
OpenTalks.AI - Andrey Lavrentyev, Using Neural Networks to Protect ICS from Cyber and Physical Attacks

OpenTalks.AI

March 01, 2018

Transcript

  1. Andrey Lavrentyev, Head of Technology Research Department, Future Technologies, Kaspersky Lab
     Using Neural Networks to Protect ICS from Cyber and Physical Attacks
     OpenTalks.AI, Feb. 7, 2018
  2. INDUSTRIAL DATA (diagram: Plant, PLC, SCADA, ICS):
     • Multi-channel ~ 104 signals
     • Real-time flow ~ 100 ms
     • Big history ~ years
     • Noise, jitter, gaps, faults
     • Cross-channel correlation
     PLC – Programmable Logic Controller
     SCADA – Supervisory Control and Data Acquisition system
  3. ICS under Attack (diagram: Plant, PLC, SCADA; physical attacks, cyber attacks)
     Attacks may target:
     - information technology (IT) or
     - operational technology (OT)
  4. Attacks on OT are the most dangerous:
     - quick damage to physical equipment
     - severe financial losses
  5. How to detect attacks on OT?
     A clue: in any real-world plant, all industrial signals (sensor and actuator values, control logic parameters) are correlated and governed by physical laws. An attack that modifies one signal causes corresponding changes to other signals. These correlations between signals can be established using ML.
  6. MLAD - Machine Learning for Anomaly Detection (diagram: Plant, PLC, SCADA; physical attacks, cyber attacks; Traffic Mirroring; OT Security Monitor; DPI; MLAD)
  7. Data-Driven Anomaly Detection
     1. Training under normal operating conditions (diagram: Recurrent Neural Network; Data: Multivariate Time Series)
     2. Online anomaly detection via prediction error
     • Anomaly interpretation based on matching errors to specific signals
     • Early detection
  8. LSTM Recurrent Neural Network
     • 2 layers (2 x 64)
     • Input window size = prediction horizon (w)
     • Regularization – Dropout
     • Optimization algorithm – RMSProp
     • Loss function – MSE
     (diagram labels: Activation: ReLU; Activation: Linear)
  9. MLAD Key Features:
     • Early anomaly detection in OT telemetry
     • Anomaly interpretation
     • No dependence on the nature of an attack
     • Seamless integration with conventional ICS cybersecurity
     • Additional important layer of ICS cybersecurity focused on OT protection
  10. References
     www.kaspersky.com [email protected]
     [1] MLAD: Machine Learning for Anomaly Detection. https://www.youtube.com/watch?time_continue=2&v=1z4nNh9kgbU and https://ics-cert.kaspersky.com/reports/2018/01/16/mlad-machine-learning-for-anomaly-detection
     [2] RNN-based Early Cyber-Attack Detection for the Tennessee Eastman Process. ICML 2017 Time Series Workshop, Sydney, Australia, 2017. https://arxiv.org/abs/1709.02232
     [3] Multivariate Industrial Time Series with Cyber-Attack Simulation: Fault Detection Using an LSTM-based Predictive Data Model. NIPS 2016 Time Series Workshop, Barcelona, Spain, 2016. http://arxiv.org/abs/1612.06676
     [4] MLAD Presentation. https://youtu.be/xXWjfYcPi_Q
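Added example (not from the talk and not Kaspersky's MLAD code): the two-step scheme of slide 7, training on normal telemetry and then alerting on prediction error with the error matched to a signal, using pairwise linear cross-signal fits as a stand-in for the LSTM predictor. The signal names, plant equations, noise level, the 5.0 offset and the 6-sigma threshold are all constructed assumptions.

```python
import math
import random
from statistics import mean, pstdev

SIGNALS = ("valve", "flow", "current")  # hypothetical tag names

def plant(n, rng):
    """Constructed normal telemetry: flow = 2*valve, current = 0.5*flow + 1, plus noise."""
    rows = []
    for t in range(n):
        valve = 50 + 10 * math.sin(t / 10)
        flow = 2 * valve + rng.gauss(0, 0.1)
        rows.append({"valve": valve, "flow": flow, "current": 0.5 * flow + 1 + rng.gauss(0, 0.1)})
    return rows

def fit_line(xs, ys):  # least-squares slope and intercept for y ~ a*x + b
    mx, my = mean(xs), mean(ys)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return a, my - a * mx

def predict(model, row, target):
    """Predict one signal as the mean of its pairwise fits from every other signal."""
    return mean(a * row[s] + b for (s, d), (a, b) in model["fits"].items() if d == target)

def train(rows):
    """Step 1: learn cross-signal relations and the error scale from normal data only."""
    fits = {(s, d): fit_line([r[s] for r in rows], [r[d] for r in rows])
            for s in SIGNALS for d in SIGNALS if s != d}
    model = {"fits": fits}
    model["sigma"] = {d: pstdev([r[d] - predict(model, r, d) for r in rows]) for d in SIGNALS}
    return model

def score(model, row):
    """Step 2: per-signal prediction error in units of its normal-operation sigma."""
    return {d: abs(row[d] - predict(model, row, d)) / model["sigma"][d] for d in SIGNALS}

def detect(model, rows, threshold=6.0):
    """Return (sample index, signal with the largest error) for samples over the threshold."""
    scored = [(i, score(model, r)) for i, r in enumerate(rows)]
    return [(i, max(s, key=s.get)) for i, s in scored if max(s.values()) > threshold]

def demo(offset=5.0, seed=0):
    """Train on 400 normal samples, then offset the flow reading from sample 150 on."""
    rng = random.Random(seed)
    model = train(plant(400, rng))
    live = plant(200, rng)
    for row in live[150:]:
        row["flow"] += offset  # constructed tampering of one signal
    return detect(model, live)
```

The tampered flow reading also raises the errors of valve and current, because their predictions depend on it, but flow carries the largest normalized error and is the signal named in each alert.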