REAL-TIME, INDEPENDENT CYBERATTACK MONITORING SYSTEM WITH AUTOMATIC RESPONSE

MX435337BActive Publication Date: 2026-06-12SIEMENS INDUSTRY INC

Patent Information

Authority / Receiving Office
MX · MX
Patent Type
Patents
Current Assignee / Owner
SIEMENS INDUSTRY INC
Filing Date
2022-07-21
Publication Date
2026-06-12

AI Technical Summary

Technical Problem

Existing cyberattack response systems in manufacturing plants and operational technology facilities are inadequate, as they are network-dependent, vulnerable to repeated attacks, and require manual intervention, leading to significant downtime and costs.

Method used

A standalone surveillance system using programmable logic controllers to automatically isolate operational technology networks upon cyberattack detection, employing firewall rules and emergency equipment activation to prevent propagation and facilitate rapid remediation.

Benefits of technology

Provides rapid, automated network segmentation and emergency response to contain cyberattacks, minimizing downtime and costs by isolating infected segments and allowing unaffected areas to continue operations.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure MX435337B0
    Figure MX435337B0
Patent Text Reader

Abstract

A cybersecurity system that provides independent, real-time cyberattack monitoring and an automated response to cyberattacks. The cybersecurity system comprises cyber monitoring logic to generate a cyberattack signal in response to a cyberattack event. The cybersecurity system further comprises an automatic segmentation controller to generate a plurality of segmentation voltage signals or a plurality of segmentation messages in response to the cyberattack signal.The cybersecurity system further comprises a plurality of firewalls configured to invoke firewall rule sets based on an input voltage signal level from the plurality of segmentation voltage signals or the plurality of segmentation messages to segment a site network into a plurality of site network segments and to control one or more physical devices in response to the cyberattack event.
Need to check novelty before this filing date? Find Prior Art

