1, an example system 100 illustrates cyber-physical security. System 100 may contain at least one controller, 102, and at most one first processor 104. This processor is designed to execute instructions that correspond to at least 1 application component 108 (e.g. software/firmware) from the memory 106. An application component can be programmed to instruct the first processor to perform various acts and functions as described in this document.
“Example: The described controller 102 could correspond to a supervisory control and data acquisition system (SCADA), a programmable logic control (PLC), or other type industrial control system. It may also correspond to a supervisory control and data acquisition system (SCADA), other type of industrial control system, or any other type data processing system that is designed to control hardware components 110 (e.g., a furnace, electric transformer, or packaging production line). This controller could be connected directly or indirectly to an IP-based first network (134) or any other network that might be subject to cyberattack.
Cyberattack is defined as an attempt by hackers in cyberspace to hack into a system to steal data or sabotage its operations. FIG. FIG. 1 shows the network 134 that could be accessed by a local hacker who has access to it via a LAN or remote hacker who uncovers a security breach to gain access via a WAN or the Internet. IT cybersecurity systems 144, including firewalls and antivirus software, may be used to detect and prevent cyberattacks.
“But, IT cybersecurity is constantly changing. As an example, security mechanisms are constantly being developed and deployed. Hackers find ways to exploit computers and networks and bypass them. Instead of relying solely on IT cybersecurity, some embodiments of system 100 could use the physical status of 110 of one or several machines 156 controlled by one or more potentially vulnerability controllers 102 (e.g. PLCs) in order to detect potential cybersecurity breaches that were not detected by IT cybersecurity mechanisms.
“Example embodiments could take advantage of cyberattacks that can change the physical behavior the hardware component (e.g. the cyberattack against a German steel plant in 2014. and Slammer Worm infiltration at an Ohio nuclear power plant in 2015. The system 100 could be set up to monitor the physical effects of hardware components, such as vibrations, thermals, and noise; detect anomalies; classify anomalies as threats; trigger alarm notifications to cyber security systems or the responsible human users for further investigation.
“In general, IT-based cyber security systems can include software applications that are designed to prevent, detect or counteract cyberphysical security threats (e.g. viruses, worms). These solutions can monitor network activity and software on a workstation, server, or human machine interface (HMI), 158 or any other machine that manages PLCs and/or controllers, and/or hardware components, in order to detect and attempt removing and/or isolating such threats.
Cyberattacks are not always carried out in a direct manner to target an end-point with known viruses or worm software. Instead, they may be broken down into smaller (and often seemingly innocuous) steps that allow the attacker to gain incremental access over time until the hacker is ready. These step-wise attacks can be difficult to detect because they may take place over a long time. A cyberattack can take weeks, months, or even days to deploy, making it difficult for IT security systems to identify the cyberattack from events in the system. These sophisticated attacks can be difficult to detect and avoid. This makes it challenging for IT-based cyber security systems to identify the vulnerabilities.
These cyberattacks could also be directed at critical infrastructure (e.g. power distribution, transmission networks and manufacturing plants). These attacks could be directed at changing the parameters 138-142 and/or sensors of the targeted controllers and hardware components and/or sensors. IT-based cyber security systems 144 such as firewalls and anti-virus software may not be able to detect cyberattacks directed at physical machines, such as lower level controllers (e.g. PLCs and computer) that monitor and control physical machines and their components (e.g. via actuators or sensors).
“The system 100 is designed to overcome weaknesses in IT-based cybersecurity software and firewalls to detect cyberattacks that target physical machines. One example of such cyberattack is an intrusion that alters one or more parameters 138 in controller 102, such as a PLC that changes the angular speed a drive. This attack could be caused by a flaw in software that is embedded in a manufacturing system (e.g. an HMI 158), which has been undetected using traditional IT methods (e.g. a zero-day vulnerability). This system may be able to detect such an attack by monitoring how the physical properties of the hardware components affected by modified software/firmware or parameters changes after the attack has been deployed.
“As illustrated at FIG. 1. The system 100 may include a communication separated monitor system 112 that is connected to and/or included in the machine 156 and at least one of the described hardware components 110 and/or controllers 102. A monitor system could be “air gaped?” Or?air gaped? in which bi-directional network communications are prevented from machine 156 and/or network 134 to the monitor system.
