WO2020046371A1 - Process control systems and devices resilient to digital intrusion and erroneous commands - Google Patents

Process control systems and devices resilient to digital intrusion and erroneous commands Download PDF

Info

Publication number
WO2020046371A1
Authority
WO
WIPO (PCT)
Prior art keywords
industrial process
computer
model
control system
industrial
Prior art date
Application number
PCT/US2018/049088
Other languages
French (fr)
Inventor
Tao CUI
Kun Ji
Original Assignee
Siemens Aktiengesellschaft
Siemens Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Aktiengesellschaft, Siemens Corporation
Priority to PCT/US2018/049088
Publication of WO2020046371A1

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/418Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/4184Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by fault tolerance, reliability of production system
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00Programme-control systems
    • G05B19/02Programme-control systems electric
    • G05B19/418Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/41885Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by modeling, simulation of the manufacturing system
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0224Process history based detection method, e.g. whereby history implies the availability of large amounts of data
    • G05B23/024Quantitative history assessment, e.g. mathematical relationships between available data; Functions therefor; Principal component analysis [PCA]; Partial least square [PLS]; Statistical classifiers, e.g. Bayesian networks, linear regression or correlation analysis; Neural networks
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00Testing or monitoring of control systems or parts thereof
    • G05B23/02Electric testing or monitoring
    • G05B23/0205Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model
    • G05B23/0245Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults model based detection method, e.g. first-principles knowledge model based on a qualitative model, e.g. rule based; if-then decisions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • Although IT layers are leveraged, including secured communications, cryptography, access management, and the like, these IT layers are typically insufficient to protect O&G process control systems. For instance, if an adversary breaches an IT layer, then the adversary may have full access to the process control system.
  • FIG. 1 A presents an example of an operational environment for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
  • FIG. 1B presents an example of a computing system for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
  • FIG. 2 presents an example of a method for protecting a process control system against digital intrusion and human error, in accordance with one or more embodiments of the disclosure.
  • FIG. 3 presents an example of a method for generating a response to an abnormal condition of a process control system and industrial equipment, in accordance with one or more embodiments of the disclosure.
  • FIG. 4 presents an example of an operational environment in which protection of industrial equipment against digital intrusion and human error can be implemented in accordance with one or more embodiments of the disclosure.
  • the disclosure recognizes and addresses, in at least some embodiments, the issue of digital intrusion detection and preservation of operational integrity in complex automated industrial processes.
  • Distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems are critical infrastructure for the safe and reliable operation of a process automation system in several industries, including the oil and gas (O&G) industry.
  • O&G: oil and gas
  • cyberattacks and/or human errors on DCS for O&G process control can cause serious damage and can have dire consequences in O&G industry equipment, including negatively impacting products and production of the products, damaging assets, causing harm to personnel, creating public safety issues, and even impacting energy security of society.
  • Some of these potential security issues originate from a trend of digitalization and interconnectivity in the O&G industry.
  • the disclosure provides comprehensive anomaly detection, control, and resilience techniques. More specifically, embodiments of the disclosure integrate a digital replica of a physical process to defend a physical industrial process. Such a digital replica can be referred to as a "digital twin" and embodies or constitutes a dynamic simulation model of the physical process.
  • the digital replica integrates at least some of the physics of the physical process; a logic that controls the physical process; and a simulation model of the physical process.
  • the digital replica can utilize or otherwise leverage data-driven approaches that utilize machine-learning based methods.
  • the digital replica can utilize or otherwise leverage model-driven approaches based on physical and/or chemical phenomena underlying an industrial process and rules of such process. Accordingly, in some instances, by incorporating a model of the physical industrial process, the digital replica can be synchronized with its physical counterpart in nearly real-time.
  • the digital replica also permits or otherwise facilitates simulating and evaluating a state of the process before the state is achieved in the counterpart physical system.
  • the digital twin can nearly continuously learn and can update itself from multiple sources to refine its real-time representation of the physical process.
  • a process control system can learn from itself, using sensor data that conveys various aspects of an operating condition (or operating state) of industrial equipment that performs a physical process.
  • the learning system also can integrate historical data into its digital model to create a comprehensive linkage between the physical and digital worlds to enable risk assessment, attack prevention, attack/fault detection, and attack/fault mitigation.
  • the disclosure provides an end-to-end cyber physical system security resilient framework (CPSSRF) using a digital twin of an industrial process to assess risk, detect attacks and command errors, and mitigate attacks afterwards to protect a DCS (or any other distributed process control architecture) for an O&G process, for example.
  • the resilient security framework CPSSRF disclosed herein uses a digital twin of an industrial process to defend the actual physical process against cyberattacks and/or human errors in real-time or nearly real time, thus providing an OT layer security perimeter.
  • the disclosure provides a defense of O&G assets and other distributed industrial infrastructure against digital intrusion attacks and/or erroneous control commands.
  • the defense systems and techniques in accordance with this disclosure incorporate aspects of a process control domain, at the operation technology (OT) layer, into various defense mechanisms.
  • embodiments of this disclosure can provide numerous technical improvements and benefits over conventional technologies for protection of a process control system and/or industrial equipment against digital intrusion and human error.
  • embodiments of the disclosure can detect attacks and failure on individual control devices (sensor devices, actuator devices, switch devices, etc.) and/or the process control system as a whole, from an overall process perspective.
  • embodiments of the disclosure can proactively simulate and evaluate crisis scenarios related to digital intrusion and/or human error.
  • embodiments of the disclosure can assess the impact of the operator command and can effect remediation (e.g., notify an operator or issue another type of alert, and/or block the implementation of an erroneous command).
  • embodiments of the disclosure can provide countermeasures in case of a cyberattack and/or human error occurs in the physical system.
  • the countermeasures can be effected automatically in response to a digital intrusion or an operational crisis, or can be provided to a human operator. It is noted that by focusing on intrusion detection at the IT layer, conventional approaches typically fail to correlate network events with anomalies found in the OT layer.
  • FIG. 1A presents an example of an operational environment 100 for a process control system and industrial equipment resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
  • the illustrated operational environment 100 includes industrial equipment 110 having hardware 114 that permits or otherwise facilitates specific functionality.
  • the industrial equipment 110 can be embodied in or can include an industrial boiler.
  • the hardware 114 can include a hermetically sealable vat, tubing for ingress of fluid into the vat and other tubing for the egress of the fluid; valves for control of fluid injection into the vat; valves that control fluid (liquid and/or gas) egress from the vat; heater devices, one or more pumps to supply fluid to the vat; and the like.
  • the industrial equipment 110 can be embodied in or can include a gas turbine.
  • the hardware 114 can include blades, a rotor, a compressor, a combustor, and the like.
  • the industrial equipment 110 can implement or perform a defined industrial process that can be automated.
  • a group of sensor devices (e.g., sensor devices 118_1 to 118_D)
  • the group of sensor devices can be integrated into or otherwise coupled to the hardware 114 to collect data indicative or otherwise representative of an operational state of the industrial equipment 110.
  • the group of sensor devices can be homogeneous, including several sensor devices of a same type (e.g., pressure meters or temperature meters).
  • the group of sensor devices can be heterogeneous, where a first subset of the group of sensor devices corresponds to sensor devices of a first type and a second subset of the group of sensor devices corresponds to sensor devices of a second type.
  • such a group of sensor devices can include pressure meter(s) and temperature meter(s).
  • the group of sensor devices includes a sensor device 118_1, a sensor device 118_2, ..., a sensor device 118_D, where D is a natural number greater than unity.
  • Open, block arrows linking respective sensors and the hardware 114 generically depict integration of a sensor device into the hardware 114 or coupling of the sensor device to the hardware 114.
  • the industrial equipment 110 can have a defined complexity (architectural or otherwise) based at least in part on the type of industry to which the industrial equipment 110 pertains. Within an industry, the complexity of the industrial equipment 110 also can be based at least on the types of industrial processes that the industrial equipment 110 can implement. In some embodiments, the industrial equipment 110 can be specific to the O&G industry. This disclosure, however, is not limited in that respect, and the principles and practical elements of the disclosure can be applied to any industrial equipment that implements an industrial process that can be automated.
  • a process control system 120 can be functionally coupled (e.g., communicatively coupled, electrically coupled, electromagnetically coupled, and/or electromechanically coupled) to the industrial equipment 110.
  • a communication architecture 124 can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the process control system 120 and the industrial equipment 110.
  • the communication architecture 124 can be embodied in or can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like.
  • One or more of the bus architectures can include an industrial bus architecture, such as an Ethernet-based industrial bus, a controller area network (CAN) bus, a Modbus, other types of fieldbus architectures, or the like.
  • CAN: controller area network
  • the process control system 120 can implement control logic for the automation of an industrial process that can be performed by the industrial equipment 110. In some embodiments, the process control system 120 also can apply other types of rules that dictate physical access to the industrial equipment 110, implementation of a defined sequence of commands that operate the industrial equipment 110, a combination thereof, or the like.
  • the process control system 120 can operate in real time, collecting or otherwise receiving observed data from the sensor devices 118_1 to 118_D.
  • the process control system 120 can implement the control logic and/or other control algorithms (or processes) using, in some instances, the observed data. Based at least on the implemented logic and/or algorithms, the process control system 120 can send execution commands and/or setpoints to actuator devices (not depicted) or other types of controller devices (not depicted) that constitute the process control system 120.
  • the process control system 120 also can include one or more human-machine interfaces (HMIs; not depicted) that can present (visually or aurally) real-time status or nearly real-time status to operators. An HMI also can receive commands from operators.
  • the process control system 120 can be embodied in or can include a DCS and/or a supervisory control and data acquisition (SCADA) system.
  • SCADA: supervisory control and data acquisition
  • the industrial equipment 110, the communication architecture 124, and the process control system 120 constitute a physical process domain in which an industrial process is implemented.
  • the operational environment 100 also includes a digital replica domain that includes a computer-implemented environment onto which an industrial process (e.g., an entire production cycle) in the physical process domain can be mapped.
  • the digital replica domain includes and utilizes numerous modelling, computational, and artificial intelligence (AI) technologies that, individually or in combination, can permit implementing a digital replica of a physical industrial process.
  • AI: artificial intelligence
  • Such a digital replica embodies or constitutes a dynamic simulation model of the physical industrial process.
  • the digital replica domain can include an analytic engine 130 that can receive a model of the industrial process that can be automated by the process control system 120 and implemented, at least partially, by the industrial equipment 110.
  • the analytic engine 130 can receive information indicative of the model from a model generator engine 140.
  • Such information can include data, metadata, and/or code instructions. Execution of the code instructions (which can constitute libraries and/or other types of software components) can permit simulating defined aspects of the industrial process in the physical process domain.
  • the model generator engine 140 can configure a model of the industrial process in numerous ways.
  • the model generator engine 140 can generate the model using a modelling approach.
  • physical model(s) of the industrial process; chemical model(s) of the industrial process; physicochemical model(s) of the industrial process; logic of the control process(es) that automate the implementation of the industrial process; and/or rules can be utilized or otherwise leveraged to create a computer simulation model.
  • Each one of a physical model, a chemical model, or a physicochemical model can be a first principles model or an empirical model.
  • the model of the industrial process can be generated using a data-driven approach.
  • historical input data, historical output data, state information (e.g., data, metadata, and/or signaling) of the industrial process, a combination thereof, or the like can be utilized or otherwise leveraged to create a computer simulation model.
  • a data-driven model can be learned from the data to reflect the relations of input data, output data, and a state of the process.
  • the data-driven model can be embodied in or can include a machine learning model based on a deep neural network, a generative adversarial network, or the like.
  • the model can represent and can predict phenomena (e.g., physics, chemistry, physical chemistry), logics, and rules of the industrial process.
  • the model generator engine 140 can send information representative of the model to the analytic engine 130.
  • the analytic engine 130 can configure a digital replica (which, as mentioned, also can be referred to as a digital twin) based at least on the model. Specifically, the analytic engine 130 can build one or more software components that permit executing the digital replica. In addition, or in some embodiments, the analytic engine 130 can configure an execution job (e.g., request a defined number of processors, compute time, and other computing resources) to execute the digital replica.
  • a real-time or nearly real-time synchronization 128 between the physical industrial process and the digital replica can occur to synchronize a state of the model with the implementation of the industrial process in the physical process domain.
  • a synchronization can include a transmission of state information from the process control system 120 to the analytic engine 130.
  • the state information can be utilized for model validation and verification, for example.
  • the analytic engine 130 can perform (or can continue performing, after the synchronization 128) a simulation of the digital twin in three different modes: (1) A first mode, referred to as "real-time mode," in which the analytic engine 130 performs a simulation of a time interval of the industrial process that corresponds to the same time interval elapsed in the physical domain while the industrial process is implemented. More plainly stated, the computer-implemented simulation is performed in a parallel, corresponding timeline with the physical process. Therefore, results from the computer-implemented simulation can permit or otherwise facilitate cross-checking sensor data and/or related physical states to detect corrupted data and/or anomalies.
  • (2) A second mode, referred to as "predictive mode," in which the analytic engine 130 performs a simulation of a time interval that is greater than the time interval that elapses in the physical domain while the industrial process is implemented.
  • a timeline of the computer-implemented simulation is faster than in real-time mode.
  • a computer- implemented simulation of the industrial process in predictive mode can permit or otherwise facilitate evaluating a future state of the industrial process under defined conditions and/or control commands.
  • Results of performing (or continuing to perform after the synchronization 128) the simulation of the digital replica can be utilized to evaluate a discrepancy between the digital replica and physical industrial process to permit or otherwise facilitate anomaly detection.
  • results can permit or otherwise facilitate evaluating an impact of a command on the implementation of the industrial process, thus permitting the detection of an erroneous command or an erroneous sequence of commands.
  • the results can permit or otherwise facilitate generating contingency plans that include lists of counter measures or mitigation schemes against digital intrusion and/or erroneous commands.
  • the operational environment 100 includes an anomaly detector module 150 that can determine a difference between an outcome from the performance of the digital replica and a counterpart outcome in the physical process
  • the anomaly detector module 150 can apply a rule to the difference to determine an anomaly state of the physical process.
  • the anomaly state can be indicative of one of presence of an abnormal condition or absence of an abnormal condition.
  • absence of an abnormal condition can indicate that the process control system and the industrial equipment operate under normal conditions.
  • An operational condition of the process control system can be characterized by a digital intrusion condition and a control integrity condition.
  • presence of an abnormal condition can be indicative of an exception in the digital intrusion condition and/or an exception of the control integrity condition.
  • an exception in the digital intrusion condition can be embodied in or can include a defined risk of intrusion that is greater than a threshold level.
  • an exception can be embodied in or can include a digital breach (or an occurrence of a digital intrusion).
  • An exception in a control integrity condition can be embodied in or can include, for example, one of an operator command that causes malfunction of any part of the hardware 114; an operator command that violates control logic; an operator command that fails to satisfy a group of dependencies of the control logic; or the like.
  • Such an exception, individually or in combination with one or more other exceptions, can be referred to as an exception condition of the process control system. Therefore, the anomaly state can indicate an area that is potentially under attack and/or erroneous commands that need investigation and/or change.
  • the anomaly detector module 150 can determine one or more differences in respective dimensions of operation of the industrial equipment that performs the industrial process that is simulated by means of the digital replica.
  • the difference(s) can be determined as a function of time.
  • the anomaly detector module 150 can determine difference(s) at defined instants, e.g., according to a schedule or periodically.
  • the anomaly detector module 150 can determine such difference(s) in nearly real time, e.g., at consecutive instants, each determined by the time elapsed during the implementation of one or more computations that result in a determination of one such difference. Therefore, the anomaly detector module 150 can monitor an anomaly state of the industrial process.
  • the anomaly detector module 150 can send one or more directives to the process control system to execute a group of computer-implemented operations to remediate the abnormal condition. Such directive(s) can be sent within an instruction message 154.
  • the anomaly detector module 150 can send a group of control commands to a control device (not depicted) to remediate the abnormal condition, the control device coupled to the process control system. The group of control commands can be sent within another instruction message 154.
  • the operational environment 100 includes a contingency generator module 160 that can generate cybersecurity measures proactively, in advance of a detection of an abnormal condition in the process control system.
  • the cybersecurity measures can include issuing an error command; rejecting a requested operation deemed illegitimately issued; enforcing defined access control to computing resources (software assets and/or physical assets); disabling devices with abnormal data readings; activating a backup generation unit (not depicted in FIG. 1A); increasing reserved generation capacity; a combination of the foregoing; or the like.
  • the cybersecurity measures can serve as preconfigured responses to the abnormal condition and can be implemented (e.g., executed) or otherwise triggered based at least on an outcome of a vulnerability analysis performed by the analytic engine 130, to mitigate the impact of the current change.
  • the vulnerability analysis can identify which device/equipment is under attack or has received an erroneous command.
  • the cybersecurity measures can be supplied (e.g., sent or made available) to the process control system 120 and can be retained in one or more memory devices (generically referred to as a memory) that can be included in the process control system 120 and/or the contingency generator module 160.
  • a subgroup of the cybersecurity measures can be specific to the exception condition (such as an exception of a digital intrusion condition). Thus, at least one of the cybersecurity measures in the subgroup can be implemented in response to the detection of the exception condition.
  • Cybersecurity measure(s) generated by the contingency generator module 160 can be supplied (e.g., sent or made available) to a physical asset and/or the process control system 120.
  • the cybersecurity measure(s) can be sent to the process control system in a contingency notification 164.
  • the physical asset can be embodied in or can include an element of the hardware 114 or a control device (a sensor device, an actuator device, a switch device, or the like).
  • the cybersecurity measure(s) can permit or otherwise facilitate the physical asset and/or the control process system to remediate an impact of a digital intrusion or another type of attack and/or a fault caused by an erroneous control command.
  • the transmission of instruction messages 154 and/or contingency notifications 164 can complete a resilience loop between the physical process domain and the digital replica domain, providing protection schemes against a digital intrusion and/or operation fault.
  • the protection schemes can be provided reactively and proactively, thus rendering the process control system 120 and devices coupled thereto resilient to digital intrusion and erroneous control commands.
  • FIG. 1B presents an example of a computing system 170 for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
  • the illustrated computing system 170 includes one or more processor(s) 180 and one or more memory devices 190 (generically referred to as memory 190) that include machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that can be accessed and executed by at least one of the processor(s)
  • the processor(s) 180 can be embodied in or can constitute a graphics processing unit (GPU), a plurality of GPUs, a central processing unit (CPU), a plurality of CPUs, an application-specific integrated circuit (ASIC), a microcontroller, a programmable logic controller (PLC), a field programmable gate array (FPGA), a combination thereof, or the like.
  • the processor(s) 180 can be arranged in a single computing apparatus (e.g., a blade server). In other embodiments, the processor(s) 180 can be distributed across two or more computing apparatus.
  • the processor(s) 180 can be functionally coupled to the memory 190 by means of a communication architecture 185.
  • the communication architecture 185 is suitable for the particular arrangement (localized or distributed) of the processor(s) 180.
  • the communication architecture 185 can include base station devices; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like.
  • the memory 190 includes the analytic engine 130.
  • the analytic engine 130 includes machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the analytic engine 130.
  • the instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media.
  • the instructions can be arranged in modules (not depicted in FIG. 1B).
  • the memory 190 also includes the anomaly detector module 150 and the contingency generator module 160.
  • Each of such modules includes respective groups of machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the anomaly detector module 150 and the contingency generator module 160.
  • the respective groups of machine-accessible instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media.
  • the memory 190 includes the model generator engine 140.
  • the model generator engine 140 also includes machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the model generator engine 140.
  • the instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media.
  • the instructions can be arranged in modules (not depicted in FIG. 1B).
  • the machine-accessible instructions that form the analytic engine 130, the model generator engine 140, the anomaly detector module 150, and the contingency generator module 160 can be executed by at least one processor of the processor(s) 180.
  • the computing system 170 also can include other types of computing resources (e.g., controller device(s), power supplies, and the like) that can permit or otherwise facilitate the execution of the software components (e.g., engines and modules). Execution of the instructions can cause the at least one processor (and, thus, the computing system 170) to provide a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with aspects of this disclosure.
  • FIGS. 2-3: For purposes of simplicity of explanation, the exemplified methods (and other techniques disclosed herein) are presented and described as a series of operations. It is noted, however, that the exemplified methods and any other techniques of this disclosure are not limited by the order of operations. Some operations may occur in a different order than that which is illustrated and described herein. In addition, or in the alternative, some operations can be performed essentially concurrently with other operations (illustrated or otherwise). Further, not all illustrated operations may be required to implement an exemplified method or technique in accordance with this disclosure. Furthermore, in some embodiments, two or more of the exemplified methods and/or other techniques disclosed herein can be implemented in combination with one another to accomplish one or more elements and/or technical
  • one or several of the exemplified methods and/or other techniques disclosed herein can be represented as a series of interrelated states or events, such as in a state-machine diagram. Other representations also are possible.
  • interaction diagram(s) can represent an exemplified method and/or a technique in accordance with this disclosure in scenarios in which different entities perform different portions of the disclosed methodologies.
  • the example methods disclosed in this specification can be retained or otherwise stored on an article of manufacture (such as a computer-program product) in order to permit or otherwise facilitate transporting and
  • programming code instructions when executed by the one or more processors can implement or carry out the various operations in the exemplified methods and/or other technique disclosed herein.
  • the programming code instructions therefore, provide a computer-executable or machine-executable framework to implement the exemplified methods and/or other techniques disclosed herein. More specifically, yet not exclusively, each block of the flowchart illustrations and/or combinations of blocks in the flowchart illustrations can be implemented by the programming code instructions.
  • FIG. 2 presents a flowchart of an example method 200 for protecting industrial equipment against digital intrusion and/or human error, in accordance with one or more embodiments of the disclosure.
  • the example method 200 can be implemented, entirely or in part, by a computing system having one or more processors, one or more memory devices, and/or other types of computing resources.
  • the computing system can embody or can include at least the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160.
  • the computing system can be embodied in or can include the computing system 170 shown in FIG. 1B.
  • the computing system can receive model information indicative of a simulation model of an industrial process.
  • the industrial process can be implemented in industrial equipment (e.g., O&G industrial equipment).
  • the implementation can be automated by a control process system and control devices, for example.
  • the simulation model can result from, or can be based at least on, one of a modelling approach or a data-driven approach. Each one of such approaches includes information representative or otherwise indicative of a control process for the automation of the implementation of the industrial process.
  • the model can be a physical model or a deep neural network model.
  • the computing system can update extant model information.
  • the model information can be updated using a second physical model of the industrial process and/or logic of an automation process that implements the industrial process at least partially.
  • updating the physical model can include updating a deep neural network model (e.g., a convolutional neural network) corresponding to a model that has been previously received.
  • the computing system can update the model by receiving or otherwise accessing historical data indicative of an implementation of the industrial process, and training (or retraining) the deep neural network model using at least the historical data.
  • the computing system can receive state information representative of a current state of the industrial process.
  • the computing system can perform a simulation of the industrial process using at least the model.
  • the received state information can serve as an initial or boundary condition for the simulation.
  • the computing system can determine an anomaly state of a control process system using at least an output of the performed simulation.
  • the control process system can control the automation of the industrial process.
  • the anomaly state can be indicative of one of presence of an abnormal condition or absence of an abnormal condition.
  • presence of an abnormal condition can be indicative of an exception in the digital intrusion condition and/or an exception of the control integrity condition.
  • the computing system can determine if the anomaly state is indicative of an exception condition of the control process system.
  • the flow of the example method 200 can be directed to block 220, at which the computing system can receive further state information.
  • the flow of the example method 200 can continue to block 260, at which point the computing system can implement a remediation plan for the abnormal condition—e.g., an exception in the digital intrusion condition and/or an exception of the control integrity condition.
  • the computing system in response to determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the occurrence of a digital intrusion, can send a directive to the process control system to execute a group of computer-implemented operations to remediate the abnormal condition.
  • the computing system in response to determining that the anomaly state is indicative of the presence of an abnormal condition corresponding to the issuance of an erroneous control command, can send a group of control commands to a control device to remediate the abnormal condition, where the control device can be coupled to the process control system.
  • FIG. 3 presents a flowchart of an example method 300 for generating a response to an abnormal operational condition (e.g., digital intrusion and/or a human error) of a process control system, in accordance with one or more embodiments of the disclosure.
  • the example method 300 can be implemented, entirely or in part, by a computing system having one or more processors, one or more memory devices, and/or other types of computing resources.
  • the computing system can embody or can include at least the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160.
  • the computing system can be embodied in or can include the computing system 170 shown in FIG. 1B.
  • the computing system can receive a model of an industrial process executed in an industrial equipment.
  • Receiving the model can include receiving information (e.g., data, metadata, and/or code instructions) indicative or otherwise representative of a physical model, a chemical model, a physicochemical model, control logic, one or more rules, a combination thereof, or the like.
  • the computing system can configure a probe operational state of the industrial process.
  • the probe operational state can be representative of an abnormal operational condition of a process control system that automates the industrial process.
  • An abnormal condition can be embodied in or can include, for example, a digital intrusion anomaly and/or a control integrity anomaly. More specifically, the digital intrusion anomaly can include an occurrence of a digital intrusion into the process control system that automates the industrial process.
  • the control integrity anomaly can include an erroneous operator command or an erroneous sequence of operator commands.
  • the computing system can perform a simulation of the industrial process using at least the model and subject to the probe operational state.
  • the computing system can generate a contingency plan to respond to the abnormal operational condition.
  • the contingency plan can include a group of actions (or operations) to be performed by the process control system.
  • generating the contingency plan can include configuring a data structure indicative of the group of operations to be performed by the process control system (e.g., process control system 120).
  • the group of operations can include one or more of issuing an error command; rejecting a requested operation deemed illegitimately issued; enforcing of defined access control to computing resources (software assets and/or physical assets); disabling devices with abnormal data readings; activating a backup generation unit; increasing reserved generation capacity; or the like.
  • the computing system can supply (e.g., send or make available) the contingency plan.
  • supplying can include causing the process control system (e.g., process control system 120) to retain the data structure generated at block 340.
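  • The following is an added illustration of the detection step of method 200 and the probe-and-plan step of method 300; it is not code from the patent. It uses a hypothetical linear tank model with made-up parameters and a made-up safe-level limit: the received state is the initial condition of a forward simulation, readings that contradict the simulation are classed as a digital intrusion, a command whose simulated trajectory leaves the safe region is classed as a control integrity anomaly, and the contingency plan is the data structure of operations retained for a probe state (block 340).

```python
"""Added example (not from the patent): digital-twin checks for method 200
(detect and remediate) and method 300 (probe state -> contingency plan).
The tank model, its parameters and the safe-level limit are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Anomaly(Enum):
    NONE = "none"
    DIGITAL_INTRUSION = "digital_intrusion"   # readings contradict the physics
    CONTROL_INTEGRITY = "control_integrity"   # command drives plant out of bounds


@dataclass
class TankModel:
    """Hypothetical physical model: level [m] of a tank with a commanded
    inflow valve (0..1) and a level-proportional drain."""
    area: float = 2.0           # tank cross-section, m^2
    max_inflow: float = 1.0     # m^3/s with the valve fully open
    outflow_coeff: float = 0.5  # m^3/s per metre of level

    def simulate(self, level, valve, dt=1.0, steps=10):
        """Forward simulation; `level` is the received state used as the
        initial condition. Returns the predicted level trajectory."""
        traj = []
        for _ in range(steps):
            inflow = self.max_inflow * valve
            outflow = self.outflow_coeff * level
            level = max(0.0, level + dt * (inflow - outflow) / self.area)
            traj.append(level)
        return traj


@dataclass
class ProcessState:
    level: float           # level at the start of the interval (initial condition)
    valve_cmd: float       # valve position commanded for the interval
    observed_level: float  # sensor reading at the end of the interval


def determine_anomaly(model, state, safe_high, tol=0.1):
    """Method 200: simulate from the received state, then classify the
    anomaly state from the simulation output."""
    traj = model.simulate(state.level, state.valve_cmd)
    predicted = traj[-1]
    if abs(state.observed_level - predicted) > tol:
        # Plant behaviour no longer matches the model for the commanded input:
        # consistent with tampered readings or actuation (digital intrusion).
        return Anomaly.DIGITAL_INTRUSION, predicted
    if max(traj) > safe_high:
        # Readings match the model, but the command itself steers the process
        # past its safe limit: an erroneous control command.
        return Anomaly.CONTROL_INTEGRITY, predicted
    return Anomaly.NONE, predicted


def remediate(anomaly):
    """Block 260: a directive for the control system on intrusion, or direct
    control commands for the control device on an erroneous command."""
    if anomaly is Anomaly.DIGITAL_INTRUSION:
        return {"directive": ["reject_illegitimate_request",
                              "enforce_access_control",
                              "disable_device_with_abnormal_readings"]}
    if anomaly is Anomaly.CONTROL_INTEGRITY:
        return {"control_commands": [("set_valve", 0.0)]}  # close the inflow
    return None


def generate_contingency_plan(model, probe_level, probe_valve, safe_high):
    """Method 300: simulate a probe (abnormal) operational state ahead of time
    and record the operations the control system should retain for it."""
    traj = model.simulate(probe_level, probe_valve)
    plan = {"probe_state": {"level": probe_level, "valve": probe_valve},
            "predicted_peak": max(traj), "operations": []}
    if plan["predicted_peak"] > safe_high:
        plan["operations"] += ["issue_error_command",
                               "reject_requested_operation",
                               ("set_valve", 0.0)]
    return plan


if __name__ == "__main__":
    model, limit = TankModel(), 1.5  # hypothetical safe-level limit
    # Constructed states: nominal, erroneous command, spoofed sensor reading.
    for st in (ProcessState(1.0, 0.5, 1.0),
               ProcessState(1.0, 1.0, 1.94),
               ProcessState(1.0, 0.5, 0.2)):
        a, pred = determine_anomaly(model, st, limit)
        print(st, "->", a.value, round(pred, 3), remediate(a))
    print(generate_contingency_plan(model, 1.0, 1.0, limit))
```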
  • FIG. 4 presents an example of an operational environment in which functionality associated with resilient process control can be implemented in accordance with one or more embodiments of the disclosure.
  • the exemplified operational environment 400 is merely illustrative and is not intended to suggest or otherwise convey any limitation as to the scope of use or functionality of the operational environment's architecture.
  • the exemplified operational environment 400 depicted in FIG. 4 should not be interpreted as having any dependency or requirement relating to any one or combination of modules or other types of components illustrated in other example operational environments of this disclosure.
  • the example operational environment 400 or portions thereof can embody or can constitute other ones of the various operational environments and systems described
  • the computing device 410 (individually or in combination with at least one of the computing device(s) 470) can embody or can constitute the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160.
  • the computing device 410 can be embodied in a portable personal computer or a handheld computing device, such as a mobile tablet computer or the like. In another example, the computing device 410 can be embodied in a wearable computing device. The computing device 410 also can embody or can constitute other types of mobile computing devices.
  • the computational environment 400 represents an example implementation of the various aspects or elements of the disclosure in which the processing or execution of operations described in connection with resilient process control in accordance with aspects disclosed herein can be performed in response to execution of one or more software components at the computing device 410.
  • Such one or more software components render the computing device 410 (or any other computing device that contains the software component(s)) a particular machine for resilient process control in accordance with aspects described herein, among other functional purposes.
  • a software component can be embodied in or can include one or more computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions).
  • at least a portion of the computer-accessible instructions can be executed to perform at least a part of one or more of the example methods (e.g., method 600 and method 700) and/or other techniques described herein.
  • At least the portion of the computer-accessible instructions can be retained in a computer-readable non-transitory storage medium and executed by one or more processors (e.g., at least one of processor(s) 414).
  • the one or more computer-accessible instructions that embody or otherwise constitute a software component can be assembled into one or more program modules, for example.
  • Such program module(s) can be compiled, linked, and/or executed (by one or more of the processor(s) 414) at the computing device 410 or other computing devices.
  • program module(s) can include computer code, routines, programs, objects, components, information structures (e.g., data structures and/or metadata structures), etc., that can perform particular tasks (e.g., one or more operations) in response to execution by one or more processors.
  • processors can be integrated into the computing device 410.
  • the one or more processors that can execute the program module(s) can be embodied in or can include a non-empty subset of the processor(s) 414.
  • at least another one of the processor(s) can be functionally coupled to the computing device 410.
  • the various example embodiments of the disclosure can be operational with numerous other general purpose or special purpose computing system environments or configurations.
  • Examples of well-known computing systems, environments, and/or configurations that can be suitable for implementation of various aspects or elements of the disclosure in connection with resilient process control in accordance with aspects of this disclosure can include personal computers; server computers; laptop devices; handheld computing devices, such as mobile tablets or e-readers; wearable computing devices; and multiprocessor systems. Additional examples can include programmable consumer electronics, network personal computers (PCs), minicomputers, mainframe computers, blade computers, programmable logic controllers, distributed computing environments that comprise any of the above systems or devices, and the like.
  • the computing device 410 includes one or more processors 414, one or more input/output (I/O) interfaces 416; one or more memory devices 430
  • the bus architecture 432 functionally couples various functional elements of the computing device 410.
  • the bus 432 can include at least one of a system bus, a memory bus, an address bus, or a message bus, and can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the processor(s) 414, the I/O interface(s) 416, and/or the memory 430, or respective functional elements therein.
  • the bus 432 in conjunction with one or more internal programming interfaces 450 (collectively referred to as interface(s) 450) can permit or otherwise facilitate such exchange of information.
  • the processor(s) 414 include multiple processors
  • the computing device 410 can utilize parallel computing.
  • the computing device 410 can include, optionally, a radio unit 412.
  • the radio unit 412 can include one or more antennas and a communication processing unit that can permit wireless communication between the computing device 410 and another device, such as one of the computing device(s) 470 or a sensor device of the sensor system(s) 496.
  • the I/O interface(s) 416 can permit or otherwise facilitate communication of information between the computing device 410 and an external device, such as another computing device (e.g., a network element or an end-user device) or a sensor device. Such communication can include direct communication or indirect communication, such as the exchange of information between the computing device 410 and the external device via a network or elements thereof.
  • the I/O interface(s) 416 can include one or more of network adapter(s) 418, peripheral adapter(s) 422, and display unit(s) 426.
  • Such adapter(s) can permit or otherwise facilitate connectivity between the external device and one or more of the processor(s) 414 or the memory 430.
  • the peripheral adapter(s) 422 can include a group of ports, which can include at least one of parallel ports, serial ports, Ethernet ports, V.35 ports, or X.21 ports.
  • the parallel ports can comprise General Purpose Interface Bus (GPIB) or IEEE-1284, while the serial ports can include Recommended Standard (RS)-232, V.11, Universal Serial Bus (USB), FireWire or IEEE-1394.
  • At least one of the network adapter(s) 418 can functionally couple the computing device 410 to one or more computing devices 470 via one or more communication links (wireless, wireline, or a combination thereof) and one or more networks 480 that, individually or in combination, can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the computing device 410 and the one or more computing devices 470.
  • Such network coupling provided at least in part by the at least one of the network adapter(s) 418 can be implemented in a wired environment, a wireless environment, or both.
  • the network(s) 480 can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like.
  • the network elements can be assembled to form a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), and/or other networks (wireless or wired) having different footprints.
  • Information that is communicated by at least one of the network adapter(s) 418 can result from the implementation of one or more operations of a method (or technique) in accordance with aspects of this disclosure.
  • Such output can be any form of visual representation, including textual, graphical, animation, audio, haptic, and the like.
  • each one of the computing device(s) 470 can have substantially the same architecture as the computing device 410.
  • the display unit(s) 426 can include functional elements (e.g., lights, such as light-emitting diodes; a display, such as a liquid crystal display (LCD), a plasma monitor, a light-emitting diode (LED) monitor, or an electrochromic monitor; combinations thereof; or the like) that can permit or otherwise facilitate control of the operation of the computing device 410, or can permit conveying or revealing the operational conditions of the computing device 410.
  • the bus architecture 432 represents one or more of several possible types of bus structures, including a memory bus or a memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
  • such architectures can include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, an Accelerated Graphics Port (AGP) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express bus, a Personal Computer Memory Card International Association (PCMCIA) bus, a Universal Serial Bus (USB), and the like.
  • bus architecture 432 and all other bus architectures described herein can be implemented over a wired or wireless network connection and each of the subsystems, including the processor(s) 414, the memory 430 and memory elements therein, and the I/O interface(s) 416 can be contained within one or more remote computing devices 470 at physically separate locations, connected through buses of this form, in effect implementing a fully distributed system.
  • such a distributed system can implement the functionality described herein in a client-host or client-server configuration in which the resilient process control modules 436 or the resilient process control information 440, or both, can be distributed between the computing device 410 and at least one of the computing device(s) 470, and the computing device 410 and at least one of the computing device(s) 470 can execute such modules and/or leverage such information.
  • the computing device 410 can include a variety of computer-readable media.
  • Computer-readable media can be any available media (transitory and non-transitory) that can be accessed by the computing device 410.
  • computer-readable media can include computer non-transitory storage media (or computer-readable non-transitory storage media) and communications media.
  • Example computer-readable non-transitory storage media can include, for example, both volatile media and non-volatile media, and removable and/or non-removable media.
  • the memory 430 can include computer-readable media in the form of volatile memory, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM).
  • the memory 430 can include functionality instructions storage 434 and functionality information storage 438.
  • the functionality instructions storage 434 can include computer-accessible instructions that, in response to execution (by at least one of the processor(s) 414, for example), can implement one or more of the resilient process control functionalities of the disclosure.
  • the computer-accessible instructions can embody or can comprise one or more software components illustrated as resilient process control component(s) 436.
  • execution of at least one component of the resilient process control component(s) 436 can implement one or more of the methods disclosed herein, such as the example methods 200 and 300.
  • execution can cause a processor (e.g., one of the processor(s) 414) that executes the at least one component to carry out a disclosed example method or another technique of this disclosure.
  • a processor of the processor(s) 414 that executes at least one of the resilient process control modules 436 can retrieve information from or retain information in one or more memory elements 440 in the functionality information storage 438 in order to operate in accordance with the functionality programmed or otherwise configured by the resilient process control modules 436.
  • the one or more memory elements 440 can be generically referred to as resilient process control information 440.
  • Such information can include at least one of code instructions, information structures, or the like. For instance, at least a portion of such information structures can be indicative or otherwise representative of a defined contingency plan, historical operation data of the industrial equipment 110, and the like.
  • one or more of the resilient process control modules 436 can embody or can constitute, for example, the analytic engine 130, the anomaly detector module 150, the contingency generator module 160, or a combination thereof, in accordance with aspects of this disclosure.
  • At least one of the one or more interfaces 450 can permit or otherwise facilitate communication of information between two or more modules within the functionality instructions storage 434.
  • the information that is communicated by the at least one interface can result from implementation of one or more operations in a method of the disclosure.
  • one or more of the functionality instructions storage 434 and the functionality information storage 438 can be embodied in or can comprise removable/non-removable, and/or volatile/non-volatile computer storage media.
  • At least a portion of at least one of the resilient process control modules 436 or the resilient process control information 440 can program or otherwise configure one or more of the processors 414 to operate at least in accordance with the resilient process control functionality disclosed herein.
  • One or more of the processor(s) 414 can execute at least one of the resilient process control modules 436 and leverage at least a portion of the information in the functionality information storage 438 in order to provide management of calls from unknown callers in accordance with one or more aspects described herein.
  • the functionality instructions storage 434 can embody or can comprise a computer-readable non-transitory storage medium having computer-accessible instructions that, in response to execution, cause at least one processor (e.g., one or more of the processor(s) 414) to perform a group of operations comprising the operations or blocks described in connection with the example methods 200 and 300 and other techniques disclosed herein.
  • the memory 430 also can include computer-accessible instructions and information (e.g., data, metadata, and/or programming code instructions) that permit or otherwise facilitate the operation and/or administration (e.g., upgrades, software installation, any other configuration, or the like) of the computing device 410.
  • the memory 430 includes a memory element 442 (labeled operating system (OS) instructions 442) that contains one or more program modules that embody or include one or more operating systems, such as Windows operating system, Unix, Linux, Symbian, Android, Chromium, and substantially any OS suitable for mobile computing devices or tethered computing devices.
  • the operational and/or architectural complexity of the computing device 410 can dictate a suitable OS.
  • the memory 430 further includes a system information storage 446 having data, metadata, and/or programming code (e.g., firmware) that can permit or otherwise can facilitate the operation and/or administration of the computing device 410.
  • Elements of the OS instructions 442 and the system information storage 446 can be accessible or can be operated on by at least one of the processor(s) 414.
  • while the functionality instructions storage 434 and other executable program components are illustrated herein as discrete blocks, such software components can reside at various times in different memory components of the computing device 410 and can be executed by at least one of the processor(s) 414.
  • an implementation of the resilient process control modules 436 can be retained on or transmitted across some form of computer-readable media.
  • the computing device 410 and/or one of the computing device(s) 470 can include a power supply (not shown in FIG. 4), which can power up components or functional elements within such devices.
  • the power supply can be a rechargeable power supply, e.g., a rechargeable battery, and it can include one or more transformers to achieve a power level suitable for the operation of the computing device 410 and/or one of the computing device(s) 470, and components, functional elements, and related circuitry therein.
  • the power supply can be attached to a conventional power grid to recharge and ensure that such devices can be operational.
  • the power supply can include an I/O interface (e.g., one of the network adapter(s) 418) to connect operationally to the conventional power grid.
  • the power supply can include an energy conversion component, such as a solar panel, to provide additional or alternative power resources or autonomy for the computing device 410 and/or one of the computing device(s) 470.
  • the computing device 410 can operate in a networked environment by utilizing connections to one or more remote computing devices 470.
  • a remote computing device can be a personal computer, a portable computer, a server, a router, a network computer, a peer device or other common network node, and so on.
  • connections (physical and/or logical) between the computing device 410 and a computing device of the one or more remote computing devices 470 can be made via one or more networks 480, and various communication links (wireless or wireline).
  • the network(s) 480 can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like.
  • the network elements can be assembled to form a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), and/or other networks (wireless or wired) having different footprints.
  • the communication links can be assembled in a first group of communication links 474 and a second group of communication links 472.
  • Each one of the communication links in both groups can include one of an upstream link (or uplink (UL)) or a downstream link (or downlink (DL)).
  • Each one of the UL and the DL can be embodied in or can include wireless links (e.g., deep-space wireless links and/or terrestrial wireless links), wireline links (e.g., optic- fiber lines, coaxial cables, and/or twisted-pair lines), or a combination thereof.
  • the first group of communication links 474 and the second group of communication links 472 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between at least one of the computing device(s) 470 and the computing device 410.
  • one or more links of the first group of communication links 474, one or more links of the second group of communication links 472, and at least one of the network(s) 480 can form a communication pathway between the computing device 410 and at least one of the computing device(s) 470.
  • one or more of the disclosed methods can be practiced in distributed computing environments, such as grid-based environments, where tasks can be performed by remote processing devices (computing device(s) 470) that are functionally coupled (e.g., communicatively linked or otherwise coupled) through at least one of the network(s) 480.
  • one or more software components can be located within both a local computing device (e.g., computing device 410) and at least one remote computing device.
  • the operational environment 400 can include industrial equipment 490, such as a gas turbine.
  • the industrial equipment 490 includes one or more machines 492 and one or more sensor systems 496 that can probe the machine.
  • the machine(s) 492 can be embodied in or can include the industrial machine 110.
  • at least one of the sensor system(s) 496 can be embodied in or can include the sensor devices 118_1 to 118_D.
  • the computing device 410 and at least one of the computing device(s) 470, individually or in combination, can monitor a condition of the industrial equipment 490 in accordance with aspects of this disclosure.
  • multiple sensor devices of the sensor system(s) 496 can be functionally coupled (e.g., communicatively coupled, electrically coupled, and/or electromechanically coupled) to the computing device 410 and/or at least one of the computing device(s) 470.
  • one or more of the sensor devices can communicate with the computing device 410 via a
  • the sensor device(s) can communicate with at least one of the computing devices 470 via another communication pathway formed by the communication links 476, at least one of the network(s) 480, and the communication links 474.
  • Communication links 476 and communication links 472 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between the sensor devices of the sensor system(s) 496 and the computing device 410.
  • communication links 476 and communication links 474 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between the sensor devices of the sensor system(s) 496 and one or more of the computing device(s) 470.
  • Communication links 476 include, for example, an upstream link (or uplink (UL)) and a downstream link (or downlink (DL)).
  • Each one of the UL and the DL can be embodied in or can include wireless links (e.g., deep-space wireless links and/or terrestrial wireless links), wireline links (e.g., optic-fiber lines, coaxial cables, and/or twisted-pair lines), or a combination thereof.
  • Various embodiments of the disclosure may take the form of an entirely or partially hardware embodiment, an entirely or partially software embodiment, or a combination of software and hardware (e.g., a firmware embodiment).
  • Further as described herein, various embodiments of the disclosure (e.g., systems and methods) may take the form of a computer program product including a computer-readable non-transitory storage medium having computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions) such as computer software, encoded or otherwise embodied in such storage medium. Those instructions can be read or otherwise accessed and executed by one or more processors to perform or permit the performance of the operations described herein.
  • the instructions can be provided in any suitable form, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, assembler code, combinations of the foregoing, and the like.
  • Any suitable computer-readable non-transitory storage medium may be utilized to form the computer program product. For instance, the computer-readable medium may include any tangible non-transitory medium for storing information in a form readable or otherwise accessible by one or more computers or processor(s) functionally coupled thereto.
  • Non-transitory storage media can be embodied in or can include ROM; RAM; magnetic disk storage media; optical storage media; flash memory, etc.
  • the computer-accessible instructions may be loaded or otherwise incorporated into a general purpose computer, special purpose computer, or other programmable information processing apparatus to produce a particular machine, such that the operations or functions specified in the flowchart block or blocks can be implemented in response to execution at the computer or processing apparatus.
  • the terms “environment,” “system,” “engine,” “module,” “component,” “architecture,” “interface,” “unit,” and the like refer to a computer-related entity or an entity related to an operational apparatus with one or more defined functionalities.
  • the terms “environment,” “system,” “engine,” “module,” “component,” “architecture,” “interface,” and “unit” can be utilized interchangeably and can be generically referred to as functional elements.
  • Such entities may be either hardware, a combination of hardware and software, software, or software in execution.
  • a module can be embodied in a process running on a processor, a processor, an object, an executable portion of software, a thread of execution, a program, and/or a computing device.
  • both a software application executing on a computing device and the computing device can embody a module.
  • one or more modules may reside within a process and/or thread of execution.
  • a module may be localized on one computing device or distributed between two or more computing devices.
  • a module can execute from various computer-readable non-transitory storage media having various data structures stored thereon. Modules can communicate via local and/or remote processes in accordance, for example, with a signal (either analogic or digital) having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as a wide area network with other systems via the signal).
  • a module can be embodied in or can include an apparatus with a defined functionality provided by mechanical parts operated by electric or electronic circuitry that is controlled by a software application or firmware application executed by a processor.
  • a processor can be internal or external to the apparatus and can execute at least part of the software or firmware application.
  • a module can be embodied in or can include an apparatus that provides defined functionality through electronic components without mechanical parts.
  • the electronic components can include a processor to execute software or firmware that permits or otherwise facilitates, at least in part, the functionality of the electronic components.
  • modules can communicate via local and/or remote processes in accordance, for example, with a signal (either analog or digital) having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as a wide area network with other systems via the signal).
  • modules can communicate or otherwise be coupled via thermal, mechanical, electrical, and/or electromechanical coupling mechanisms (such as conduits, connectors, combinations thereof, or the like).
  • An interface can include input/output (I/O) components as well as associated processors, applications, and/or other programming components.
  • processor can refer to any type of processing circuitry or device.
  • a processor can be implemented as a combination of processing circuitry or computing processing units (such as CPUs, GPUs, or a combination of both).
  • a processor can refer to a single-core processor; a single processor with software multithread execution capability; a multi-core processor; a multi-core processor with software multithread execution capability; a multi-core processor with hardware multithread technology; a parallel processing (or computing) platform; and parallel computing platforms with distributed shared memory.
  • a processor can refer to an integrated circuit (IC), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field programmable gate array (FPGA), a programmable logic controller (PLC), a complex programmable logic device (CPLD), a discrete gate or transistor logic, discrete hardware components, or any combination thereof designed or otherwise configured (e.g., manufactured) to perform the functions described herein.
  • processors can utilize nanoscale architectures in order to optimize space usage or enhance the performance of systems, devices, or other electronic equipment in accordance with this disclosure.
  • a processor can include molecular transistors and/or quantum-dot based transistors, switches, and gates.
  • Memory components or memory devices disclosed herein can be embodied in either volatile memory or non-volatile memory or can include both volatile and non-volatile memory.
  • the memory components or memory devices can be removable or non-removable, and/or internal or external to a computing device or component.
  • non-transitory storage media can include hard-disc drives, zip drives, CD-ROMs, digital versatile disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, flash memory cards or other types of memory cards, cartridges, or any other non-transitory medium suitable to retain the desired information and which can be accessed by a computing device.
  • non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM), which acts as external cache memory.
  • RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
  • implementations do not include, certain features, elements, and/or operations. Thus, such conditional language generally is not intended to imply that features, elements, and/or operations are in any way required for one or more implementations or that one or more implementations necessarily include logic for deciding, with or without user input or prompting, whether these features, elements, and/or operations are included or are to be performed in any particular implementation.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which includes one or more machine- or computer-executable instructions for implementing the specified operations. It is noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or operations or carry out combinations of special purpose hardware and computer instructions.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the network can include copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer- readable non-transitory storage medium within the respective computing/processing device.

Abstract

Systems, techniques, and computer-program products are provided for protection of process control systems and control devices against digital intrusion and human error. In some embodiments, a computing system can configure a model of a physical industrial process executed in industrial equipment. The computing system can perform a simulation of the physical industrial process and, using at least an output of the simulation, the computing system can determine an anomaly state of a process control system that automates the physical industrial process. In some instances, the anomaly state can indicate the presence of an abnormal condition that corresponds to one of an occurrence of a digital intrusion or the issuance of an erroneous control command. The computing system also can perform other simulations of the physical industrial process to generate remediation plans to respond to an abnormal condition.

Description

PROCESS CONTROL SYSTEMS AND DEVICES RESILIENT TO DIGITAL INTRUSION
AND ERRONEOUS COMMANDS
BACKGROUND
[1] Defense measures of oil and gas (O&G) process control systems against cyberattacks from a distributed control system (DCS) side usually leverage information technology (IT) layers to protect the system from intrusion and unauthorized command/operation of the system. Although a wide range of IT layers are leveraged, including secured communications, cryptography, access management, and the like, these IT layers are typically insufficient to protect O&G process control systems. For instance, if an adversary breaches an IT layer, then the adversary may have full access to the process control system.
[2] Further, human error from authorized personnel can be more likely to occur than actual attacks from cyberintruders. More importantly, human error can cause the same or even greater harm to a DCS and O&G process.
[3] Therefore, much remains to be improved in technologies that protect industrial equipment from human errors and digital intrusion.
BRIEF DESCRIPTION OF THE DRAWINGS
[4] The accompanying drawings are an integral part of the disclosure and are incorporated into the present specification. The drawings, which are not drawn to scale, illustrate example embodiments of the disclosure and, in conjunction with the description and claims, serve to explain at least in part various principles, features, or aspects of the disclosure. Some embodiments of the disclosure are described more fully below with reference to the accompanying drawings. However, various aspects of the disclosure can be implemented in many different forms and should not be construed as being limited to the implementations set forth herein. Like numbers refer to like, but not necessarily the same or identical, elements throughout.
[5] FIG. 1A presents an example of an operational environment for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
[6] FIG. 1B presents an example of a computing system for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure.
[7] FIG. 2 presents an example of a method for protecting a process control system against digital intrusion and human error, in accordance with one or more embodiments of the disclosure.
[8] FIG. 3 presents an example of a method for generating a response to an abnormal condition of a process control system and industrial equipment, in accordance with one or more embodiments of the disclosure.
[9] FIG. 4 presents an example of an operational environment in which protection of industrial equipment against digital intrusion and human error can be implemented in accordance with one or more embodiments of the disclosure.
DETAILED DESCRIPTION
[10] The disclosure recognizes and addresses, in at least some embodiments, the issue of digital intrusion detection and preservation of operational integrity in complex automated industrial processes. Distributed control systems (DCSs) and supervisory control and data acquisition (SCADA) systems are critical infrastructure for the safe and reliable operation of process automation systems in several industries, including the oil and gas (O&G) industry. In particular, yet not exclusively, cyberattacks and/or human errors on a DCS for O&G process control can cause serious damage and can have dire consequences for O&G industry equipment, including negatively impacting products and their production, damaging assets, causing harm to personnel, creating public safety issues, and even impacting the energy security of society. Some of these potential security issues originate from a trend of digitalization and interconnectivity in the O&G industry. More specifically, sensor devices, controller devices, and actuator devices connected through a DCS and IT system, if not secured, can expose critical O&G assets to adversary parties and cyber criminals. Further, while interconnectivity and automation of field devices can increase convenience and productivity, they can also amplify the impact of human error from a control room, because an erroneous command can propagate rapidly to a large portion of the industrial equipment due to automation, fast communication, and/or interconnection.
[11] Accordingly, the disclosure provides comprehensive anomaly detection, control, and resilience techniques. More specifically, embodiments of the disclosure integrate a digital replica of a physical process to defend the physical industrial process. Such a digital replica can be referred to as a “digital twin” and embodies or constitutes a dynamic simulation model of the physical process. In some embodiments, the digital replica integrates at least some of the physics of the physical process; a logic that controls the physical process; and a simulation model of the physical process. The digital replica can utilize or otherwise leverage data-driven approaches that utilize machine-learning based methods. In addition, or in some embodiments, the digital replica can utilize or otherwise leverage model-driven approaches based on physical and/or chemical phenomena underlying an industrial process and rules of such process. Accordingly, in some instances, by incorporating a model of the physical industrial process, the digital replica can be synchronized with its physical counterpart in nearly real-time. The digital replica also permits or otherwise facilitates simulating and evaluating a state of the process before the state is achieved in the counterpart physical system. The digital twin can nearly continuously learn and can update itself from multiple sources to refine its real-time representation of the physical process.
[12] In some embodiments, a process control system can learn from itself, using sensor data that conveys various aspects of an operating condition (or operating state) of industrial equipment that performs a physical process. The learning system also can integrate historical data into its digital model to create a comprehensive linkage between the physical and digital worlds to enable risk assessment, attack prevention, attack/fault detection, and attack/fault mitigation.
[13] As is described in greater detail below, the disclosure provides an end-to-end cyber physical system security resilient framework (CPSSRF) using a digital twin of an industrial process to assess risk, detect attacks and command errors, and mitigate attacks afterwards to protect a DCS (or any other distributed process control architecture) for an O&G process, for example. The resilient security framework CPSSRF disclosed herein uses a digital twin of an industrial process to defend the actual physical process against cyberattacks and/or human errors in real-time or nearly real time, thus providing an OT layer security perimeter.
[14] Therefore, the disclosure provides a defense of O&G assets and other distributed industrial infrastructure against digital intrusion attacks and/or erroneous control commands. The defense systems and techniques in accordance with this disclosure incorporate aspects of a process control domain, at the operation technology (OT) layer, into various defense mechanisms. As such, embodiments of this disclosure can provide numerous technical improvements and benefits over conventional technologies for protection of a process control system and/or industrial equipment against digital intrusion and human error. For example, by incorporating a model of a physical industrial process into the monitoring of digital intrusion and other types of operational anomalies, embodiments of the disclosure can detect attacks and failure on individual control devices (sensor devices, actuator devices, switch devices, etc.) and/or the process control system as a whole, from an overall process perspective.
[15] As another example, rather than only reactively monitoring digital intrusion at the IT layer level, embodiments of the disclosure can proactively simulate and evaluate crisis scenarios related to digital intrusion and/or human error. As such, by performing simulation and evaluation of an operator command, embodiments of the disclosure can assess the impact of the operator command and can effect remediation (e.g., notify an operator or issue another type of alert, and/or block the implementation of an erroneous command). Similarly, by generating a contingency plan using a digital replica under various operation conditions, embodiments of the disclosure can provide countermeasures in case of a cyberattack and/or human error occurs in the physical system. The countermeasures can be effected automatically in response to a digital intrusion of an operational crisis, or can be provided to a human operator. It is noted that by focusing on intrusion detection at the IT layer, conventional approaches typically fail to correlate network events with anomalies found in the OT layer.
[16] With reference to the drawings, FIG. 1A presents an example of an operational environment 100 for a process control system and industrial equipment resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure. The illustrated operational environment 100 includes industrial equipment 110 having hardware 114 that permits or otherwise facilitates specific functionality. For example, the industrial equipment 110 can be embodied in or can include an industrial boiler. Thus, the hardware 114 can include a hermetically sealable vat; tubing for ingress of fluid into the vat and other tubing for the egress of the fluid; valves for control of fluid injection into the vat; valves that control fluid (liquid and/or gas) egress from the vat; heater devices; one or more pumps to supply fluid to the vat; and the like. In another example, the industrial machine 110 can be embodied in or can include a gas turbine. Thus, the hardware 114 can include blades, a rotor, a compressor, a combustor, and the like.
[17] The industrial equipment 110 can implement or perform a defined industrial process that can be automated. To that end, a group of sensor devices (e.g., sensor devices 118_1 to 118_D) can be integrated into or otherwise coupled to the hardware 114 to collect data indicative or otherwise representative of an operational state of the industrial equipment 110. In some embodiments, the group of sensor devices can be homogeneous, including several sensor devices of a same type (e.g., pressure meters or temperature meters). In other embodiments, the group of sensor devices can be heterogeneous, where a first subset of the group of sensor devices corresponds to sensor devices of a first type and a second subset of the group of sensor devices corresponds to sensor devices of a second type. For instance, such a group of sensor devices can include pressure meter(s) and temperature meter(s). As is illustrated in FIG. 1A, the group of sensor devices includes a sensor device 118_1, a sensor device 118_2, ..., a sensor device 118_{D-1}, and a sensor device 118_D. Here D is a natural number greater than unity. Open, block arrows linking respective sensors and the hardware 114 generically depict integration of a sensor device into the hardware 114 or coupling of the sensor device to the hardware 114.
[18] The industrial equipment 110 can have a defined complexity (architectural or otherwise) based at least in part on the type of industry to which the industrial equipment 110 pertains. For an industry, the complexity of the industrial equipment 110 also can be based at least on the types of industrial processes that the industrial equipment 110 can implement. In some embodiments, the industrial equipment 110 can be specific to the O&G industry. This disclosure, however, is not limited in that respect and the principles and practical elements of the disclosure can be applied to any industrial equipment that implements an industrial process that can be automated.
[19] Further, to automate an industrial process that can be implemented by the industrial equipment 110, a process control system 120 can be functionally coupled (e.g., communicatively coupled, electrically coupled, electromagnetically coupled, and/or electromechanically coupled) to the industrial equipment 110. A communication architecture 124 can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the process control system 120 and the industrial equipment 110. The communication architecture 124 can be embodied in or can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like. One or more of the bus architectures can include an industrial bus architecture, such as an Ethernet-based industrial bus, a controller area network (CAN) bus, a Modbus, other types of fieldbus architectures, or the like.
[20] The process control system 120 can implement control logic for the automation of an industrial process that can be performed by the industrial equipment 110. In some embodiments, the process control system 120 also can apply other types of rules that dictate physical access to the industrial equipment 110, implementation of a defined sequence of commands that operate the industrial equipment 110, a combination thereof, or the like.
[21] To that end, the process control system 120 can operate in real time, collecting or otherwise receiving observed data from the sensor devices 118_1 to 118_D. The process control system 120 can implement the control logic and/or other control algorithms (or processes) using, in some instances, the observed data. Based at least on the implemented logic and/or algorithms, the process control system 120 can send execution commands and/or setpoints to actuator devices (not depicted) or other types of controller devices (not depicted) that constitute the process control system 120. The process control system 120 also can include one or more human-machine interfaces (HMIs; not depicted) that can present (visually or aurally) real-time status or nearly real-time status to operators. An HMI also can receive commands from operators. In some embodiments, the process control system 120 can be embodied in or can include a DCS and/or a supervisory control and data acquisition (SCADA) system.
[22] The industrial equipment 110, the communication architecture 124, and the process control system 120 constitute a physical process domain in which an industrial process is implemented. As is illustrated in FIG. 1A, the operational environment 100 also includes a digital replica domain that includes a computer-implemented environment onto which an industrial process (e.g., an entire production cycle) in the physical process domain can be mapped. The digital replica domain includes and utilizes numerous modelling, computational, and artificial intelligence (AI) technologies that, individually or in combination, can permit implementing a digital replica of a physical industrial process. Such a digital replica embodies or constitutes a dynamic simulation model of the physical industrial process.
[23] High-performance computing can permit or otherwise facilitate executing a digital replica. To that end, the digital replica domain can include an analytic engine 130 that can receive a model of the industrial process that can be automated by the process control system 120 and implemented, at least partially, by the industrial equipment 110. To that end, the analytic engine 130 can receive information indicative of the model from a model generator engine 140. Such information can include data, metadata, and/or code instructions. Execution of the code instructions (which can constitute libraries and/or other types of software components) can permit simulating defined aspects of the industrial process in the physical process domain.
[24] The model generator engine 140 can configure a model of the industrial process in numerous ways. For example, the model generator engine 140 can generate the model using a modelling approach. In such an approach, physical model(s) of the industrial process; chemical model(s) of the industrial process; physicochemical model(s) of the industrial process; logic of control process(es) to automate the implementation of the industrial process; and/or rules can be utilized or otherwise leveraged to create a computer simulation model. Each one of a physical model, a chemical model, or a physicochemical model can be a first principles model or an empirical model.
[25] As another example, the model of the industrial process can be generated using a data-driven approach. In such an approach, historical input data, historical output data, state information (e.g., data, metadata, and/or signaling) of the industrial process, a combination thereof, or the like can be utilized or otherwise leveraged to create a computer simulation model. In some embodiments, a data-driven model can be learned from the data to reflect the relations of input data, output data, and a state of the process. For example, the data-driven model can be embodied in or can include a machine learning model based on a deep neural network, a generative adversarial network, or the like. Regardless of the specific approach utilized to generate a model of a physical industrial process, the model can represent and can predict phenomena (e.g., physics, chemistry, physical chemistry), logic, and rules of the industrial process. The model generator engine 140 can send information representative of the model to the analytic engine 130.
[26] Upon or after the analytic engine 130 receives a model, the analytic engine 130 can configure a digital replica (which, as mentioned, also can be referred to as a digital twin) based at least on the model. Specifically, the analytic engine 130 can build one or more software components that permit executing the digital replica. In addition, or in some embodiments, the analytic engine 130 can configure an execution job (e.g., request a defined number of processors, compute time, and other computing resources) to execute the digital replica.
[27] Upon or after a model of the industrial process has been created and the digital replica has been configured, a real-time or nearly real-time synchronization 128 between the physical industrial process and the digital replica can occur to synchronize a state of the model with the implementation of the industrial process in the physical process domain. Such a synchronization can include a transmission of state information from the process control system 120 to the data analytic engine 130. The state information can be utilized for model validation and verification, for example.
[28] The analytic engine 130 can perform (or can continue performing, after synchronization 128) a computer-implemented simulation of the digital replica. In some embodiments, the analytic engine 130 can perform a simulation of the digital twin in three different modes: (1) A first mode, referred to as “real-time mode,” in which the analytic engine 130 performs a simulation of a time interval of the industrial process that corresponds to the same time interval elapsed in the physical domain while the industrial process is implemented. More plainly stated, the computer-implemented simulation is performed in a parallel, corresponding timeline with the physical process. Therefore, results from the computer-implemented simulation can permit or otherwise facilitate cross checking sensor data and/or related physical states to detect corrupted data and/or anomalies.
[29] (2) A second mode, referred to as “predictive mode,” in which the analytic engine 130 performs a simulation of a time interval that is greater than the time interval that elapses in the physical domain, while implementing the industrial process. Stated in other terms, a timeline of the computer-implemented simulation is faster than in real-time mode. A computer-implemented simulation of the industrial process in predictive mode can permit or otherwise facilitate evaluating a future state of the industrial process under defined conditions and/or control commands.
[30] (3) A third mode, referred to as “contingency mode,” in which the analytic engine 130 performs the simulation to generate countermeasures, individually or within a remediation plan, and/or to evaluate individual countermeasures and/or remediation plans against potential cyberattacks and/or human errors.
[31] Results of performing (or continuing to perform after the synchronization 128) the simulation of the digital replica can be utilized to evaluate a discrepancy between the digital replica and the physical industrial process to permit or otherwise facilitate anomaly detection. In addition, or in some embodiments, such results can permit or otherwise facilitate evaluating an impact of a command on the implementation of the industrial process, thus permitting the detection of an erroneous command or an erroneous sequence of commands. Further, or in yet other embodiments, the results can permit or otherwise facilitate generating contingency plans that include lists of countermeasures or mitigation schemes against digital intrusion and/or erroneous commands.
[32] Therefore, as is illustrated in FIG. 1A, the operational environment 100 includes an anomaly detector module 150 that can determine a difference between an outcome from the performance of the digital replica and a counterpart outcome in the physical process implemented by industrial equipment and controlled by the resilient control process system. The anomaly detector module 150 can apply a rule to the difference to determine an anomaly state of the physical process. The anomaly state can indicate either the presence or the absence of an abnormal condition. In one aspect, absence of an abnormal condition can indicate that the control process system and the industrial equipment operate under normal conditions. An operational condition of the control process system can be characterized by a digital intrusion condition and a control integrity condition. As such, in another aspect, presence of an abnormal condition can be indicative of an exception in the digital intrusion condition and/or an exception in the control integrity condition. In one example, an exception in the digital intrusion condition can be embodied in or can include a defined risk of intrusion that is greater than a threshold level. In another example, such an exception can be embodied in or can include a digital breach (or an occurrence of a digital intrusion). An exception in a control integrity condition can be embodied in or can include, for example, one of an operator command that causes malfunction of any part of the hardware 114; an operator command that violates control logic; an operator command that fails to satisfy a group of dependencies of the control logic; or the like.
[33] Such an exception, individually or in combination with one or more exceptions, can be referred to as an exception condition of the control process system. Therefore, the anomaly state can indicate an area that is potentially under attack and/or erroneous commands that need investigation and/or change.
[34] More specifically, the anomaly detector module 150 can determine one or more differences in respective dimensions of operation of the industrial equipment that performs the industrial process that is simulated by means of the digital replica. The difference(s) can be determined as a function of time. In some embodiments, the anomaly detector module 150 can determine difference(s) at defined instants, e.g., according to a schedule or periodically. In addition, or in other embodiments, the anomaly detector module 150 can determine such difference(s) in nearly real time, e.g., at consecutive instants, each determined by the time elapsed during the implementation of one or more computations that result in a determination of one such difference. Therefore, the anomaly detector module 150 can monitor an anomaly state of the industrial process.
[35] In a scenario in which the anomaly detector module 150 determines that an abnormal condition is present and corresponds to the occurrence of a digital intrusion, the anomaly detector module 150 can send one or more directives to the process control system to execute a group of computer-implemented operations to remediate the abnormal condition. Such directive(s) can be sent within an instruction message 154. In addition, or in some embodiments, in another scenario in which the anomaly detector module 150 determines that an abnormal condition is present and corresponds to the issuance of an erroneous control command, the anomaly detector module 150 can send a group of control commands to a control device (not depicted) to remediate the abnormal condition, the control device being coupled to the process control system. The group of control commands can be sent within another instruction message 154.
[36] Further, as is also illustrated in FIG. 1A, the operational environment 100 includes a contingency generator module 160 that can generate cybersecurity measures proactively, in advance of a detection of an abnormal condition in the control process system. The cybersecurity measures can include issuing an error command; rejecting a requested operation deemed illegitimately issued; enforcing defined access control to computing resources (software assets and/or physical assets); disabling devices with abnormal data readings; activating a backup generation unit (not depicted in FIG. 1A); increasing reserved generation capacity; a combination of the foregoing; or the like. The cybersecurity measures can serve as preconfigured responses to the abnormal condition and can be implemented (e.g., executed) or otherwise triggered based at least on an outcome of a vulnerability analysis performed by the analytic engine 130, to mitigate the impact of the current change. The vulnerability analysis can identify which device/equipment is under attack or has received an erroneous command. As such, the cybersecurity measures can be supplied (e.g., sent or made available) to the control process system 120 and can be retained in one or more memory devices (generically referred to as a memory) that can be included in the control process system 120 and/or the contingency generator module 160. A subgroup of the cybersecurity measures can be specific to the exception condition (such as an exception of a digital intrusion condition). Thus, at least one of the cybersecurity measures in the subgroup can be implemented in response to the detection of the exception condition.
[37] Cybersecurity measure(s) generated by the contingency generator module 160 can be supplied (e.g., sent or made available) to a physical asset and/or the process control system 120. In some instances, the cybersecurity measure(s) can be sent to the process control system in a contingency notification 164. The physical asset can be embodied in or can include an element of the hardware 114 or a control device (a sensor device, an actuator device, a switch device, or the like). The cybersecurity measure(s) can permit or otherwise facilitate the physical asset and/or the control process system to remediate an impact of a digital intrusion or another type of attack and/or a fault caused by an erroneous control command.
[38] The transmission of instruction messages 154 and/or contingency notifications 164 can complete a resilience loop between the physical process domain and the digital replica domain, providing protection schemes against a digital intrusion and/or operation fault. As is disclosed herein, the protection schemes can be provided reactively and proactively, thus rendering the process control system 120 and devices coupled thereto resilient to digital intrusion and erroneous control commands.
[39] FIG. 1B presents an example of a computing system 170 for a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with one or more embodiments of the disclosure. The illustrated computing system 170 includes one or more processor(s) 180 and one or more memory devices 190 (generically referred to as memory 190) that include machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that can be accessed and executed by at least one of the processor(s) 180. In one example, the processor(s) 180 can be embodied in or can constitute a graphics processing unit (GPU), a plurality of GPUs, a central processing unit (CPU), a plurality of CPUs, an application-specific integrated circuit (ASIC), a microcontroller, a programmable logic controller (PLC), a field programmable gate array (FPGA), a combination thereof, or the like. In some embodiments, the processor(s) 180 can be arranged in a single computing apparatus (e.g., a blade server). In other embodiments, the processor(s) 180 can be distributed across two or more computing apparatus.
[40] The processor(s) 180 can be functionally coupled to the memory 190 by means of a communication architecture 185. The communication architecture 185 is suitable for the particular arrangement (localized or distributed) of the processor(s) 180. As such, the communication architecture 185 can include base station devices; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like.
[41] In the computing system 170, the memory 190 includes the analytic engine 130. The analytic engine 130 includes machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the analytic engine 130. The instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media. As such, in some embodiments, the instructions can be arranged in modules (not depicted in FIG. 1B).
[42] The memory 190 also includes the anomaly detector module 150 and the contingency generator module 160. Each of such modules includes respective groups of machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the anomaly detector module 150 and the contingency generator module 160. The respective groups of machine-accessible instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media.
[43] The memory 190 includes the model generator engine 140. The model generator engine 140 also includes machine-accessible instructions (e.g., computer-readable and/or computer-executable instructions) that embody or constitute the model generator engine 140. The instructions are encoded in the memory 190 and can be arranged in components that can be built (e.g., linked and compiled) and retained in computer-executable form in the memory 190 (as is shown) or in one or more other machine-accessible non-transitory storage media. As such, in some embodiments, the instructions can be arranged in modules (not depicted in FIG. 1B).
[44] The machine-accessible instructions that form the analytic engine 130, the model generator engine 140, the anomaly detector module 150, and the contingency generator module 160 can be executed by at least one processor of the processor(s) 180. It is noted that while not illustrated, the computing system 170 also can include other types of computing resources (e.g., controller device(s), power supplies, and the like) that can permit or otherwise facilitate the execution of the software components (e.g., engines and modules). Execution of the instructions can cause the at least one processor, and thus the computing system 170, to provide a process control system and devices resilient to digital intrusion and erroneous commands, in accordance with aspects of this disclosure.
[45] In view of various aspects described herein, examples of methods that can be implemented in accordance with this disclosure can be better appreciated with reference to FIGS. 2-3. For purposes of simplicity of explanation, the exemplified methods (and other techniques disclosed herein) are presented and described as a series of operations. It is noted, however, that the exemplified methods and any other techniques of this disclosure are not limited by the order of operations. Some operations may occur in a different order than that which is illustrated and described herein. In addition, or in the alternative, some operations can be performed essentially concurrently with other operations (illustrated or otherwise). Further, not all illustrated operations may be required to implement an exemplified method or technique in accordance with this disclosure. Furthermore, in some embodiments, two or more of the exemplified methods and/or other techniques disclosed herein can be implemented in combination with one another to accomplish one or more elements and/or technical improvements disclosed herein.
[46] In some embodiments, one or several of the exemplified methods and/or other techniques disclosed herein can be represented as a series of interrelated states or events, such as in a state-machine diagram. Other representations also are possible. For example, interaction diagram(s) can represent an exemplified method and/or a technique in accordance with this disclosure in scenarios in which different entities perform different portions of the disclosed methodologies.
[47] It should be further appreciated that the example methods disclosed in this specification can be retained or otherwise stored on an article of manufacture (such as a computer-program product) in order to permit or otherwise facilitate transporting and transferring such example methods to computers for execution, and thus implementation, by processor(s) or for storage in a memory.
[48] Methods disclosed throughout the subject specification and annexed drawings are capable of being stored on an article of manufacture to facilitate transporting and transferring such methodologies to computers or other types of information processing machines or processing circuitry for execution, and thus implementation, by a processor or for storage in a memory device or another type of computer-readable storage device. In one example, one or more processors that perform a method or combination of methods disclosed herein can be utilized to execute programming code instructions retained in a memory device or any computer-readable or machine-readable storage device or non-transitory storage media, to implement one or several of the exemplified methods and/or other techniques disclosed herein. The programming code instructions, when executed by the one or more processors, can implement or carry out the various operations in the exemplified methods and/or other techniques disclosed herein.
[49] The programming code instructions, therefore, provide a computer-executable or machine-executable framework to implement the exemplified methods and/or other techniques disclosed herein. More specifically, yet not exclusively, each block of the flowchart illustrations and/or combinations of blocks in the flowchart illustrations can be implemented by the programming code instructions.
[50] FIG. 2 presents a flowchart of an example method 200 for protecting industrial equipment against digital intrusion and/or human error, in accordance with one or more embodiments of the disclosure. The example method 200 can be implemented, entirely or in part, by a computing system having one or more processors, one or more memory devices, and/or other types of computing resources. In some embodiments, the computing system can embody or can include at least the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160. For instance, the computing system can be embodied in or can include the computing system 170 shown in FIG. 1B.
[51] At block 210, the computing system can receive model information indicative of a simulation model of an industrial process. The industrial process can be implemented in industrial equipment (e.g., O&G industrial equipment). The implementation can be automated by a control process system and control devices, for example. As mentioned, the simulation model can result from, or can be based at least on, one of a modelling approach or a data-driven approach. Each one of such approaches includes information representative or otherwise indicative of a control process for the automation of the implementation of the industrial process.
[52] As mentioned, the model can be a physical model or a deep neural network model. In some embodiments, in addition or as an alternative to receiving model information, the computing system can update extant model information. The model information can be updated using a second physical model of the industrial process and/or logic of an automation process that implements the industrial process at least partially. In addition, or in some embodiments, updating the physical model can include updating a deep neural network model (e.g., a convolutional neural network) corresponding to a model that has been previously received. To that end, the computing system can update the model by receiving or otherwise accessing historical data indicative of an implementation of the industrial process, and training (or retraining) the deep neural network model using at least the historical data.
[53] At block 220, the computing system can receive state information representative of a current state of the industrial process. At block 230, the computing system can perform a simulation of the industrial process using at least the model. In some instances, the received state information can serve as an initial or boundary condition for the simulation.
[54] At block 240, the computing system can determine an anomaly state of a control process system using at least an output of the performed simulation. The control process system can control the automation of the industrial process. As mentioned, the anomaly state can be indicative of one of presence of an abnormal condition or absence of an abnormal condition. In addition, presence of an abnormal condition can be indicative of an exception in the digital intrusion condition and/or an exception of the control integrity condition.
[55] At block 250, the computing system can determine if the anomaly state is indicative of an exception condition of the control process system. In response to a negative determination (“No” branch), the flow of the example method 200 can be directed to block 220, at which the computing system can receive further state information. In the alternative, in response to a positive determination (“Yes” branch), the flow of the example method 200 can continue to block 260, at which point the computing system can implement a remediation plan for the abnormal condition, e.g., an exception in the digital intrusion condition and/or an exception in the control integrity condition. More specifically, in response to determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the occurrence of a digital intrusion, the computing system can send a directive to the process control system to execute a group of computer-implemented operations to remediate the abnormal condition. In addition, in response to determining that the anomaly state is indicative of the presence of an abnormal condition corresponding to the issuance of an erroneous control command, the computing system can send a group of control commands to a control device to remediate the abnormal condition, where the control device can be coupled to the process control system.
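The three simulation modes of paragraphs [28]-[31], the difference rule of paragraphs [32]-[35], and blocks 220-260 of method 200 (FIG. 2), carried through as an added worked example; this is not the patent's own code. The tank-level process, its constants and safe band, the residual threshold and persistence count, and the sensor readings are all constructed assumptions.

```python
"""Digital-replica anomaly detection and command screening for a constructed
tank-level process (added example modelled on paragraphs [28]-[35] and
method 200 of FIG. 2; not code from the patent)."""
from enum import Enum
from typing import List, Optional, Sequence, Tuple

# Constructed first-principles replica: a tank whose level h (m) rises with
# the pump command u (0..1) and drains in proportion to the level.
K_IN = 0.5     # m/s added at full pump command
K_OUT = 0.1    # fraction of the level that drains per second
DT = 1.0       # simulation step (s), equal to the sensor sampling period
H_MIN, H_MAX = 0.5, 4.0   # safe operating band (pump dry-run / overflow)


class AnomalyState(Enum):
    """Anomaly state of the control process system (paragraph [32])."""
    NORMAL = "normal"                        # no abnormal condition
    DIGITAL_INTRUSION = "digital_intrusion"  # exception in the intrusion condition
    CONTROL_INTEGRITY = "control_integrity"  # exception in the integrity condition


def step(h: float, u: float) -> float:
    """Advance the replica by one step: h' = h + DT * (K_IN * u - K_OUT * h)."""
    return h + DT * (K_IN * u - K_OUT * h)


def real_time_mode(h_sync: float, commands: Sequence[float],
                   readings: Sequence[float], threshold: float = 0.5,
                   persist: int = 3) -> Tuple[AnomalyState, Optional[int], List[float]]:
    """Mode (1): run the replica in lockstep with the physical process, starting
    from the synchronized state h_sync, and cross-check each sensor reading.
    Rule applied to the difference (paragraph [32]): a residual above
    `threshold` for `persist` consecutive samples is an abnormal condition
    attributed to corrupted sensor data.  Returns (state, sample index at which
    the anomaly was declared or None, residuals)."""
    h, run, residuals = h_sync, 0, []
    for k, (u, z) in enumerate(zip(commands, readings)):
        residuals.append(abs(z - h))
        run = run + 1 if residuals[-1] > threshold else 0
        if run >= persist:
            return AnomalyState.DIGITAL_INTRUSION, k, residuals
        h = step(h, u)          # replica follows the same command as the plant
    return AnomalyState.NORMAL, None, residuals


def predictive_mode(h_sync: float, u_proposed: float, horizon: int = 30,
                    limits: Tuple[float, float] = (H_MIN, H_MAX)
                    ) -> Tuple[AnomalyState, Optional[int]]:
    """Mode (2): simulate `horizon` steps ahead of the physical timeline to
    evaluate a proposed command before it is executed.  A predicted excursion
    outside `limits` marks the command as erroneous (control integrity
    exception).  Returns (state, first violating step or None)."""
    h = h_sync
    lo, hi = limits
    for k in range(1, horizon + 1):
        h = step(h, u_proposed)
        if not lo <= h <= hi:
            return AnomalyState.CONTROL_INTEGRITY, k
    return AnomalyState.NORMAL, None


def contingency_mode(h_probe: float, candidates: Sequence[float],
                     horizon: int = 30) -> List[float]:
    """Mode (3) / method 300: from a probe operational state (e.g. the level an
    erroneous command has already driven the tank to), keep only the candidate
    setpoints that hold the process inside its limits.  The returned list is
    the contingency plan data structure of block 340."""
    return [u for u in candidates
            if predictive_mode(h_probe, u, horizon)[0] is AnomalyState.NORMAL]


def remediation_plan(state: AnomalyState) -> List[str]:
    """Block 260: map the exception condition to preconfigured measures taken
    from paragraph [36]; the strings stand in for instruction message 154."""
    if state is AnomalyState.DIGITAL_INTRUSION:
        return ["disable devices with abnormal data readings",
                "enforce defined access control to computing resources"]
    if state is AnomalyState.CONTROL_INTEGRITY:
        return ["reject requested operation deemed illegitimately issued"]
    return []


# Constructed data: plant at the u = 0.4 equilibrium (h = 2.0 m); from sample 4
# the level readings no longer agree with the replica (e.g. corrupted sensor data).
COMMANDS = [0.4] * 8
SPOOFED_READINGS = [2.0, 2.05, 1.95, 2.0, 5.0, 5.1, 5.0, 4.9]


if __name__ == "__main__":
    state, k, res = real_time_mode(2.0, COMMANDS, SPOOFED_READINGS)
    print(f"real-time mode: {state.value} declared at sample {k}, "
          f"residuals={[round(r, 2) for r in res]}")
    print("remediation:", remediation_plan(state))
    for u in (0.6, 1.0):
        print(f"predictive mode, u={u}: {predictive_mode(2.0, u)}")
    print("contingency plan from h=3.8:", contingency_mode(3.8, [0.0, 0.6, 1.0]))
```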
[56] FIG. 3 presents a flowchart of an example method 300 for generating a response to an abnormal operational condition (e.g., digital intrusion and/or a human error) of a process control system, in accordance with one or more embodiments of the disclosure. The example method 300 can be implemented, entirely or in part, by a computing system having one or more processors, one or more memory devices, and/or other types of computing resources. In some embodiments, the computing system can embody or can include at least the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160. For instance, the computing system can be embodied in or can include the computing system 170 shown in FIG. 1B.
[57] At block 310, the computing system can receive a model of an industrial process executed in industrial equipment. Receiving the model can include receiving information (e.g., data, metadata, and/or code instructions) indicative or otherwise representative of a physical model, a chemical model, a physicochemical model, control logic, one or more rules, a combination thereof, or the like.
[58] At block 320, the computing system can configure a probe operational state of the industrial process. The probe operational state can be representative of an abnormal operational condition of a process control system that automates the industrial process. An abnormal condition can be embodied in or can include, for example, a digital intrusion anomaly and/or a control integrity anomaly. More specifically, the digital intrusion anomaly can include an occurrence of a digital intrusion into the process control system that automates the industrial process. In addition, the control integrity anomaly can include an erroneous operator command or an erroneous sequence of operator commands.
[59] At block 330, the computing system can perform a simulation of the industrial process using at least the model and subject to the probe operational state. At block 340, the computing system can generate a contingency plan to respond to the abnormal operational condition. As mentioned, the contingency plan can include a group of actions (or operations) to be performed by the process control system. In some embodiments, generating the contingency plan includes configuring a data structure indicative of the group of operations to be performed by the process control system (e.g., process control system 120). The group of operations can include one or more of issuing an error command; rejecting a requested operation deemed illegitimately issued; enforcing defined access control to computing resources (software assets and/or physical assets); disabling devices with abnormal data readings; activating a backup generation unit; increasing reserved generation capacity; or the like.
[60] At block 350, the computing system can supply (e.g., send or make available) the contingency plan. In some embodiments, supplying can include causing the process control system (e.g., process control system 120) to retain the data structure generated at block 340.
[61] FIG. 4 presents an example of an operational environment in which functionality associated with resilient process control can be implemented in accordance with one or more embodiments of the disclosure. The exemplified operational environment 400 is merely illustrative and is not intended to suggest or otherwise convey any limitation as to the scope of use or functionality of the operational environment's architecture. In addition, the exemplified operational environment 400 depicted in FIG. 4 should not be interpreted as having any dependency or requirement relating to any one or combination of modules or other types of components illustrated in other example operational environments of this disclosure.
[62] The example operational environment 400 or portions thereof can embody or can constitute other ones of the various operational environments and systems described hereinbefore. As such, the computing device 410, individually or in combination with at least one of the computing device(s) 470, can embody or can constitute the analytic engine 130, the anomaly detector module 150, and the contingency generator module 160.
[63] In one example, the computing device 410 can be embodied in a portable personal computer or a handheld computing device, such as a mobile tablet computer or the like. In another example, the computing device 410 can be embodied in a wearable computing device. The computing device 410 also can embody or can constitute other types of mobile computing devices.
[64] The computational environment 400 represents an example implementation of the various aspects or elements of the disclosure in which the processing or execution of operations described in connection with resilient process control in accordance with aspects disclosed herein can be performed in response to execution of one or more software components at the computing device 410. Such one or more software components render the computing device 410 (or any other computing device that contains the software component(s)) a particular machine for resilient process control in accordance with aspects described herein, among other functional purposes.
[65] A software component can be embodied in or can include one or more computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions). In some embodiments, as mentioned, at least a portion of the computer-accessible instructions can be executed to perform at least a part of one or more of the example methods (e.g., method 600 and method 700) and/or other techniques described herein.
[66] For instance, to embody one such method, at least the portion of the computer-accessible instructions can be retained in a non-transitory computer-readable storage medium and executed by one or more processors (e.g., at least one of processor(s) 414). The one or more computer-accessible instructions that embody or otherwise constitute a software component can be assembled into one or more program modules, for example. Such program module(s) can be compiled, linked, and/or executed (by one or more of the processor(s) 414) at the computing device 410 or other computing devices.
[67] Further, such program module(s) can include computer code, routines, programs, objects, components, information structures (e.g., data structures and/or metadata structures), etc., that can perform particular tasks (e.g., one or more operations) in response to execution by one or more processors. At least one of such processor(s) can be integrated into the computing device 410. For instance, the one or more processors that can execute the program module(s) can be embodied in or can include a non-empty subset of the processor(s) 414. In addition, at least another one of the processor(s) can be functionally coupled to the computing device 410.
[68] The various example embodiments of the disclosure can be operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that can be suitable for implementation of various aspects or elements of the disclosure in connection with resilient process control in accordance with aspects of this disclosure can include personal computers; server computers; laptop devices; handheld computing devices, such as mobile tablets or e-readers; wearable computing devices; and multiprocessor systems. Additional examples can include programmable consumer electronics, network personal computers (PCs), minicomputers, mainframe computers, blade computers, programmable logic controllers, distributed computing environments that comprise any of the above systems or devices, and the like.
[69] As is illustrated in FIG. 4, the computing device 410 includes one or more processors 414; one or more input/output (I/O) interfaces 416; one or more memory devices 430 (collectively referred to as memory 430); and a bus architecture 432 (also termed bus 432). The bus architecture 432 functionally couples various functional elements of the computing device 410. The bus 432 can include at least one of a system bus, a memory bus, an address bus, or a message bus, and can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the processor(s) 414, the I/O interface(s) 416, and/or the memory 430, or respective functional elements therein. In some scenarios, the bus 432 in conjunction with one or more internal programming interfaces 450 (collectively referred to as interface(s) 450) can permit or otherwise facilitate such exchange of information. In scenarios in which the processor(s) 414 include multiple processors, the computing device 410 can utilize parallel computing.
[70] In some embodiments, the computing device 410 can include, optionally, a radio unit 412. The radio unit 412 can include one or more antennas and a communication processing unit that can permit wireless communication between the computing device 410 and another device, such as one of the computing device(s) 470 or a sensor device of the sensor system(s) 496.
[71] The I/O interface(s) 416 can permit or otherwise facilitate communication of information between the computing device 410 and an external device, such as another computing device (e.g., a network element or an end-user device) or a sensor device. Such communication can include direct communication or indirect communication, such as the exchange of information between the computing device 410 and the external device via a network or elements thereof. In some embodiments, as is illustrated in FIG. 4, the I/O interface(s) 416 can include one or more of network adapter(s) 418, peripheral adapter(s) 422, and display unit(s) 426. Such adapter(s) can permit or otherwise facilitate connectivity between the external device and one or more of the processor(s) 414 or the memory 430. For example, the peripheral adapter(s) 422 can include a group of ports, which can include at least one of parallel ports, serial ports, Ethernet ports, V.35 ports, or X.21 ports. In certain embodiments, the parallel ports can comprise General Purpose Interface Bus (GPIB), IEEE-1284, while the serial ports can include Recommended Standard (RS)-232, V.11, Universal Serial Bus (USB), FireWire or IEEE-1394.
[72] At least one of the network adapter(s) 418 can functionally couple the computing device 410 to one or more computing devices 470 via one or more communication links (wireless, wireline, or a combination thereof) and one or more networks 480 that, individually or in combination, can permit or otherwise facilitate the exchange of information (data, metadata, and/or signaling) between the computing device 410 and the one or more computing devices 470. Such network coupling provided at least in part by the at least one of the network adapter(s) 418 can be implemented in a wired environment, a wireless environment, or both. The network(s) 480 can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like. The network elements can be assembled to form a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), and/or other networks (wireless or wired) having different footprints.
[73] Information that is communicated by at least one of the network adapter(s) 418 can result from the implementation of one or more operations of a method (or technique) in accordance with aspects of this disclosure. Such output can be any form of visual representation, including textual, graphical, animation, audio, haptic, and the like. In some scenarios, each one of the computing device(s) 470 can have substantially the same architecture as the computing device 410. In addition or in the alternative, the display unit(s) 426 can include functional elements (e.g., lights, such as light-emitting diodes; a display, such as a liquid crystal display (LCD), a plasma monitor, a light-emitting diode (LED) monitor, or an electrochromic monitor; combinations thereof; or the like) that can permit or otherwise facilitate control of the operation of the computing device 410, or can permit conveying or revealing the operational conditions of the computing device 410.
[74] In one aspect, the bus architecture 432 represents one or more of several possible types of bus structures, including a memory bus or a memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. As an illustration, such architectures can include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, an Accelerated Graphics Port (AGP) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express bus, a Personal Computer Memory Card International Association (PCMCIA) bus, a Universal Serial Bus (USB), and the like.
[75] The bus architecture 432, and all other bus architectures described herein can be implemented over a wired or wireless network connection and each of the subsystems, including the processor(s) 414, the memory 430 and memory elements therein, and the I/O interface(s) 416 can be contained within one or more remote computing devices 470 at physically separate locations, connected through buses of this form, in effect implementing a fully distributed system.
[76] In some embodiments, such a distributed system can implement the functionality described herein in a client-host or client-server configuration in which the resilient process control modules 436 or the resilient process control information 440, or both, can be distributed between the computing device 410 and at least one of the computing device(s) 470, and the computing device 410 and at least one of the computing device(s) 470 can execute such modules and/or leverage such information.
[77] The computing device 410 can include a variety of computer-readable media. Computer-readable media can be any available media (transitory and non-transitory) that can be accessed by the computing device 410. In one aspect, computer-readable media can include computer non-transitory storage media (or computer-readable non-transitory storage media) and communications media. Example computer-readable non-transitory storage media can include, for example, both volatile media and non-volatile media, and removable and/or non-removable media. In one aspect, the memory 430 can include computer-readable media in the form of volatile memory, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM).
[78] As is illustrated in FIG. 4, the memory 430 can include functionality instructions storage 434 and functionality information storage 438. The functionality instructions storage 434 can include computer-accessible instructions that, in response to execution (by at least one of the processor(s) 414, for example), can implement one or more of the resilient process control functionalities of the disclosure. The computer-accessible instructions can embody or can comprise one or more software components illustrated as resilient process control component(s) 436.
[79] In one scenario, execution of at least one component of the resilient process control component(s) 436 can implement one or more of the methods disclosed herein, such as the example methods 200 and 300. For instance, such execution can cause a processor (e.g., one of the processor(s) 414) that executes the at least one component to carry out a disclosed example method or another technique of this disclosure.
[80] It is noted that, in one aspect, a processor of the processor(s) 414 that executes at least one of the resilient process control modules 436 can retrieve information from or retain information in one or more memory elements 440 in the functionality information storage 438 in order to operate in accordance with the functionality programmed or otherwise configured by the resilient process control modules 436. The one or more memory elements 440 can be generically referred to as resilient process control information 440. Such information can include at least one of code instructions, information structures, or the like. For instance, at least a portion of such information structures can be indicative or otherwise representative of a defined contingency plan, historical operation data of the industrial equipment 110, and the like.
[81] In some embodiments, one or more of the resilient process control modules 436 can embody or can constitute, for example, the analytic engine 130, the anomaly detector module 150, the contingency generator module 160, or a combination thereof, in accordance with aspects of this disclosure.
[82] At least one of the one or more interfaces 450 (e.g., application programming interface(s)) can permit or otherwise facilitate communication of information between two or more modules within the functionality instructions storage 434. The information that is communicated by the at least one interface can result from implementation of one or more operations in a method of the disclosure. In some embodiments, one or more of the functionality instructions storage 434 and the functionality information storage 438 can be embodied in or can comprise removable/non-removable, and/or volatile/non-volatile computer storage media.
[83] At least a portion of at least one of the resilient process control modules 436 or the resilient process control information 440 can program or otherwise configure one or more of the processors 414 to operate at least in accordance with the resilient process control functionality disclosed herein. One or more of the processor(s) 414 can execute at least one of the resilient process control modules 436 and leverage at least a portion of the information in the functionality information storage 438 in order to provide management of calls from unknown callers in accordance with one or more aspects described herein.
[84] It is noted that, in some embodiments, the functionality instructions storage 434 can embody or can comprise a computer-readable non-transitory storage medium having computer-accessible instructions that, in response to execution, cause at least one processor (e.g., one or more of the processor(s) 414) to perform a group of operations comprising the operations or blocks described in connection with the example methods 200 and 300 and other techniques disclosed herein.
[85] The memory 430 also can include computer-accessible instructions and information (e.g., data, metadata, and/or programming code instructions) that permit or otherwise facilitate the operation and/or administration (e.g., upgrades, software installation, any other configuration, or the like) of the computing device 410. Accordingly, as is illustrated, the memory 430 includes a memory element 442 (labeled operating system (OS) instructions 442) that contains one or more program modules that embody or include one or more operating systems, such as Windows operating system, Unix, Linux, Symbian, Android, Chromium, and substantially any OS suitable for mobile computing devices or tethered computing devices. In one aspect, the operational and/or architectural complexity of the computing device 410 can dictate a suitable OS.
[86] The memory 430 further includes a system information storage 446 having data, metadata, and/or programming code (e.g., firmware) that can permit or otherwise can facilitate the operation and/or administration of the computing device 410. Elements of the OS instructions 442 and the system information storage 446 can be accessible or can be operated on by at least one of the processor(s) 414.
[87] While the functionality instructions storage 434 and other executable program components (such as the OS instructions 442) are illustrated herein as discrete blocks, such software components can reside at various times in different memory components of the computing device 410 and can be executed by at least one of the processor(s) 414. In certain scenarios, an implementation of the resilient process control modules 436 can be retained on or transmitted across some form of computer-readable media.
[88] The computing device 410 and/or one of the computing device(s) 470 can include a power supply (not shown in FIG. 4), which can power up components or functional elements within such devices. The power supply can be a rechargeable power supply, e.g., a rechargeable battery, and it can include one or more transformers to achieve a power level suitable for the operation of the computing device 410 and/or one of the computing device(s) 470, and components, functional elements, and related circuitry therein. In certain scenarios, the power supply can be attached to a conventional power grid to recharge and ensure that such devices can be operational. In one aspect, the power supply can include an I/O interface (e.g., one of the network adapter(s) 418) to connect operationally to the conventional power grid. In another aspect, the power supply can include an energy conversion component, such as a solar panel, to provide additional or alternative power resources or autonomy for the computing device 410 and/or one of the computing device(s) 470.
[89] As is illustrated in FIG. 4, in some instances, the computing device 410 can operate in a networked environment by utilizing connections to one or more remote computing devices 470. As an illustration, a remote computing device can be a personal computer, a portable computer, a server, a router, a network computer, a peer device or other common network node, and so on. As described herein, connections (physical and/or logical) between the computing device 410 and a computing device of the one or more remote computing devices 470 can be made via one or more networks 480, and various communication links (wireless or wireline).
The network(s) 480 can include several types of network elements, including base stations; router devices; switch devices; server devices; aggregator devices; bus architectures; a combination of the foregoing; or the like. The network elements can be assembled to form a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), and/or other networks (wireless or wired) having different footprints.
[90] In addition, as is illustrated, the communication links can be assembled in a first group of communication links 474 and a second group of communication links 472. Each one of the communication links in both groups can include one of an upstream link (or uplink (UL)) or a downstream link (or downlink (DL)). Each one of the UL and the DL can be embodied in or can include wireless links (e.g., deep-space wireless links and/or terrestrial wireless links), wireline links (e.g., optic-fiber lines, coaxial cables, and/or twisted-pair lines), or a combination thereof.
[91] The first group of communication links 474 and the second group of communication links 472 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between at least one of the computing device(s) 470 and the computing device 410. To that end, one or more links of the first group of communication links 474, one or more links of the second group of communication links 474, and at least one of the network(s) 480 can form a communication pathway between the computing device 410 and at least one of the computing device(s) 470.
[92] In one or more embodiments, one or more of the disclosed methods can be practiced in distributed computing environments, such as grid-based environments, where tasks can be performed by remote processing devices (computing device(s) 470) that are functionally coupled (e.g., communicatively linked or otherwise coupled) through at least one of network(s) 410. In a distributed computing environment, in one aspect, one or more software components (such as program modules) can be located within both a local computing device (e.g., computing device 410) and at least one remote computing device.
[93] In some embodiments, as is illustrated in FIG. 4, the operational environment 400 can include industrial equipment 490, such as a gas turbine. The industrial equipment 490 includes one or more machines 492 and one or more sensor systems 496 that can probe the machine. In one aspect, the machine(s) 492 can be embodied in or can include the industrial machine 110. In addition, at least one of the sensor system(s) 496 can be embodied in or can include sensor devices H 8I-H 8D. The computing device 410 and at least one of the computing device(s) 470, individually or in combination, can monitor a condition of the industrial equipment 490 in accordance with aspects of this disclosure. To that end, in some aspects, multiple sensor devices of the sensor system(s) 496 can be functionally coupled (e.g., communicatively coupled, electrically coupled, and/or electromechanically coupled) to the computing device 410 and/or at least one of the computing device(s) 470. Specifically, one or more of the sensor devices can communicate with the computing device 410 via a communication pathway formed by communication links 476, at least one of network(s) 480, and communication links 472. Similarly, the sensor device(s) can communicate with at least one of the computing devices 470 via another communication pathway formed by the communication links 476, at least one of the network(s) 480, and the communication links 474.
[94] Communication links 476 and communication links 472 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between the sensor devices of the sensor system(s) 496 and the computing device. Similarly, communication links 476 and communication links 474 can permit or otherwise facilitate the exchange of information (e.g., data, metadata, and/or signaling) between the sensor devices of the sensor system(s) 496 and one or more of the computing device(s) 470. Communication links 476 includes, for example, an upstream link (or uplink (UL)) and a downstream link (or downlink (DL)). Each one of the UL and the DL can be embodied in or can include wireless links (e.g., deep-space wireless links and/or terrestrial wireless links), wireline links (e.g., optic-fiber lines, coaxial cables, and/or twisted-pair lines), or a combination thereof.
[95] Various embodiments of the disclosure may take the form of an entirely or partially hardware embodiment, an entirely or partially software embodiment, or a combination of software and hardware (e.g., a firmware embodiment). Further, as described herein, various embodiments of the disclosure (e.g., systems and methods) may take the form of a computer program product including a computer-readable non-transitory storage medium having computer-accessible instructions (e.g., computer-readable and/or computer-executable instructions) such as computer software, encoded or otherwise embodied in such storage medium. Those instructions can be read or otherwise accessed and executed by one or more processors to perform or permit the performance of the operations described herein. The instructions can be provided in any suitable form, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, assembler code, combinations of the foregoing, and the like. Any suitable computer-readable non-transitory storage medium may be utilized to form the computer program product. For instance, the computer-readable medium may include any tangible non-transitory medium for storing information in a form readable or otherwise accessible by one or more computers or processor(s) functionally coupled thereto. Non-transitory storage media can be embodied in or can include ROM; RAM; magnetic disk storage media; optical storage media; flash memory, etc.
[96] At least some of the embodiments of the operational environments and techniques are described herein with reference to block diagrams and flowchart illustrations of methods, systems, apparatuses, and computer program products. It can be understood that each block of the block diagrams and flowchart illustrations, and combinations of blocks in the block diagrams and flowchart illustrations, respectively, can be implemented by computer-accessible instructions. In certain implementations, the computer-accessible instructions may be loaded or otherwise incorporated into a general purpose computer, special purpose computer, or other programmable information processing apparatus to produce a particular machine, such that the operations or functions specified in the flowchart block or blocks can be implemented in response to execution at the computer or processing apparatus.
[97] Unless otherwise expressly stated, it is in no way intended that any protocol, procedure, process, or technique put forth herein be construed as requiring that its acts or steps be performed in a specific order. Accordingly, where a process or a method claim does not actually recite an order to be followed by its acts or steps or it is not otherwise specifically recited in the claims or descriptions of the subject disclosure that the steps are to be limited to a specific order, it is in no way intended that an order be inferred, in any respect. This holds for any possible non-express basis for interpretation, including: matters of logic with respect to the arrangement of steps or operational flow; plain meaning derived from grammatical organization or punctuation; the number or type of embodiments described in the specification or annexed drawings, or the like.
[98] As used in this application, the terms "environment," "system," "engine," "module," "component," "architecture," "interface," "unit," and the like refer to a computer-related entity or an entity related to an operational apparatus with one or more defined functionalities. The terms "environment," "system," "engine," "module," "component," "architecture," "interface," and "unit" can be utilized interchangeably and can be generically referred to as functional elements. Such entities may be either hardware, a combination of hardware and software, software, or software in execution. As an example, a module can be embodied in a process running on a processor, a processor, an object, an executable portion of software, a thread of execution, a program, and/or a computing device. As another example, both a software application executing on a computing device and the computing device can embody a module. As yet another example, one or more modules may reside within a process and/or thread of execution. A module may be localized on one computing device or distributed between two or more computing devices. As is disclosed herein, a module can execute from various computer-readable non-transitory storage media having various data structures stored thereon. Modules can communicate via local and/or remote processes in accordance, for example, with a signal (either analog or digital) having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as a wide area network with other systems via the signal).
[99] As yet another example, a module can be embodied in or can include an apparatus with a defined functionality provided by mechanical parts operated by electric or electronic circuitry that is controlled by a software application or firmware application executed by a processor. Such a processor can be internal or external to the apparatus and can execute at least part of the software or firmware application. Still in another example, a module can be embodied in or can include an apparatus that provides defined functionality through electronic components without mechanical parts. The electronic components can include a processor to execute software or firmware that permits or otherwise facilitates, at least in part, the functionality of the electronic components.
[100] In some embodiments, modules can communicate via local and/or remote processes in accordance, for example, with a signal (either analog or digital) having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as a wide area network with other systems via the signal). In addition, or in other embodiments, modules can communicate or otherwise be coupled via thermal, mechanical, electrical, and/or electromechanical coupling mechanisms (such as conduits, connectors, combinations thereof, or the like). An interface can include input/output (I/O) components as well as associated processors, applications, and/or other programming components.
[101] As is utilized in this disclosure, the term "processor" can refer to any type of processing circuitry or device. A processor can be implemented as a combination of processing circuitry or computing processing units (such as CPUs, GPUs, or a combination of both). Therefore, for the sake of illustration, a processor can refer to a single-core processor; a single processor with software multithread execution capability; a multi-core processor; a multi-core processor with software multithread execution capability; a multi-core processor with hardware multithread technology; a parallel processing (or computing) platform; and parallel computing platforms with distributed shared memory.
[102] Additionally, or as another example, a processor can refer to an integrated circuit (IC), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field programmable gate array (FPGA), a programmable logic controller (PLC), a complex programmable logic device (CPLD), a discrete gate or transistor logic, discrete hardware components, or any combination thereof designed or otherwise configured (e.g., manufactured) to perform the functions described herein.
[103] In some embodiments, processors can utilize nanoscale architectures in order to optimize space usage or enhance the performance of systems, devices, or other electronic equipment in accordance with this disclosure. For instance, a processor can include molecular transistors and/or quantum-dot based transistors, switches, and gates.
[104] Further, in the present specification and annexed drawings, terms such as "store," "storage," "data store," "data storage," "memory," "repository," and substantially any other information storage component relevant to the operation and functionality of a component of the disclosure, refer to memory components, entities embodied in one or several memory devices, or components forming a memory device. It is noted that the memory components or memory devices described herein embody or include non-transitory computer storage media that can be readable or otherwise accessible by a computing device. Such media can be implemented in any methods or technology for storage of information, such as machine-accessible instructions (e.g., computer-readable instructions), information structures, program modules, or other information objects.
[105] Memory components or memory devices disclosed herein can be embodied in either volatile memory or non-volatile memory or can include both volatile and non-volatile memory. In addition, the memory components or memory devices can be removable or non-removable, and/or internal or external to a computing device or component. Examples of various types of non-transitory storage media can include hard-disc drives, zip drives, CD-ROMs, digital versatile disks (DVDs) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, flash memory cards or other types of memory cards, cartridges, or any other non-transitory medium suitable to retain the desired information and which can be accessed by a computing device.
[106] As an illustration, non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM). The disclosed memory devices or memories of the operational or computational environments described herein are intended to include one or more of these and/or any other suitable types of memory.
[107] Conditional language, such as, among others, "can," "could," "might," or "may," unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain implementations could include, while other implementations do not include, certain features, elements, and/or operations. Thus, such conditional language generally is not intended to imply that features, elements, and/or operations are in any way required for one or more implementations or that one or more implementations necessarily include logic for deciding, with or without user input or prompting, whether these features, elements, and/or operations are included or are to be performed in any particular implementation.
[108] The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of examples of systems, methods, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which includes one or more machine- or computer-executable instructions for implementing the specified operations. It is noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or operations or carry out combinations of special purpose hardware and computer instructions.
[109] Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network can include copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer-readable non-transitory storage medium within the respective computing/processing device.
[110] What has been described herein in the present specification and annexed drawings includes examples of systems, devices, techniques, and computer program products that, individually and in combination, permit protecting an industrial process control system and control devices against digital intrusion and human error. It is, of course, not possible to describe every conceivable combination of components and/or methods for purposes of describing the various elements of the disclosure, but it can be recognized that many further combinations and permutations of the disclosed elements are possible. Accordingly, it may be apparent that various modifications can be made to the disclosure without departing from the scope or spirit thereof. In addition, or as an alternative, other embodiments of the disclosure may be apparent from consideration of the specification and annexed drawings, and practice of the disclosure as presented herein. It is intended that the examples put forth in the specification and annexed drawings be considered, in all respects, as illustrative and not limiting. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

What is claimed is:
1. A computer-implemented method, comprising:
receiving, by a computing system including at least one processor, state information representative of a current state of an industrial process executed in industrial equipment;
performing, by the computing system, based at least on the state information, a simulation of the industrial process using a model of the industrial process; and
determining, by the computing system, using at least an output of the simulation, an anomaly state of a process control system that automates the industrial process, the anomaly state being indicative of one of absence of an abnormal condition or presence of the abnormal condition, wherein the abnormal condition corresponds to one of an occurrence of a digital intrusion or issuance of an erroneous control command.
2. The computer-implemented method of claim 1, further comprising determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the occurrence of the digital intrusion; and
sending a directive to the process control system to execute a group of computer-implemented operations to remediate the digital intrusion.
3. The computer-implemented method of claim 1, further comprising determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the issuance of an erroneous control command; and
sending a group of control commands to a control device to remediate the issuance of the erroneous control command, the control device coupled to the process control system.
4. The computer-implemented method of claim 1, further comprising updating the model using at least a physical model of the industrial process and logic of an automation process that implements the industrial process at least partially.
5. The computer-implemented method of claim 1, wherein the model comprises a deep neural network model, the method further comprising updating the model by
receiving historical data indicative of an implementation of the industrial process; and
training the deep neural network model using at least the historical data.
6. A computer-implemented method, comprising:
receiving, by a computing system having at least one processor, a model of an industrial process executed in an industrial equipment;
configuring, by the computing system, a probe operational state of the industrial process, the probe operational state is representative of an abnormal operational condition of a process control system that automates the industrial process;
performing, by the computing system, a simulation of the industrial process using at least the model and based at least on the probe operational state;
generating, by the computing system, using at least an outcome of the simulation, a contingency plan to respond to the abnormal operational condition, the contingency plan including a group of operations to be performed by the process control system.
7. The computer-implemented method of claim 6, wherein the abnormal operational condition corresponds to at least one of an occurrence of a digital intrusion or a group of erroneous commands for the process control system, and wherein the generating comprises configuring a data structure indicative of the group of operations to be performed by the process control system.
8. The computer-implemented method of claim 7, further comprising supplying the contingency plan, wherein the supplying comprises causing the process control system to retain the data structure.
9. The computer-implemented method of claim 6, wherein the receiving comprises receiving information indicative of at least one of a physical model of the industrial process, a chemical model of the industrial process, a physicochemical model of the industrial process, control logic corresponding to automation of the industrial process, or a rule.
10. A system, comprising:
at least one memory device having stored therein computer-executable instructions; and
at least one processor configured to access the at least one memory device and further configured to execute the computer-executable instructions to:
receive state information representative of a current state of an industrial process executed in industrial equipment;
perform, based at least on the state information, a simulation of the industrial process using at least a model of the industrial process; and
determine, using at least an output of the simulation, an anomaly state of a process control system that automates the industrial process, the anomaly state being indicative of one of absence of an abnormal condition or presence of the abnormal condition, wherein the abnormal condition corresponds to one of an occurrence of a digital intrusion or issuance of an erroneous control command.
11. The system of claim 10, the at least one processor further configured to execute the computer-executable instructions to determine that the anomaly state is indicative of the presence of the abnormal condition corresponding to the occurrence of the digital intrusion; and
to send a directive to the process control system to execute a group of computer-implemented operations to remediate the digital intrusion.
12. The system of claim 10, the at least one processor further configured to determine that the anomaly state is indicative of the presence of the abnormal condition corresponding to the issuance of an erroneous control command; and
to send a group of control commands to a control device to remediate the issuance of the erroneous command, wherein the control device is coupled to the process control system.
13. The system of claim 10, the at least one processor further configured to:
configure a probe operational state of the industrial process, the probe operational state is representative of an abnormal operational condition of a process control system that automates the industrial process;
perform a second simulation of the industrial process using at least the model and based at least on the probe operational state;
generate, using at least an outcome of the simulation, a contingency plan to respond to the abnormal operational condition, the contingency plan including a group of operations to be performed by the process control system.
14. The system of claim 13, wherein the abnormal operational condition corresponds to at least one of an occurrence of a digital intrusion or a group of erroneous commands for the process control system, and wherein to generate the contingency plan, the at least one processor is further configured to configure a data structure indicative of the group of operations to be performed by the process control system.
15. The computer-implemented method of claim 14, the at least one processor further configured to supply the contingency plan, wherein to supply the contingency plan, the at least one processor is further configured to cause the process control system to retain the data structure.
16. A computer program product comprising at least one non-transitory storage medium readable by at least one processing circuit, the non-transitory storage medium having encoded thereon instructions executable by the at least one processing circuit to perform or facilitate operations comprising:
receive state information representative of a current state of an industrial process executed in industrial equipment;
perform, based at least on the state information, a simulation of the industrial process using at least a model of the industrial process; and
determine, using at least an output of the simulation, an anomaly state of a process control system that automates the industrial process, the anomaly state being indicative of one of absence of an abnormal condition or presence of the abnormal condition, wherein the abnormal condition corresponds to one of an occurrence of a digital intrusion or issuance of an erroneous control command.
17. The computer program product of claim 16, the operations further comprising:
determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the occurrence of the digital intrusion; and
sending a directive to the process control system to execute a group of computer-implemented operations to remediate the digital intrusion.
18. The computer program product of claim 16, the operations further comprising:
determining that the anomaly state is indicative of the presence of the abnormal condition corresponding to the issuance of an erroneous control command; and
sending a group of control commands to a control device to remediate the issuance of the erroneous control command, the control device coupled to the process control system.
19. The computer program product of claim 16, the operations further comprising updating the model using at least a physical model of the industrial process and logic of an automation process that implements the industrial process at least partially.
20. The computer program product of claim 16, the operations further comprising:
receiving a second model of the industrial process;
configuring a probe operational state of the industrial process, the probe operational state is representative of an abnormal operational condition of the process control system that automates the industrial process;
performing a second simulation of the industrial process using at least the second model and based at least on the probe operational state;
generating, using at least an outcome of the simulation, a contingency plan to respond to the abnormal operational condition, the contingency plan including a group of operations to be performed by the process control system.
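The two claimed methods, simulation-based determination of an anomaly state (claims 1 and 10) and contingency planning from a probe operational state (claims 6 and 13), as an added Python illustration that is not part of the patent. The tank dynamics, the proportional control logic, the tolerances, and the mapping of a command mismatch to "erroneous_command" and of an unexplained state residual to "digital_intrusion" are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed first-order tank model (assumption, not from the patent).
INFLOW_MAX = 0.5    # level gain per step at full valve opening
OUTFLOW = 0.2       # constant drain per step
LEVEL_MAX = 10.0    # physical tank height
SETPOINT = 5.0      # level the automation is supposed to hold


@dataclass
class TankState:
    """State information received from the process: one sample."""
    level: float      # observed level (sensor reading)
    valve_cmd: float  # inlet valve command issued by the controller, 0..1


def simulate_step(level: float, valve_cmd: float) -> float:
    """Model of the industrial process: predict the next level from the
    current level and the issued valve command, clamped to the tank."""
    return max(0.0, min(LEVEL_MAX, level + INFLOW_MAX * valve_cmd - OUTFLOW))


def expected_command(level: float) -> float:
    """Assumed control logic: proportional on setpoint error, saturated."""
    return max(0.0, min(1.0, 0.4 * (SETPOINT - level)))


def anomaly_state(prev: TankState, cur: TankState,
                  cmd_tol: float = 0.05, residual_tol: float = 0.05) -> str:
    """Determine the anomaly state from one simulation step.

    Mapping used here (an illustration, not the patent's rule): a command the
    control logic would not have issued is an 'erroneous_command'; an observed
    state the model cannot reproduce from the issued command is flagged
    'digital_intrusion' (e.g. manipulated sensor or actuator). In practice the
    second case needs fault diagnosis before it is attributed to an intrusion."""
    if abs(prev.valve_cmd - expected_command(prev.level)) > cmd_tol:
        return "erroneous_command"
    predicted = simulate_step(prev.level, prev.valve_cmd)
    if abs(cur.level - predicted) > residual_tol:
        return "digital_intrusion"
    return "normal"


def contingency_plan(probe_level: float, probe_valve_cmd: float,
                     horizon: int = 20) -> dict:
    """Simulate a probe operational state (valve held at probe_valve_cmd
    regardless of the control logic) and return the group of operations the
    control system should retain, with the step at which they become needed."""
    level = probe_level
    for step in range(horizon):
        level = simulate_step(level, probe_valve_cmd)
        if level >= 0.9 * LEVEL_MAX:            # overflow risk within horizon
            return {"trigger_step": step,
                    "operations": ["force_inlet_valve_closed",
                                   "open_emergency_drain"]}
    return {"trigger_step": None, "operations": []}
```

With the constructed constants, `anomaly_state(TankState(4.0, 0.4), TankState(4.0, 0.4))` is "normal" and `contingency_plan(5.0, 1.0)` reports the remediation operations as needed at step 13 of the probe simulation.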

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2018/049088 WO2020046371A1 (en) 2018-08-31 2018-08-31 Process control systems and devices resilient to digital intrusion and erroneous commands


Publications (1)

Publication Number Publication Date
WO2020046371A1 (en) 2020-03-05

Family

ID=63832479


Country Status (1)

Country Link
WO (1) WO2020046371A1 (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170264629A1 (en) * 2016-03-10 2017-09-14 Siemens Aktiengesellschaft Production process knowledge-based intrusion detection for industrial control systems
US20170359366A1 (en) * 2016-06-10 2017-12-14 General Electric Company Threat detection and localization for monitoring nodes of an industrial asset control system
US20180159879A1 (en) * 2016-12-06 2018-06-07 General Electric Company Systems and methods for cyber-attack detection at sample speed


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111818089A (en) * 2020-07-31 2020-10-23 北京微步在线科技有限公司 Network attack event display method and storage medium
WO2022056594A1 (en) * 2020-09-18 2022-03-24 Waterwerx Technology Pty Ltd Method of managing a system
EP3975495A1 (en) * 2020-09-29 2022-03-30 Siemens Aktiengesellschaft Method and system for detecting a cyber-attack on a machine controller
US11294359B1 (en) 2020-10-16 2022-04-05 Schneider Electric Systems Usa, Inc. Method and apparatus to automate process hazard, LOPA and safety PLC application program validation for safety instrumented systems
EP3985458A1 (en) * 2020-10-16 2022-04-20 Schneider Electric Systems USA, Inc. Method and apparatus to automate process hazard, lopa and safety plc application program validation for safety instrumented systems
US11644821B2 (en) 2020-10-16 2023-05-09 Schneider Electric Systems Usa, Inc. Method and apparatus to automate process hazard, LOPA and safety PLC application program validation for safety instrumented systems
WO2022106885A1 (en) * 2020-11-18 2022-05-27 Myomega Systems Gmbh Industrial control system
EP4099656A1 (en) * 2021-05-31 2022-12-07 Siemens Aktiengesellschaft Computer-implemented method and surveillance arrangement for identifying manipulations of cyber-physical-systems as well as computer-implemented-tool and cyber-physical-system
WO2022253540A1 (en) * 2021-05-31 2022-12-08 Siemens Aktiengesellschaft Computer-implemented method and surveillance arrangement for identifying manipulations of cyber-physical-systems as well as computer-implemented-tool and cyber-physical-system
EP4220460A1 (en) * 2022-01-31 2023-08-02 Siemens Aktiengesellschaft Determination of a fault cause in the operation of a cyber-physical system


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18785469; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 18785469; Country of ref document: EP; Kind code of ref document: A1