Description

REAL-TIME, INDEPENDENT CYBERATTACK MONITORING SYSTEM WITH AUTOMATIC RESPONSE BACKGROUND 1. Field of the invention The aspects of the present invention relate in general to a system for monitoring cyberattacks and for automatically responding to them in real time and independently. 2. Description of related art Cyberattacks on production plants and operational technology facilities cost customers and economies billions of dollars in losses each year, and the number of attacks and resulting costs are increasing annually. Cybercrime-related damages are projected to reach $6 trillion annually by 2021, as concerns about cybersecurity risks continue to grow. Cyberattacks are constantly increasing, putting missions and lives at risk. Now more than ever, it is crucial to be proactive and protect government facilities and industrial sites. The WannaCry ransomware attack infected approximately 230,000 computers worldwide. The ransomware spread to computer systems in 150 countries. In one particular case, a facility with 25 automation controllers required over 2,000 hours of work to eradicate and remediate all of the facility's IT and OT computer systems.Typically, the response to cyberattacks has been a combination of antivirus, endpoint control, and monitoring tools, along with manual intervention. The problem with these solutions is that, individually, none fully resolves or provides an adequate response to the cyberattack. Furthermore, they are always connected to the network where the attacking malware resides, making them vulnerable to repeated attempts by the malware to defeat them. Some customers have used combinations of these products in an attempt to provide an adequate response. However, when it comes to the operational technology (manufacturing) area of ​​a facility, many components in this space are not compatible with antivirus or endpoint solutions, leaving these areas open to attack if they are networked with the entire facility or provide data to a cloud environment.Surveillance solutions require manual response efforts that are slow and usually too late, resulting in the infection of Operational Technology systems. Recovering from a serious attack can cost millions of dollars. Therefore, improved methods and systems for monitoring and handling cyberattacks are desired. cfrnAnn / zznz / E / YiAi SUMMARY Briefly described, the aspects of the present invention relate to a standalone monitoring, high-speed notification, and response solution for facilities affected by cyberattacks. At the first indication of a cyberattack, this solution automatically notifies the facility and takes action, either automatically or via manual command, to isolate the Operational Technology space of a facility, thereby preventing production disruption. This solution uses an industry-standard programmable logic controller to receive cyberattack notifications through standard cyber-monitoring protocols such as SYSLOG, or through digital control signals from commercially available antivirus solutions, endpoint management solutions, next-generation firewalls, and intrusion prevention / detection systems, etc.Once a notification is received, the system generates an on-site attack notification, automatically isolates predetermined sections of the facility's network to prevent the attack from spreading, and executes a rules-based automation sequence to control emergency equipment, such as a backup generator, to secure the facility or continue operations. After the facility's network is segmented, individual segments can be analyzed to determine if they have been affected and restored to service based on criticality. The solution's advantages include providing an automated response, isolating the operational area from the malware, and preventing its spread. The solution affects automation products, networking products, and next-generation firewall products used in production facilities worldwide. According to an illustrative embodiment of the present invention, a cybersecurity system comprises cyber surveillance logic for generating a cyberattack signal in response to a cyberattack event. The cybersecurity system further comprises an automatic segmentation controller for generating a plurality of segmentation voltage signals or a plurality of segmentation messages in response to the cyberattack signal. The cybersecurity system further comprises a plurality of firewalls configured to invoke firewall rule sets based on an input voltage signal level from the plurality of segmentation voltage signals or the plurality of segmentation messages to segment a site network into a plurality of site network segments and to control one or more physical devices in response to the cyberattack event. BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 illustrates a block diagram of a real-time, independent cyberattack surveillance and automatic cyberattack response system according to an exemplary embodiment of the present invention. Figure 2 illustrates an automatic segmentation of the cybersecure network according to an exemplary embodiment of the present invention. Figure 3 illustrates a rapid automatic cybernetic response system for cfrnpnn / zznz / E / YiAi operational technology (OT) systems according to an exemplary embodiment of the present invention. Figure 4 illustrates Architectural Options according to an exemplary embodiment of the present invention. Figures 5-8 illustrate Architecture Options networks according to an exemplary embodiment of the present invention. Figure 9 illustrates the Operating Requirements according to an exemplary embodiment of the present invention. Figure 10 illustrates a user interface for displaying the detection of a cyberattack according to an exemplary embodiment