“The monitor system 112 could include at least one second CPU 114. This second processor is designed to execute instructions that correspond to at least one app component 118 (e.g. software/firmware) from the memory 116 accessible by the second processor. An application component can be programmed to instruct the second processor to perform various acts and functions as described in this document.
“In some embodiments, the second CPU may be configured so that it receives a plurality 126 measurements from a plurality 120 sensors 120. These sensors are used to sense the behavior of the at least one component 110 (such the hardware component and/or associated processes). These sensors can include at least one controller sensor 122, and at most one side-channel sensor 124. A controller sensor 122 is a sensor that can detect and communicate measurements to both the controller 102 (or the monitor system 112) as defined in this document. A side-channel sensor (124), as described herein, is a sensor that can detect and communicate measurements with the controller 102 and monitor system 112. A controller sensor doesn’t necessarily need to be mounted on a controller board. It may instead correspond to a sensor that communicates directly with the controller.
“Example: The controller could correspond to a controller that communicates with the hardware component 110 and controller sensors 122 via fieldbus 146 (e.g. Profibus Foundation Fieldbus or other bidirectional wired/wireless communication system). The described side-channel sensor cannot be connected to controller 102 via fieldbus 146. Therefore, it is not capable of carrying out bidirectional communications. The side-channel sensor sensor 124 can be used to transmit sensor measurements to the controller 102 via a separate network such as a fieldbus, or another type of wired or WiFi connection to the monitor 112.
“In some embodiments, the monitor system could be set up to determine if the measured are indicative of a cyberattack on at least one component. The monitor system can also be set up to output at least one notification 132, indicating a potential cyberattack 128 upon determining that the measurements are indicative.
“In some embodiments, a monitor system may include or communicate with at least one output device (138) that is a visible or audible alarm device that outputs the notification 132. This device can be a visible light or an audible sound to notify users of a potential cyberattack. This output device may be embedded in the machine, 110, or located remotely in a room or control panel, where users can receive notification of a possible cyberattack via a screen and/or audible alarm.
“Also, in certain embodiments, the monitor can be configured to send a notification 132 to another system responsible for detecting, reporting, and responding to cyberattacks. This could include the IT-based security system 144, which notifies via an audio alarm and/or a display screen. The IT-based security system, monitor system, and/or IT based security system can be configured to send an electronic message to the appropriate user corresponding to notification 132. This electronic message could be an SMS, e-mail, instant message or voice message that notifies a user about a possible cyberattack.
“In such an instance, to keep the?air gaped?” Or?air walled?” configuration of the monitor 112, the notification 132 may be transmitted to the security systems 144 via unidirectional communication filter circuit. This allows the notification to be sent from the monitoring device but prevents it from receiving communications from security system144. These could include a virus, worm, or hacker communication.
“In one embodiment, sensors 120 can be used to measure physical information associated with hardware components (i.e. measurements of hardware components and/or the process or system controlled by the hardware components). The sensors 120, for example, may be used to monitor temperature of heating elements and/or fluids being heated by them.
“The monitor system can fingerprint the physical sensor data in order to identify anomalies in hardware components controlled by the controller 102 that could be related with cyberattacks. The monitor system can create fingerprints 150 that correspond with time-based behavior signatures using sensor measurements. These fingerprints are then compared to predetermined and classified fingerprints 152 (e.g. classified as normal activity, wear related, failure related and/or any other behavior classifications applicable to the particular hardware component or process being measured).
The monitor system can determine whether activity corresponds to a cyberattack or a mechanical issue based on the results of the fingerprint comparison. This example monitor system could be used to detect cyberattacks and other mechanical issues in a system. It may also output notifications that indicate each type of detection, such as cyberattack notification or mechanical problem notification. In other embodiments, however, the monitor system might only send notifications relating to cyberattacks. In some embodiments, you can also control the types of notifications that are generated and outputted from the monitor system using the software components of its application software.
“Example embodiments may include information such as diagnostic information about the source of the attack and the basis to indicate why the anomaly is being considered a cyberattack. The notification could include the following subject matter: “A possible cybersecurity breach has been detected in motor #4; the motor’s physical behavior is not related to wear and tear over the past two days at an average speed of 60 rpm.”
