Digital Ghost: Real-Time, Active Cyber Defense
Digital Ghost is a new paradigm for securing industrial assets and critical infrastructure from both malicious cyber-attacks and naturally occurring faults. It provides a new line of defense at the physical domain layer in addition to current IT/OT layer solutions. The team has developed advanced high-performance algorithms for detection, localization and neutralization of abnormalities (attack and fault), as well as algorithms for abnormality forecasting, providing predictive situation awareness and early warning capabilities.
Many critical infrastructure assets within the US, such as power plants, transmission and distribution networks, transportation systems and water processing plants, are efficiently and safely operated using control systems. Such control systems act as the "brains" of the plant or asset reading information from sensors and sending command signals to actuators. Control systems are also critical subsystems in mobile assets such as aircraft, automobiles and even locomotives. However, these same critical control systems are now the focus of sophisticated cyber-attacks. To help provide a new layer of cyber-defense, GE has developed an advanced technology called “Digital Ghost” using our deep domain knowledge, artificial intelligence and the latest in controls theory. Digital Ghost acts above and in addition to common information technology (IT) and operational technology (OT) cybersecurity methods.
The critical assets in today’s power plants, such as gas turbines, are all governed by physics, which we deeply understand and leverage to create Digital Twins of these machines. Digital Ghost uses these Digital Twins, knowledge of the associated control systems, and very advanced artificial intelligence algorithms to continuously monitor the asset’s behavior. Digital Ghost can determine if the machine is behaving abnormally due to a cyber attack even when the operator’s user interface says everything is OK.
Digital Ghost Functions
Detection: Determines if an abnormality has occurred by using Digital Twins to understand the physics and controller-dependent asset behavior.
Localization: Determines what is under attack or has faulted, in terms of monitored nodes (i.e., sensor, actuator or control nodes).
Forecasting: Provides critical real-time insight into system operations so that operators can monitor malicious activities, tampering of control system parameters, or the potential onset of a fault.
Neutralization: Maintains operability and availability of the system with minimal degradation to the performance and reduces the possibility for a forced emergency shutdown. [potentially if have room: While the system is operating with the neutralization function, agile response teams and other intrusion/fault response capabilities can be deployed to manually triage the event.]
How well does the technology work?
Through high fidelity power plant simulations, GE has performed extensive validation studies showing Detection and Localization accuracies over 98% for various stealthy cyber-attacks. Neutralization has been shown to be effective when nearly 50% of the asset’s sensors have been compromised by a cyber-attack.
Applications of Digital Ghost
GE is looking to move Digital Ghost out of the lab. We believe that this is a horizontal cybersecurity technology that can help protect critical infrastructure assets in a variety of application areas including:
- Thermal Power,
- Oil and Gas, and
- Transmission and Distribution systems
In addition to continuing the core algorithm work, GE Research is seeking opportunities to apply Digital Ghost to real-world demonstrations. If you are interested in learning more or have an interest in partnering with us, please contact us.
Digital Ghost Three Main Functionality Modules
Determines if abnormal operation is occurring which can be caused by a fault or cyber-attack. The detection algorithm combines our Digital Twin models with real-time data from the sensors on the asset and uses unique AI algorithms to accurately differentiate normal operation from abnormal.
Identifies what is under attack or has faulted, in terms of monitoring nodes (i.e., sensor, actuator or control nodes). It also provides forecasting (an early warning capability) and critical real-time insights into system operations so that operators can monitor malicious activities, tampering of control system parameters, or the potential onset of a fault.
Maintains a level of system availability without performance degradation by calculating real-time optimal estimations of the attacked sensors. While the system is operating with the neutralization function, agile response teams and other intrusion/fault response capabilities can be deployed to manually triage the event.
Digital Ghost: Real-Time, Active Cyber Defense Lab Facilities