of the present invention. DETAILED DESCRIPTION To facilitate understanding of the embodiments, principles, and features of the present invention, they are explained below with reference to their implementation in illustrative embodiments. In particular, they are described in the context of a real-time, independent, automated cyberattack surveillance and response system. However, the embodiments of the present invention are not limited to their use in the devices or methods described. The components and materials described below as components of the various embodiments are intended to be illustrative and not restrictive. Many suitable components and materials that would perform the same or a similar function to the materials described herein are intended to be included within the scope of the embodiments of the present invention. These and other embodiments of the independent, real-time cyberattack monitoring and automated cyberattack response system described herein are outlined below with reference to Figures 1-10. Similar reference numbers used in the drawings identify similar or identical elements in the various views. The drawings are not necessarily drawn to scale. A cyberattack is much like a disease. To control it, you must stop its spread as quickly as possible. In the cyber environment, the way to stop the spread of the disease is to divide the network into functional segments so that each segment can be remediated individually and those that are not infected can continue operating. Real-world data has shown that the faster the network can be segmented, the lower the impact on downtime and, therefore, the cost, providing a higher return on investment (ROI) for the cybersecurity solution. A fail-safe or fail-safe industrial system is a widely used concept that employs an independent system for monitoring and protection to ensure the safety of equipment and personnel. This high-speed automatic network segmentation solution closely resembles an industrial safety system. When triggered by a cyber event, such as the cnnRnn / zznz / B / YiAi malware detection, intrusion detection, or other application-dependent event, a cyber safety system will automatically segment the facility's network into functional segments (cyber-safe mode). The advantages are that it stops the spread of the cyberattack by containing the malware within the network segments, simplifying the scanning, mitigation, and remediation process. The cybersecurity system is a standalone system, isolated from the network it protects. This means it is less likely to be affected by a cyberattack and uses either wired digital voltage signals (preferably) or secure network messages to segment the network. A cybersecurity event that triggers segmentation can occur via a digital input (completely isolated from network traffic) if the cyberattack detection solution provides one, or a cybersecurity controller can receive a single secure network message (via a firewall integrated into the cybersecurity system), such as a syslog message, and invoke an automated segmentation process. According to an embodiment of the present invention, Figure 1 represents a block diagram of a cybersecurity system 105 that is a real-time, independent cyberattack monitoring and automatic response system, according to an exemplary embodiment of the present invention. The cybersecurity system 105 comprises cyber monitoring logic 107 for generating a cyberattack signal 110 in response to a cyberattack event 112. The cybersecurity system 105 further comprises an automatic segmentation controller 115 (e.g., a programmable logic controller (PLC)) for generating a plurality of segmentation voltage signals 117(1-n) or a plurality of segmentation messages in response to the cyberattack signal 110.The cybersecurity system 105 further comprises a plurality of firewalls 120(1-n) configured to invoke firewall rule sets 122 based on an input voltage signal level 125 from the plurality of segmentation voltage signals 117(1-n) or from the plurality of segmentation messages to segment a site network 127 into a plurality of site network segments 130(1-n) and to control one or more physical devices 132 in response to a cyberattack event 112. The cyberattack event 112 triggers segmentation through a digital input that is completely isolated from network traffic. The cybersecurity system 105 activates the firewall rule sets 122 on the network security devices via digital outputs. The cybersecurity system 105 provides a sub-second response to a cyberattack after notification. Cybersecurity system 105 is a separate and isolated system from the network of site 127 that it is protecting. Cybersecurity system 105 operates independently of the network of site 127. Cybersecurity system 105 uses wired digital voltage signals 135 as the plurality of segmentation voltage signals 117(1-n) to segment the network of site 127 in addition to network or segmentation messages 137. The automatic segmentation controller 115 receives a unique network message 137(1) via a firewall 120(1) that is integrated into cybersecurity system 105 to invoke an automatic segmentation process 140. Cybersecurity system 105 is isolated from an information technology (IT) network at site 142(1) to prevent attack. Cybersecurity system 105 isolates an operational technology (OT) network of 142(2) segments using digital outputs to firewalls or power relays. Cybersecurity system 105 isolates multiple network segments at site 130(1-n) to stop the spread of malicious software and prevent unauthorized access. Cybersecurity system 105 automatically activates an emergency backup team 145. Cybersecurity system 105 provides a manual activation capability for panic button 147. Cybersecurity system 105 allows