“In one embodiment, the user who received the notification may review the anomaly found in the notification by monitor system to confirm that there has been a cyberattack. The user might review the parameters of the controller or the hardware component that controls the angular velocity for motor #4. A cyberattack could be considered if such parameters are changed and not made by an authorized user. Research may be done to find out if any other parameters or software were maliciously altered. Research may also be done to identify the source and mechanism of the cyberattack. Corrective actions can be taken to fix any software/parameters that were altered. Corrective actions can be taken to stop malicious activity, access or further cyberattacks.
“Inversely, if the review uncovers a mechanical problem that is responsible for the anomaly in the notification, a hacker attack may be unlikely.” To correct or compensate for the mechanical problem, maintenance may be performed on the affected hardware.
An example embodiment of the monitor system described may allow for feedback on whether the notification accurately identified a cyberattack and/or a mechanical problem. The at least one second processor (114) of the monitor system could be set up to respond to an input device 136 that indicates a positive confirmation 130 that at least one notification is indicative of a hacker attack to modify or generate classified fingerprints 152 which are used to identify other behavior and cyberattacks.
“To maintain the previously mentioned?air gapped? “Air walled” or “air gapped?” The input device 136 can be connected directly to the monitor system. This could include a touch screen, keyboard or pointer device. A monitor system may also be used to provide a user interface, such as a GUI (graphical user interface), through an output device 138 that is also connected to the system. This could include a display screen or touch screen. This GUI could be used to view notifications 132 and provide confirmations 130.
It should be noted that the input device 136 and the output device 138 described may not be directly connected with the monitor system. The monitor system 112 could be connected to a second network, 148 which is separate from the first network 134 through which controllers 102 might be connected. To prevent cyber-attacks through the first network 134, a second network 148 can be isolated from the first one 134.
“As we have discussed, the 120 sensors connected to the monitor systems include side-channel sensors 122, and controller sensors 122. These controller sensors 122 could correspond to sensors that are necessary for controlling the hardware components or the process they are performing. A controller sensor could correspond to a temperature sensor in the fieldbus used by controller 102 to maintain chemical reactions at 70C.
“In some cases, controller sensors in fieldbus sensors can be used to collect measurements (such temperature, motion pressure, flow rate and acceleration or any other physical property) in industrial automation. For example, fieldbus data can be used to implement the controller’s measurements from controller sensors 122 at the SCADA or PLC level. The controller 102 and the monitor system 112 may also benefit from timestamps in fieldbus data. The monitor system 112 could be set up to perform time series analysis of fieldbus data from controller sensors 122 in order to generate fingerprints 150. The controller 102 is directly linked to fieldbus data. Therefore, the monitor system 112 may use the existing semantics of the process domain to detect anomalies that could be related to cyber-attacks. The monitor system can be set up to detect cyberattacks on temperature sensors and controllers, for example, if the temperature measured by a process exceeds the physical limit of the process (as defined by classified fingerprints 152).
Side-channel sensors can gather information as a result of hardware component operation. For example, sensors that detect electromagnetic radiation emitted from power sources and controllers. Side-channel sensors can be retrofitted to hardware components or used in conjunction with environmental sensors that identify side-channel information. Side-channel sensors can also include a microphone array that is used in gas turbines to collect side channel data. This information can be used to predict failures and/or thermal, electro-magnetic and vibrational cameras.
Side-channel sensors can also measure behaviors that controller sensors cannot. A controller sensor and a sensor on the side can be used to measure the exact same property (e.g. the temperature of a reaction). The monitoring software can be set up to detect if current measurements are inconsistent with those from at least one controller sensor.
“The monitor system may continuously collect side-channel measurements from side-channel sensors 124, and fieldbus measurements of controller sensors 122 to create time-based fingerprints 150 for the hardware and processes being observed. These fingerprints can then be used to determine if the current behavior in the fingerprints is consistent with what was expected (in the predetermined classified fingerprints 152). The monitor system could include a memory or a data store that stores fingerprint data 150,152 for detection of possible cyberattacks.
“The fingerprinting could be based upon an observation that the behavior signature due to wear & tear, mechanical malfunctions, or cyberattack may be different. It either shows a completely new behavioral pattern (i.e. a new fingerprint), or it matches a known one (matching a classified wear fingerprint, but with a shorter time-scale) (i.e. malicious attempts to mask attack. As wear and tear can be identified through their accelerated livescycle).
