General Electric Company
NON-INTRUSIVE REPLAY ATTACK DETECTION SYSTEM

Abstract:

In some embodiments, identifying a replay attack in an industrial control system of an industrial asset includes receiving a first set of time series data associated with an ambient condition of one or more first monitoring nodes at a first location of the industrial control system. An actual system feature value for the industrial asset is determined based upon the first set of time series data. A second set of time series data indicative of the ambient condition at a second location is received, and a nominal system feature value is determined based upon the second set of time series data. A correlation between the actual feature value and the nominal system feature value is analyzed to determine a correlation result. A request received by the industrial control system is selectively categorized as a replay attack based upon the correlation result.