Industrial asset control systems that operate physical systems (e.g., associated with power turbines, jet engines, locomotives, autonomous vehicles, etc.) are increasingly connected to the Internet. As a result, these control systems may be vulnerable to threats, such as cyber-attacks (e.g., associated with a computer virus, malicious software, etc.), that could disrupt electric power generation and distribution, damage engines, inflict vehicle malfunctions, etc. Current methods primarily consider threat detection in Information Technology (“IT,” such as computers that store, retrieve, transmit, and manipulate data) and Operation Technology (“OT,” such as direct monitoring devices and communication bus interfaces). Cyber-threats can still penetrate these protection layers and reach the physical “domain,” as seen in 2010 with the Stuxnet attack. Such attacks can diminish the performance of a control system and may cause a total shutdown or even catastrophic damage to a plant. Currently, Fault Detection, Isolation and Accommodation (“FDIA”) approaches only analyze sensor data, but a threat might occur in connection with other types of threat monitoring nodes. Also note that FDIA is limited to naturally occurring faults in one sensor at a time. FDIA systems do not address multiple simultaneously occurring faults, as in the case of malicious attacks. Moreover, there may be a number of different ways of measuring the performance of a threat detection system (e.g., false alerts when no threats are present, failures to create alerts when threats are in fact present, how rapidly threats can be detected, etc.). As a result, creation of a suitable threat detection system can be difficult—especially when a substantial number of monitoring nodes of different types are evaluated and various performance metrics need to be considered.
In addition, some unauthorized commands might be able to cause severe damage to an industrial asset within a few milliseconds. For example, opening or closing a breaker might cause components to rapidly become unstable and, in some cases, elements of the machine could even explode. It can be difficult to detect such quick-acting problems using traditional cyber-threat detection techniques. It would therefore be desirable to facilitate creation of a suitable threat detection system to protect an industrial asset control system from cyber-threats in an automatic and accurate manner.