“A cyberattack can be further identified by the monitor system using a set of fingerprints that represent a series of discrete, non-continuous events that causes distinct behavior signatures. A set of predetermined, classified fingerprints may also be used to identify mechanical problems with the monitor system. These fingerprints are indicative of preliminary continuous signs and degradation.
“Example embodiments may use machine learning techniques to continuously analyze fingerprints over time using a combination unsupervised and supervised learning. This learning may be used by the monitor system to identify and distinguish among the many events that are occurring continuously in the system, which events have the greatest probability of being related to a cyberattack on controllers, hardware components and/or controller sensors.
“Note: The expected behavior signatures (e.g. normal or expected fingerprints), may correspond to characteristic curves that are obtained over time by the monitor system. These include (1) recording the machine’s behavior during normal operation (in an unsanctioned environment); (2) simulating machine behavior using synthetic data or filed input data; and/or (3) testing a physical machine in a controlled environment.
“The classification of these behavior signs (as expected or normal fingerprints) can easily be achieved using the supervised learning algorithms that the monitor system uses with respect to the sensed data of each physical domain involved, such as temporal, frequency and thermal, electrical-magnetic. As mentioned previously, the monitoring system can also incorporate real-world feedback (via confirmation inputs 130) or post-mortem analysts (via use GUI generated by monitor system) to classify fingerprints and/or sets of fingerprints as cyberattacks or not (e.g. wear or malfunctions) based on the expert assessment of the user. As the monitoring algorithms improve, the classification of fingerprints as cyberattacks or cyberattacks may become less important over time.
“It is important to understand that the monitor system can perform machine learning based upon fingerprints for similar machines in situations where fingerprint data may not be initially available (such legacy machines for which design or test information are not available). The monitor system might classify current behavior signatures by using unsupervised learning algorithms. This is done by looking at the physical domains and the correlations with the fingerprints of similar machines. This allows the monitor system to access fingerprints that have been identified as cyberattacks or not (e.g. wear or malfunctions) and use them to determine if fingerprints generated by similar machines are cyberattacks.
“It is important to understand that the monitor system 112 can be used to monitor multiple machines (as well as the associated hardware components) and may also use fingerprints from similar machines to detect cyber attacks. The described monitor system 112 can be used to access process data 154 that is related to the operations being performed by the machines being monitored. The monitor system described may be set up to detect discrepancies in the process data accessed and the actual process results produced by the hardware components measured using the sensors 150.
“For instance, a machine 156 that is being monitored by the monitor system 112 could correspond to a 3-D (3D) printer. This 3D printer could include at least one controller, 102, and a number of hardware components 110 (e.g. deposition head or laser, build platform, etc.). For example, the sensors 120 could include a side channel sensor 124 that counts the layers being deposited using the 3D printer. This is used to build all or a portion of the part. In this case, the monitor system 112 may be set up to access process data 54 from a memory/data storage that specifies the first number of layers that are being added by the 3D printer for any or all of the parts. The monitor system 112 could be configured with at least one additional processor 114 to detect a possible cyberattack if the sensors measure a second number for the portion of the 3D printed part (determined using the side-channel sensor 124) which is different from the process data.
“With reference to FIG. 2 illustrates and describes various examples of methodologies. Although the methods are described as a series or acts performed in a specific order, it should be noted that the sequence of acts may not limit the possibilities. Some acts might occur in a different order to what is listed herein. A second act can occur simultaneously with an act. In some cases, however, not all actions are required in order to implement the methodology described herein.
It is important to remember that although the disclosure describes a functional system, it does not include a series or acts. However, those skilled in art will recognize that at least some of the disclosed mechanism and/or described acts can be distributed as computer-executable instruction contained in non-transitory computer-usable or computer-readable media in any number of forms. The present disclosure applies regardless of what type of instruction, data bearing medium, storage medium, or medium used to distribute the information. Examples of non-transitory machines usable/readable/computer-readable mediums are: ROMs and EPROMs; magnetic tape, floppy drives, hard disk drives, SSDs; flash memory, CDs and DVDs; Flash media such as ROMs and EPROMs. Computer-executable instructions can include routines, sub-routines, programs, applications modules, libraries, etc. Further, the results of the methods may be stored on a computer-readable medium and displayed on a display device or the like.