unaffected work cells 150(1) and equipment groups 150(2) to continue operating. Cybersecurity system 105 simplifies a remediation process 152 by remediating smaller, isolated equipment groups in a priority order 155. Cybersecurity system 105 prevents recontamination during the remediation process 152. Cybersecurity system 105 enables triangulated remediation in which the most critical issues are addressed first. Cybersecurity System 105 provides rule-based processing 157 to determine response actions, including alarming or segmentation. Cybersecurity System 105 performs emergency response actions, such as activating backup power. Cybersecurity System 105 generates site alerts 160 and can interact with other sites in the event of coordinated attacks. Cybersecurity System 105 activates protection based on threat levels from threat detection devices. With reference to Figure 2, an automatic cybersecurity network segmentation is illustrated according to an exemplary embodiment of the present invention. An installation 205 may be connected to the Internet or to a network of installations 207 through a Next Generation Firewall 212 of a cyber surveillance system performing Cyber ​​Surveillance. When triggered by a cyber event, such as malware detection, intrusion detection, or another application-dependent event, a cyber surveillance system 212 sends a cyberattack signal or message 215 to an Automatic Cybersecurity Segmentation Controller 217. The Automatic Cybersecurity Segmentation Controller 217 provides a plurality of Segmentation Voltage Signals 220(1-3) to a plurality of Security Firewalls 222(1-3).Firewalls invoke firewall rule sets depending on the level of the incoming voltage signal to segment a site network 225 into site network segments 225(1-4). Voltage signals can also trigger control actions of facility equipment to facilitate a response to a cyberattack, such as starting backup power sources or physical protection devices. Additionally, if the facility's network segmentation firewalls do not support wired digital signals, the Cybersecure Automatic Segmentation Controller 217 can transmit segmentation messages through secure isolation to the segmentation devices. An isolation message 218 can segment the site network into segment #4 225(4). A notification message 219 can provide a site notification solution. A control voltage signal 226 can provide input to the site's emergency equipment. The cyber surveillance system 212 may include a human-machine interface (HMI) 210. When a cyber threat is received, the human-machine interface (HMI) 210 provides notification of the cyberattack. The 212 Cyber ​​Surveillance System provides a sub-second response to a cyberattack after notification. Its ability to securely interface with existing controllers and equipment across sites enables early warning of coordinated attacks while isolating network segments to halt the spread of malware and prevent unauthorized access. With the 212 Cyber ​​Surveillance System, work cells and equipment groups can remain operational and avoid recontamination during remediation. The 212 Cyber ​​Surveillance System simplifies the remediation process by prioritizing systems based on administrative requirements. The 212 cybersecurity system can place an Operational Technology (OT) space in a secure, isolated, or quarantined state upon credible notification of a cyberattack from advanced cyber threat detection technology provided by Next-Generation Firewalls, Endpoint Solutions, and other related technologies. These technologies utilize machine learning, artificial intelligence, intrusion detection, intrusion prevention, and malware detection to notify the 212 cybersecurity system of a credible cyberattack. The 212 cybersecurity system then initiates a rules-based equipment management sequence to protect the affected equipment. A rapid assessment and remediation of prioritized equipment groups can then be performed without risk of contamination.Cybersecurity system 212 will initiate emergency measures in response to the cyberattack so that facility 205 can prepare for the worst-case scenario. The 212 cybersecurity system's automation technology responds in milliseconds. The 212 cybersecurity system operates independently of the Site 225 network. Upon receiving a cyberattack notification, the 212 cybersecurity system executes a strategically predetermined sequence of automated actions. The 212 cybersecurity system notifies of a cyberattack via lights, sirens, emails, and text messages. The 212 cybersecurity system can be manually activated by a security officer. The 212 cybersecurity system automatically activates emergency backup equipment. The 212 cybersecurity system provides a panic button activation capability. The 212 cybersecurity system operates with modern technology (e.g., AI and machine learning). The 212 cybersecurity system operates with older technology (e.g., Ethernet hubs). Recovery can be performed segment by segment or as a full system restore. The 212 cybersecurity system is isolated from the site's computer network to prevent attack. The 212 cybersecurity system uses technology that OT personnel understand.The 212 cybersecurity system has all the advantages of an industrial solution (speed, reliability, determinism, availability, security, etc.). The 212 cybersecurity system uses rules-based processing to determine response actions based on the needs of each facility. Upon detecting a cyberattack, the 212 cybersecurity system uses operational technology to activate firewall rule sets on security devices via digital outputs or can manage legacy networks by controlling the power supply to network devices. The 212 cybersecurity system can then perform emergency response actions to prepare the