Dynamic normalization of monitoring node data for threat detection in industrial asset control system

US10678912B2 · US · B2

Patent metadata
Publication number: US-10678912-B2
Application number: US-201615351809-A
Country: US
Kind code: B2
Filing date: Nov 15, 2016
Priority date: Nov 15, 2016
Publication date: Jun 9, 2020
Grant date: Jun 9, 2020

Abstract

Official abstract text for this publication.

Operation of an industrial asset control system may be simulated or monitored under various operating conditions to generate a set of operating results. Subsets of the operating results may be used to calculate a normalization function for each of a plurality of operating conditions. Streams of monitoring node signal values over time may be received that represent a current operation of the industrial asset control system. A threat detection platform may then dynamically calculate normalized monitoring node signal values based at least in part on a normalization function in an operating mode database. For each stream of normalized monitoring node signal values, a current monitoring node feature vector may be generated and compared with a corresponding decision boundary for that monitoring node, the decision boundary separating normal and abnormal states for that monitoring node. A threat alert signal may then be automatically transmitted based on results of those comparisons.
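
The pipeline in the abstract, using the normalization formula from the first claim, sketched as an added example (not code from the patent or its assignee). The node and mode names, the sample values, the three features and the per-feature limit used as a decision boundary are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def build_mode_db(nominal_runs):
    """Map (node, mode) -> (S_nominal time series, S-bar_nominal scalar)."""
    db = {}
    for key, runs in nominal_runs.items():
        s_nominal = [mean(col) for col in zip(*runs)]  # nominal time series
        s_bar = mean(s_nominal)                        # average over runs and time
        if s_bar == 0:
            raise ValueError(f"{key}: zero nominal average, cannot normalize")
        db[key] = (s_nominal, s_bar)
    return db

def normalize(db, node, mode, window):
    """S_normalized = (S_nominal - S_original) / S-bar_nominal for the current mode."""
    s_nominal, s_bar = db[(node, mode)]
    if len(window) != len(s_nominal):
        raise ValueError("window length must match the nominal series")
    return [(n - o) / s_bar for n, o in zip(s_nominal, window)]

def feature_vector(normalized):
    # Assumed features: mean offset, spread, peak deviation.
    return (mean(normalized), pstdev(normalized), max(abs(v) for v in normalized))

def is_abnormal(db, boundaries, node, mode, window):
    """Compare the node's feature vector with that node's decision boundary."""
    features = feature_vector(normalize(db, node, mode, window))
    # Assumed boundary shape: one absolute limit per feature.
    return any(abs(f) > limit for f, limit in zip(features, boundaries[node]))

# Constructed nominal results for one monitoring node under two operating conditions.
NOMINAL_RUNS = {
    ("exhaust_temp", "base_load"): [[598, 600, 602, 600], [602, 600, 598, 600]],
    ("exhaust_temp", "part_load"): [[449, 450, 451, 450], [451, 450, 449, 450]],
}
BOUNDARIES = {"exhaust_temp": (0.02, 0.02, 0.03)}  # constructed limits
DB = build_mode_db(NOMINAL_RUNS)

if __name__ == "__main__":
    healthy_part_load = [452, 449, 451, 450]  # constructed window
    drifting = [450, 450, 480, 480]           # constructed window
    # Same raw window: normal under its own mode, abnormal under the wrong one.
    print(is_abnormal(DB, BOUNDARIES, "exhaust_temp", "part_load", healthy_part_load))
    print(is_abnormal(DB, BOUNDARIES, "exhaust_temp", "base_load", healthy_part_load))
    print(is_abnormal(DB, BOUNDARIES, "exhaust_temp", "part_load", drifting))
```

The second call shows why the normalization function has to follow the operating condition: a healthy part-load window normalized with the base-load function lands far outside the same boundary.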

First claim

Opening claim text (preview).

The invention claimed is:

1. A system to protect an industrial asset control system, comprising: a high fidelity model to simulate operation of the industrial asset control system under various operating conditions to generate a set of operating results; a normalization platform coupled to the high fidelity model to calculate a normalization function for each of a plurality of operating conditions, wherein normalization is performed as follows:

$$S_{\text{normalized}} = \frac{S_{\text{nominal}} - S_{\text{original}}}{\bar{S}_{\text{nominal}}}$$

where $\bar{S}_{\text{nominal}}$ is a spatio-temporal average for normal operating conditions, $S_{\text{nominal}}$ represents a time series signal for nominal operating conditions, and $S_{\text{original}}$ represents time series data requiring normalization; an operating mode database to store the normalization function; a plurality of real-time monitoring node signal inputs to receive streams of monitoring node signal values over time that represent a current operation of the industrial asset control system, wherein at least one monitoring node is associated with at least one of: an auxiliary equipment input signal, a control intermediary parameter, and a control logic value; and a threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs and the operating mode database, including: a computer processor, and a computer memory, coupled to the computer processor, storing instructions that, when executed by the processor cause the threat detection computer platform to: (i) receive the streams of monitoring node signal values, (ii) dynamically calculate normalized monitoring node signal values based at least in part on a normalization function in the operating mode database, (iii) for each stream of normalized monitoring node signal values, generate a current monitoring node feature vector, (iv) compare each generated current monitoring node feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node, and (v) automatically transmit a threat alert signal based on results of said comparisons.

2. The system of claim 1, wherein current monitoring node feature vectors are associated with dynamic temporal normalization.

3. The system of claim 1, wherein current monitoring node feature vectors are associated with dynamic spatial normalization.

4. The system of claim 1, wherein the industrial asset control system is associated with a gas turbine and the operating conditions are associated with at least one of: (i) gas turbine loads, and (ii) gas turbine temperatures.

5. The system of claim 4, wherein the operating conditions are further associated with at least one of: (i) an operating mode, (ii) an external condition, (iii) a system degradation factor, (iv) fuel input, (v) a turbine inlet temperature, (vi) a turbine inlet pressure, (vii) a turbine power, (viii) a turbine speed, (ix) compressor discharge pressure, (x) compressor discharge temperature, (xi) fuel flow, and (xii) turbine exhaust temperature.

6. The system of claim 1, wherein the industrial asset control system is associated with a computer network and the operating conditions are associated with information packet transmission characteristics.

7. The system of claim 1, wherein the normalized output $S_{\text{normalized}}$ is expressed as a weighted linear combination of basis functions as follows:

$$S = S_0 + \sum_{j=1}^{N} w_j \Psi_j$$

where $S_0$ is an average sensor output with threats, $w_j$ is the $j$th weight, and $\Psi_j$ is the $j$th basis vector.

8. The system of claim 1, wherein at least one monitoring node is associated with a plurality of decision boundaries and said comparison is performed in connection with each of those boundaries.

9. The system of claim 1, wherein the threat alert signal transmission is performed using at least one of: (i) a cloud-based system, (ii) an edge-based system, (iii) a wireless system, (iv) a wired system, (v) a secured network, and (vi) a communication system.

10. The system of claim 1, wherein the threat is associated with at least one of: an actuator attack, a controller attack, a monitoring node attack, a plant state attack, spoofing, financial damage, unit availability, a unit trip, a loss of unit life, and asset damage requiring at least one new part.

11. A computerized method to protect an industrial asset control system, comprising: simulating, by a high fidelity model, operation of the industrial asset control system under various operating conditions to generate a set of operating results; calculating, by a normalization platform, a normalization function for each of a plurality of operating conditions, wherein normalization is performed as follows:

$$S_{\text{normalized}} = \frac{S_{\text{nominal}} - S_{\text{original}}}{\bar{S}_{\text{nominal}}}$$

where $\bar{S}_{\text{nominal}}$ is a spatio-temporal average for normal operating conditions, $S_{\text{nominal}}$ represents a time series signal for nominal operating conditions, and $S_{\text{original}}$ represents time series data requiring normalization; receiving, via a plurality of real-time monitoring node signal inputs, streams of monitoring node signal values over time that represent a current operation of the industrial asset control system, wherein at least one monitoring node is associated with at least one of: an auxiliary equipment input signal, a control intermediary parameter, and a control logic value; dynamically calculating, by a threat detection computer platform, normalized monitoring node signal values based at least in part on a normalization function; for each stream of normalized monitoring node signal values, generating, by the threat detection computer platform, a current monitoring node feature vector associated with at least one of: (i) dynamic temporal normalization, and (ii)

Classifications

  • G06F21/554 (Primary)

    involving event detection and direct action · CPC title

  • by means of a monitoring system capable of detecting and responding to faults · CPC title

  • for detecting or protecting against malicious traffic · CPC title

  • Security, surveillance applications · CPC title

  • specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10678912B2 cover?
Operation of an industrial asset control system may be simulated or monitored under various operating conditions to generate a set of operating results. Subsets of the operating results may be used to calculate a normalization function for each of a plurality of operating conditions. Streams of monitoring node signal values over time may be received that represent a current operation of the ind…
Who is the assignee on this patent?
Gen Electric
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date Jun 9, 2020 (B2). Legal status and post-grant events are not shown on this page.