“Referring to FIG. “Referring now to FIG. 2, is illustrated a methodology 200 that facilitates cyber-physical safety. The method may begin at 202. It may include multiple acts that are performed by at least 1 processor of a monitoring system, including the act 204 of receiving measurements from a plurality sensors associated with at minimum one hardware component. These sensors include at least 1 controller sensor that communicates to at least 2 controllers; and at most one side-channel sensor which communicates with the monitoring system but not with the controller. The at most one controller could include at minimum one processor, which is designed to allow the controller to control at least one component of the hardware component using measurements from at least part of the controller sensor. The methodology can also include the operation of at least one processor in the monitor system. Act 206 is for determining whether measurements are indicative a possible hacker attack on at least one component. Act 208 is for generating at most one notification indicating that there has been a cyberattack. The methodology can be ended at 210.
“It is important to note that the methodology 200 could include other acts or features previously discussed with respect to system 100. The example controller could correspond to a programmable controller (PLC). The at least one controller sensor could also be a fieldbus sensor. The operation of at least 1 processor in the monitor system may also include the determination that measurements are indicative for a cyberattack when they are inconsistent with the measurements from at least one controller sensor.
“Also the methodology 200 could include the operation of at least 1 processor of the monitor, an act to generate time-based fingerprints associated to at least 1 hardware component based upon measurements received from at minimum one of the sensors; an act to compare the generated fingerprints with predetermined fingerprints, in order to determine if the measurements are indicative for a cyberattack.”
“Further,” the methodology 200 could include operation of at least one processor on the monitor system. This is an act to determine that the measured fingerprints are indicative of possible cyberattacks when they do not match predetermined fingerprints.
“The 200-described methodology may also include the operation of at least one processor on the monitor system. This is a way of determining whether the fingerprints are indicative of a cyberattack when they match predetermined fingerprints that are representative of normal wear but performed in a determined accelerated timeline compared to those fingerprints.
“In addition to this, the methodology 200 could also include the operation of at least 1 processor of the monitor, an act of creating or modifiing a classification for predetermined fingerprints to reflect whether or not the fingerprint is indicative of possible cyber-attacks, responsive to at most one input from an input devices indicative of positive or negative confirmation that at least one notification was indicative of a hacker attack.”
“A machine that corresponds to a 3D printing device may also include at least one controller as well as at least one component. The methodology could include the operation of the monitor system. This includes accessing process data that specifies at least one portion of a part to be additively produced via the 3D Printer; and determining whether the measurements are indicative for a cyber-attack when they indicate a second layer for the portion of that part actually generated using the 3D Printer.
As we have discussed, these acts (other than manual acts) can be performed by one or more processors. These processors may be part of one or more data processing system, such as those that execute software components (such the application software component), operative to cause the acts to be performed by one or more processors. These software components could include computer-executable instructions that correspond to routines, sub-routines, programs, applications modules, libraries, threads of execution and/or other similar functions. Further, it should be appreciated that software components may be written in and/or produced by software environments/languages/frameworks such as Java, JavaScript, Python, C, C#, C++ or any other software tool capable of producing components and graphical user interfaces configured to carry out the acts and features described herein.”
“As mentioned previously, controller 102 could correspond to a PLC. Alternate embodiments of the controller could correspond to a different form factor for a microprocessor, such as a general-purpose data processing system. The described monitor system can be implemented in many microprocessor form factors, including a general-purpose data processing system. FIG. FIG. 3 shows a block diagram for a data processing device 300 (also known as a computer-system). This system can implement an embodiment, such as as a part of the controller, HMI or security system and/or any other system discussed herein. The data processing system depicted includes at least one processor 302 (e.g., a CPU) that may be connected to one or more bridges/controllers/buses 304 (e.g., a north bridge, a south bridge). One or more I/O buses, such as a PCI Express, could be connected to one of the buses 304. A main memory 306 or RAM, and a graphics controller 318, may be connected to the various buses. One or more display devices 310 may be connected to the graphics controller 308 In some embodiments, one or more controllers, e.g. graphics, south bridge, may be integrated with CPU (on the same chip, die). There are several CPU architectures, including x86-64 and IA-32.
