The number of attacks on industrial systems continues to rise. With the growth of the industrial Internet of Things, attacks on industrial facilities will only expand.

Attacks that are capable of disrupting operating technologies are the most dangerous for an industrial facility because they could reduce the quality of the industrial process and even cause irreversible damage to equipment, thereby leading to enormous financial losses and a damaged reputation.

A facility may have a large number of processes, and therefore a malfunction could go unnoticed for a long time. During an attack, hackers usually try to conceal their malicious impact as long as possible. Under these conditions, traditional solutions are insufficient for protecting an industrial environment against threats aimed at the process infrastructure.

Kaspersky Machine Learning for Anomaly Detection (Kaspersky MLAD) is an innovative system that employs a neural network to simultaneously monitor a large number of telemetry indicators and detect anomalies in the operation of the cyber-physical systems that make up state-of-the-art industrial facilities.

Kaspersky MLAD can help cybersecurity experts and industrial process operators/specialists do the following:

Control

Detect deviations in equipment operation caused by an error or attack, and prevent a dangerous situation at the earliest stages of its development

Monitoring

Identify fraud and sabotage at a facility

Effectiveness

Enhance the effectiveness of the industrial process by identifying and rectifying hard-to-detect malfunctions of the industrial process

Security

Bring the security of a facility into compliance with the requirements of regulators

Kaspersky MLAD doesn't require additional sensors

Our system analyzes a copy of the industrial process telemetry: setpoints, commands, and sensor readings.


Kaspersky MLAD data receiving scheme

Kaspersky MLAD deployment schemes

Process parameters are closely interdependent

These dependencies between parameters are established when designing the ICS control logic, and are determined by the physical laws of the process stream, operating conditions, input settings of production, and other factors. Therefore, an attack that impacts some process parameters will inevitably result in changes to other parameters.

The neural network within Kaspersky MLAD studies these interdependencies and uses them to identify anomalies, which are deviations from the normal process stream.

Kaspersky MLAD identifies anomalies irrespective of their causes, which may include the following:

Cyberattacks

Such as spoofing of data regarding the industrial process

Physical factors

Such as damage to equipment and malfunctioning sensors

Human factors

Such as intentional or inadvertent inappropriate actions of the operator, improper configuration of equipment, change of operating modes or setpoints, or switching to manual control

Monitors

thousands of process parameters and analyzes their deviations from normal conditions in near-real time

Displays

charts showing the changes of the most significant process parameters and their predicted values

Identifies

anomalies at the earliest stages of their development when deviations of individual process parameters are not yet raising the suspicions of operators and are not yet triggering emergency prevention rules

Notifies

of anomalies if the total deviation from the normal process stream is higher than the threshold determined during the neural network learning stage.

Notifications can be sent through the web interface, by email, or by sending messages to Kaspersky Industrial CyberSecurity for Networks.

Logs

anomaly detection events for their subsequent analysis by industrial process experts

Is flexible

In contrast to traditional security solutions, you do not need to create a large number of rules, and therefore do not have to spend a lot of effort keeping them up to date.

The provided information enables the operator to understand where exactly the malfunction occurred in the system, and what caused it. This helps with the interpretation of anomalies.

By receiving information about what exactly went wrong in the system, ICS operators and cybersecurity experts can more quickly localize the anomaly, understand its causes, and rectify them.
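An illustration of the approach described above, added here and not Kaspersky MLAD code: it learns the dependencies between three constructed tags from normal telemetry, sets the alert threshold from the training data, and reports the tag with the largest deviation. A least-squares line stands in for the neural network; the tag names, coefficients and sample values are assumptions.

```python
import random
from statistics import mean

# Each tag is predicted from the tag it physically depends on (hypothetical tag names).
LINKS = {"flow": "setpoint", "pressure": "flow"}

def normal_sample(rng, setpoint):
    """Constructed 'normal' telemetry: flow follows the setpoint, pressure follows flow."""
    flow = 2.0 * setpoint + rng.gauss(0, 0.05)
    pressure = 0.5 * flow + 1.0 + rng.gauss(0, 0.05)
    return {"setpoint": setpoint, "flow": flow, "pressure": pressure}

def fit_line(xs, ys):
    """Ordinary least squares for y = a*x + b."""
    mx, my = mean(xs), mean(ys)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return a, my - a * mx

class Detector:
    def fit(self, history, margin=1.5):
        # Learn the dependencies, then set the threshold from the training data itself.
        self.models = {tag: fit_line([s[src] for s in history], [s[tag] for s in history])
                       for tag, src in LINKS.items()}
        self.threshold = margin * max(sum(self.errors(s).values()) for s in history)
        return self

    def errors(self, sample):
        """Squared prediction error per tag."""
        return {tag: (sample[tag] - (a * sample[LINKS[tag]] + b)) ** 2
                for tag, (a, b) in self.models.items()}

    def check(self, sample):
        """Return (is_anomaly, tag with the largest deviation, total deviation)."""
        errs = self.errors(sample)
        total = sum(errs.values())
        return total > self.threshold, max(errs, key=errs.get), total

def demo():
    rng = random.Random(7)
    history = [normal_sample(rng, rng.uniform(4.0, 9.0)) for _ in range(200)]
    det = Detector().fit(history)
    clean = {"setpoint": 6.0, "flow": 12.0, "pressure": 7.0}
    # Spoofed flow reading: the sensor still reports 10.0 while the setpoint is 8.0
    # and the (unspoofed) pressure reflects the real flow of 16.0.
    spoofed = {"setpoint": 8.0, "flow": 10.0, "pressure": 9.0}
    return det.check(clean), det.check(spoofed)

if __name__ == "__main__":
    print(demo())
```

The spoofed value is plausible on its own; it is flagged only because it disagrees with both the setpoint and the pressure.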


Spoofing detected at A-C gas reactor inlet flow sensor

Kaspersky MLAD saves the history of actual process parameter values and their predicted values, maintains a log of registered anomalies, and provides a graphical interface for analyzing this data.

For each detected anomaly, our system saves detailed information on the process parameters that display the highest deviations from the norm. An authorized expert (ICS operator or process engineer) can add an assessment of the anomaly analysis results to the log.

Kaspersky MLAD automatically groups similar anomalies

An authorized expert has the capability to assign a severity level, name, and recommended operator actions to a specific anomaly group. If similar anomalies are subsequently detected, they will be automatically assigned to this group and will receive the prepared expert assessment.

The scope of application of our system includes:

Petrochemical industry and transportation of petroleum products

Chemical industry

Pharmaceutical industry

Assembly line production

Smart building management

Agriculture

Smart cities

Water treatment and supply

Energy

Gas supply, etc.