The number of attacks on industrial systems continues to rise.
And with the development of the industrial internet of things (IIoT) the attack surface will only increase

Attacks targeting operational technologies (OT) are the most dangerous for industrial facilities because they can disrupt the technological process and do irreversible damage to equipment, resulting in major financial and reputational losses. Some attacks on OTs do not come from inside the digital environment (reflashing the controller or spoofing sensor readings), but are purely physical (shutting off a valve, removing a sensor, or attaching a false sensor). There are so many processes inside an enterprise that the harmful effects can go unnoticed for a long time, especially since the attackers usually try to hide their malicious actions. In such conditions, traditional solutions are unable to protect the industrial environment from threats aimed at technological infrastructure.

Kaspersky Machine Learning for Anomaly Detection (Kaspersky MLAD) is an innovative system that uses a neural network to simultaneously monitor a wide range of telemetry data and identify anomalies in the operation of cyber-physical systems, which is what modern industrial facilities are.

Kaspersky MLAD assists cybersecurity professionals, operators, and process engineers


Detects deviations in equipment operation caused by an attack or an error, and eliminates danger in the very early stages of development


Identifies fraud and sabotage in the enterprise


Improves performance by identifying and eliminating hard-to-detect deviations in technological processes


Ensures the level of protection in the enterprise complies with regulatory requirements

Kaspersky MLAD does not require the installation of additional sensors

Our system is configured to receive mirrored traffic from an existing ICS and analyze the existing telemetry data flow of the technological process: setpoints, commands, and sensor readings.

Kaspersky MLAD analyzes mirrored traffic from an existing ICS

Kaspersky MLAD deployment options

Process parameters are closely interconnected

These connections between parameters are set in the control logic of an ICS during its design, and are determined by the physical laws of the process flow, operating conditions, input parameters, and other factors. Consequently, an attack that affects some process parameters inevitably produces changes in others.

The Kaspersky MLAD neural network learns these interconnections and uses them to identify anomalies – that is, deviations from the normal process flow.

Kaspersky MLAD detects anomalies, whatever the cause


For example, spoofing of process data

Physical causes

For example, equipment or sensor failure

Human factors

For example, incorrect actions by the operator (intentional or unintentional), incorrect equipment settings, changing modes or setpoints, or switching to manual control


of thousands of technological parameters and analysis of deviations from the norm in real time

Graphical display

of changes in the most significant technological parameters and their predicted values

Anomaly detection

in the early stages of development, before the deviation has aroused operator suspicions or triggered emergency protection rules

Anomaly alerts

if the overall deviation from the normal process flow is greater than the threshold defined at the neural network training stage

Alerts can be sent through the web interface by email or by sending messages to Kaspersky Industrial CyberSecurity for Networks


the anomaly detection in the event log for subsequent analysis by process engineers


Unlike traditional security solutions, there is no need to draw up a long list of rules and expend time and effort on keeping them up to date

This information tells the operator what is wrong in the system and where. This brings us to the topic of anomaly interpretation

Having received information from our system about the exact nature of the problem, the ICS operators and cybersecurity experts can quickly localize the anomaly, understand its causes, and eliminate them.

An anomaly in the vacuum column temperature

Kaspersky MLAD keeps a historical record of technological parameter values and their predicted values, maintains a log of recorded anomalies, and provides a graphical interface for analyzing this data

For each anomaly detected, our system stores detailed information about the process parameters that deviate furthest from the norm. Experts (process engineers or ICS operators) can add their conclusions to the log, based on the results of the anomaly analysis.

Kaspersky groups similar anomalies automatically

Experts can assign a severity level, name, and recommended operator actions to the group of anomalies. If similar anomalies are subsequently detected, they are automatically assigned to this group and receive a predefined expert assessment.

Kaspersky MLAD is a tool for cybersecurity experts, process engineers, and operators serving complex cyber-physical systems with large telemetry data flows

Areas of application include:

Petrochemical industry and transportation of petroleum products

Chemical industry

Pharmaceutical industry

Assembly line production

Smart building management


Smart cities

Water treatment and supply

Energy industry

Gas supply

If you have any questions or would like to discuss opportunities for cooperation, please use the feedback form

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.