“Another peripheral connected to one or several buses may include communication controllers 312, (Ethernet controllers. WiFi controllers. Cell controllers) operative for connecting to a local network (LAN), Wide Area Networks (WAN), cellular network and/or other wired/wireless networks 314 or communications equipment.
“Further components may be connected to different busses include one or several I/O controllers316 such as USB controllers and Bluetooth controllers and/or dedicated Audio controllers (connected with speakers and/or microphones). You should also know that different peripherals can be connected to the I/O control(s) via various connections, including input devices 318 (e.g. keyboard, pointer and mouse, trackball, trackball, buttons keypad, game controller, controller, gamepad, camera controller, microphone, scanners or motion sensing devices that capture movement gestures), output device 320 (e.g. printers, speakers, or any other device that is operative in order to receive inputs from or receive outputs of the data processing system). It should also be noted that input devices and output devices can both receive inputs from the data processing system. The processor 302 could be integrated into a housing, such as a tablet, that has a touch screen that can serve as both an input device and display device. It should also be noted that input devices such as laptops may contain a variety of input devices, including touch screens, touch pads, keyboards, etc. It should also be noted that peripheral hardware 322 connected with the I/O controllers316 could include any type or machine or component that can communicate with a data processing device.
“Additional components connected to different busses may include one (or more) storage controllers 324, e.g. SATA. A storage controller can be connected to a storage device 326, such as one or more storage devices and/or any associated removable media. This could be any non-transitory, machine-readable storage medium. These include volatile devices, nonvolatile, volatile, read-only devices, ROMs and EPROMs as well as magnetic tape storage. In some cases, an SSD storage device may also be connected to an I/O bus304 such as a PCI Express bus.
A data processing system according to an embodiment of this disclosure could include an operating system, software/firmware, and data storage 332 (which may be stored on a storage unit 326 or the memory 336). This operating system can use a command-line interface (CLI), and/or a graphic user interface (GUI). Multiple display windows can be displayed simultaneously in the GUI shell. Each window provides an interface to either a different application, or an instance of the same program. The graphical user interface can be controlled by the user using a touch screen or mouse to manipulate the cursor/pointer. To trigger a desired response, the cursor/pointer can be moved and/or an event (such as touching a touch screen or clicking a mouse button) may be generated. Microsoft Windows, Linux and UNIX are some examples of operating systems that can be used in a data processing platform. Data stores can also include data files, tables, relational databases (e.g. Oracle, Microsoft SQL Server), and database servers. Any other structure or device that is capable to store data that can be retrieved by a processor is an example of a data store.
“The communication controllers 312, may be connected to network 314 (not part of data processing systems 300), which can include any network, public or private, or combination thereof, as well as the Internet. Data processing system 300 may communicate with one or more data processing systems, such as a 334 (also not part the data processing system 300). An alternative data processing system could be a collection of processors that are part of a distributed system. These processors may communicate with each other via one or more network connections. They may then perform tasks previously described as being done by one data processing system. It is important to understand that a data processing system can be implemented by multiple data processing systems in a distributed system communicating with each other over a network.
Further, the term “controller” refers to any device, system or part thereof that controls at least one operation. Any device, system, or part of a controller that controls at most one operation. This can be implemented in hardware, firmware or software, or a combination of both. The functionality associated with any controller can be distributed or centralized, locally or remotely.
“It should also be noted that data processing systems can be implemented in virtual machines within a cloud or virtual machine architecture. The processor 302 and its components could be a virtual machine that executes in a virtual environment with one or more servers. There are many virtual machine architectures, including VMware ESCi and Microsoft Hyper-V.
“Those with ordinary skill in the arts will recognize that hardware used for data processing systems may differ for different implementations. The data processing system 300 may be a controller, workstation or server, a computer, laptop, notebook, computer, tablet, phone, or any other apparatus/system that can process data and perform the functionality described herein. This illustration is for explanation purposes only. It is not intended to be a limitation on architectural design of the present disclosure.
