Machine learning on guard at industrial facilities


Cybersecurity at industrial facilities is attuned to the fact that any attack can disrupt the technological process. This is potentially fraught with catastrophic consequences, not always financial. Therefore, effective protection of such facilities requires permanent monitoring of both information systems and operational processes. Happily, we have just the tool.

Today’s automated industrial control system (ICS) is a complex cyberphysical system. It comprises both computer elements that control devices and integral units and physical equipment. This expands attack surface and gives hackers trying to disrupt the system plenty of options. They can go after the information infrastructure, target the controllers in the digital environment, or physically intervene in the production process. Attacks on a cyberphysical system are generally far more sophisticated than conventional cyberattacks.

Attacks through information systems are more or less manageable. It is sufficient to carefully monitor the information flows between the programmable logic controllers and the SCADA system. But what if attackers interfere with signals between industrial sensors and controllers? What if they substitute the sensor data or destroy the sensor itself? We have developed a machine-learning technology able to identify this type of attack.

What’s needed to protect operational processes

Our technology is called Machine Learning for Anomaly Detection (MLAD). Everything required for its operation is basically already in place at most industrial facilities. After all, the entire production process is already outfitted with sensors. The modern automated ICS receives vast volumes of telemetry data. Tens of thousands of different tags, typically updated about 10 times each second, arrive from numerous sources. Moreover, information about normal system operation is accumulated and stored over years. These are ideal conditions in which to apply machine learning.

Thanks to the laws of physics, all process signals in the system are interconnected. For example, if a sensor on a valve indicates a blockage, other sensors elsewhere should show a corresponding change in pressure, volume, or temperature. All of these indicators correlate with each other. The slightest change in the production process leads to different readings on many sensors. The machine-learning system — trained on data collected under normal operating conditions — can study these correlations. Additionally, the MLAD engine can operate in self-learning mode in case new data, previously not taken into consideration, becomes available. As a result, it can spot any anomaly in the production process.

How it is applied in practice

Our Kaspersky Industrial CyberSecurity solution closely monitors process traffic using deep packet inspection (DPI). As such, it has access to sensor and command data. This information is analyzed in real time by the MLAD system (already trained on data collected under normal operating conditions) to predict what the normal system status should be in the short term (the exact time of this prediction can be adjusted).

Of course, the prediction will always differ from observed reality. The question is by how much. During the learning process, the system statistically calculates threshold values of the prediction error, divergence from which is considered an anomaly.
Andrey Lavrentyev presenting "Detecting ICS Attacks Using Recurrent Neural Networks" at S4x18 conference
MLAD is integrated with Kaspersky Industrial CyberSecurity at the protocol level. It requires telemetry data that supplied by Kaspersky Industrial CyberSecurity, but it can theoretically be switched to use technological data from our other solutions.

Advantages of our method

Unlike an expert system, which operates according to a set of strictly defined rules, a security solution based on machine-learning algorithms shows more flexibility. For an expert system to work in different operating conditions, its rules are often generalized, which can delay emergency responses. A machine-learning system, however, is free of this shortcoming.

Flexibility is also important if the enterprise needs to adjust the production process. With a machine-learning system, there is no need to tinker with the security system — it is enough simply to retrain MLAD. Not only that, Kaspersky Industrial CyberSecurity works with duplicate traffic; that is, it does not interfere directly with the production process.

Operational demo

A detailed mathematical model of the chemical industrial process of Tennessee Eastman has been available on the Internet for some time. It is often used for demonstrations and fine-tuning of control models. We used it as the basis to model the highly realistic operation of the MLAD module in an attack on an enterprise involving the substitution of sensor data, commands, and logic parameters. See for yourself how it works in the video below.

More details about Kaspersky Industrial CyberSecurity are available on its dedicated page.