Security provider CyberX was awarded a patent for its ICS-aware risk analytics and machine learning technology.
As industrial and critical infrastructure organizations look to safeguard Industrial Internet of Things (IIoT) and Industrial Control Systems (ICS) networks from cyberattacks that can result in costly production downtime, catastrophic safety failures, and environmental incidents, they are looking for new ways to rapidly detect and respond to advanced zero-day threats that can bypass conventional perimeter and endpoint security solutions.
The patent covers methods and systems for learning ICS network behavior and accurately identifying anomalous activities.
It relies on a new way of using finite-state machine (FSM) modeling techniques to analyze ICS environments and machine-to-machine (M2M) communications.
“CyberX was founded in 2013 with the mission of reducing ICS risk for industrial and critical infrastructure organizations,” said Omer Schneider, CEO and co-founder of CyberX. “This patent is further recognition that we’re delivering highly differentiated technology to support our customers’ business objectives.”
“Rising threats to IIoT and ICS environments demonstrate that threat actors such as nation-states and cybercriminals are not standing still in the cyber arms race,” said Nir Giller, CyberX CTO, EMEA GM and co-founder.
The patent covers analytics for detecting anomalous behavior in ICS networks incorporating specialized ICS protocols such as Modbus and DNP3, and specialized ICS devices such as Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs). The technology works by:
• Capturing all ICS network traffic and performing deep packet inspection (DPI) to analyze specific fields of ICS packet data that are unique to each ICS protocol.
• Modeling ICS network behavior as deterministic sequences of states and transitions.
• Generating real-time alerts whenever observed behavior deviates from the expected sequence of ICS network states, based on advanced machine learning and probabilistic algorithms.
• Identifying other types of anomalous conditions independent of baseline deviations, such as the use of packet structures and field values that violate ICS protocol specifications as defined by industrial automation vendors. These can indicate misuse of the ICS protocol to exploit particular device or network vulnerabilities.
• Identifying insider threats such as suspicious or unauthorized activities performed by authorized privileged users within the ICS network.
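To make the approach in the list above concrete, here is a small added example (written for this page, not CyberX's patented implementation) that applies the same two ideas to Modbus/TCP: a spec check on parsed protocol fields that needs no baseline, and a finite-state model of (device, function, address) transitions learned from a clean capture and used to flag deviations. The frame builder, the constructed polling baseline and the sample traffic are all assumptions made for the example.

```python
import struct

# Modbus/TCP: 7-byte MBAP header (transaction id, protocol id, length, unit id), then the PDU.
# For the read functions the PDU is: function code, 2-byte start address, 2-byte quantity.
MAX_QTY = {1: 2000, 2: 2000, 3: 125, 4: 125}   # per-function quantity limits from the Modbus spec

def build_request(unit, func, start, qty, txn=1, proto=0):
    """Construct a Modbus/TCP request frame (sample traffic for this example)."""
    return struct.pack(">HHHBBHH", txn, proto, 6, unit, func, start, qty)

def parse_modbus(frame):
    """Minimal DPI: extract the protocol-specific fields of one Modbus/TCP request."""
    txn, proto, length, unit, func, start, qty = struct.unpack(">HHHBBHH", frame[:12])
    return {"proto": proto, "length": length, "unit": unit, "func": func,
            "start": start, "qty": qty, "pdu_len": len(frame) - 6}

def spec_violations(msg):
    """Alerts that hold regardless of any learned baseline: fields outside the protocol spec."""
    out = []
    if msg["proto"] != 0:
        out.append("MBAP protocol id must be 0")
    if msg["length"] != msg["pdu_len"]:
        out.append("MBAP length field does not match frame size")
    if msg["func"] in MAX_QTY and not 1 <= msg["qty"] <= MAX_QTY[msg["func"]]:
        out.append("quantity %d out of range for function %d" % (msg["qty"], msg["func"]))
    return out

def state_of(msg):
    # One FSM state per (device, function, address): what is asked of which PLC.
    return (msg["unit"], msg["func"], msg["start"])

def learn_fsm(baseline_frames):
    """Learn the set of observed state transitions from a clean baseline capture."""
    transitions, prev = set(), None
    for frame in baseline_frames:
        cur = state_of(parse_modbus(frame))
        transitions.add((prev, cur))
        prev = cur
    return transitions

def detect(model, frames):
    """Return (index, kind, detail) alerts for spec violations and FSM deviations."""
    alerts, prev = [], None
    for i, frame in enumerate(frames):
        msg = parse_modbus(frame)
        alerts += [(i, "spec", v) for v in spec_violations(msg)]
        cur = state_of(msg)
        if (prev, cur) not in model:
            alerts.append((i, "fsm", "unexpected transition %s -> %s" % (prev, cur)))
        prev = cur
    return alerts

# Constructed baseline: an HMI polling PLC unit 1 (holding registers 0..9, then coils 0..15).
BASELINE = [build_request(1, 3, 0, 10), build_request(1, 1, 0, 16)] * 3
MODEL = learn_fsm(BASELINE)
# Constructed monitored traffic: a normal poll, an over-long read, then a never-seen write (func 6).
SAMPLE = [build_request(1, 3, 0, 10), build_request(1, 1, 0, 16),
          build_request(1, 3, 0, 200), build_request(1, 6, 0, 1)]
ALERTS = detect(MODEL, SAMPLE)
```

The over-long read is caught by the spec check even though the transition itself is in the baseline, while the write is caught only by the learned FSM; a real product would also track timing, response frames and per-protocol state, which this toy model omits.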