In the following description, references to other publications are indicated by numerals enclosed in square brackets. The relevant text of the cited references is incorporated into this disclosure, as it provides technical information that a person skilled in the art may find useful for understanding the background to particular aspects of this invention. The list of references is given at the end of this document.
Security attacks, particularly the newer industrial-targeted attacks or Advanced Persistent Threats (APTs), of which Stuxnet is one example, have the potential for espionage, sabotage, stopping or delaying operations, and fabricating information. Furthermore, such security attacks may have the capability to significantly damage or even take down industrial control systems (ICSs) and the networks and systems connected to them. Industrial control systems are used in a variety of industries, such as the electrical, water, oil, gas and data industries, though the invention should not be construed as limited to this non-exhaustive list.
The industrial-targeted security attacks Stuxnet, discovered in 2010, and Flame, discovered in 2012, represent a paradigm shift in security attacks. These new attacks target industrial systems, such as ICSs, and are difficult to detect. For example, it is believed that Flame operated for several years before it was discovered. Control, operational and production systems are the targets of these new attacks, possibly leading to a halt in operations, destruction of equipment or other incidents. The implications of such a security attack may be catastrophic. Details of how Stuxnet caused physical damage to centrifuges at the Iranian uranium enrichment facility at Natanz are described in reference [6].
Flame was a sophisticated piece of espionage software, and similar malicious software might infiltrate ICSs in the wide range of industries that rely on control systems. Another significant security concern is sabotage malware: software programmed to slowly destroy a control system, specific controllers or part of a system. Sabotage malware might cause abnormal activity and malfunctions that are hard to detect, since the effects build up gradually and may resemble ordinary wear or process variation.
Some known control systems have capabilities for detecting security events and anomalous events. However, such systems may fail to detect industrial-targeted attacks, previously unknown security events, zero-day attacks, and other security-relevant events that are unknown or not recognizable by the detection logic, since their detection typically relies on signatures or patterns of previously observed behaviour.