facility for defense, continued operation, and remediation. All responses are configurable using administrator privileges in the 210 human-machine interface of the 212 cybersecurity system.In the event of a coordinated attack, the 212 cybersecurity system has the ability to interact with other sites using appropriate communication technology to ensure broad-based security and protection. Returning to Figure 3, a rapid automated cyber response system for operational technology (OT) systems is illustrated according to an exemplary embodiment of the present invention. Figure 3 represents an advanced architecture that utilizes Next-Generation Firewalls from different vendors to increase the probability of threat detection. Threat detections from each firewall are sent to a threat processing engine via independent secure firewalls. Threat processing is performed by fault-tolerant CPUs (Programmable Logic Controllers). A fault-tolerant threat processing engine communicates via a redundant isolated ring with automation field devices that generate digital signals to isolate network segments against a credible threat.It's important to note that the ability to protect devices such as computer equipment (servers in this example) is provided in addition to isolating groups of operational equipment from the production cell. In one implementation, a group of emergency equipment can be automatically controlled in response to a cyber threat by threat detection processors. Site 307 is connected to Internet 310 such that Site 307 includes IT Area 312(1) and OT Area 312(2). IT Area 312(1) includes IT Network 115(1), and OT Area 312(2) includes OT Network 115(2). The IT Network 115(1) includes a first firewall protection appliance TI 117(1) and a second firewall protection appliance TI 117(2), each with a next-generation firewall. These various next-generation firewalls are configured for malware or intrusion detection. The second IT firewall protection appliance 117(2) is connected to a first automation appliance 120(1) that couples cyber threats to an isolated threat control ring network 122. The IT network 115(1) includes a first isolation appliance 125(1) and a second isolation appliance 125(2), each with its own independent firewall. An independent firewall on the first isolation appliance 125(1) receives credible cyber events and notifies the cyber response system 305 via secure encrypted messages. An independent firewall on the second isolation appliance 125(2) provides a redundant interface for cyber events to the redundant CPUs of the automated cyber response system 305 via a second set of secure encrypted messages. A third isolation appliance 125(3) is connected to the virtual server(s) to isolate them from a cyber threat. A second automation field device 120(2) enables the IT network 115(1) to be isolated by means of the isolated threat control ring network 122. One or more office PCs 130(1-3) may be connected to the IT network 115(1). A security log analyzer 132 may be provided on the IT network 115(1) and may be used to preprocess threat messages before they are transferred to the cyber response system 305. A fourth isolation device 125(4) and a third automation device 120(3) provide isolation of the OT area 312(2). In the OT 115(2) network, a fifth isolation device 125(5) and a fourth automation device 120(4) provide isolation for a first group of equipment 135(1) and a sixth isolation device 125(6) and a fifth automation device 120(5) provide isolation for a second group of equipment 135(x).In the OT 115(2) network, a sixth automation device 120(6) provides control of the isolated emergency equipment 140. In the isolated threat control ring network 122, the first and second redundant CPUs 145(1-2) provide a Fault-Tolerant Threat Processing Engine 147. The first redundant CPU 145(1) acts as the automatic segmentation controller 115 (e.g., a programmable logic controller (PLC)). With reference to Figure 1, the Fault-Tolerant Threat Processing Engine 147 generates the plurality of segmentation voltage signals 117(1-n) in response to the cyberattack signal 110. The firewall plurality 120(1-n) invokes firewall rule sets 122 depending on the input voltage signal level 125 of the segmentation voltage signals 117(1-n) to segment the site network 127 into the plurality of site network segments 130(1-n) and to control one or more physical devices 132 in response to the cyberattack event 112.Threat detection from each of these segments is delivered to the Fault-Tolerant Threat Processing Engine 147 via independent secure firewalls. Threat processing is performed by the fault-tolerant CPUs (Programmable Logic Controllers) 145(12). The Fault-Tolerant Threat Processing Engine 147 communicates via a redundant isolated ring with automation field devices that generate digital signals to isolate network segments against a credible threat. The Rapid Automated Cyber ​​Response System 305 can place an Operational Technology (OT) space in a secure state upon credible notification of a cyberattack. The Rapid Automated Cyber ​​Response System 305 utilizes advanced continuous cyber threat detection technology (machine learning, intrusion detection, intrusion prevention, etc., from advanced detection devices or software, such as next-generation firewalls or endpoint protection software) to detect credible threats to an OT environment and then initiates a rules-based OT equipment management sequence to protect the equipment within the OT space. Rapid assessment and remediation can then be performed on groups of individual equipment without risk of recontamination. The 305 Rapid Automatic Cyber ​​Response System uses automation technology to provide fast response times and operates independently of the site network