“It should also be noted that the processor described in this document may be located on a remote server from the input and display devices described herein. The client device, which communicates with the server and/or virtual machine running on the server via a wired or wireless network that may include the Internet, may contain the above-described display device and input device. One embodiment of remote desktop protocols may be executed by such a client device. It may also correspond to a portal device. This device sends inputs to the server from an input device and receives visual information from the server for display on a display device. Remote desktop protocols such as Teradici’s PCoIP and Microsoft’s RDP are examples. Another example is that such a client device could correspond to a computer using a thin client application or a web browser. The web browser and thin client applications may transmit inputs to the server to be evaluated by the server. Once rendered, the server sends back an image or series of images to the client to be displayed by either the thin client app or the web browser. In some cases, the remote processor described in this article may also be a combination of a real processor and a physical processor running in the server.
“Component” and?system? are used herein. “Component” and “system” are interchangeable terms. These terms can be used to refer to hardware, software, or a combination thereof. A system or component could be, for instance, a process, a program executing on a CPU, or both. A component or system can be distributed over multiple devices or may be located on one device.
A processor is also used to refer to any electronic device configured using hardware circuits, firmware, and/or software to process data. The processors described herein could be one or more of the following: a CPU, FPGA or ASIC or any other integrated device (IC) capable of processing data in any data processing system. This may include a controller board or computer, server, mobile phone and/or any other electronic device.
“Those who are skilled in the art will know that the entire structure and operation all data processing systems compatible with the present disclosure is not being described or depicted herein. Instead, the disclosure only describes and depicts a portion of the data processing system that is relevant to the present disclosure. The rest of the construction and operation 300 of data processing system 300 can be conformed to any of various implementations or practices currently known in the art.
“It should also be understood that the terms or phrases used in this document should be interpreted broadly, except where specifically stated otherwise. The terms “include” and “comprise” are examples. For example, the terms?include? und?comprise? refer to inclusion without limitation. as well as their derivatives, means inclusion without limitation. The singular forms??a?,??an????????????????????????????????? and?the????????????????????????????? The singular forms?a?,?an???? and?the???????????????? are intended to include the plural forms. Unless the context indicates otherwise, they are meant to be inclusive of plural forms. The term “and/or” is also used herein. The term?and/or? as used herein refers and includes all combinations of any or all of the listed items. The term “or” is inclusive, meaning and/or. The term?or? is inclusive, meaning both or, unless otherwise stated. The phrases?associated? The phrases?associated with? and?associated therewith? and?associated therewith,?
“Also the terms ‘first?,?second?, and?third? may be used, but they should not be considered as limiting. These terms may be used to describe elements, functions or acts. However, the meaning of these terms should not limit these elements, functions or acts. These numeral adjectives serve to distinguish elements, functions, and acts from one another. A first element, function or act might be called a second element or function or act. A second element or function or act could also be called a second element or function or act without departing from this disclosure.
“In addition, phrases like “processor is configured? “Processor is configured to perform one or more functions. This could indicate that the processor can be operatively or operably configured for the function or process via software, firmware and/or wired circuits. A processor that is capable of carrying out a function/process could be a processor that executes the software/firmware. Or it may be a processor with the software/firmware stored in a storage device or memory that can be used by the processor to execute the function/process. A processor that is configured to perform a function/process may also correspond to a processor that executes the software/firmware. A processor that is?configured to? perform one or more functions, could also correspond with a specially fabricated or wired processor circuit. To perform the functions or processes (e.g. an ASIC or FPGA) The phrase “at least one” is also used. An element (e.g. a processor) configured to perform more than one function can correspond to one or two elements (e.g. processors) and each of these functions. It may also correspond with two or more elements (e.g. processors), that carry out different functions.
“In addition, the expression?adjacent? may mean: “Adjacent to” could also refer to: an element that is relatively close to, but not in direct contact with, another element; or that the element has contact with the other portion, unless the context clearly states otherwise.
“Even though an exemplary embodiment has been described in great detail, those with skill in the art will realize that there are many modifications, substitutions and improvements that can be made to the disclosed disclosure without departing from its spirit and scope in its broadest form.”
“None of this description should be taken to imply that any element, step or act is essential. The scope of patent subject matter can only be defined by the permitted claims. These claims do not intend to invoke a claim construction of a means and function unless the exact words “means for” are included. are followed by a participle.
