(19)
(11)EP 3 304 307 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
29.04.2020 Bulletin 2020/18

(21)Application number: 16804456.8

(22)Date of filing:  02.06.2016
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)
G06N 99/00(2019.01)
G06N 20/00(2019.01)
G06Q 10/06(2012.01)
G06F 21/57(2013.01)
G06Q 50/06(2012.01)
(86)International application number:
PCT/US2016/035556
(87)International publication number:
WO 2016/196820 (08.12.2016 Gazette  2016/49)

(54)SYSTEMS AND METHODS FOR PROVIDING CYBERSECURITY ANALYSIS BASED ON OPERATIONAL TECHNOLOGIES AND INFORMATION TECHNOLOGIES


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 02.06.2015 US 201514728932

(43)Date of publication of application:
11.04.2018 Bulletin 2018/15

(73)Proprietor: C3.ai, Inc.
Redwood City, CA 94063 (US)

(72)Inventors:
  • CHIU, Kuenley
    Redwood City, CA 94063 (US)
  • KOLTER, Jeremy
    Redwood City, CA 94063 (US)
  • KRISHNAN, Nikhil
    Redwood City, CA 94063 (US)
  • OHLSSON, Henrik
    Redwood City, CA 94063 (US)

(74)Representative: HGF Limited
8th Floor 140 London Wall
London EC2Y 5DN (GB)


(56)References cited:
WO-A1-2015/070466
US-A1- 2013 191 919
US-A1- 2014 137 257
US-A1- 2013 086 635
US-A1- 2013 282 314
US-B1- 7 747 494
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD OF THE INVENTION



    [0001] The present technology relates to the field of energy management. More particularly, the present technology discloses techniques for providing cybersecurity analysis based at least in part on operational technologies and information technologies.

    BACKGROUND



    [0002] Resource consumption touches every aspect of life. Resources are consumed for a wide variety of purposes every day. In some cases, energy is consumed in order to provide power to various components or to enable various devices or systems to function. In one example, energy in the form of electricity is consumed to enable the operations of computing devices or computing systems, appliances, air-conditioners, and many other components, entities, devices, systems, or services. In another example, energy in the form of natural gas is consumed to enable gas space heaters, gas water heaters, gas stoves, and other components, entities, devices, systems, or services to function.

    [0003] Due to significant amounts of energy being consumed every day, it can be beneficial to provide tools or services for evaluating energy usage and ensuring that energy is being provided appropriately and continuously without interruption. In some instances, one or more components of an energy delivery network can be vulnerable or open to attack by various cyber threats, such as viruses, malware, and hackers. Conventional approaches to evaluating and providing security for energy delivery can oftentimes be insufficient, ineffective, or otherwise lacking. Moreover, in many cases, conventional approaches to energy observation, tracking, and protection do not provide adequate information or other resources to efficiently resolve various cyber issues. Accordingly, such concerns associated with conventional approaches can create challenges for and worsen the overall experience associated with energy delivery and consumption.

    [0004] US 7,747,494 B1 describes a computer implemented method of assessing risk associated with one or more assets for a business enterprise by comparing a non-determinative real risk score with a non-determinative simulated risk score.

    SUMMARY



    [0005] The present invention is defined in the independent claims. Preferred embodiments are defined in the dependent claims.

    [0006] Various embodiments of the present disclosure can include systems, methods, and non-transitory computer readable media that are configured to acquire a first set of data from a first group of data sources including a plurality of network components within an energy delivery network. A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric.

    [0007] In an embodiment, a plurality of third metrics including the third metric indicating the overall level of cybersecurity risk associated with the particular network component can be generated. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The plurality of network components can be ranked based on the plurality of third metrics to produce a ranked list of network components. At least a portion of the ranked list of network components can be provided to an energy provider that utilizes the energy delivery network.

    [0008] In an embodiment, a set of visualizations for a set of network components identified in the ranked list of network components can be generated. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. Each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component.

    [0009] In an embodiment, generating the third metric can further comprise applying a first weight value to the first metric to produce a first weighted metric. A second weight value can be applied to the second metric to produce a second weighted metric. The first weighted metric and the second weighted metric can be combined to produce the third metric.

    [0010] In an embodiment, the first set of data can be acquired using at least a portion of a network cybersecurity service. The second set of data can be acquired using at least a portion of an energy management platform.

    [0011] In an embodiment, the first set of data can be associated with detected network traffic within the energy delivery network. Generating the first metric can include analyzing the detected network traffic.

    [0012] In an embodiment, analyzing the detected network traffic can include utilizing at least one of a syntax indicator, a computed indicator, or an advanced behavioral indicator. The likelihood that the particular network component is affected by the one or more cyber vulnerabilities can be calculated based on the at least one of the syntax indicator, the computed indicator, or the advanced behavioral indicator.

    [0013] In an embodiment, the syntax indicator can be based on analysis of at least one of an Internet Protocol (IP) address associated with the detected network traffic or an email address associated with the detected network traffic.

    [0014] In an embodiment, the computed indicator can be based on analysis of at least one of a message-digest algorithm hash value associated with the detected network traffic or a regular expression associated with the detected network traffic.

    [0015] In an embodiment, the advanced behavioral indicator can be based on analysis of at least one of a multiple-step series of activities associated with the detected network traffic or a combination of multiple indicators associated with the detected network traffic.
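The three indicator classes in the preceding paragraphs can be turned into a per-component likelihood score. The following Python is an added example, not code from the patent or from C3.ai: the watchlists (documentation-range IPs, placeholder domains, an MD5 of a constructed blob), the traffic records, the `scan -> login -> write_setpoint` sequence and the class weights are all assumptions chosen to illustrate the mechanism.

```python
"""Added example, not from the patent: a likelihood-style first metric per
network component from the three indicator classes in [0012]-[0015]:
syntax (IP address / email address), computed (MD5 hash / regular expression)
and advanced behavioral (a multi-step series of activities). Watchlists,
traffic records and the scoring rule are all constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One constructed traffic record observed at a network component."""
    component: str   # e.g. "firewall_122" (numbering borrowed from FIGURE 1)
    src_ip: str
    email: str       # sender address for mail-like traffic, "" otherwise
    payload: bytes
    action: str      # coarse activity label used by the behavioral indicator


# Constructed watchlists (documentation IP ranges and placeholder domains).
BAD_IPS = {"192.0.2.10", "198.51.100.7"}                            # syntax: IP
BAD_EMAIL_RE = re.compile(r"@(badcorp|phish)\.example$")             # syntax: email
BAD_MD5 = {hashlib.md5(b"constructed-malicious-blob").hexdigest()}  # computed: hash
BAD_PAYLOAD_RE = re.compile(rb"cmd=(shutdown|open_breaker)\b")      # computed: regex
# Advanced behavioral indicator: an ordered multi-step series of activities.
BAD_SEQUENCE = ("scan", "login", "write_setpoint")


def syntax_hits(ev: Event) -> int:
    """Number of syntax indicators matching a single record."""
    return int(ev.src_ip in BAD_IPS) + int(BAD_EMAIL_RE.search(ev.email) is not None)


def computed_hits(ev: Event) -> int:
    """Number of computed indicators matching a single record."""
    hash_hit = hashlib.md5(ev.payload).hexdigest() in BAD_MD5
    regex_hit = BAD_PAYLOAD_RE.search(ev.payload) is not None
    return int(hash_hit) + int(regex_hit)


def behavioral_hits(events: list[Event]) -> int:
    """Count in-order (not necessarily adjacent) occurrences of BAD_SEQUENCE
    in one component's event stream."""
    hits, pos = 0, 0
    for ev in events:
        if ev.action == BAD_SEQUENCE[pos]:
            pos += 1
            if pos == len(BAD_SEQUENCE):
                hits += 1
                pos = 0
    return hits


def first_metric(events: list[Event], weights=(0.2, 0.3, 0.5)) -> float:
    """Likelihood in [0, 1] that the component is affected. Each indicator class
    contributes its weight once if it fires at least once; the behavioral class
    weighs most because it combines several observations. Assumed rule."""
    w_syn, w_comp, w_beh = weights
    syn = any(syntax_hits(e) for e in events)
    comp = any(computed_hits(e) for e in events)
    beh = behavioral_hits(events) > 0
    return round(w_syn * syn + w_comp * comp + w_beh * beh, 3)


def likelihood_by_component(events: list[Event]) -> dict[str, float]:
    """Group records by component and score each one."""
    grouped: dict[str, list[Event]] = {}
    for ev in events:
        grouped.setdefault(ev.component, []).append(ev)
    return {name: first_metric(evs) for name, evs in grouped.items()}


# Constructed sample traffic: firewall_122 sees a watchlisted IP and the full
# scan -> login -> write_setpoint sequence; server_128 only receives a payload
# whose MD5 matches the hash watchlist.
SAMPLE_EVENTS = [
    Event("firewall_122", "192.0.2.10", "", b"GET /status", "scan"),
    Event("firewall_122", "203.0.113.5", "ops@utility.example", b"login ok", "login"),
    Event("firewall_122", "203.0.113.5", "", b"set id=7 value=0", "write_setpoint"),
    Event("server_128", "203.0.113.9", "billing@utility.example",
          b"constructed-malicious-blob", "read"),
]

if __name__ == "__main__":
    for name, score in sorted(likelihood_by_component(SAMPLE_EVENTS).items()):
        print(f"{name}: first metric = {score}")
```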

    [0016] In an embodiment, the second set of data can be associated with at least one of customer data relating to the energy delivery network, operations data relating to the energy delivery network, or economic data relating to the energy delivery network. Generating the second metric can include analyzing the at least one of the customer data, the operations data, or the economic data.

    [0017] In an embodiment, the customer data can be associated with at least one of a customer count, an issue resolution time, a reliability index, or a customer criticality metric. The operations data can be associated with at least one of a labor cost, a materials cost, a physical damage likelihood metric, or a degree of redundancy. The economic data can be associated with at least one of an energy delivery cost, an equipment cost, or a regulatory penalty.

    [0018] In an embodiment, at least some network components in the plurality of network components can be associated with operational technology. At least some services in the collection of services can be associated with information technology.

    [0019] In an embodiment, the plurality of network components can include at least one of a router, a switch, a server, a firewall, a transformer, an energy distribution component, an energy transmission component, an energy generation component, or an energy delivery substation.

    [0020] In an embodiment, the first group of data sources can further include at least one of a supervisory control and data acquisition (SCADA) command and control service, an enterprise firewall service, a log service, an intrusion prevention service, a security information and event management service (SIEM), or an intrusion protection service.

    [0021] In an embodiment, the collection of services can include at least one of a phone service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head end service, an energy management service, a demand management service, an outage management service, a customer care and billing service, an enterprise communications service, or a threat and vulnerability detection library service.

    [0022] In an embodiment, the third metric can be generated based on utilizing one or more machine learning processes to determine how the first metric and the second metric are to be combined to produce the third metric.

    [0023] In an embodiment, the energy delivery network can include at least one of an electricity delivery network, an oil delivery network, or a gas delivery network.

    [0024] Many other features, applications, embodiments, and/or variations of the disclosed technology will be apparent from the accompanying drawings and from the following detailed description. Additional and/or alternative implementations of the structures, systems, non-transitory computer readable media, and methods described herein can be employed without departing from the principles of the disclosed technology.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0025] 

    FIGURE 1 illustrates an example scenario in which cybersecurity analysis can be provided for operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 2 illustrates an example system including an example cybersecurity analysis module configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 3A illustrates an example cyber vulnerability module configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 3B illustrates an example potential impact module configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 4 illustrates an example block diagram associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 5 illustrates an example screenshot associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 6 illustrates an example method associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 7A illustrates an example method associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 7B illustrates an example method associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure.

    FIGURE 8 illustrates an example environment for energy management, in accordance with an embodiment of the present disclosure.

    FIGURE 9 illustrates an example energy management platform, in accordance with an embodiment of the present disclosure.

    FIGURE 10 illustrates an example applications server of an energy management platform, in accordance with an embodiment of the present disclosure.

    FIGURE 11 illustrates an example machine within which a set of instructions for causing the machine to perform one or more of the embodiments described herein can be executed, in accordance with an embodiment of the present disclosure.



    [0026] The figures depict various embodiments of the present disclosure for purposes of illustration only, wherein the figures use like reference numerals to identify like elements. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated in the figures may be employed without departing from the principles of the disclosed technology described herein.

    DETAILED DESCRIPTION


    PROVIDING CYBERSECURITY ANALYSIS BASED ON OPERATIONAL TECHNOLOGIES AND INFORMATION TECHNOLOGIES



    [0027] Resources, such as energy, are consumed or used every day for a wide variety of purposes. In one example, consumers can use energy in the form of natural gas to power various appliances at home and businesses can use natural gas to operate various machinery. In another example, consumers and businesses can use energy in the form of electricity to power various electronic appliances and other electrical components, devices, or systems.

    [0028] Energy consumption is facilitated by energy providers who supply energy to meet demand. Energy providers, such as utility companies, can provide one or more forms of energy, such as natural gas, oil, gasoline, electricity, etc. In some cases, energy providers can utilize energy delivery networks or systems to provide energy to their intended customers (i.e., users). In exchange, the energy providers can bill their customers for the energy consumed. Customers have to pay their energy bills if they wish to continue using the provided energy.

    [0029] An energy delivery network (or system, service, etc.) can oftentimes include an operational technology (OT) portion and an information technology (IT) portion. In general, operational technologies perform various tasks and activities to enable energy to be physically delivered to the customers. For example, the operational technology portion can correspond to an electric grid, including hardware and software components, configured to facilitate physical delivery and/or transmission of electricity to customers. Moreover, the information technology portion of the energy delivery network can sometimes be referred to as the enterprise portion of the energy delivery network. Information technologies can provide one or more services or systems enabling the energy provider to manage energy delivery, provide customer service, communicate with customers, and/or perform other tasks. For instance, information technologies can include a billing service or system that records which customers are to be billed and for how much money.

    [0030] In some cases, one or more services and/or systems of information technologies can communicate with one or more components and/or systems of operational technologies. Furthermore, information technologies can connect to public networks, such as the internet. As such, in some instances, information technologies and operational technologies can be vulnerable to viruses, malware, hackers, errors, inadvertent/mistaken operation, and/or other cyber threats. However, conventional approaches are generally lacking in providing evaluation and protection measures for information technologies and operational technologies. Moreover, under conventional approaches, energy providers often face difficulty in determining how to resolve cybersecurity issues. Due to these and other reasons, conventional approaches can be insufficient, problematic, and inefficient. Accordingly, an improved approach to providing cybersecurity measures for energy delivery networks can be advantageous.

    [0031] Various embodiments of the present disclosure can provide cybersecurity analysis based on (i.e., based at least in part on) operational technologies and information technologies. Systems, methods, and non-transitory computer readable media of the disclosed technology can be configured to acquire a first set of data from a first group of data sources including a plurality of network components within an energy delivery network. A first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected (i.e., is currently affected, has been affected, may be affected, and/or will be affected, etc.) by one or more cyber vulnerabilities can be generated based on the first set of data. A second set of data can be acquired from a second group of data sources including a collection of services associated with the energy delivery network. A second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component can be generated based on the second set of data. A third metric indicating an overall level of cybersecurity risk associated with the particular network component can be generated based on the first metric and the second metric. It is contemplated that there can be many variations and/or other possibilities. For instance, there can be many variations for generating the third metric based on one or more combinations or calculations utilizing the first metric and the second metric.

    [0032] FIGURE 1 illustrates an example scenario 100 in which cybersecurity analysis can be provided for operational technologies and information technologies, in accordance with an embodiment of the present disclosure. It should be understood that all examples herein are provided for illustrative purposes and that many variations are possible. In the example scenario 100, an example cybersecurity analysis module 102 can be configured to acquire data from operational technologies and information technologies in an energy delivery network or system. Based on the acquired data, the cybersecurity analysis module 102 can facilitate providing cybersecurity analysis based on operational technologies and information technologies in the energy delivery network.

    [0033] As shown in the example of FIGURE 1, the energy delivery network can include an information technology portion (IT) and an operational technology (OT) portion. In this example, the information technology portion can be represented as the left side of the dotted vertical line 103, while the operational technology portion can be represented as the right side of the dotted vertical line 103. As discussed previously, operational technologies of the energy delivery network can enable energy to be monitored, controlled, and/or physically delivered or provided to intended customers. Information technologies can provide various services and functions other than the physical delivery or transmission of the energy to the customers.

    [0034] In the example scenario 100, operational technologies of the energy delivery network can include one or more generators 104, transmission systems 106, and distribution systems 108. Further, there can be a plurality of energy delivery substations, such as Substation A 110 and Substation B 112. Each respective substation can deliver energy to a respective group of customers. For instance, the example scenario 100 shows that Substation A 110 can provide energy to various customers, such as Building A 114, Building B 116, and Building C 118. Furthermore, each substation can include a plurality of components (or systems). Such components can include, but are not limited to, one or more communications components 120, firewalls 122, routers 124, network switches 126, servers 128, transformers 130, breakers 127, electrical switches 129, and reclosers 131. In some cases, components such as the firewalls 122, routers 124, network switches 126, servers 128, etc. can be associated with the information technology portion while components such as the transformers 130, breakers 127, electrical switches 129, reclosers 131, etc. can be associated with the operational technology portion. These components can be configured to facilitate delivering energy to the customers. For instance, the one or more routers 124 can direct information to facilitate energy delivery. Switches such as the one or more electrical switches 129 can toggle to cause energy to be transmitted to its intended destination. The one or more transformers 130 can facilitate energy transfer between circuits, such as via induction. The one or more communications components 120, one or more servers 128, and/or control components can instruct the routers 124, switches 126, and/or transformers 130 to operate appropriately. The one or more firewalls 122 can attempt to prevent undesirable or inappropriate traffic. It should be understood that many variations are possible.

    [0035] In addition, information technologies of the energy delivery network can include a collection of services or systems. Examples of the services (or systems) can include, but are not limited to, a phone system 132, a meter data management (MDM) system 134, a billing system 136, a customer service system 138, an outage management system 140, and a database(s) 142. Further, each of the information technology systems or services can be connected to a public network, such as the internet 144. Again, there can be many variations or other possibilities.

    [0036] In some instances, one or more information technology services (or systems) of the energy delivery network can connect with one or more operational technology components (or systems) of the energy delivery network. In the example scenario 100, the meter data management system 134 and the billing system 136 of the information technology portion can be connected to Substation A 110 of the operational technology portion. Although not shown in this example, other information technologies can be connected to various operational technologies as well. Accordingly, operational technologies can also connect to public networks, such as by connecting to the internet 144 via information technologies. As a result, in some cases, viruses, malware, hackers, errors (e.g., typos, invalid data, etc.), or other cyber threats can negatively affect the information technologies as well as the operational technologies. In some cases, one or more firewalls 146 can be set up between information technology systems and operational technology systems. However, due to the quantity, variety, and ever-changing nature of cyber threats, such firewalls 146 are oftentimes insufficient or inadequate to protect against potential cyber threats to information technologies and operational technologies.

    [0037] As discussed above, the cybersecurity analysis module 102 can be configured to facilitate providing cybersecurity analysis based on (i.e., based at least in part on) operational technologies and information technologies in the energy delivery network. As shown in the example scenario 100, the cybersecurity analysis module 102 can request, fetch, retrieve, monitor, or otherwise acquire data from various components, services, and/or systems of the operational and information technology portions of the energy delivery network. In some implementations, the data can be acquired in (or near) real-time and/or can be acquired at various times (e.g., every day, every hour, every minute, every second, hundreds of times per second, thousands of times per second, etc.). In one example, the cybersecurity analysis module 102 can acquire or monitor firewall data which indicates whether the firewalls are experiencing unusual, abnormal, or unexpected network traffic. In another example, the cybersecurity analysis module 102 can acquire or monitor server data which indicates whether the servers are being used in an unusual, abnormal, or unexpected manner. In another example, the cybersecurity analysis module 102 can acquire or monitor transformer data which indicates whether the transformers are in an unusual, abnormal, or unexpected state. Many variations are possible.

    [0038] The cybersecurity analysis module 102 can process the acquired data and provide a detailed analysis of various cybersecurity issues for the operational technologies and the information technologies. In some embodiments, the cybersecurity analysis module 102 can provide or be utilized with a control panel or dashboard that presents cybersecurity information (e.g., the detailed analysis) to an entity, such as a cybersecurity analyst or manager (or administrator) who is responsible for determining how to proceed when a multitude of cybersecurity risks are detected within the energy delivery network. The cybersecurity information or analysis can, for example, specify where the cybersecurity risks are located (e.g., where they are currently located, where they may be located in the future, etc.), who the affected customers are, where the affected customers are, and/or a list of specific items to be examined in attempt to mitigate the cybersecurity risks, etc. More details regarding the cybersecurity analysis module 102 will be provided below with reference to FIGURE 2.

    [0039] FIGURE 2 illustrates an example system 200 including an example cybersecurity analysis module 202 configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. In some embodiments, the cybersecurity analysis module 102 of FIGURE 1 can be implemented as the example cybersecurity analysis module 202. As shown in FIGURE 2, the example cybersecurity analysis module 202 can include a cyber vulnerability module 204, a potential impact module 206, and a cybersecurity risk module 208. In some instances, the example system 200 can also include at least a first group of data sources 210 and a second group of data sources 212. The components (e.g., modules, elements, data sources, etc.) shown in this figure and all figures herein are exemplary only, and other implementations may include additional, fewer, integrated, or different components. Some components may not be shown so as not to obscure relevant details.

    [0040] In some embodiments, the cybersecurity analysis module 202 can be implemented, in part or in whole, using software, hardware, or any combination thereof. In general, a module can be associated with software, hardware, or any combination thereof. In some implementations, one or more functions, tasks, and/or operations of modules can be carried out or performed by software routines, software processes, hardware components, and/or any combination thereof. In some cases, the cybersecurity analysis module 202 can be implemented as software running on one or more computing devices or systems. In one example, at least a portion of the cybersecurity analysis module 202 can be implemented via one or more computing systems in a networked environment, such as via one or more remote or cloud servers. In another example, at least a portion of the cybersecurity analysis module 202 can be implemented within an application (e.g., app) on a computing device or system such as a smartphone, tablet, laptop, or desktop computer. In some embodiments, the cybersecurity analysis module 202 can be implemented by or with an energy management platform, such as the energy management platform 802 of FIGURE 8 or the energy management platform 902 of FIGURE 9. The energy management platform may provide the functionality(ies) of the cybersecurity analysis module 202 as a service or through software. The cybersecurity analysis module 202 can, in some instances, be implemented within a proprietary program used by an energy provider, such as a utility company. In some cases, the cybersecurity analysis module 202 can be implemented with a network resource, such as a website or webpage. It is contemplated that many variations are possible.

    [0041] As discussed, the cybersecurity analysis module 202 can be configured to acquire data from various components, services, systems, etc., of the operational technology portion and the information technology portion of the energy delivery network. In some embodiments, the cybersecurity analysis module 202 can utilize the cyber vulnerability module 204 to facilitate acquiring a first set of data from the first group of data sources 210. The first group of data sources 210 can include, but is not limited to, a plurality of network components (i.e., energy network components) within the energy delivery network, such as various operational technology components or systems. Examples of the network components can include, but are not limited to, at least one of a router, a switch, a server, a firewall, a transformer, an energy distribution component, an energy transmission component, an energy generation component, and/or an energy delivery substation, etc. Additionally, the cyber vulnerability module 204 can also be configured to facilitate generating, based on (i.e., based at least in part on) the first set of data, a first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected (e.g., has been affected, is currently affected, and/or may be affected in the future, etc.) by one or more cyber vulnerabilities. The cyber vulnerability module 204 will be discussed in more detail below with reference to FIGURE 3A.

    [0042] Moreover, the cybersecurity analysis module 202 can utilize the potential impact module 206 to facilitate acquiring a second set of data from the second group of data sources 212. The second group of data sources 212 can include, but is not limited to, a collection of services associated with the energy delivery network, such as various information technology services or systems. The potential impact module 206 can also be configured to facilitate generating, based on the second set of data, a second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component. More details regarding the potential impact module 206 will be provided below with reference to FIGURE 3B.

    [0043] In some embodiments, at least some network components in the plurality of network components can be associated with operational technology. In some embodiments, at least some services in the collection of services can be associated with information technology. However, it is also contemplated that at least some of the network components can be associated with information technology and that at least some of the services in the collection of services can be associated with operational technology.

    [0044] Furthermore, the cybersecurity analysis module 202 can utilize the cybersecurity risk module 208 to facilitate generating, based on the first metric and the second metric, a third metric indicating an overall level of cybersecurity risk associated with the particular network component. The third metric can, for instance, represent a measure of cyber threat severity, for the particular network component, that takes into consideration the likelihood that the particular network component has one or more cyber vulnerabilities as well as the calculated potential impact to the energy delivery network (or at least a particular portion thereof) if and when the particular network component is affected by the one or more cyber vulnerabilities.

    [0045] In some implementations, the cybersecurity risk module 208 can generate the third metric from a defined combination of the first metric and the second metric. In one example, in order to generate the third metric, the cybersecurity risk module 208 can apply a first weight value to the first metric to produce a first weighted metric. The cybersecurity risk module 208 can further apply a second weight value to the second metric to produce a second weighted metric. The cybersecurity risk module 208 can then combine the first weighted metric and the second weighted metric to produce the third metric. In another example, the energy provider (e.g., the utility company) can define how the first and second metrics are to be combined to produce the third metric. In a further example, the third metric can be generated based on utilizing one or more machine learning processes to determine how the first metric and the second metric are to be combined to produce the third metric. The one or more machine learning processes can ensure that the cybersecurity analysis module 202 is dynamically updated and is configured to detect emerging cybersecurity threats and vulnerabilities. In some cases, the machine learning processes can incorporate utility user feedback regarding the authenticity of detected threats and vulnerabilities as well as end customer impacts due to such threats and vulnerabilities. The machine learning processes can take into consideration data and user input regarding the authenticity and/or impact of detected threats and vulnerabilities by updating approaches to cybersecurity risk determination, traffic detection/monitoring, and/or impact calculation. It is contemplated that there can be numerous variations and/or other possibilities.

    [0046] Furthermore, in some implementations, the cybersecurity risk module 208 can be configured to generate a plurality of third metrics, including the third metric indicating the overall level of cybersecurity risk associated with the particular network component, as discussed previously. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. The cybersecurity risk module 208 can further rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. Additionally, the cybersecurity risk module 208 can provide at least a portion of the ranked list of network components (e.g., at least a specified number of highest ranked network components) to the energy provider that utilizes the energy delivery network. Accordingly, the ranked list (and/or the plurality of third metrics) can help the energy provider determine priorities for examining the network components, repairing the network components, recording actions taken on the network components, recording the state of cybersecurity policy compliance of the network components, or otherwise addressing cybersecurity concerns at the network components. In some cases, the ranked list (and/or the plurality of third metrics) can be provided in association with a large amount of information, such as information that indicates which network components have been attacked, are currently being attacked, and/or will be attacked by cyber threats, which customers are affected, and so forth. Many variations are possible.

    [0047] FIGURE 3A illustrates an example cyber vulnerability module 302 configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. In some embodiments, the cyber vulnerability module 204 of FIGURE 2 can be implemented as the example cyber vulnerability module 302. As shown in FIGURE 3A, the cyber vulnerability module 302 can include a vulnerability data processing module 304 and a vulnerability metric module 306.

    [0048] As discussed above, the cyber vulnerability module 302 can facilitate acquiring a first set of data from a first group of data sources. In some embodiments, the cyber vulnerability module 302 can utilize the vulnerability data processing module 304 to acquire the first set of data from the first group of data sources. In some embodiments, the first group of data sources can include, but is not limited to, at least one of a supervisory control and data acquisition (SCADA) command and control service, an enterprise firewall service, a log service, an intrusion prevention service, a security information and event management service (SIEM), and/or an intrusion protection service, etc.

    [0049] Moreover, the first set of data can, for instance, be referred to as vulnerability data or cyber vulnerability data. Based on the cyber vulnerability data, the vulnerability data processing module 304 can determine one or more potential cyber vulnerabilities (if any) associated with network components in the energy delivery network, as well as various properties or metadata associated with the potential cyber vulnerabilities.

    [0050] In some instances, the first set of data can be acquired using at least a portion of a network cybersecurity service, such as an end point protection provider, a security information event monitoring (SIEM) provider, an intrusion prevention provider, a behavioral threat detection provider, and/or an operational technology security product provider, etc. In some cases, the network cybersecurity service can correspond to a third-party service.

    [0051] Furthermore, as discussed previously, the cyber vulnerability module 302 can be configured to generate, based on the first set of data, a first metric (i.e., a cyber vulnerability metric) indicating a likelihood that a particular network component is affected by one or more cyber vulnerabilities, such as viruses, malware, hackers, errors, etc. The cyber vulnerability module 302 can utilize the vulnerability metric module 306 to generate the first metric. In some cases, the first set of data can be associated with detected network traffic within the energy delivery network, such as network traffic detected at various network components within the energy delivery network. The vulnerability metric module 306 can generate the first metric based on analyzing the detected network traffic.

    [0052] In some embodiments, analyzing the detected network traffic can include utilizing at least one of a syntax (or rule-based) indicator, a computed (or analytical) indicator, and/or an advanced behavioral indicator, etc. Moreover, the likelihood that the particular network component is affected by the one or more cyber vulnerabilities can be calculated, by the vulnerability metric module 306, based on the at least one of the syntax indicator, the computed indicator, or the advanced behavioral indicator.

    [0053] In some cases, the cyber vulnerability module 302 can identify patterns and develop rules or syntax indicators for detecting illegitimate activities particular to the energy delivery network. For example, if the cyber vulnerability module 302 detects that an admin login fails to sufficiently correlate with the admin's deduced physical presence and/or that an unexpected pair of Internet Protocol (IP) addresses has appeared, then the first metric can be increased. In some instances, the cyber vulnerability module 302 can perform analytics and/or detect computed indicators. For example, if the cyber vulnerability module 302 detects protocol anomalies, unexpected device appearances, unexpected MAC addresses, unauthorized access attempts, and/or unexpected privilege escalations (e.g., a user unexpectedly attempting to perform an unpermitted task), etc., then the first metric can be increased. In some instances, the cyber vulnerability module 302 can detect advanced behavior indicators. For example, if the cyber vulnerability module 302 detects unexpected bandwidth spikes, unexpected CPU usage spikes, a command received at an unexpected time, and/or a trust boundary violation, then the first metric can be increased. It should be appreciated that there can be many variations or other possibilities.

    [0054] In one example, the syntax indicator can be based on analysis of at least one of an Internet Protocol (IP) address associated with the detected network traffic or an email address associated with the detected network traffic. In this example, if the IP address and/or the email address is determined to be linked to an illegitimate source, system, entity, account, etc., then the first metric can be increased. In another example, the computed indicator can be based on analysis of at least one of a message-digest algorithm (e.g., MD5) hash value associated with the detected network traffic or a regular expression (e.g., spam message keyword) associated with the detected network traffic. In this example, if the hash value is determined to be related to a virus, malware, Trojan, etc., and/or if the regular expression is determined to be related to a spam communication, a phishing message, a piece of junk mail, etc., then the first metric can be increased. In a further example, the advanced behavioral indicator can be based on analysis of at least one of a multiple-step series of activities associated with the detected network traffic or a combination of multiple indicators associated with the detected network traffic. In this example, if a particular sequence of multiple activities is unexpected/unusual and/or if a significant quantity of unexpected/unusual activity indicators are detected, then the first metric can be increased. Again, many variations are possible.
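    Paragraphs [0052] to [0054] describe three classes of indicator (syntax, computed, advanced behavioral) that each raise the first metric when they fire. The following Python script is an added illustration, not code from the patent or from C3.ai: it runs the three indicator classes over constructed traffic events for one component and combines the triggered indicators into a likelihood in [0, 1]. The blocked IP and email domain, the hash value, the regular expression, the indicator weights and the noisy-OR combination rule are all assumptions introduced for the example.

```python
import re

# Constructed reference data for the three indicator classes. These are placeholders,
# not indicators taken from the patent or from any threat feed.
BLOCKED_IPS = {"203.0.113.7"}                      # syntax: IP linked to an illegitimate source
BLOCKED_EMAIL_DOMAINS = {"badmail.example"}       # syntax: sender domain linked to an illegitimate source
KNOWN_BAD_HASHES = {"constructed-bad-hash-0001"}  # computed: hash value related to malware
PHISHING_RE = re.compile(r"\b(verify your account|reset your password|urgent)\b", re.I)  # computed: spam keywords

# Assumed contribution of each indicator; the patent only says the metric "can be increased".
INDICATOR_WEIGHTS = {
    "syntax.blocked_ip": 0.4,
    "syntax.blocked_email": 0.3,
    "computed.bad_hash": 0.7,
    "computed.phishing_regex": 0.25,
    "computed.privilege_escalation": 0.5,
    "behavioral.failed_login_then_success_then_escalation": 0.6,
    "behavioral.many_indicators": 0.3,
}


def syntax_indicators(event):
    """Rule-based checks on a single traffic event (IP address, email sender)."""
    hits = []
    if event.get("src_ip") in BLOCKED_IPS:
        hits.append("syntax.blocked_ip")
    sender_domain = event.get("email_from", "").rsplit("@", 1)[-1]
    if sender_domain in BLOCKED_EMAIL_DOMAINS:
        hits.append("syntax.blocked_email")
    return hits


def computed_indicators(event):
    """Analytical checks on a single event (hash lookup, regular expression, unpermitted action)."""
    hits = []
    if event.get("hash") in KNOWN_BAD_HASHES:
        hits.append("computed.bad_hash")
    if PHISHING_RE.search(event.get("payload", "")):
        hits.append("computed.phishing_regex")
    if event.get("type") == "privilege_escalation" and not event.get("authorized", False):
        hits.append("computed.privilege_escalation")
    return hits


def behavioral_indicators(events, per_event_hits):
    """Checks over the whole sequence: a multi-step series of activities and a
    significant quantity of single-event indicators."""
    hits = []
    expected = ["login_failure", "login_success", "privilege_escalation"]
    matched = 0
    for event in events:  # events are assumed to be in time order
        if matched < len(expected) and event.get("type") == expected[matched]:
            matched += 1
    if matched == len(expected):
        hits.append("behavioral.failed_login_then_success_then_escalation")
    if sum(1 for h in per_event_hits if h) >= 3:
        hits.append("behavioral.many_indicators")
    return hits


def cyber_vulnerability_metric(events):
    """Return (first metric, triggered indicators) for one component's detected traffic.

    Combination rule (assumed): noisy-OR of the triggered weights, so every additional
    indicator increases the likelihood while it stays inside [0, 1]."""
    per_event = [syntax_indicators(e) + computed_indicators(e) for e in events]
    triggered = {h for hits in per_event for h in hits}
    triggered.update(behavioral_indicators(events, per_event))
    p_unaffected = 1.0
    for name in triggered:
        p_unaffected *= 1.0 - INDICATOR_WEIGHTS[name]
    return round(1.0 - p_unaffected, 4), sorted(triggered)


# Constructed traffic for two components; not data from the patent.
SUSPICIOUS_TRAFFIC = [
    {"src_ip": "203.0.113.7", "type": "login_failure", "user": "admin"},
    {"src_ip": "203.0.113.7", "type": "login_success", "user": "admin"},
    {"src_ip": "203.0.113.7", "type": "privilege_escalation", "user": "admin", "authorized": False},
    {"src_ip": "203.0.113.7", "type": "file_transfer", "hash": "constructed-bad-hash-0001"},
    {"src_ip": "203.0.113.7", "type": "email", "email_from": "billing@badmail.example",
     "payload": "Urgent: verify your account"},
]
BENIGN_TRAFFIC = [
    {"src_ip": "10.20.0.5", "type": "login_success", "user": "operator"},
    {"src_ip": "10.20.0.5", "type": "setpoint_write", "authorized": True},
]

if __name__ == "__main__":
    for label, traffic in (("rtu-12", SUSPICIOUS_TRAFFIC), ("rtu-07", BENIGN_TRAFFIC)):
        metric, why = cyber_vulnerability_metric(traffic)
        print(f"{label}: first metric = {metric}, indicators = {why}")
```

    Returning the list of triggered indicators alongside the number is deliberate: interface portion 506 in FIGURE 5 is described as presenting why a component is at risk, and an analyst cannot act on a bare likelihood. The noisy-OR rule also makes a single strong indicator (the known-bad hash) dominate, while the benign traffic produces exactly zero.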

    [0055] FIGURE 3B illustrates an example potential impact module 352 configured to facilitate providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. In some embodiments, the potential impact module 206 of FIGURE 2 can be implemented as the example potential impact module 352. In some instances, the potential impact module 352 can recognize or have access to information about how the energy delivery network is configured (e.g., which customers are connected to which substations, how customers are connected to substations, how much energy is passing through each substation, how customers use delivered energy, etc.). Such information can assist the potential impact module 352 to facilitate providing cybersecurity analysis. As shown in FIGURE 3B, the potential impact module 352 can include an impact data processing module 354 and an impact metric module 356.

    [0056] The potential impact module 352 can utilize the impact data processing module 354 to facilitate acquiring a second set of data from a second group of data sources including a collection of services associated with the energy delivery network. The collection of services can, for instance, include information technology services or systems. Examples of the collection of services can include, but are not limited to, at least one of a phone service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head end service, an energy management service, a demand management service, an outage management service, a customer care and billing service, an enterprise communications service, and/or a threat and vulnerability detection library service, etc. In some instances, the impact data processing module 354 can acquire the second set of data using at least a portion of an energy management platform (e.g., the energy management platform 802 of FIGURE 8, the energy management platform 902 of FIGURE 9). For instance, at least the portion of the energy management platform can be implemented as the impact data processing module 354, can perform one or more functions of the impact data processing module 354, and/or can operate in conjunction with the impact data processing module 354 to acquire the second set of data from the second group of data sources.

    [0057] Moreover, the potential impact module 352 can utilize the impact metric module 356 to facilitate generating, based on the second set of data, a second metric (i.e., a potential impact metric) indicating a calculated impact to at least a portion of the energy delivery network when one or more cyber vulnerabilities affect the particular network component. In some cases, the second set of data can be associated with at least one of customer data relating to the energy delivery network, operations data relating to the energy delivery network, or economic data relating to the energy delivery network.

    [0058] In some embodiments, the impact metric module 356 can generate the second metric based on analyzing the at least one of the customer data, the operations data, or the economic data. In one example, the customer data can be associated with at least one of a customer count, an issue resolution time, a reliability index, and/or a customer criticality metric, etc. In this example, if the customer count associated with the particular network component is larger, if the amount of time to resolve the one or more cyber vulnerabilities is higher, if the particular network component has an impact reliability index or score that at least meets a specified impact reliability threshold, and/or if the criticality of the customers is higher (e.g., the customer is a hospital, police department, fire department, etc.), then the second metric can be increased. In another example, the operations data can be associated with at least one of a labor cost, a materials cost, a physical damage likelihood metric, and/or a degree of redundancy, etc. In this example, if the cost(s) and/or the damage likelihood metric is higher and/or if the degree of redundancy (e.g., back-up systems) is lower, then the second metric can be increased. In a further example, the economic data can be associated with at least one of an energy delivery cost, an equipment cost, and/or a regulatory penalty, etc. In this example, if the cost(s) and/or penalties are higher, then the second metric can be increased. Again, many variations are possible.
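    Paragraph [0058] lists the customer, operations and economic factors and the direction in which each moves the second metric, but not how they are scaled or combined. The Python below is an added illustration, not code from the patent or from C3.ai: it scores the three data categories separately, honouring each stated direction (more customers, slower resolution, a reliability score at or above the threshold, critical customers, higher costs and lower redundancy all raise the score), and averages whichever categories are supplied. The reference scales, the 0.8 reliability threshold, the sub-weights and the substation figures are constructed assumptions.

```python
from dataclasses import dataclass

CRITICAL_CUSTOMER_TYPES = {"hospital", "police", "fire"}  # customer types named in the patent's example
IMPACT_RELIABILITY_THRESHOLD = 0.8                         # assumed threshold on the reliability index

# Assumed reference scales that map raw quantities onto [0, 1]; a utility would calibrate
# these against its own network rather than use these constructed values.
SCALES = {
    "customer_count": 50_000,
    "resolution_hours": 72.0,
    "labor_cost": 250_000.0,
    "materials_cost": 250_000.0,
    "delivery_cost": 1_000_000.0,
    "equipment_cost": 500_000.0,
    "regulatory_penalty": 2_000_000.0,
}


def _clip(value):
    return max(0.0, min(1.0, value))


def _scaled(name, value):
    return _clip(value / SCALES[name])


@dataclass
class CustomerData:
    customer_count: int
    resolution_hours: float          # time to resolve the vulnerability at this component
    reliability_index: float         # 0..1 impact reliability index or score
    customer_types: tuple = ()


@dataclass
class OperationsData:
    labor_cost: float
    materials_cost: float
    damage_likelihood: float         # 0..1 physical damage likelihood metric
    redundancy: int                  # number of back-up systems or paths


@dataclass
class EconomicData:
    delivery_cost: float
    equipment_cost: float
    regulatory_penalty: float


def customer_impact(c):
    """More customers, slower resolution, a reliability score at or above the threshold
    and critical customers each raise the score (equal quarter weights assumed)."""
    return (0.25 * _scaled("customer_count", c.customer_count)
            + 0.25 * _scaled("resolution_hours", c.resolution_hours)
            + 0.25 * (1.0 if c.reliability_index >= IMPACT_RELIABILITY_THRESHOLD else 0.0)
            + 0.25 * (1.0 if CRITICAL_CUSTOMER_TYPES & set(c.customer_types) else 0.0))


def operations_impact(o):
    """Higher costs and damage likelihood raise the score; more redundancy lowers it."""
    cost = (_scaled("labor_cost", o.labor_cost) + _scaled("materials_cost", o.materials_cost)) / 2
    redundancy_term = 1.0 / (1 + o.redundancy)   # 1.0 with no back-up, falling as back-ups are added
    return 0.4 * cost + 0.3 * _clip(o.damage_likelihood) + 0.3 * redundancy_term


def economic_impact(e):
    """Higher delivery cost, equipment cost and regulatory penalty raise the score."""
    return (_scaled("delivery_cost", e.delivery_cost)
            + _scaled("equipment_cost", e.equipment_cost)
            + _scaled("regulatory_penalty", e.regulatory_penalty)) / 3


def potential_impact_metric(customer=None, operations=None, economic=None):
    """Second metric in [0, 1] for one component. Only the categories supplied are averaged,
    matching 'at least one of' customer, operations or economic data."""
    parts = [scorer(data) for scorer, data in ((customer_impact, customer),
                                               (operations_impact, operations),
                                               (economic_impact, economic)) if data is not None]
    if not parts:
        raise ValueError("at least one of customer, operations or economic data is required")
    return round(sum(parts) / len(parts), 4)


# Constructed inputs for one substation; not figures from the patent.
EXAMPLE_SUBSTATION = {
    "customer": CustomerData(customer_count=12_000, resolution_hours=48, reliability_index=0.9,
                             customer_types=("residential", "hospital")),
    "operations": OperationsData(labor_cost=80_000, materials_cost=40_000,
                                 damage_likelihood=0.3, redundancy=0),
    "economic": EconomicData(delivery_cost=300_000, equipment_cost=120_000,
                             regulatory_penalty=500_000),
}

if __name__ == "__main__":
    print("second metric:", potential_impact_metric(**EXAMPLE_SUBSTATION))
```

    Clipping every scaled quantity to [0, 1] keeps one very large cost from swamping the other factors, and the per-category functions stay callable on their own so an operator can see which category is driving the metric for a given component.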

    [0059] FIGURE 4 illustrates an example block diagram 400 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The block diagram 400 shows an example of how cybersecurity analysis performed based on the disclosed technology can provide, calculate, determine, or otherwise generate a cybersecurity risk metric (or score) 402 for a particular component (or for a particular set of components) in an energy delivery network. The cybersecurity analysis can indicate whether particular components are experiencing unusual, abnormal, or unexpected activity. Based on the cybersecurity analysis, a priority or urgency level for repairing components affected by cyber threats can also be determined. Again, all examples provided herein are for illustrative purposes and it should be understood that numerous variations are possible.

    [0060] As shown in the example block diagram 400, the cybersecurity risk metric 402 (i.e., the third metric generated by the cybersecurity risk module 208 of FIGURE 2) can be based on (i.e., based at least in part on) combining the cyber vulnerability metric 404 and the potential impact metric 406. The cyber vulnerability metric 404 can be generated based on traffic detection 408. For example, generating the cyber vulnerability metric 404 can include analyzing detected network traffic, as discussed previously. Furthermore, the potential impact metric 406 can be generated based on customer impact 410, operations impact 412, and/or economic impact 414. For instance, as discussed above, generating the potential impact metric 406 can include analyzing at least one of customer data relating to the energy delivery network, operations data relating to the energy delivery network, or economic data relating to the energy delivery network. It should be appreciated that there can be many variations or other possibilities.

    [0061] FIGURE 5 illustrates an example screenshot 500 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. The example screenshot 500 shows an example interface for providing cybersecurity analysis based on operational technologies and information technologies.

    [0062] In some cases, the example interface can provide an interface portion 502 that presents information about activity(ies) associated with detected network traffic. In some embodiments, the example interface can provide another interface portion 504 that presents information about customers, such as in the form of a ranked list of customers who are affected or at risk of being affected by cyber threats. Moreover, in some instances, the example interface can provide an additional interface portion 506 that presents information about network components, equipment, and/or assets. The interface portion 506 can, for example, present a ranked list of network components that are affected or at risk of being affected by cyber threats. In some cases, interface portion 506 can also present information about why or how network components are affected or at risk of being affected by cyber threats.

    [0063] In some implementations, a set of visualizations (e.g., graphical elements) for a set of network components identified in the ranked list of network components can be generated. The example interface can further provide an interface portion 508 that presents the generated set of visualizations for the set of network components identified in the ranked list of network components. Each visualization in the set of visualizations can represent a corresponding network component in the set of network components. In some instances, each visualization can be presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component. Again, the example screenshot 500 and other examples herein are provided for illustrative purposes and it is contemplated that many variations are possible.

    [0064] FIGURE 6 illustrates an example method 600 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. It should be understood that there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.

    [0065] At block 602, the example method 600 can acquire a first set of data from a first group of data sources including a plurality of network components within an energy delivery network. At block 604, the example method 600 can generate, based on the first set of data, a first metric indicating a likelihood that a particular network component, from the plurality of network components, is affected (e.g., has been affected, is currently affected, and/or may be affected in the future, etc.) by one or more cyber vulnerabilities. At block 606, the example method 600 can acquire a second set of data from a second group of data sources including a collection of services associated with the energy delivery network. At block 608, the example method 600 can generate, based on the second set of data, a second metric indicating a calculated impact to at least a portion of the energy delivery network when the one or more cyber vulnerabilities affect the particular network component. At block 610, the example method 600 can generate, based on the first metric and the second metric, a third metric indicating an overall level of cybersecurity risk associated with the particular network component.

    [0066] In some cases, the overall level of cybersecurity risk as indicated by the third metric can correspond to a proprietary composite measure of cybersecurity risk. The proprietary composite measure of cybersecurity risk can, in some embodiments, be produced or outputted based on (i.e., based at least in part on) information about cyber vulnerability(ies) and information about impact. In some instances, a cyber vulnerability can refer to an intrinsic susceptibility of a component to one or more cyber threats and can include information about provided or inputted cybersecurity risk (e.g., a third-party-provided/calculated likelihood of exploitation of a particular vulnerability by an entity at a particular time on a particular component/system). The provided or inputted cybersecurity risk can sometimes incorporate financial or service impact. Accordingly, the proprietary composite measure of cybersecurity risk can be produced or outputted based on information about cyber vulnerability(ies) (which can include inputted/provided cybersecurity risk data) and information about impact. It should be appreciated that many variations are possible.

    [0067] FIGURE 7A illustrates an example method 700 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. As discussed, it should be understood that there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.

    [0068] At block 702, the example method 700 can generate a plurality of third metrics including the third metric indicating the overall level of cybersecurity risk associated with the particular network component. Each third metric in the plurality of third metrics can indicate a respective overall level of cybersecurity risk associated with a respective network component in the plurality of network components. At block 704, the example method 700 can rank the plurality of network components based on the plurality of third metrics to produce a ranked list of network components. At block 706, the example method 700 can provide at least a portion of the ranked list of network components to an energy provider that utilizes the energy delivery network.

    [0069] FIGURE 7B illustrates an example method 750 associated with providing cybersecurity analysis based on operational technologies and information technologies, in accordance with an embodiment of the present disclosure. Again, it should be appreciated that there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments unless otherwise stated.

    [0070] At block 752, the example method 750 can apply a first weight value to the first metric to produce a first weighted metric. At block 754, the example method 750 can apply a second weight value to the second metric to produce a second weighted metric. At block 756, the example method 750 can combine the first weighted metric and the second weighted metric to produce the third metric.
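    Paragraphs [0045], [0046], [0068] and [0070] describe one pipeline: weight the first metric, weight the second metric, combine the two weighted metrics into the third metric, then rank the components and hand the highest-ranked portion of the list to the energy provider. The Python below is an added illustration, not code from the patent or from C3.ai: it implements blocks 752 to 756 and blocks 702 to 706 over constructed (first metric, second metric) pairs. The equal default weights, the summation as the default combination, the optional provider-defined combination rule and the component values are assumptions introduced for the example.

```python
def cybersecurity_risk_metric(first_metric, second_metric, first_weight=0.5, second_weight=0.5,
                              combine=None):
    """Third metric for one component (method 750): weight the cyber vulnerability metric,
    weight the potential impact metric, then combine the two weighted metrics.

    The default combination is a sum; `combine` lets the energy provider define another rule,
    e.g. the product of the weighted metrics. Weights and the choice of sum are assumptions."""
    for value in (first_metric, second_metric):
        if not 0.0 <= value <= 1.0:
            raise ValueError("input metrics are expected in [0, 1]")
    weighted_first = first_weight * first_metric      # block 752
    weighted_second = second_weight * second_metric   # block 754
    if combine is None:                               # block 756
        return round(weighted_first + weighted_second, 4)
    return round(combine(weighted_first, weighted_second), 4)


def rank_components(metrics_by_component, top_n=None, **kwargs):
    """Generate a third metric per component (block 702), rank the components (block 704)
    and return the highest-ranked portion for the energy provider (block 706)."""
    ranked = [(name, cybersecurity_risk_metric(first, second, **kwargs))
              for name, (first, second) in metrics_by_component.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))  # ties broken by name for a stable list
    return ranked if top_n is None else ranked[:top_n]


# Constructed (first metric, second metric) pairs, standing in for outputs of the cyber
# vulnerability module and the potential impact module.
COMPONENT_METRICS = {
    "substation-A": (0.95, 0.30),    # very likely affected, limited impact
    "substation-B": (0.40, 0.90),    # moderate likelihood, feeds critical customers
    "router-core-1": (0.20, 0.60),
    "firewall-dmz": (0.70, 0.70),
    "transformer-T7": (0.10, 0.95),  # high impact but little evidence of compromise
}

if __name__ == "__main__":
    print("equal weights, sum:", rank_components(COMPONENT_METRICS, top_n=3))
    print("vulnerability weighted 0.7:",
          rank_components(COMPONENT_METRICS, first_weight=0.7, second_weight=0.3))
    print("product rule:", rank_components(COMPONENT_METRICS, combine=lambda a, b: a * b))
```

    Running the three variants on the same inputs shows why the provider-defined combination in [0045] matters: with equal weights and a sum the firewall leads, shifting weight toward the vulnerability metric puts substation-A first, and a product rule pushes the high-impact but quiet transformer to the bottom of the list because a likelihood near zero suppresses any impact.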

    [0071] It is further contemplated that there can be many other uses, applications, and/or variations associated with the various embodiments of the present disclosure. For instance, in some cases, the example cybersecurity analysis module 102 of FIGURE 1 can be implemented, in part or in whole, as software, hardware, or any combination thereof, as discussed above. In some embodiments, the cybersecurity analysis module 102 can be implemented with an energy management platform, such as the energy management platform 802 of FIGURE 8 and/or the energy management platform 902 of FIGURE 9.

    EXAMPLE ENERGY MANAGEMENT PLATFORM

    [0072] FIGURE 8 illustrates an example environment 800 for energy management, in accordance with an embodiment of the present disclosure. The environment 800 includes an energy management platform 802, external data sources 804₁₋ₙ, an enterprise 806, and a network 808. The energy management platform 802 can provide functionality to allow the enterprise 806 to track, analyze, and optimize energy usage of the enterprise 806. The energy management platform 802 may constitute an analytics platform. The analytics platform may handle data management, multi-layered analysis, and data visualization capabilities for all applications of the energy management platform 802. The analytics platform may be specifically designed to process and analyze significant volumes of frequently updated data while maintaining high performance levels.

    [0073] The energy management platform 802 may communicate with the enterprise 806 through user interfaces (UIs) presented by the energy management platform 802 for the enterprise 806. The UIs may provide information to the enterprise 806 and receive information from the enterprise 806. The energy management platform 802 may communicate with the external data sources 804₁₋ₙ through APIs and other communication interfaces. Communications involving the energy management platform 802, the external data sources 804₁₋ₙ, and the enterprise 806 are discussed in more detail herein.

    [0074] The energy management platform 802 may be implemented as a computer system, such as a server or series of servers and other hardware (e.g., applications servers, analytic computational servers, database servers, data integrator servers, network infrastructure (e.g., firewalls, routers, communication nodes)). The servers may be arranged as a server farm or cluster. Embodiments of the present disclosure may be implemented on the server side, on the client side, or a combination of both. For example, embodiments of the present disclosure may be implemented by one or more servers of the energy management platform 802. As another example, embodiments of the present disclosure may be implemented by a combination of servers of the energy management platform 802 and a computer system of the enterprise 806.

    [0075] The external data sources 804₁₋ₙ may represent a multitude of possible sources of data relevant to energy management analysis. The external data sources 804₁₋ₙ may include, for example, grid and utility operational systems, meter data management (MDM) systems, customer information systems (CIS), billing systems, utility customer systems, utility enterprise systems, utility energy conservation measures, and rebate databases. The external data sources 804₁₋ₙ also may include, for example, building characteristic systems, weather data sources, third-party property management systems, and industry-standard benchmark databases.

    [0076] The enterprise 806 may represent a user (e.g., customer) of the energy management platform 802. The enterprise 806 may include any private or public concern, such as large companies, small and medium businesses, households, individuals, governing bodies, government agencies, non-governmental organizations, nonprofits, etc. The enterprise 806 may include energy providers and suppliers (e.g., utilities), energy service companies (ESCOs), and energy consumers. The enterprise 806 may be associated with one or many facilities distributed over many geographic locations. The enterprise 806 may be associated with any purpose, industry, or other type of profile.

    [0077] The network 808 may use standard communications technologies and protocols. Thus, the network 808 may include links using technologies such as Ethernet, 802.11, worldwide interoperability for microwave access (WiMAX), 3G, 4G, CDMA, GSM, LTE, digital subscriber line (DSL), etc. Similarly, the networking protocols used on the network 808 may include multiprotocol label switching (MPLS), transmission control protocol/Internet protocol (TCP/IP), User Datagram Protocol (UDP), hypertext transport protocol (HTTP), simple mail transfer protocol (SMTP), file transfer protocol (FTP), and the like. The data exchanged over the network 808 may be represented using technologies and/or formats including hypertext markup language (HTML) and extensible markup language (XML). In addition, all or some links may be encrypted using conventional encryption technologies such as secure sockets layer (SSL), transport layer security (TLS), and Internet Protocol security (IPsec).

    [0078] In an embodiment, each of the energy management platform 802, the external data sources 804₁₋ₙ, and the enterprise 806 may be implemented as a computer system (or device). The computer system (or device) may include one or more machines, each of which may be implemented as machine 1100 of FIGURE 11, which is described in further detail herein.

    [0079] FIGURE 9 illustrates an example energy management platform 902, in accordance with an embodiment of the present disclosure. In some embodiments, the example energy management platform 902 can be implemented as the energy management platform 802 of FIGURE 8. In an embodiment, the energy management platform 902 may include a data management module 910, applications servers 912, relational databases 914, and key/value stores 916. In some embodiments, the energy management platform 902 can also include a cybersecurity analysis module (e.g., the cybersecurity analysis module 102 of FIGURE 1).

    [0080] The data management module 910 may support the capability to automatically and dynamically scale a network of computing resources for the energy management platform 902 according to demand on the energy management platform 902. The dynamic scaling supported by the data management module 910 may include the capability to provision additional computing resources (or nodes) to accommodate increasing computing demand. Likewise, the data management module 910 may include the capability to release computing resources to accommodate decreasing computing demand. The data management module 910 may include one or more action(s) 918, a queue 920, a dispatcher 922, a resource manager 924, and a cluster manager 926.

    [0081] The actions 918 may represent the tasks that are to be performed in response to requests that are provided to the energy management platform 902. Each of the actions 918 may represent a unit of work to be performed by the applications servers 912. The actions 918 may be associated with data types and bound to engines (or modules). The requests may relate to any task supported by the energy management platform 902. For example, a request may relate to analytic processing, loading energy-related data, retrieving an energy star reading, retrieving benchmark data, etc. The actions 918 are provided to the action queue 920.

    [0082] The action queue 920 may receive each of the actions 918. The action queue 920 may be a distributed task queue and represents work that is to be routed to an appropriate computing resource and then performed.

[0083] The dispatcher 922 may associate and hand off a queued action to an engine that will execute the action. The dispatcher 922 may control routing of each queued action to a particular one of the applications servers 912 based on load balancing and other optimization considerations. The dispatcher 922 may receive an instruction from the resource manager 924 to provision new nodes when the current computing resources are at or above a threshold capacity. The dispatcher 922 also may receive an instruction from the resource manager 924 to release nodes when the current computing resources are at or below a threshold capacity. The dispatcher 922 accordingly may instruct the cluster manager 926 to dynamically provision new nodes or release existing nodes based on demand for computing resources. The nodes may be computing nodes or storage nodes in connection with the applications servers 912, the relational databases 914, and the key/value stores 916.

[0084] The resource manager 924 may monitor the action queue 920. The resource manager 924 also may monitor the current load on the applications servers 912 to determine the availability of resources to execute the queued actions. Based on the monitoring, the resource manager 924 may communicate, through the dispatcher 922, with the cluster manager 926 to request dynamic allocation and de-allocation of nodes.

    [0085] The cluster manager 926 may be a distributed entity that manages all of the nodes of the applications servers 912. The cluster manager 926 may dynamically provision new nodes or release existing nodes based on demand for computing resources. The cluster manager 926 may implement a group membership services protocol. The cluster manager 926 also may perform a task monitoring function. The task monitoring function may involve tracking resource usage, such as CPU utilization, the amount of data read/written, storage size, etc.
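The control loop of paragraphs [0080] to [0085], as an added example in Python (not code from the patent or from C3.ai): actions enter a queue, the dispatcher routes each one to the least-loaded application server that has room, and the resource manager compares cluster utilisation against thresholds and has the cluster manager provision or release nodes. The class names, the capacity units, the threshold values and the sample workload are all assumptions. The text speaks of "a threshold capacity" for both directions; the example keeps two distinct thresholds, because a single shared threshold makes the loop flap between provisioning and releasing on successive rounds.

```python
"""Threshold-driven scaling loop modelled on the action queue, dispatcher, resource
manager and cluster manager split in [0080]-[0085].  Added example, not code from the
patent or from C3.ai; every name and number in it is an assumption."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Action:
    """A unit of work bound to an engine ([0081]); `cost` is an assumed load unit."""
    name: str
    engine: str
    cost: int


@dataclass
class Node:
    node_id: int
    capacity: int = 10
    running: list[Action] = field(default_factory=list)

    @property
    def load(self) -> int:
        return sum(a.cost for a in self.running)


class ClusterManager:
    """Owns the node set; provisions or releases nodes when instructed ([0085])."""
    def __init__(self, min_nodes: int = 1) -> None:
        self.min_nodes = min_nodes
        self.nodes: list[Node] = [Node(i) for i in range(min_nodes)]
        self._next_id = min_nodes

    def provision(self) -> Node:
        node = Node(self._next_id)
        self._next_id += 1
        self.nodes.append(node)
        return node

    def release_idle(self) -> int:
        """Release idle nodes only, never below min_nodes; returns the count released."""
        released = 0
        for node in list(self.nodes):
            if len(self.nodes) > self.min_nodes and not node.running:
                self.nodes.remove(node)
                released += 1
        return released


class ResourceManager:
    """Watches queue depth and node load ([0084]) and returns a scaling verdict."""
    def __init__(self, scale_up_at: float = 0.8, scale_down_at: float = 0.3) -> None:
        # Two distinct thresholds (hysteresis): with one shared threshold the loop
        # would provision on one round and release on the next.
        if scale_up_at <= scale_down_at:
            raise ValueError("scale-up threshold must exceed scale-down threshold")
        self.scale_up_at, self.scale_down_at = scale_up_at, scale_down_at

    def decision(self, queue_len: int, nodes: list[Node]) -> str:
        utilisation = sum(n.load for n in nodes) / sum(n.capacity for n in nodes)
        if queue_len > 0 and utilisation >= self.scale_up_at:
            return "provision"
        if queue_len == 0 and utilisation <= self.scale_down_at:
            return "release"
        return "hold"


class Dispatcher:
    """Routes queued actions to the least-loaded node with room ([0083])."""
    def __init__(self, cluster: ClusterManager, manager: ResourceManager) -> None:
        self.cluster, self.manager = cluster, manager
        self.queue: deque[Action] = deque()

    def submit(self, action: Action) -> None:
        self.queue.append(action)

    def tick(self) -> str:
        """One scheduling round; returns the resource manager's verdict."""
        for _ in range(len(self.queue)):
            action = self.queue.popleft()
            fits = [n for n in self.cluster.nodes if n.load + action.cost <= n.capacity]
            if fits:
                min(fits, key=lambda n: n.load).running.append(action)
            else:
                self.queue.append(action)  # no room anywhere: stays queued
        verdict = self.manager.decision(len(self.queue), self.cluster.nodes)
        if verdict == "provision":
            self.cluster.provision()
        elif verdict == "release":
            self.cluster.release_idle()
        return verdict

    def complete_all(self) -> None:
        """Constructed stand-in for the engines finishing every running action."""
        for node in self.cluster.nodes:
            node.running.clear()


def simulate() -> dict:
    """Constructed workload: six cost-4 actions against a single capacity-10 node."""
    cluster = ClusterManager(min_nodes=1)
    dispatcher = Dispatcher(cluster, ResourceManager())
    for i in range(6):
        dispatcher.submit(Action(f"analytic-{i}", "batch", cost=4))
    verdicts = [dispatcher.tick() for _ in range(4)]
    peak_nodes = len(cluster.nodes)
    dispatcher.complete_all()
    verdicts.append(dispatcher.tick())
    return {"verdicts": verdicts, "peak_nodes": peak_nodes,
            "nodes_after_drain": len(cluster.nodes)}
```

On the constructed workload the cluster grows to three nodes over the first two rounds, holds while the actions run, and shrinks back to the single minimum node once everything has drained. Release is restricted to idle nodes and never goes below `min_nodes`, so a scale-down instruction cannot terminate a node with actions in flight; the text leaves open whether that check belongs to the dispatcher or to the cluster manager.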

[0086] The applications servers 912 may perform processes that manage or host analytic server execution, data requests, etc. The engines provided by the energy management platform 902, such as the engines that perform data services, batch processing, and stream services, may be hosted within the applications servers 912. The engines are discussed in more detail herein.

    [0087] In an embodiment, the applications servers 912 may be part of a computer cluster of a plurality of loosely or tightly connected computers that are coordinated to work as a system in performing the services and applications of the energy management platform 902. The nodes (e.g., servers) of the cluster may be connected to each other through fast local area networks ("LAN"), with each node running its own instance of an operating system. The applications servers 912 may be implemented as a computer cluster to improve performance and availability over that of a single computer, while typically being more cost-effective than single computers of comparable speed or availability. The applications servers 912 may be software, hardware, or a combination of both.

    [0088] The relational databases 914 may maintain various data supporting the energy management platform 902. In an embodiment, non-time series data may be stored in the relational databases 914, as discussed in more detail herein.

[0089] The key/value stores 916 may maintain various data supporting the energy management platform 902. In an embodiment, time series data (e.g., meter readings, meter events, etc.) may be stored in the key/value stores 916, as discussed in more detail herein. In an embodiment, the key/value stores 916 may be implemented with Apache Cassandra, an open source distributed database management system designed to handle large amounts of data across a multitude of commodity servers. In an embodiment, other database management systems for key/value stores may be used.

    [0090] In an embodiment, one or more of the applications servers 912, the relational databases 914, and the key/value stores 916 may be implemented by the entity that owns, maintains, or controls the energy management platform 902.

    [0091] In an embodiment, one or more of the applications servers 912, the relational databases 914, and the key/value stores 916 may be implemented by a third party that may provide a computing environment for lease to the entity that owns, maintains, or controls the energy management platform 902. In an embodiment, the applications servers 912, the relational databases 914, and the key/value stores 916 implemented by the third party may communicate with the energy management platform 902 through a network, such as the network 808 of FIGURE 8.

[0092] The computing environment provided by the third party for the entity that owns, maintains, or controls the energy management platform 902 may be a cloud computing platform that allows the entity that owns, maintains, or controls the energy management platform 902 to rent virtual computers on which to run its own computer applications. Such applications may include, for example, the applications performed by the applications servers 912, as discussed in more detail herein. In an embodiment, the computing environment may allow a scalable deployment of applications by providing a web service through which the entity that owns, maintains, or controls the energy management platform 902 can boot a virtual appliance used to create a virtual machine containing any software desired. In an embodiment, the entity that owns, maintains, or controls the energy management platform 902 may create, launch, and terminate server instances as needed, paying based on usage time, data usage, or any combination of these or other factors. The ability to provision and release computing resources in this manner supports the ability of the energy management platform 902 to dynamically scale according to the demand on the energy management platform 902.

[0093] FIGURE 10 illustrates an example applications server 1000 of an energy management platform, in accordance with an embodiment of the present disclosure. In an embodiment, one or more of the applications servers 912 of FIGURE 9 may be implemented with applications server 1000 of FIGURE 10. The applications server 1000 includes a data integrator (data loading) module 1002, an integration services module 1004, a data services module 1006, a computational services module 1008, a stream analytic services module 1010, a batch parallel processing analytic services module 1012, a normalization module 1014, an analytics container 1016, a data model 1018, and a user interface (UI) services module 1024. In some embodiments, the applications server 1000 can also include a cybersecurity analysis module 1030. In some cases, the cybersecurity analysis module 1030 can be implemented as the cybersecurity analysis module 102 of FIGURE 1.

    [0094] In some embodiments, the analytics platform supported by the applications server 1000 includes multiple services that each handles a specific data management or analysis capability. The services include the data integrator module 1002, the integration services module 1004, the data services module 1006, the computational services module 1008, the stream analytic services module 1010, batch parallel processing analytic services module 1012, and the UI services module 1024. All or some services within the analytics platform may be modular and accordingly architected specifically to execute their respective capabilities for large data volumes and at high speed. The services may be optimized in software for high performance distributed computing over a computer cluster including the applications servers 912.

    [0095] The modules and components of the applications server 1000 in FIGURE 10 and all the figures herein are merely exemplary, and may be variously combined into fewer modules and components, or separated into additional modules and components. The described functionality of the modules and components may be performed by other modules and components.

    EXAMPLE MACHINE



    [0096] FIGURE 11 illustrates an example machine 1100 within which a set of instructions for causing the machine to perform one or more of the embodiments described herein can be executed, in accordance with an embodiment of the present disclosure. The machine may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.

[0097] The machine 1100 includes a processor 1102 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both), a main memory 1104, and a non-volatile memory 1106 (e.g., volatile RAM and non-volatile RAM, respectively), which communicate with each other via a bus 1108. In some cases, the example machine 1100 can correspond to, include, or be included within a computing device or system. For example, in some embodiments, the machine 1100 can be a desktop computer, a laptop computer, a personal digital assistant (PDA), an appliance, a wearable device, a camera, a tablet, or a mobile phone, etc. In one embodiment, the machine 1100 also includes a video display 1110, an alphanumeric input device 1112 (e.g., a keyboard), a cursor control device 1114 (e.g., a mouse), a drive unit 1116, a signal generation device 1118 (e.g., a speaker) and a network interface device 1120.

    [0098] In one embodiment, the video display 1110 includes a touch sensitive screen for user input. In one embodiment, the touch sensitive screen is used instead of a keyboard and mouse. The disk drive unit 1116 includes a machine-readable medium 1122 on which is stored one or more sets of instructions 1124 (e.g., software) embodying any one or more of the methodologies or functions described herein. The instructions 1124 can also reside, completely or at least partially, within the main memory 1104 and/or within the processor 1102 during execution thereof by the computer system 1100. The instructions 1124 can further be transmitted or received over a network 1140 via the network interface device 1120. In some embodiments, the machine-readable medium 1122 also includes a database 1125.

[0099] Volatile RAM may be implemented as dynamic RAM (DRAM), which requires power continually in order to refresh or maintain the data in the memory. Non-volatile memory is typically a magnetic hard drive, a magneto-optical drive, an optical drive (e.g., a DVD RAM), or other type of memory system that maintains data even after power is removed from the system. The non-volatile memory may also be a random access memory. The non-volatile memory can be a local device coupled directly to the rest of the components in the data processing system. A non-volatile memory that is remote from the system, such as a network storage device coupled to any of the computer systems described herein through a network interface such as a modem or Ethernet interface, can also be used.

    [0100] While the machine-readable medium 1122 is shown in an exemplary embodiment to be a single medium, the term "machine-readable medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "machine-readable medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term "machine-readable medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical and magnetic media, and carrier wave signals. The term "storage module" as used herein may be implemented using a machine-readable medium.

    [0101] In general, the routines executed to implement the embodiments of the present disclosure can be implemented as part of an operating system or a specific application, component, program, object, module or sequence of instructions referred to as "programs" or "applications". For example, one or more programs or applications can be used to execute specific processes described herein. The programs or applications typically comprise one or more instructions set at various times in various memory and storage devices in the machine and that, when read and executed by one or more processors, cause the machine to perform operations to execute elements involving the various aspects of the embodiments described herein.

    [0102] The executable routines and data may be stored in various places, including, for example, ROM, volatile RAM, non-volatile memory, and/or cache. Portions of these routines and/or data may be stored in any one of these storage devices. Further, the routines and data can be obtained from centralized servers or peer-to-peer networks. Different portions of the routines and data can be obtained from different centralized servers and/or peer-to-peer networks at different times and in different communication sessions, or in a same communication session. The routines and data can be obtained in entirety prior to the execution of the applications. Alternatively, portions of the routines and data can be obtained dynamically, just in time, when needed for execution. Thus, it is not required that the routines and data be on a machine-readable medium in entirety at a particular instance of time.

[0103] While embodiments have been described fully in the context of machines, those skilled in the art will appreciate that the various embodiments are capable of being distributed as a program product in a variety of forms, and that the embodiments described herein apply equally regardless of the particular type of machine- or computer-readable media used to actually effect the distribution. Examples of machine-readable media include, but are not limited to, recordable type media such as volatile and non-volatile memory devices, floppy and other removable disks, hard disk drives, optical disks (e.g., Compact Disk Read-Only Memory (CD-ROMs), Digital Versatile Disks (DVDs), etc.), among others, and transmission type media such as digital and analog communication links.

    [0104] Alternatively, or in combination, the embodiments described herein can be implemented using special purpose circuitry, with or without software instructions, such as using Application-Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA). Embodiments can be implemented using hardwired circuitry without software instructions, or in combination with software instructions. Thus, the techniques are limited neither to any specific combination of hardware circuitry and software, nor to any particular source for the instructions executed by the data processing system.

    [0105] For purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the description. It will be apparent, however, to one skilled in the art that embodiments of the disclosure can be practiced without these specific details. In some instances, modules, structures, processes, features, and devices are shown in block diagram form in order to avoid obscuring the description. In other instances, functional block diagrams and flow diagrams are shown to represent data and logic flows. The components of block diagrams and flow diagrams (e.g., modules, engines, blocks, structures, devices, features, etc.) may be variously combined, separated, removed, reordered, and replaced in a manner other than as expressly described and depicted herein.

    [0106] Reference in this specification to "one embodiment", "an embodiment", "other embodiments", "another embodiment", or the like means that a particular feature, design, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of, for example, the phrases "according to an embodiment", "in one embodiment", "in an embodiment", or "in another embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, whether or not there is express reference to an "embodiment" or the like, various features are described, which may be variously combined and included in some embodiments but also variously omitted in other embodiments. Similarly, various features are described which may be preferences or requirements for some embodiments but not other embodiments.

[0107] Although embodiments have been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes can be made to these embodiments without departing from the broader scope as set forth in the following claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than in a restrictive sense.

    [0108] Although some of the drawings illustrate a number of operations or method steps in a particular order, steps that are not order dependent may be reordered and other steps may be combined or omitted. While some reordering or other groupings are specifically mentioned, others will be apparent to those of ordinary skill in the art and so do not present an exhaustive list of alternatives. Moreover, it should be recognized that the stages could be implemented in hardware, firmware, software or any combination thereof.

    [0109] It should also be understood that a variety of changes may be made without departing from the essence of the present disclosure. Such changes are also implicitly included in the description. They still fall within the scope of the present disclosure. It should be understood that this disclosure is intended to yield a patent covering numerous aspects of the disclosed technology, both independently and as an overall system, and in both method and apparatus modes.

    [0110] Further, each of the various elements of the present disclosure and claims may also be achieved in a variety of manners. This disclosure should be understood to encompass each such variation, be it a variation of an embodiment of any apparatus embodiment, a method or process embodiment, or even merely a variation of any element of these.


    Claims

    1. A computer-implemented method comprising:

    acquiring a first set of data (602) from a first group of data sources (210) and a second set of data (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components within an energy delivery network,

    wherein the first set of data is associated with detected network traffic (408) in one or more network components within the energy delivery network, wherein the second group of data sources comprises an information technology, IT, service or system associated with the energy delivery network, and wherein the second set of data is associated with at least one of customer data (410), operations data (412), or economic data (414) relating to the energy delivery network;

    generating a first metric (604) based on the first set of data and a second metric (608) based on the second set of data, wherein the first metric comprises a likelihood that a particular network component within the energy delivery network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric includes utilizing a behavioral indicator that is based on analysis of at least one of a multiple-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a calculated impact to the energy delivery network or a portion thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric includes analyzing the at least one of the customer data, the operations data, or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, by utilizing a machine learning process to apply a plurality of weight values to the first and second metrics to produce a first weighted metric and a second weighted metric that are then combined to generate the third metric.


     
    2. The computer-implemented method of claim 1, further comprising:

    generating (702) a plurality of third metrics each comprising an overall cybersecurity risk level associated with a respective network component among a plurality of network components within the energy delivery network;

    ranking (704) the plurality of network components based on the plurality of third metrics to produce a ranked list of network components; and

    providing (706) at least a portion of the ranked list of network components to a resource provider that utilizes the delivery network.


     
    3. The computer-implemented method of claim 2, further comprising:
    generating a set of visualizations for a set of network components identified in the ranked list of network components, wherein each visualization in the set of visualizations represents a corresponding network component in the set of network components, and wherein each visualization is presented in association with a particular color determined based on at least one of a ranking for the corresponding network component or a corresponding overall level of cybersecurity risk associated with the corresponding network component.
     
    4. The computer-implemented method of claim 1, wherein the machine learning process is configured to incorporate user feedback regarding an authenticity of detected cyber vulnerabilities or threats, and an impact to end customers of the delivery network due to the cyber vulnerabilities or threats, in applying the plurality of weight values to the first and second metrics.
     
    5. The computer-implemented method of claim 1, wherein the first set of data is acquired using at least a portion of a network cybersecurity service, and wherein the second set of data is acquired using at least a portion of an energy management platform.
     
    6. The computer-implemented method of claim 1, wherein generating the first metric includes analyzing the detected network traffic.
     
    7. The computer-implemented method of claim 6, wherein analyzing the detected network traffic includes utilizing at least one of a syntax indicator, or a computed indicator, and wherein the likelihood that the particular network component is affected by the one or more cyber vulnerabilities is calculated based on the at least one of the syntax indicator, or the computed indicator.
     
    8. The computer-implemented method of claim 7, wherein the syntax indicator is based on analysis of at least one of an Internet Protocol, IP, address associated with the detected network traffic or an email address associated with the detected network traffic.
     
    9. The computer-implemented method of claim 7, wherein the computed indicator is based on analysis of at least one of a message-digest algorithm hash value associated with the detected network traffic or a regular expression associated with the detected network traffic.
     
    10. The computer-implemented method of claim 1, wherein the customer data is associated with at least one of a customer count, an issue resolution time, a reliability index, or a customer criticality metric, wherein the operations data is associated with at least one of a labor cost, a materials cost, a physical damage likelihood metric, or a degree of redundancy, and wherein the economic data is associated with at least one of an energy delivery cost, an equipment cost, or a regulatory penalty.
     
    11. The computer-implemented method of claim 1, wherein at least some network components in the plurality of network components are associated with operational technology.
     
    12. The computer-implemented method of claim 1, wherein the plurality of network components includes at least one of a router, a switch, a server, a firewall, a transformer, an energy distribution component, an energy transmission component, an energy generation component, or an energy delivery substation.
     
    13. The computer-implemented method of claim 1, wherein the first group of data sources further includes at least one of a supervisory control and data acquisition, SCADA, command and control service, an enterprise firewall service, a log service, an intrusion prevention service, a security information and event management service, SIEM, or an intrusion protection service.
     
    14. The computer-implemented method of claim 1, wherein the second group of data sources comprises a collection of services associated with the delivery network, wherein the collection of services includes at least one of a phone service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head end service, an energy management service, a demand management service, an outage management service, a customer care and billing service, an enterprise communications service, or a threat and vulnerability detection library service.
     
    15. The computer-implemented method of claim 1, wherein the second metric is configured to vary depending on changes in quantitative metrics to the customer data, operations data, or economic data.
     
    16. The computer-implemented method of claim 1, wherein the energy delivery network includes at least one of an electricity delivery network, an oil delivery network, or a gas delivery network.
     
    17. A system comprising:

    at least one processor (1102); and

    a memory (1104) storing instructions (1124) that, when executed by the at least one processor, cause the system to perform:

acquiring a first set of data (602) from a first group of data sources (210) and a second set of data (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components within an energy delivery network, wherein the first set of data is associated with detected network traffic (408) in one or more network components within the energy delivery network, wherein the second group of data sources comprises an information technology, IT, service or system associated with the energy delivery network, and wherein the second set of data is associated with at least one of customer data (410), operations data (412), or economic data (414) relating to the energy delivery network;

    generating a first metric (604) based on the first set of data and a second metric (608) based on the second set of data, wherein the first metric comprises a likelihood that a particular network component within the energy delivery network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric includes utilizing a behavioral indicator that is based on analysis of at least one of a multiple-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a calculated impact to the energy delivery network or a portion thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric includes analyzing the at least one of the customer data, the operations data, or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, by utilizing a machine learning process to apply a plurality of weight values to the first and second metrics to produce a first weighted metric and a second weighted metric that are then combined to generate the third metric.


     
    18. A non-transitory computer-readable storage medium including instructions (1124) that, when executed by at least one processor of a computing system, cause the computing system to perform a method comprising:

acquiring a first set of data (602) from a first group of data sources (210) and a second set of data (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components within an energy delivery network,

    wherein the first set of data is associated with detected network traffic (408) in one or more network components within the energy delivery network, wherein the second group of data sources comprises an information technology (IT) service or system associated with the energy delivery network, and wherein the second set of data is associated with at least one of customer data (410), operations data (412), or economic data (414) relating to the energy delivery network;

    generating a first metric (604) based on the first set of data and a second metric (608) based on the second set of data, wherein the first metric comprises a likelihood that a particular network component within the energy delivery network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric includes utilizing a behavioral indicator that is based on analysis of at least one of a multiple-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a calculated impact to the energy delivery network or a portion thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric includes analyzing the at least one of the customer data, the operations data, or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, by utilizing a machine learning process to apply a plurality of weight values to the first and second metrics to produce a first weighted metric and a second weighted metric that are then combined to generate the third metric.
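As an added worked example (not the patent's or C3.ai's code), the Python below carries the method of claim 1 through on constructed data: a syntax indicator from a bad-IP and bad-email list (claim 8), a computed indicator from an MD5 hash and a regular expression (claim 9), a behavioral indicator that checks a multi-step series of activities in time order across the components a flow touches, an impact figure built from the customer, operations and economic fields of claim 10, a learned pair of weights applied separately to the two metrics and then combined into the overall risk level, and finally the ranking of claim 2 and the colouring of claim 3. Everything the claims leave open is an assumption made here: the activity labels and the three-step chain, the indicator lists, the 0.3/0.3/0.4 mix of the three indicators into the first metric, the monetary conversion of the impact fields, the analyst-feedback set of claim 4, the colour bands, and logistic regression by gradient descent standing in for the unspecified machine learning process.

```python
"""Claim 1's three metrics carried through on constructed data, with the indicators of
claims 7-9, the claim-10 impact fields, the ranking of claim 2 and the colour bands of
claim 3.  Added example, not the patent's or C3.ai's code; every list, label, weight and
formula the claims leave open is an assumption made here."""
import hashlib
import math
import re

CHAIN = ("recon", "credential-use", "control-write")  # assumed multi-step series


def rec(t, components, src_ip, payload, step, email=""):  # `step`: assumed activity label
    return dict(t=t, components=components, src_ip=src_ip, payload=payload, step=step, email=email)


TRAFFIC = [  # constructed first set of data (network traffic seen at OT components)
    rec(10, ["substation-7"], "198.51.100.23", b"scan:modbus/502", "recon"),
    rec(20, ["feeder-switch-12"], "203.0.113.9", b"scan:dnp3/20000", "recon"),
    rec(30, ["substation-7", "feeder-switch-12"], "203.0.113.9", b"login ops_admin", "credential-use"),
    rec(40, ["substation-7"], "198.51.100.23", b"write coil 0x0010", "control-write"),
    rec(50, ["billing-gw-2"], "192.0.2.77", b"invoice export", "benign", email="invoice-bot@example.invalid"),
]
# Constructed indicator lists (claims 8 and 9).  The MD5 is derived from the sample payload so the
# example runs offline; MD5 serves only as an IOC lookup key here, not as a security primitive.
BAD_IPS = {"198.51.100.23"}
BAD_EMAILS = {"invoice-bot@example.invalid"}
BAD_MD5 = {hashlib.md5(b"write coil 0x0010", usedforsecurity=False).hexdigest()}
BAD_REGEX = [re.compile(rb"scan:dnp3/\d+")]


def syntax_indicator(recs):
    return float(any(r["src_ip"] in BAD_IPS or r["email"] in BAD_EMAILS for r in recs))


def computed_indicator(recs):
    for r in recs:
        digest = hashlib.md5(r["payload"], usedforsecurity=False).hexdigest()
        if digest in BAD_MD5 or any(p.search(r["payload"]) for p in BAD_REGEX):
            return 1.0
    return 0.0


def behavioral_indicator(recs):
    """Fraction of CHAIN observed in time order in the traffic touching a component."""
    matched = 0
    for r in sorted(recs, key=lambda r: r["t"]):
        if matched < len(CHAIN) and r["step"] == CHAIN[matched]:
            matched += 1
    return matched / len(CHAIN)


def first_metric(component):
    """Likelihood the component is affected; the 0.3/0.3/0.4 mix is an assumption."""
    recs = [r for r in TRAFFIC if component in r["components"]]
    return 0.3 * syntax_indicator(recs) + 0.3 * computed_indicator(recs) + 0.4 * behavioral_indicator(recs)


FIELDS = ("customer_count", "resolution_hours", "criticality", "labor_cost", "materials_cost",
          "damage_likelihood", "redundancy", "delivery_cost", "equipment_cost", "regulatory_penalty")
IMPACT_DATA = {name: dict(zip(FIELDS, vals)) for name, vals in {  # constructed claim-10 fields
    "substation-7": (42000, 8, 0.9, 120000, 300000, 0.6, 0, 50000, 800000, 1000000),
    "feeder-switch-12": (3500, 4, 0.5, 20000, 15000, 0.3, 1, 5000, 60000, 0),
    "billing-gw-2": (90000, 1, 0.1, 5000, 2000, 0.05, 2, 0, 20000, 0),
}.items()}
COST_PER_CUSTOMER_HOUR = 2.0  # assumed conversion of lost customer-hours to money


def impact_value(d):
    customer = d["customer_count"] * d["resolution_hours"] * d["criticality"] * COST_PER_CUSTOMER_HOUR
    operations = (d["labor_cost"] + d["materials_cost"]) * d["damage_likelihood"] / (1 + d["redundancy"])
    economic = d["delivery_cost"] + d["equipment_cost"] * d["damage_likelihood"] + d["regulatory_penalty"]
    return customer + operations + economic


def second_metric(component):
    """Impact scaled to [0, 1] against the worst asset in the fleet."""
    return impact_value(IMPACT_DATA[component]) / max(impact_value(d) for d in IMPACT_DATA.values())


FEEDBACK = [(0.9, 0.8, 1), (0.7, 0.6, 1), (0.3, 0.9, 1), (0.9, 0.3, 1),  # constructed analyst
            (0.2, 0.2, 0), (0.4, 0.3, 0), (0.1, 0.6, 0), (0.6, 0.1, 0)]  # feedback (claim 4)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def learn_weights(feedback=FEEDBACK, lr=0.5, epochs=3000):
    """Logistic regression by full-batch gradient descent; returns (w_likelihood, w_impact, bias)."""
    w_l = w_i = b = 0.0
    n = len(feedback)
    for _ in range(epochs):
        g_l = g_i = g_b = 0.0
        for l, i, y in feedback:
            err = sigmoid(w_l * l + w_i * i + b) - y
            g_l, g_i, g_b = g_l + err * l, g_i + err * i, g_b + err
        w_l, w_i, b = w_l - lr * g_l / n, w_i - lr * g_i / n, b - lr * g_b / n
    return w_l, w_i, b


def third_metric(component, weights):
    """Weight each metric separately, then combine the two weighted metrics."""
    w_l, w_i, b = weights
    return sigmoid(w_l * first_metric(component) + w_i * second_metric(component) + b)


def colour_for(level):  # assumed bands for the colouring in claim 3
    return "red" if level >= 0.66 else "amber" if level >= 0.33 else "green"


def rank_components(weights=None):
    """Claim 2's ranked list, highest overall risk first, with claim 3's colour."""
    weights = weights or learn_weights()
    levels = {c: third_metric(c, weights) for c in IMPACT_DATA}
    return [(c, round(levels[c], 3), colour_for(levels[c])) for c in sorted(levels, key=levels.get, reverse=True)]
```

Two points the claims do not address. The impact is normalised against the worst asset in the fleet, so adding a new asset with a larger impact rescales every other second metric and can reorder the list without any change in observed traffic. And the learned weights encode only what the analyst feedback contains; the feedback set here is linearly separable, so the weights keep growing with more epochs and the overall levels drift toward 0 and 1 rather than settling at calibrated probabilities.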


     


    Claims (German version, translated)

    1. A computer-implemented method, comprising:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components in an energy supply network,

    wherein the first data set is associated with detected network traffic (408) in one or more network components in the energy supply network, wherein the second group of data sources comprises an information technology (IT) service or IT system associated with the energy supply network, and wherein the second data set is associated with at least one of the following:

    customer data (410), operational data (412) or economic data (414) relating to the energy supply network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, wherein the first metric comprises a probability that a particular network component in the energy supply network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric comprises using a behavioural indicator that is based on an analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a computed impact on the energy supply network or a part thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric comprises analysing at least one of the following: the customer data, the operational data or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.


     
    2. The computer-implemented method of claim 1, further comprising:

    generating (702) a plurality of third metrics, each comprising an overall cybersecurity risk level associated with a respective network component of the plurality of network components in the energy supply network;

    ranking (704) the plurality of network components based on the third metrics to produce a ranked list of network components; and

    providing (706) at least a part of the ranked list of network components to a resource provider that uses the supply network.


     
    3. The computer-implemented method of claim 2, further comprising:
    generating a set of visualisations for a set of network components identified in the ranked list of network components, wherein each visualisation in the set of visualisations represents a corresponding network component in the set of network components, and wherein each visualisation is presented in association with a particular colour that is determined based on at least one of the following: the ranking for the corresponding network component or an overall cybersecurity risk level associated with the corresponding network component.
     
    4. The computer-implemented method of claim 1, wherein the machine learning process is configured to incorporate user feedback regarding an authenticity of detected cyber vulnerabilities or threats, as well as an impact on end customers of the supply network due to the cyber vulnerabilities or threats, in applying the plurality of weight values to the first and second metrics.
     
    5. The computer-implemented method of claim 1, wherein the first data set is acquired using at least a part of a network cybersecurity service, and wherein the second data set is acquired using at least a part of an energy management platform.
     
    6. The computer-implemented method of claim 1, wherein generating the first metric comprises analysing the detected network traffic.
     
    7. The computer-implemented method of claim 6, wherein analysing the detected network traffic comprises using at least one of a syntax indicator and/or a computed indicator, and wherein the probability that the particular network component is affected by one or more cyber vulnerabilities is calculated based on the at least one of the syntax indicator and/or the computed indicator.
     
    8. The computer-implemented method of claim 7, wherein the syntax indicator is based on an analysis of at least one of the following: an Internet Protocol (IP) address associated with the detected network traffic and/or an e-mail address associated with the detected network traffic.
     
    9. The computer-implemented method of claim 7, wherein the computed indicator is based on an analysis of at least one message digest algorithm hash value associated with the detected network traffic, or of a regular expression associated with the detected network traffic.
     
    10. The computer-implemented method of claim 1, wherein the customer data are associated with at least one of the following: a customer count, a problem resolution time, a reliability index or a customer criticality metric, wherein the operational data are associated with at least one of the following: labour costs, material costs, a probability metric for physical damage or a degree of redundancy, and wherein the economic data are associated with at least one of the following: energy supply costs, equipment costs or a regulatory penalty.
     
    11. The computer-implemented method of claim 1, wherein at least some of the network components of the plurality of network components are associated with operational technology.
     
    12. The computer-implemented method of claim 1, wherein the plurality of network components comprises at least one of the following: a router, a switch, a server, a firewall, a transformer, an energy distribution component, an energy transmission component, an energy generation component and/or an energy supply component.
     
    13. The computer-implemented method of claim 1, wherein the first group of data sources further comprises at least one of the following: supervisory control and data acquisition (SCADA), a command-and-control service, an enterprise firewall service, a logging service, an intrusion prevention service, a security information and event management (SIEM) service or an intrusion protection service.
     
    14. The computer-implemented method of claim 1, wherein the second group of data sources comprises a collection of services associated with the supply network, wherein the collection of services comprises at least one of the following: a telephony service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head-end service, an energy management service, a demand management service, an outage management service, a customer support and billing service, an enterprise communication service or a threat and vulnerability detection library service.
     
    15. The computer-implemented method of claim 1, wherein the second metric is configured to depend on changes in the quantitative metrics of customer data, operational data or economic data.
     
    16. The computer-implemented method of claim 1, wherein the energy supply network comprises at least one of an electricity supply network, an oil supply network or a gas supply network.
     
    17. A system, comprising:

    at least one processor (1102); and

    a memory (1104) storing instructions (1124) which, when executed by the at least one processor, cause the system to perform:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components in an energy supply network, wherein the first data set is associated with detected network traffic (408) in one or more network components in the energy supply network, wherein the second group of data sources comprises an information technology (IT) service or IT system associated with the energy supply network, and wherein the second data set is associated with at least one of the following: customer data (410), operational data (412) or economic data (414) relating to the energy supply network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, wherein the first metric comprises a probability that a particular network component in the energy supply network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric comprises using a behavioural indicator that is based on an analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a computed impact on the energy supply network or a part thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric comprises analysing at least one of the following: the customer data, the operational data or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.


     
    18. A non-transitory computer-readable storage medium comprising instructions (1124) which, when executed by at least one processor of a computing system, cause the computing system to perform a method comprising:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), wherein the first group of data sources comprises a plurality of network components in an energy supply network, wherein the first data set is associated with detected network traffic (408) in one or more network components in the energy supply network, wherein the second group of data sources comprises an information technology (IT) service or IT system associated with the energy supply network, and wherein the second data set is associated with at least one of the following: customer data (410), operational data (412) or economic data (414) relating to the energy supply network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, wherein the first metric comprises a probability that a particular network component in the energy supply network is affected by one or more cyber vulnerabilities (404), wherein generating the first metric comprises using a behavioural indicator that is based on an analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, wherein the second metric comprises a computed impact on the energy supply network or a part thereof due to the one or more cyber vulnerabilities affecting the particular network component (406), and wherein generating the second metric comprises analysing at least one of the following: the customer data, the operational data or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.


     


    Claims (French version, translated)

    1. A computer-implemented method, comprising the steps of:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), the first group of data sources comprising a plurality of network components within an energy distribution network,

    the first data set being associated with detected network traffic (408) in at least one energy distribution network component, the second group of data sources comprising an information technology (IT) service or system associated with the energy distribution network, and the second data set being associated with customer data (410), operational data (412) and/or economic data (414) relating to the energy distribution network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, the first metric comprising a probability that a particular network component within the energy distribution network is affected by at least one cyber vulnerability (404), generating the first metric comprising the step of using a behavioural indicator that is based on the analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, the second metric comprising a computed impact on the energy distribution network or a part thereof due to at least one cyber vulnerability affecting the particular selected network component (406), and generating the second metric comprising the step of analysing the customer data, the operational data and/or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular selected network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.


     
    2. The computer-implemented method of claim 1, further comprising the steps of:

    generating (702) a plurality of third metrics, each comprising an overall cybersecurity risk level associated with a respective network component among a plurality of network components within the energy distribution network;

    ranking (704) the plurality of network components based on the plurality of third metrics to produce a ranked list of network components; and

    providing (706) at least a part of the ranked list of network components to a resource provider that uses the distribution network.


     
    3. The computer-implemented method of claim 2, further comprising the step of:
    generating a set of visualisations for a set of network components identified in the ranked list of network components, each visualisation in the set of visualisations representing a corresponding network component in the set of network components, and each visualisation being presented in association with a particular colour determined based on a ranking for the corresponding network component and/or a corresponding overall cybersecurity risk level associated with the corresponding network component.
     
    4. The computer-implemented method of claim 1, the machine learning process being configured to incorporate user feedback regarding the authenticity of detected cyber vulnerabilities or threats, and an impact on end customers of the distribution network due to the cyber vulnerabilities or threats, in applying the plurality of weight values to the first and second metrics.
     
    5. The computer-implemented method of claim 1, the first data set being acquired using at least a part of a network cybersecurity service, and the second data set being acquired using at least a part of an energy management platform.
     
    6. The computer-implemented method of claim 1, generating the first metric comprising the step of analysing the detected network traffic.
     
    7. The computer-implemented method of claim 6, analysing the detected network traffic comprising the step of using a syntax indicator and/or a computed indicator, and the probability that the particular network component is affected by the at least one cyber vulnerability being calculated based on the syntax indicator and/or the computed indicator.
     
    8. The computer-implemented method of claim 7, the syntax indicator being based on the analysis of an Internet Protocol (IP) address associated with the detected network traffic and/or an e-mail address associated with the detected network traffic.
     
    9. The computer-implemented method of claim 7, the computed indicator being based on the analysis of a message digest algorithm hash value associated with the detected network traffic and/or a regular expression associated with the detected network traffic.
     
    10. The computer-implemented method of claim 1, the customer data being associated with a customer count, a problem resolution time, a reliability index and/or a customer criticality metric, the operational data being associated with labour cost, material cost, a physical damage probability metric and/or a degree of redundancy, and the economic data being associated with an energy distribution cost, an equipment cost and/or a regulatory penalty.
     
    11. The computer-implemented method of claim 1, at least some network components in the plurality of network components being associated with operational technology.
     
    12. The computer-implemented method of claim 1, the plurality of network components comprising a router, a switch, a server, a firewall, a transformer, an energy distribution component, an energy transmission component, an energy generation component and/or an energy distribution substation.
     
    13. The computer-implemented method of claim 1, the first group of data sources further comprising a supervisory control and data acquisition (SCADA) command and control service, an enterprise firewall service, a logging service, an intrusion prevention service, a security information and event management (SIEM) service and/or an intrusion protection service.
     
    14. The computer-implemented method of claim 1, the second group of data sources comprising a collection of services associated with the distribution network, the collection of services comprising a telephony service, a meter data management service, a customer information service, a geographic information service, a work management service, an enterprise asset management service, a smart meter head-end service, an energy management service, a demand management service, an outage management service, a customer support and billing service, an enterprise communication service and/or a threat and vulnerability detection library service.
     
    15. The computer-implemented method of claim 1, the second metric being configured to vary as a function of changes in the quantitative metrics of the customer data, the operational data or the economic data.
     
    16. The computer-implemented method of claim 1, the energy distribution network comprising at least one of an electricity distribution network, an oil distribution network or a gas distribution network.
     
    17. A system, comprising:

    at least one processor (1102); and

    a memory (1104) storing instructions (1124) which, when executed by the at least one processor, cause the system to perform:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), the first group of data sources comprising a plurality of network components in an energy distribution network, the first data set being associated with detected network traffic (408) in at least one network component in the energy distribution network, the second group of data sources comprising an information technology (IT) service or system associated with the energy distribution network, and the second data set being associated with customer data (410), operational data (412) and/or economic data (414) relating to the energy distribution network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, the first metric comprising a probability that a particular network component within the energy distribution network is affected by at least one cyber vulnerability (404), generating the first metric comprising the step of using a behavioural indicator that is based on the analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, the second metric comprising a computed impact on the energy distribution network or a part thereof due to at least one cyber vulnerability affecting the particular network component (406), and generating the second metric comprising the step of analysing the customer data, the operational data and/or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular selected network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.


     
    18. A non-transitory computer-readable storage medium comprising instructions (1124) which, when executed by at least one processor of a computing system, cause the computing system to perform a method comprising the steps of:

    acquiring a first data set (602) from a first group of data sources (210) and a second data set (606) from a second group of data sources (212), the first group of data sources comprising a plurality of network components within an energy distribution network, the first data set being associated with detected network traffic (408) in at least one energy distribution network component, the second group of data sources comprising an information technology (IT) service or system associated with the energy distribution network, and the second data set being associated with customer data (410), operational data (412) and/or economic data (414) relating to the energy distribution network;

    generating a first metric (604) based on the first data set and a second metric (608) based on the second data set, the first metric comprising a probability that a particular network component within the energy distribution network is affected by at least one cyber vulnerability (404), generating the first metric comprising the step of using a behavioural indicator that is based on the analysis of at least one activity of a multi-step series of activities associated with the detected network traffic across the plurality of network components, the second metric comprising a computed impact on the energy distribution network or a part thereof due to at least one cyber vulnerability affecting the particular network component (406), and generating the second metric comprising the step of analysing the customer data, the operational data and/or the economic data; and

    generating (610) a third metric comprising an overall cybersecurity risk level associated with the particular network component, using a machine learning process to apply a plurality of weight values to the first and second metrics in order to produce a first weighted metric and a second weighted metric, which are then combined to generate the third metric.
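    Worked example (added for this page; not the proprietor's implementation and not taken from the description). The script below runs the three-metric pipeline of claim 1 end to end on constructed data: a syntax indicator (IP range, e-mail domain; claim 8), a computed indicator (message-digest hash, regular expression; claim 9) and a behavioural indicator that tracks each source address's progress through a multi-step activity chain across components (claim 1) feed the first metric; customer, operational and economic fields from claim 10 feed the second metric; a logistic regression trained on analyst feedback (claim 4) stands in for the claimed machine learning process and supplies the weight values for the third metric; the components are then ranked and coloured (claims 2 and 3). The traffic records, IT data, feedback labels, indicator lists, per-indicator precision values, component names and colour thresholds are all assumptions made for the example.

```python
import hashlib
import math
import re
from ipaddress import ip_address, ip_network

# Constructed first data set: detected traffic across OT components (claim 1, 408).
# Record layout: (time, source IP, target component, sender e-mail, payload).
TRAFFIC = [
    (1, "203.0.113.9", "hmi-2", "ops@example.net",     b"SCAN 10.0.0.0/24"),
    (2, "203.0.113.9", "rtu-7", "ops@example.net",     b"LOGIN admin"),
    (3, "203.0.113.9", "rtu-7", "ops@example.net",     b"WRITE coil 17 = 1"),
    (4, "10.0.0.5",    "fw-1",  "noc@utility.example", b"GET /status"),
    (5, "10.0.0.6",    "rtu-7", "noc@utility.example", b"READ reg 40001"),
]
COMPONENTS = ["rtu-7", "hmi-2", "fw-1"]          # assumed component names

# Indicator inputs (claims 7-9); every list here is an assumption for the example.
BAD_NETS = [ip_network("203.0.113.0/24")]                      # syntax: IP address
BAD_DOMAINS = {"example.net"}                                  # syntax: e-mail address
BAD_HASHES = {hashlib.md5(b"WRITE coil 17 = 1").hexdigest()}   # computed: MD hash
BAD_REGEX = re.compile(rb"^SCAN ")                             # computed: regex
CHAIN = [re.compile(p) for p in (rb"^SCAN ", rb"^LOGIN ", rb"^WRITE ")]  # behavioural chain
PRECISION = {"syntax": 0.5, "computed": 0.7, "behavioural": 0.9}  # assumed confidence per indicator

def syntax_indicator(events):
    """1.0 if any event for the component came from a listed IP range or e-mail domain."""
    for _, ip, _, mail, _ in events:
        if any(ip_address(ip) in net for net in BAD_NETS) or mail.split("@")[1] in BAD_DOMAINS:
            return 1.0
    return 0.0

def computed_indicator(events):
    """1.0 if any payload for the component matches a known-bad hash or regular expression."""
    for *_, payload in events:
        if hashlib.md5(payload).hexdigest() in BAD_HASHES or BAD_REGEX.search(payload):
            return 1.0
    return 0.0

def behavioural_indicator(traffic):
    """Fraction of the multi-step chain reached by the time each component was touched.
    Progress is kept per source IP and carried across components in time order."""
    progress, score = {}, {c: 0.0 for c in COMPONENTS}
    for _, ip, comp, _, payload in sorted(traffic):
        step = progress.get(ip, 0)
        if step < len(CHAIN) and CHAIN[step].search(payload):
            step += 1
            progress[ip] = step
        score[comp] = max(score[comp], step / len(CHAIN))
    return score

def likelihood(component, traffic):
    """First metric (604): noisy-OR of the indicators, each capped by its assumed precision."""
    events = [e for e in traffic if e[2] == component]
    indicators = {"syntax": syntax_indicator(events),
                  "computed": computed_indicator(events),
                  "behavioural": behavioural_indicator(traffic)[component]}
    p_clean = 1.0
    for name, value in indicators.items():
        p_clean *= 1.0 - PRECISION[name] * value
    return 1.0 - p_clean

# Constructed second data set: customer, operational and economic data per component
# from the utility's IT systems (claims 1 and 10).
IT_DATA = {
    "rtu-7": dict(customers=12000, criticality=1.0, resolution_h=6, reliability=0.90,
                  labor=20000, material=5000, damage_prob=0.5, redundancy=0.0,
                  supply_cost_h=5000, equipment=100000, penalty=200000),
    "hmi-2": dict(customers=3000, criticality=0.5, resolution_h=2, reliability=0.95,
                  labor=4000, material=1000, damage_prob=0.1, redundancy=0.5,
                  supply_cost_h=5000, equipment=20000, penalty=0),
    "fw-1":  dict(customers=50000, criticality=0.6, resolution_h=1, reliability=0.99,
                  labor=3000, material=0, damage_prob=0.0, redundancy=0.8,
                  supply_cost_h=5000, equipment=30000, penalty=0),
}

def impact(component, it_data=IT_DATA):
    """Second metric (608): outage impact in 0..1, normalised against the worst component."""
    def cust(d):   # customer-hours at risk, scaled up for a less reliable feeder
        return d["customers"] * d["criticality"] * d["resolution_h"] / d["reliability"]
    def money(d):  # restoration cost, expected equipment damage, lost supply, penalty
        return (d["labor"] + d["material"] + d["damage_prob"] * d["equipment"]
                + d["supply_cost_h"] * d["resolution_h"] + d["penalty"])
    d = it_data[component]
    cust_norm = cust(d) / max(cust(x) for x in it_data.values())
    money_norm = money(d) / max(money(x) for x in it_data.values())
    return (1.0 - d["redundancy"]) * (0.5 * cust_norm + 0.5 * money_norm)

# Constructed analyst feedback (claim 4): (likelihood, impact) of past alerts and whether
# the analyst confirmed a genuine, customer-affecting issue.
FEEDBACK = [((0.90, 0.80), 1), ((0.95, 0.10), 0), ((0.20, 0.90), 0), ((0.70, 0.70), 1),
            ((0.10, 0.10), 0), ((0.85, 0.60), 1), ((0.60, 0.20), 0), ((0.30, 0.30), 0)]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def learn_weights(feedback=FEEDBACK, lr=0.5, epochs=3000):
    """Logistic regression by gradient descent: learns the two weight values (plus a bias)
    from analyst feedback. One possible stand-in for the claimed machine learning process."""
    w1 = w2 = b = 0.0
    n = len(feedback)
    for _ in range(epochs):
        g1 = g2 = gb = 0.0
        for (l, i), y in feedback:
            err = sigmoid(w1 * l + w2 * i + b) - y
            g1 += err * l; g2 += err * i; gb += err
        w1 -= lr * g1 / n; w2 -= lr * g2 / n; b -= lr * gb / n
    return w1, w2, b

def overall_risk(l, i, weights):
    """Third metric (610): weight each metric, then combine the two weighted metrics."""
    w1, w2, b = weights
    weighted_likelihood, weighted_impact = w1 * l, w2 * i
    return sigmoid(weighted_likelihood + weighted_impact + b)

def colour(risk):
    """Traffic-light colour for the visualisation (claim 3); thresholds are assumptions."""
    return "red" if risk >= 0.66 else "amber" if risk >= 0.33 else "green"

def rank_components(traffic=TRAFFIC, it_data=IT_DATA, weights=None):
    """Claims 2-3: score every component, rank by the third metric, colour the ranked list."""
    weights = weights or learn_weights()
    scored = {c: overall_risk(likelihood(c, traffic), impact(c, it_data), weights) for c in it_data}
    ranked = sorted(scored, key=scored.get, reverse=True)
    return [(c, round(scored[c], 3), colour(scored[c])) for c in ranked]

if __name__ == "__main__":
    for row in rank_components():
        print(*row)
```

    On the constructed data the RTU that the chained scan/login/write activity ends on scores 0.985 on the first metric and 1.0 on the second, the HMI that only saw the scan scores lower on both, and the redundant firewall pair scores zero likelihood and near-zero impact, so the ranked list comes out rtu-7, hmi-2, fw-1. Two caveats a practitioner should carry over: the noisy-OR assumes the indicators fire independently, which a regex and a hash of the same payload do not, and the learned weights are only as trustworthy as the analyst labels, which the feedback loop of claim 4 can drift if false-positive dismissals are never audited.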


     




    Drawing

    Cited references

    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description