while remaining isolated from the attack. The 305 Rapid Automatic Cyber ​​Response System can have four configurations, including a high-availability configuration, as shown in Figure 3. The 305 Rapid Automatic Cyber ​​Response System receives notifications of cyberattacks from Next-Generation Firewalls, log monitoring and analysis tools, PLC digital inputs, isolated syslog messages or other sources (such as endpoint protection software), and manual input. The 305 Rapid Automatic Cyber ​​Response System takes either automatic or manual action. Figure 4 illustrates Architecture Options 405(1-4) according to an exemplary embodiment of the present invention. Architecture Options 405(1-4) include a Basic Architecture Option 405(1) in which an OT space is isolated from a credible threat within a response time of 50 ms (est.). Architecture Options 405(1-4) include a Standard Architecture Option 405(2) in which an OT space and equipment are isolated from a credible threat within a response time of 25 ms (est.). Architecture Options 405(1-4) include a High-Performance Architecture Option 405(3) in which an OT space and equipment are isolated from a credible threat within a response time of 5 ms (est.). The 405(1-4) architecture options include a high availability 405(4) architecture option in which an OT space and equipment are isolated from a credible threat in a response time of 35 ms (est.). As shown in Figures 5-8, the Architecture Options 505(1-4) networks are illustrated according to an exemplary embodiment of the present invention. Figure 5 is a basic solution for use in small, simple architectures with a limited number of networks, devices, or groups of computers. It uses a smaller threat detection processor, resulting in a slower response time. Figure 6 is a standard solution for use in applications with multiple networks, devices, and groups of computers. It uses a threat detection processor with medium processing power, resulting in a faster response time than the basic solution. Figure 7 is a higher-performance solution for use when maximum performance is required.A threat detection processor with extremely high processing power is used, resulting in a faster response time. Figure 8 shows a high-availability (redundant) solution that should be used when downtime of a threat detection system cannot be tolerated. Although the threat detection processors are high-performance, synchronizing the results of logical processing between redundant processors creates a slower response time. As shown in FIG. 9, the Operational Requirements are illustrated according to an exemplary embodiment of the present invention. The Operational Requirements include reliable attack detection mechanism(s), equipment grouping, and network topology. The reliable attack detection mechanisms include next-generation firewall technology, including deep inline packet inspection, machine learning capabilities, intrusion detection, and intrusion prevention. The reliable attack detection mechanisms further include endpoint protection with messaging and an optional messaging server. Equipment grouping includes individual machines, groups of dependent machines (machines requiring interactivity), and emergency equipment groupings.The network topology includes the separation of IT and OT network layers, defined interface network components (i.e., a next-generation firewall between IT and OT), a defined network interface component for each machine or group of machines, and defined connectivity for emergency equipment. Figure 10 illustrates a user interface 1005 for displaying the detection of a cyberattack according to an exemplary embodiment of the present invention. The user interface 1005 is a human-machine interface (HMI) of an automation system. It includes a button 1007 for manual activation. It also includes an audible alarm 1010. It displays a critical (high-priority) threat 1012 and a warning threat 1015 (lower-priority threat). Critical threats trigger immediate action by the cyber response system 305. Warning threats are for notification purposes, but site security personnel have the option to take manual action based on the warning information. Although an automation system is described herein, the present invention also encompasses one or more types of industrial systems or other forms of industrial systems. For example, other types of industrial systems based on one or more of the features presented above can be implemented without departing from the spirit of the present invention. The techniques described here can be particularly useful for a programmable logic controller (PLC). Although the specific implementations are described in terms of a particular PLC configuration, the techniques described herein are not limited to such a limited configuration but can also be used with other configurations and types of controllers. Although embodiments of the present invention have been disclosed in exemplary forms, it will be evident to those skilled in the art that many modifications, additions, and deletions may be made thereto without departing from the spirit and scope of the invention and its equivalents, as set forth in the following claims. The embodiments and their various advantageous features and details are more fully explained with reference to the non-limiting embodiments illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known starting materials, processing techniques, components, and equipment are omitted to avoid unnecessarily obscuring the detailed embodiments. It should be understood, however, that the detailed description and specific examples, while indicating preferred embodiments, are given for illustrative purposes only and not as a limitation. Various substitutions, modifications, additions, and / or rearrangements within the spirit and / or scope of the underlying inventive concept will become apparent to those skilled in the art from this disclosure. As used herein, the terms comprise, which comprises, include, have, which has, or any other variation thereof, are intended to encompass a non-exclusive inclusion. For example, a process, article, or apparatus comprising a list of elements is not necessarily limited to those elements but may include other elements not expressly listed or inherent in that process, article, or apparatus. Furthermore, the examples or illustrations given in this document should not be considered in any way as restrictions, limitations, or express definitions of any term or terms with which they are used. Instead, these examples or illustrations should be considered as describing a particular embodiment and as illustrative only. Those of ordinary skill in the art will appreciate that any term or terms with which these examples or illustrations are used will encompass other embodiments that may or may not be given with them or elsewhere in the specification, and all such embodiments are intended to be included within the scope of that term or those terms. In the preceding specification, the invention has been described with reference to specific embodiments. However, a person of ordinary skill in the art will appreciate that various modifications and changes can be made without departing from the scope of the invention. Therefore, the specification and figures should be considered in an illustrative and not restrictive sense, and all such modifications should be included within the scope of the invention. Although the invention has been described with respect to specific embodiments thereof, these embodiments are merely illustrative and not restrictive of the invention. The description of the illustrated embodiments of the invention is not intended to be exhaustive nor to limit the invention to the precise forms described herein (and, in particular, the inclusion of any particular embodiment, feature, or function is not intended to limit the scope of the invention to that particular embodiment, feature, or function). Rather, the description is intended to describe illustrative embodiments, features, and functions in order to provide a person of ordinary skill in the context of the art with an understanding of the invention without limiting the invention to any particular embodiment, feature, or function described.While the specific embodiments and examples of the invention are described here for illustrative purposes only, several equivalent modifications are possible within the spirit and scope of the invention, as those skilled in the art will recognize and appreciate. As indicated, these modifications may be made to the invention in light of the foregoing description of the illustrated embodiments of the invention and must be included within the spirit and scope of the invention. Thus, while the invention has been described here with reference to particular embodiments thereof, a degree of modification, various changes and substitutions in the foregoing disclosures are intended, and it will be appreciated that in some cases certain features of the embodiments of the invention may be employed without a corresponding use of other features without departing from the scope and spirit of the invention as set forth.Therefore, many modifications can be made to adapt a particular situation or material to the essential scope and spirit of the invention. The occurrences of the phrases "in an embodiment," "in an embodiment," or "in a specific embodiment," or similar terminology in various places in this specification, do not necessarily refer to the same embodiment. Furthermore, the features, structures, or characteristics of any particular embodiment may be combined in any suitable manner with one or more other embodiments. It is to be understood that other variations and modifications of the embodiments described and illustrated herein are possible in view of the instructions herein and are to be regarded as part of the spirit and scope of the invention. In the description of this document, numerous specific details are provided, such as examples of components and / or methods, to provide a complete understanding of the embodiments of the invention. A person skilled in the art will recognize, however, that an embodiment may be capable of being practiced without one or more of the specific details, or with other apparatus, systems, assemblies, methods, components, materials, parts, and / or the like. In other cases, well-known structures, components, systems, materials, or operations are not specifically shown or described in detail to avoid obscuring aspects of the embodiments of the invention. Although the invention may be illustrated using a particular embodiment, this is not, and does not, limit the invention to any particular embodiment, and a person of ordinary knowledge in the art will recognize that other embodiments are readily understandable and form part of this invention. It will also be appreciated that one or more of the elements represented in the drawings / figures ο^ηΑηη / ζζηζ / Β / γίΛΐ may also be implemented in a more separate or integrated manner, or even removed or made inoperable in certain cases, as is useful according to a particular application. The benefits, other advantages, and solutions to the problems have been described above with respect to the specific implementations. However, the benefits, advantages, solutions to the five problems, and any component that may cause or enhance any benefit, advantage, or solution should not be interpreted as a critical, necessary, or essential feature or component.