Click here to view the patent on Google Patents.How to Search for Patents
A patent search is the first step to getting your patent. You can do a google patent search or do a USPTO search. Patent-pending is the term for the product that has been covered by the patent application. You can search the public pair to find the patent application. After the patent office approves your application, you will be able to do a patent number look to locate the patent issued. Your product is now patentable. You can also use the USPTO search engine. See below for details. You can get help from a patent lawyer. Patents in the United States are granted by the US trademark and patent office or the United States Patent and Trademark office. This office also reviews trademark applications.
Are you interested in similar patents? These are the steps to follow:
1. Brainstorm terms to describe your invention, based on its purpose, composition, or use.
Write down a brief, but precise description of the invention. Don’t use generic terms such as “device”, “process,” or “system”. Consider synonyms for the terms you chose initially. Next, take note of important technical terms as well as keywords.
Use the questions below to help you identify keywords or concepts.
- What is the purpose of the invention Is it a utilitarian device or an ornamental design?
- Is invention a way to create something or perform a function? Is it a product?
- What is the composition and function of the invention? What is the physical composition of the invention?
- What’s the purpose of the invention
- What are the technical terms and keywords used to describe an invention’s nature? A technical dictionary can help you locate the right terms.
2. These terms will allow you to search for relevant Cooperative Patent Classifications at Classification Search Tool. If you are unable to find the right classification for your invention, scan through the classification’s class Schemas (class schedules) and try again. If you don’t get any results from the Classification Text Search, you might consider substituting your words to describe your invention with synonyms.
3. Check the CPC Classification Definition for confirmation of the CPC classification you found. If the selected classification title has a blue box with a “D” at its left, the hyperlink will take you to a CPC classification description. CPC classification definitions will help you determine the applicable classification’s scope so that you can choose the most relevant. These definitions may also include search tips or other suggestions that could be helpful for further research.
4. The Patents Full-Text Database and the Image Database allow you to retrieve patent documents that include the CPC classification. By focusing on the abstracts and representative drawings, you can narrow down your search for the most relevant patent publications.
5. This selection of patent publications is the best to look at for any similarities to your invention. Pay attention to the claims and specification. Refer to the applicant and patent examiner for additional patents.
6. You can retrieve published patent applications that match the CPC classification you chose in Step 3. You can also use the same search strategy that you used in Step 4 to narrow your search results to only the most relevant patent applications by reviewing the abstracts and representative drawings for each page. Next, examine all published patent applications carefully, paying special attention to the claims, and other drawings.
7. You can search for additional US patent publications by keyword searching in AppFT or PatFT databases, as well as classification searching of patents not from the United States per below. Also, you can use web search engines to search non-patent literature disclosures about inventions. Here are some examples:
- Add keywords to your search. Keyword searches may turn up documents that are not well-categorized or have missed classifications during Step 2. For example, US patent examiners often supplement their classification searches with keyword searches. Think about the use of technical engineering terminology rather than everyday words.
- Search for foreign patents using the CPC classification. Then, re-run the search using international patent office search engines such as Espacenet, the European Patent Office’s worldwide patent publication database of over 130 million patent publications. Other national databases include:
- European Patent Office (EPO) provides esp@cenet to access a network of Europe’s patent databases with access to machine translation of European patents.
- Japan Patent Office (JPO) – with access to machine translations of Japanese patents.
- World Intellectual Property Organization (WIPO) offers PATENTSCOPE with a full-text search of published international patent applications and machine translations for some documents, as well as a list of international patent databases.
- Korean Intellectual Property Rights Information Service (KIPRIS)
- State Intellectual Property Office (SIPO) with machine translation of Chinese patents.
- Other International Intellectual Property Offices with online patent databases include Australia, Canada, Denmark, Finland, France, Germany, Great Britain, India, Israel, Netherlands, Norway, Sweden, Switzerland, and Taiwan.
- Search non-patent literature. Inventions can be made public in many non-patent publications. It is recommended that you search journals, books, websites, technical catalogs, conference proceedings, and other print and electronic publications.
To review your search, you can hire a registered patent attorney to assist. A preliminary search will help one better prepare to talk about their invention and other related inventions with a professional patent attorney. In addition, the attorney will not spend too much time or money on patenting basics.
Download patent guide file – Click here