Risk information output device, information output system, risk information output method, and recording medium
US-2024414180-A1 · Dec 12, 2024 · US
US9756062B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9756062-B2 |
| Application number | US-201414470793-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 27, 2014 |
| Priority date | Aug 27, 2014 |
| Publication date | Sep 5, 2017 |
| Grant date | Sep 5, 2017 |
Official abstract text for this publication.
A system comprising a computer-readable storage medium storing at least one program, and a method for reducing cyber-security related false positive alerts is presented. In example embodiments the method may include identifying an abnormal operation pattern in the network system that may signal a cyber-security threat. In response to identifying the abnormal operation pattern, data related to a state change of an asset included in the network system is accessed. The method may further include determining that the abnormal operation pattern and the state change of the asset are correlated, and based on this determination, determining that the abnormal operation pattern is a false positive indicator with respect to the cyber-security threat.
Opening claim text (preview).
What is claimed is:

1. A method comprising: identifying an operational anomaly in a network system by accessing an anomaly flag that indicates a potential cyber-security threat based on detection of the operational anomaly by a cyber-security analytics engine, the network system comprising a plurality of assets, the operational anomaly involving an operation pattern that is inconsistent with a normal operation pattern observed in the network system; in response to identifying the operational anomaly, accessing asset domain data of an asset from the plurality of assets, the asset domain data including state information related to the asset and a specific configuration of asset parameters associated with the state information; identifying, using the asset domain data, a state change of the asset resulting from a reconfiguration event involving the asset; determining, using one or more processors, that the operational anomaly is correlated with the state change resulting from the reconfiguration event involving the asset; determining that the operational anomaly is a false positive with respect to the potential cyber-security threat based on the operational anomaly being correlated with the state change of the asset resulting from the reconfiguration event involving the asset; causing the anomaly flag to be cleared in response to determining that the anomaly is a false positive based on determining the operational anomaly is correlated with the state change of the asset; and storing a record comprising the operational anomaly, the state change, and an indication of the operational anomaly being a false positive.
2. The method of claim 1, wherein the anomaly flag is updated by the cyber-security analytics engine in response to detecting the operational anomaly.
3. The method of claim 2, wherein the causing of the anomaly flag to be cleared comprises transmitting a request to the cyber-security analytics engine to clear the anomaly flag.
4. The method of claim 2, wherein the detecting of the operational anomaly comprises: monitoring operation of the network system; determining the normal operation pattern of the network system; and detecting the operation pattern that is inconsistent with the normal operation pattern of the network system.
5. The method of claim 1, wherein causing the anomaly flag to be cleared comprising transmitting a signal to the cyber security engine to clear the anomaly flag.
6. The method of claim 1, wherein the asset domain data is accessed from an asset analytics engine configured to monitor a status and parameter configuration of the asset.
7. The method of claim 1, wherein the determining that the state change of the asset and the operational anomaly are correlated includes determining that the state change of the asset and the operational anomaly are time-correlated.
8. The method of claim 6, wherein the determining that the state change of the asset and the operational anomaly are time-correlated is based on the state change of the asset and the operational anomaly occurring within a certain time period.
9. The method of claim 1, wherein the reconfiguration event includes a reconfiguration of the asset parameters.
10. The method of claim 1, wherein the reconfiguration event includes at least one of adding the asset to the network system, removing the asset from the network system, replacing a component of the asset, or adding an additional asset to the network system.
11. The method of claim 1, wherein the asset domain data includes a malfunction of the asset.
12. A system comprising: a listener module configured to identify an operational anomaly in a network system by accessing an anomaly flag that indicates a potential cyber-security threat based on detection of the operational anomaly by a cyber-security analytics engine, the network system comprising a plurality of assets, the operational anomaly involving an operation pattern that is inconsistent with a normal operation pattern observed in the network system; a query module configured to access, from an asset analytics engine, domain data of an asset from among the plurality of assets, the asset domain data including state information about the asset and a specific configuration of asset parameters related to the state information; an analysis module, including a processor of a machine, configured to identify a state change in the asset based on a reconfiguration event involving the asset included in the asset domain data, the analysis module further configured to determine that the operational anomaly is correlated with the state change, the analysis module further configured to determine that the operational anomaly is a false positive with respect to the potential cyber-security threat based on the operational anomaly being correlated with the state change; and a clearing module configured to cause the anomaly flag to be cleared in response to determining that the anomaly is a false positive based on determining the operational anomaly is correlated with the state change of the asset, the clearing module further configured to store a record comprising the operational anomaly, the state change, and an indication of the operational anomaly being a false positive.
13. The system of claim 12, further comprising the cyber-security analytics engine, the cyber-security analytics engine configured to perform operations comprising: monitoring operation of the network system; determining the normal operation pattern of the network system; detecting the operational anomaly; and updating the anomaly flag in response to detecting the operational anomaly.
14. The system of claim 13, wherein the clear module is configured to signal the cyber-security engine to clear the anomaly flag.
15. The system of claim 13, wherein the network system is an industrial network system comprising physical assets with embedded sensors.
16. The system of claim 12, wherein the analysis module determines the operational anomaly is correlated with the state change by comparing respective timings of the state change and the operational anomaly.
17. The system of claim 12, wherein the asset is coupled to a plurality of sensors, and wherein the asset analytics engine monitors the plurality of sensors to obtain the asset domain data.
18. The system of claim 12, wherein the reconfiguration event includes a reconfiguration of asset parameters.
19. The system of claim 18, wherein the state change of the asset is related to a malfunction of the asset.
20. A non-transitory machine-readable storage medium embodying instructions that, when executed by at least one processor of a machine, cause the machine to perform operations comprising: identifying an operational anomaly in a network system by accessing an anomaly flag that signals a potential cyber-security threat based on detection of the operational anomaly by a cyber-security analytics engine, the network system comprising a plurality of assets, the operational anomaly involving an operation pattern that is inconsistent with a normal operation pattern observed in the network system; identifying an asset from the plurality of assets involved in the operational anomaly; accessing asset domain data including state information related to the asset, the state information including a specific configuration of asset parameters; identifying, using the asset domain data, a state change in the asset resulting from a reconfiguration event involving the asset; determining that the state change of t
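The abstract and claims 1, 4, 7 through 10 and 12 describe one pipeline: an analytics engine learns a normal operation pattern and raises an anomaly flag; a listener picks the flag up; a query module pulls the asset's state-change history from an asset analytics engine; an analysis module checks whether a reconfiguration event on the same asset is time-correlated with the anomaly (within a fixed window); and a clearing module clears the flag and stores a record. The following is an added example written for this page, not code from the patent or its assignee. It models that pipeline end to end on constructed sensor data for a hypothetical asset `pump-7`: the baseline, the 3-sigma threshold, the 10-minute window, the event-type names and all sample values are assumptions chosen for illustration.

```python
"""Added example (not the patent's own code): a toy version of the
false-positive suppression pipeline in the abstract and claims.
All names, thresholds and sample data below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Optional

# Event types treated as reconfiguration events (claims 9 and 10);
# the string names are assumed for this example.
RECONFIGURATION_EVENTS = {
    "parameters_reconfigured", "asset_added", "asset_removed",
    "component_replaced", "additional_asset_added",
}


@dataclass
class Anomaly:            # what the cyber-security analytics engine raises
    anomaly_id: str
    asset_id: str
    detected_at: datetime
    observed: float
    flag_set: bool = True


@dataclass
class StateChange:        # what the asset analytics engine records (claim 6)
    asset_id: str
    occurred_at: datetime
    event: str
    parameters_before: dict
    parameters_after: dict


def detect_anomalies(asset_id, baseline, samples, k=3.0):
    """Claim 4: learn the normal pattern (mean / std-dev of a baseline
    window), then flag every sample more than k standard deviations away."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [
        Anomaly(f"{asset_id}-{i}", asset_id, ts, value)
        for i, (ts, value) in enumerate(samples)
        if abs(value - mu) > k * sigma
    ]


def correlated_state_change(anomaly, changes, window) -> Optional[StateChange]:
    """Claims 7-10: the nearest reconfiguration event on the same asset
    whose timing falls within `window` of the anomaly, or None."""
    candidates = [
        c for c in changes
        if c.asset_id == anomaly.asset_id
        and c.event in RECONFIGURATION_EVENTS
        and abs(c.occurred_at - anomaly.detected_at) <= window
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda c: abs(c.occurred_at - anomaly.detected_at))


def triage(anomaly, changes, window=timedelta(minutes=10)):
    """Listener -> query -> analysis -> clearing (claim 12). The flag is
    cleared only when a correlated reconfiguration event exists; the
    record is stored either way so the decision stays auditable (claim 1)."""
    change = correlated_state_change(anomaly, changes, window)
    false_positive = change is not None
    if false_positive:
        anomaly.flag_set = False          # clearing module
    return {
        "anomaly_id": anomaly.anomaly_id,
        "asset_id": anomaly.asset_id,
        "detected_at": anomaly.detected_at.isoformat(),
        "observed": anomaly.observed,
        "state_change": None if change is None else {
            "event": change.event,
            "occurred_at": change.occurred_at.isoformat(),
            "before": change.parameters_before,
            "after": change.parameters_after,
        },
        "false_positive": false_positive,
        "flag_set": anomaly.flag_set,
    }


# --- constructed sample data (not from the patent) ---
T0 = datetime(2024, 1, 1, 8, 0, 0)
BASELINE = [50.0, 51.0, 49.5, 50.5, 50.0, 49.0, 51.0, 50.0]   # outlet pressure, psi
SAMPLES = [(T0 + timedelta(minutes=m), v) for m, v in
           [(0, 50.2), (1, 49.8), (2, 70.0), (3, 70.5), (4, 70.2), (45, 20.0)]]
CHANGES = [
    # Setpoint raised at minute 2: explains the jump to ~70 psi.
    StateChange("pump-7", T0 + timedelta(minutes=2), "parameters_reconfigured",
                {"setpoint_psi": 50}, {"setpoint_psi": 70}),
    # Component swap three hours earlier: outside any reasonable window.
    StateChange("pump-7", T0 - timedelta(hours=3), "component_replaced",
                {"impeller": "rev-A"}, {"impeller": "rev-B"}),
]


def run(window=timedelta(minutes=10)):
    """Full pipeline over the sample data; returns the stored records."""
    return [triage(a, CHANGES, window)
            for a in detect_anomalies("pump-7", BASELINE, SAMPLES)]


if __name__ == "__main__":
    for rec in run():
        print(rec)
```

On the sample data the three readings right after the setpoint change are flagged by the analytics engine, matched to the `parameters_reconfigured` event and cleared as false positives, while the 20 psi reading at minute 45 has no reconfiguration event within the window (the impeller swap is hours old) and stays flagged. Two practitioner caveats follow from the mechanism itself: the window should be no wider than the plant's change-to-effect latency, because a wide window lets any unrelated reconfiguration silence an unrelated alert; and the stored record matters, since an actor who can both reconfigure the asset and cause the anomaly would have the alert auto-cleared, and the record is what lets that pattern be reviewed later.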
CPC classification titles:
- Traffic logging, e.g. anomaly detection
- involving event detection and direct action
- for detecting or protecting against malicious traffic