“Irregularity, dissimilarity from the general rule, or from a structure”: this is how the Treccani encyclopaedia defines anomaly, one of the words that are starting to scare us even in the industrial sector.

But why are anomalies so important?

The answer is quite simple: when a given datum or event presents itself differently from what we would expect, we could be facing not only a malfunction of a system, but also a possible intrusion into or sabotage of IT systems (also at the production level).

The real difficulty lies in detecting and understanding anomalies.

This is one of the topics that we will discuss on 6 February 2019 in Milan within the Industrial Software Forum: are you already registered?

Why bother with even a small variation?

Sometimes even small deviations from the norm could be an indication of something not working as it should.

Shall we give an example? Let's consider a PLC that normally exchanges about fifty kilobytes of data per work shift (for example 45 outgoing and 5 incoming) with the industrial PC on which the supervisory system runs, over a given port. Suppose that, at some point, the data exchange between those two machines grows to 100 kilobytes. "That's just 50 kilobytes more; a few more signals must have been transmitted," we might think.

Meanwhile, let us consider that without a system continuously monitoring the automatic and "silent" communications of our factory devices, those extra 50 kilobytes would have gone completely unnoticed.

But let's look together at what can be hidden behind a small anomaly like this.

Let's try, for example, to investigate the data exchange that took place at the time of the anomaly: we discover that those 100 kilobytes consist of 95 kilobytes of incoming data and only 5 kilobytes of outgoing data.

In practice, 90 kilobytes more than usual entered the PLC, while 40 kilobytes less than usual were transmitted.

There is definitely something wrong, don't you think?

What a fright! What could be causing it?

The first thing that makes us think is that the PLC transmitted less data than usual, even though we haven't changed anything in the configuration.

The cause, however, could be precisely in that extra data that has entered.

Where does the logged incoming traffic come from? Here's the surprise!

The incoming traffic to the PLC has arrived through the port dedicated to remote assistance!

It begins to become clearer what could have happened: if the remote maintenance staff had sent some firmware updates, that would also explain why the PLC sent only a little data. A round of phone calls and we find out that's exactly what happened.

Our remote service provider had started (without consulting us and agreeing on the most appropriate moment) a process of updating the firmware of our PLC.

Luckily nothing irreparable happened this time: we lost some production, but we understood what had happened and we lectured our partners, explaining that they must notify us before carrying out such operations.

Lessons Learned

With this simple example we have seen how even small variations in the communication activities between the devices of an industrial network can be a symptom of problems.

In this case the variations were due to legitimate access to the machine, but the cause could also have been sabotage or illegal access from outside. We also understood that detecting certain anomalies "by eye" is an almost impossible task.

Today, fortunately, there are technological solutions that allow automatic detection of anomalies (known as "anomaly detection").

But how do they work? These solutions are "appliances", i.e. systems made up of an intelligent box (which can also be replaced by a "virtual device") and software.

The box connects to the network and the first two things it does are:

  • "listening" to communication activities
  • rebuilding a map of the devices present on the network

No need to worry: this is "passive" listening that does not interfere in any way with communications.

Once this learning phase is finished (we decide whether it lasts an hour, a day or a week, depending on how long our work cycles normally last), the system has learned the normal types and quantities of communications.

At this point we just have to tell the system which thresholds and which behaviors are to be considered normal and which should instead trigger an alarm.

That's it! At this point it is enough to activate the operating mode and we will have an always active guardian to detect anomalies.
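As an added example (not code from the article, nor from any vendor's product), here is a minimal version of the two phases just described, applied to the PLC scenario from the earlier section: a training phase that passively aggregates flow records, builds the device map and learns the mean bytes per shift for each (direction, port) channel, and an operating mode that compares a new shift against that baseline and drills down by direction and port. The addresses, port numbers, tolerance and traffic figures are constructed assumptions; the remote-assistance host and the PLC-side ports are hypothetical.

```python
"""Baseline-and-threshold anomaly detection for PLC traffic, per work shift.

Training phase: passively aggregate flow records, build the device map and
learn the mean bytes per shift for every (direction, PLC port) channel.
Operating mode: compare a new shift against that baseline and report
total-volume deviations, per-channel deviations, channels never seen in
training, and devices not present in the learned map.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

KB = 1024

# Hypothetical addresses and ports (assumptions, not taken from the article).
PLC = "10.0.1.10"            # the PLC
SCADA = "10.0.1.20"          # industrial PC running the supervisory system
REMOTE_HOST = "192.0.2.77"   # remote-assistance provider, never seen in training
SUPERVISION_PORT = 502       # PLC-side port used by the supervisory system
REMOTE_ASSIST_PORT = 4433    # PLC-side port dedicated to remote assistance


@dataclass(frozen=True)
class Flow:
    """One aggregated conversation as a passive sensor would log it."""
    shift: int      # work-shift number
    src: str
    dst: str
    port: int       # PLC-side service port of the conversation
    nbytes: int


def flow_key(flow):
    """Channel identifier: direction relative to the PLC plus the PLC-side port."""
    direction = "in" if flow.dst == PLC else "out"
    return (direction, flow.port)


def build_training_flows(shifts):
    """Constructed normal traffic: ~45 KB out of the PLC and ~5 KB in, per shift, with small jitter."""
    flows = []
    for s in range(shifts):
        flows.append(Flow(s, PLC, SCADA, SUPERVISION_PORT, 45 * KB + s * 100))
        flows.append(Flow(s, SCADA, PLC, SUPERVISION_PORT, 5 * KB + s * 20))
    return flows


# Constructed anomalous shift: the PLC sends only 5 KB, and 90 KB arrive from
# an unknown host through the remote-assistance port (total 100 KB, 95 in / 5 out).
ANOMALOUS_SHIFT = [
    Flow(10, PLC, SCADA, SUPERVISION_PORT, 5 * KB),
    Flow(10, SCADA, PLC, SUPERVISION_PORT, 5 * KB),
    Flow(10, REMOTE_HOST, PLC, REMOTE_ASSIST_PORT, 90 * KB),
]


def learn_baseline(flows):
    """Training phase: device map plus mean bytes per shift for each channel."""
    devices = set()
    per_shift = defaultdict(lambda: defaultdict(int))
    for f in flows:
        devices.update((f.src, f.dst))
        per_shift[f.shift][flow_key(f)] += f.nbytes
    channels = {k for shift_totals in per_shift.values() for k in shift_totals}
    baseline = {k: mean(per_shift[s].get(k, 0) for s in per_shift) for k in channels}
    return devices, baseline


def check_shift(flows, devices, baseline, shift, tolerance=0.25):
    """Operating mode: return (kind, subject, observed_bytes, expected_bytes) findings for one shift."""
    findings = []
    observed = defaultdict(int)
    unknown = []
    for f in flows:
        if f.shift != shift:
            continue
        for host in (f.src, f.dst):
            if host not in devices and host not in unknown:
                unknown.append(host)
        observed[flow_key(f)] += f.nbytes
    findings.extend(("unknown_device", host, 0, 0) for host in unknown)

    expected_total = sum(baseline.values())
    observed_total = sum(observed.values())
    if abs(observed_total - expected_total) > tolerance * expected_total:
        findings.append(("volume_total", None, observed_total, expected_total))

    # Drill down: which direction and which port carry the deviation?
    for k in sorted(set(baseline) | set(observed)):
        exp, obs = baseline.get(k, 0), observed.get(k, 0)
        if exp == 0:
            findings.append(("new_channel", k, obs, exp))
        elif abs(obs - exp) > tolerance * exp:
            findings.append(("volume_channel", k, obs, exp))
    return findings


if __name__ == "__main__":
    training = build_training_flows(10)
    devices, baseline = learn_baseline(training)
    for finding in check_shift(ANOMALOUS_SHIFT, devices, baseline, 10):
        print(finding)
```

Run against the constructed anomalous shift, the total-volume finding reproduces the "50 kilobytes more" that first caught our eye, and the per-channel findings reproduce the investigation: the outgoing channel is far below its baseline, and the surplus entered through a port (and from a host) that the training phase never saw. A real appliance replaces the fixed 25% tolerance with the thresholds we configure per channel, but the sequence of learn, threshold and compare is the same.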

 

 

The hidden benefits

As we said, an anomaly detection system is very useful for detecting any suspicious network behavior.

Each anomaly can thus be verified in a short time, understanding the reasons and establishing any necessary remedies. We can summarize in these few points the advantages offered by an anomaly detection system:

  • It installs easily and has no impact on system performance
  • It scales easily if we want to extend it to other areas of the network
  • It centrally supervises and monitors large distributed industrial networks
  • It recognizes anomalies quickly
  • It tracks assets easily and recognizes cybersecurity risks
  • It significantly reduces troubleshooting time
  • It quickly detects cybersecurity threats, risks and incidents

Now that we understand the importance of having an anomaly detection system, what are we waiting for to get one of the best around? An example? Click below…
