SIGA Anomaly Detection for Operational Technology Optimization and Cybersecurity


Cyberattacks are an increasingly common threat, with industrial targets having doubled in the first half of 2019 compared to the second half of 2018. Of all cyberattacks, operational technology and manufacturing was the target 50% of the time. With the rising frequency of these IT and OT attacks, SIGA OT Solutions provides a game-changing solution to combat cyberattacks through anomaly detection: a cutting-edge process optimization for operational technology that also uses advanced analytics and predictive machine learning to enable cybersecurity at the electrical level. When an anomaly occurs, SIGA alerts the user, who can then intercede before damage is done, whether from a cybersecurity incident or a component breakdown.

This is how SIGA’s patented technology provides a holistic solution for data analysis from the source with full resolution and advanced analytics. Now let's look in more depth at what the system is and how it operates.

SIGA connects uni-directionally to the I/O components in the electrical board and copies data from the electrical signals from the analog and discrete contactors. This data is read and managed in a separate, out-of-band channel that is independent of the SCADA/ICS, providing a direct connection to the data without any data tampering. Most of the PLCs and smart I/Os presently marketed filter the reading data based on averaging or other derivative algorithms. SIGA constantly records the data as raw data, without any filtering, and processes that data to provide many features and insights that are the core of SIGA’s offerings.
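The difference between an averaged reading and unfiltered sampling can be shown with a short sketch. This is an added example, not SIGA's code or algorithm: the trace, the 100 ms averaging window and the 6-sigma band are constructed assumptions, and only the 5000 samples/second rate comes from the page.

```python
import math
import statistics

SAMPLE_RATE_HZ = 5000   # per-analog rate cited on the page
AVG_WINDOW = 500        # assumption: the I/O module reports a 100 ms mean

def make_loop_trace():
    """Constructed 1 s trace of a 4-20 mA loop: 12 mA with 50 Hz ripple,
    plus a 1 ms excursion to 15 mA (5 samples at 5000 samples/s)."""
    trace = [12.0 + 0.02 * math.sin(2 * math.pi * 50 * n / SAMPLE_RATE_HZ)
             for n in range(SAMPLE_RATE_HZ)]
    for n in range(2500, 2505):
        trace[n] = 15.0
    return trace

def block_average(samples, window):
    """What an averaging reader would report: one mean per window."""
    return [statistics.fmean(samples[i:i + window])
            for i in range(0, len(samples), window)]

def learn_band(reference, k=6.0, floor=0.05):
    """Baseline and tolerance (mA) learned from a known-good segment."""
    mean = statistics.fmean(reference)
    return mean, max(k * statistics.pstdev(reference), floor)

def flag(values, mean, tol):
    """Indices of values outside mean +/- tol."""
    return [i for i, v in enumerate(values) if abs(v - mean) > tol]

def compare():
    """Run the same band check on the raw trace and on its averaged view."""
    raw = make_loop_trace()
    mean, tol = learn_band(raw[:1000])      # first 200 ms is excursion-free
    averaged = block_average(raw, AVG_WINDOW)
    return flag(raw, mean, tol), flag(averaged, mean, tol)

if __name__ == "__main__":
    raw_hits, avg_hits = compare()
    print("raw samples flagged:", raw_hits)
    print("averaged values flagged:", avg_hits)
```

The same tolerance band flags the excursion in the raw samples and nothing in the averaged view, because the 100 ms mean moves by only about 0.03 mA.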

The data is then compressed and sent to the secured SigaPlatform™ over an independent Ethernet connection that is not connected to the SCADA/ICS network. With this method of data recording and reading, the SIGA “Data Reader and Forwarder” cannot change or issue any commands for system devices, as it is connected as “read-only” in the system.

The SigaPlatform™ Architecture
Out-of-Band: Totally Separated, Isolated Network


Using the SigaPlatform, the client can analyze their data with cutting-edge web-based technology on a full-featured portal, including:
• A client can view the current value of the I/O from the field; data points can be set as a group for easy navigation and understanding of the process.
• Build multiple trends with a single data point or with correlation to other data points for any time frame.
• A client can create active alarms on the system and acknowledge them as needed.
• Configure alarms as rule-based: correlations, prediction and anomaly detection.
• Utilize advanced analytics and Machine Learning algorithms that can provide an in-depth look at the critical elements of the process and identify very small variances that cannot be identified even with a “trained eye”. These “overlooked” variances can develop into a system malfunction or cease production.

These strong capabilities also cover and provide alerts for all process deviations which were not anticipated in the design and therefore are not covered by previously set rule-based alarms. This is how SIGA can both optimize a system and detect cybersecurity threats. If there is a deviation in any process, SIGA will flag it for the client.

The advanced analytics and Machine Learning model provide predictions and anomaly detection based on one or more data records enabling sophistication in the logic of the system; this can help shift the work process into a more prescriptive maintenance mode and provide a better, robust system as more resilience is added into the SCADA/ICS work process, enabling the owner to derive new insights into their processes.

At SIGA, we understand that every SCADA/ICS is different, which is why the SIGA technology platform design is flexible, giving owners the freedom to select their own setup at reading speeds up to 5000 samples/second for each analog, with resolution starting from 24-bit, supporting any system on any scale.

SIGA’s SigaPlatform™ provides several owner-selected storage profiles, in which the owner can choose to save the data records indefinitely or for a specific period of time, based on their specific requirements.

Owners can utilize the SigaPlatform™ to better visualize the data for training and 3rd party demonstrations. The SIGA Technology will provide for consistency of operation even if the PLC or the SCADA system is disabled, enabling a backup system in case of a major disruptive event on the system.

Unique Features:
• Does not interfere with OT network: ICS untouched, completely out-of-band.
• Device visibility via monitoring untampered, unsmoothed electrical signals from source (Raw Data, Level 0).
• Independent verification and validation of PLC operation and function.
• Machine Learning engine generates actionable insights, “hidden” anomalies & new rules.
• ICS/OT: unhackable, cyber security anomaly detection solution; independent of data flow.
• Equipment & protocol agnostic.
• Legacy compatible.
• Forensics, analysis & recovery through independent, out-of-band data archiving & secure data export.

How Siga’s Technology Works:
The SigaPlatform is completely out-of-band and works independently of the ICS/SCADA system, making it the most secure and reliable anomaly detection solution.

SIGA’s core solution is a “next-generation” anomaly detection platform utilizing a copy of the raw electrical signals, based on fully “out-of-band” hardware and multi-layered analysis that aims to identify process abnormalities and generate new and valuable operational insights.

The SIGA solution is comprised of a hardware layer installed in the critical infrastructure to acquire low-level electric signals, and a software layer applying advanced analytics with optional reliable encrypted data delivery to other systems.

The electrical signals are acquired directly from the control loop between the PLC and the sensors/actuators, using unidirectional isolators, into a separate network. This raw data is analyzed by the SigaPlatform smart AI engine providing verification and validation of the real-time status of the critical end-devices in the OT network with alert and notification options.


The Hardware Layer:
Isolated Transmitters: Utilization of this standard unidirectional automation control component provides non-invasive means to mirror selected electrical signals (current & voltage) utilized/emitted by the assets without affecting the ICS system or the signals themselves. The result is an identical copy of the signal that can be processed in the SigaPlatform, which can be benchmarked, analyzed, and compared across time periods and locations. The transmitter serves as a unidirectional gateway, preventing any possibility of a return signal reaching the I/O that is being monitored. The transmitter does not affect the signal or ICS in any way as its operation is completely “out-of-band” and in parallel to the input signal.

Multifunction Data Acquisition Unit (DAQ): This component acquires and converts the data received from transmitters to a digital representation and sends it to SIGA’s main processing server/computer over a TCP/IP network.

Industrial Computer: A compact rigid computer that is the host of the Anomaly Detection Engine (see Software Layer Components section below). This computer has a powerful processor and is suitable for operating in industrial conditions including high temperatures, dirt and heavy equipment vibrations.

The Software Layer:
Source Visualization: The core offering of the SigaPlatform, which allows users to continuously monitor their sensors and operational process’ health, with data that is normally unavailable in conventional, legacy systems. The information is displayed on a user-friendly and intuitive GUI dashboard named SigaSight. By default, the dashboard presents the overall system’s state of health, as well as the state of every monitored I/O and a status assessment. Users can analyze trends and prepare reports of their equipment and process performance. In addition, the system logs all major events for future review.

Product Offering:

SigaPlatform Offering

SIGA Machine Learning Engine:
The main ML engine’s task is to detect anomalies and potential danger in the operational process which are not part of the expected fault cases and not included in pre-defined operational alarms, or are unidentified for any reason (operational or cyber). This engine combines proprietary and advanced predictive analysis algorithms that employ machine learning to analyze all incoming signals and identify potential process-related anomalies. Any possible threat is forwarded to the SigaSight™ dashboard, where it is displayed to an operator or security professional who can investigate, shut down the asset, flag the warning or determine it to be “not relevant”.

Machine Learning Engine

When there is an anomaly in the I/O, originating either from a compromised system or from an equipment problem, it will create a visible notification with identification of the source of the anomaly.

Built-in ICS Cybersecurity Solution
The SigaPlatform safeguards industrial assets by directly monitoring raw electrical signals (Level 0 real-time monitoring), as opposed to data packets which can be hacked. This makes the SigaPlatform™ a most reliable cyber-attack detection solution: detection which cannot be hacked remotely.

The detection engine is installed on a dedicated, off-the-shelf server (based on SIGA’s detailed specifications) and is installed in the client’s control room or any other secure location chosen by the client.

The SigaPlatform™ creates value for operational needs, system optimization and cybersecurity needs, all under the same platform.