Claims

1. A cybersecurity system, characterized in that it comprises: cyber surveillance logic for generating a cyberattack signal in response to a cyberattack event; and an automatic segmentation controller for generating a plurality of segmentation voltage signals or a plurality of segmentation messages in response to the cyberattack signal; and a plurality of firewalls configured to invoke firewall rule sets based on an input voltage signal level from the plurality of segmentation voltage signals or the plurality of segmentation messages to segment a site network into a plurality of site network segments and to control one or more physical devices in response to the cyberattack event.

2. The cybersecurity system of claim 1, characterized in that the cybersecurity system is an independent system isolated from the network of the site it is protecting.

3. The cybersecurity system of claim 1, characterized in that the cybersecurity system uses wired digital voltage signals or network messages to segment the site network.

4. The cybersecurity system of claim 1, characterized in that the cyberattack event triggers segmentation through a digital input that is isolated from network traffic or through messages that are isolated from Information Technology (IT) and Operational Technology (OT) network traffic.

5. The cybersecurity system of claim 1, characterized in that the automatic segmentation controller is configured to receive a network message through a firewall that is integrated into the cybersecurity system to invoke an automatic segmentation process.

6. The cybersecurity system of claim 1, characterized in that the cybersecurity system is isolated from a site information technology (IT) network to prevent being attacked.

7. The cybersecurity system of claim 1, characterized in that the cybersecurity system provides a sub-second response to a cyberattack after notification, as it uses a threat detection processor with extremely high processing power resulting in a faster response time.

8. The cybersecurity system of claim 1, characterized in that the cybersecurity system isolates the plurality of network segments of the site to stop the spread of malicious software and prevent intruder access.

9. The cybersecurity system of claim 1, characterized in that the cfrnRnn / zznz / E / viAi cybersecurity system automatically activates emergency equipment.

10. The cybersecurity system of claim 1, characterized in that the cybersecurity system provides a manual activation capability of the panic button.

11. The cybersecurity system of claim 1, characterized in that the cybersecurity system allows unaffected work cells and equipment groups to continue operating.

12. The cybersecurity system of claim 1, characterized in that the cybersecurity system simplifies a remediation process by remediating smaller groups of isolated equipment in a priority order.

13. The cybersecurity system of claim 1, characterized in that the cybersecurity system allows for remediation by priority order in which the most critical ones are dealt with first.

14. The cybersecurity system of claim 1, characterized in that the cybersecurity system prevents recontamination during the repair process.

15. The cybersecurity system of claim 1, characterized in that the cybersecurity system operates independently of the site network.

16. The cybersecurity system of claim 1, characterized in that the cybersecurity system provides rule-based processing based on threat criticality to determine response actions, including alarming or segmentation.

17. The cybersecurity system of claim 1, characterized in that the cybersecurity system activates firewall rule sets on network security devices using digital outputs or isolated network messages.

18. The cybersecurity system of claim 1, characterized in that the cybersecurity system isolates operational technology (OT) network segments using digital outputs to firewalls or power relays.

19. The cybersecurity system of claim 1, characterized in that the cybersecurity system performs emergency response actions, including the activation of backup power.

20. The cybersecurity system of claim 1, characterized in that the cybersecurity system generates site alerts and interacts with other sites in the event of coordinated attacks.

21. The cybersecurity system of claim 1, characterized in that the cybersecurity system activates protection based on the threat levels of the threat detection devices.