Intrusion detection in the ICS environmentPosted: June 6, 2016
There are many network traffic analysis tools out there but how many of them understand industrial protocols like Modbus, Profibus or DNP3? More importantly, how effective are these solutions in the industrial control systems environment?
In this post I would like to share a quick summary of security vendors in this domain.
Please note that this space moves quickly so the list may not be up-to-date by the time you are reading this. That being said, I hope it provides a high-level overview of vendors and capabilities in this space.
SecurityMatters – SilentDefense
SecurityMatters provides critical infrastructure and industrial automation companies with industrial cyber resilience technology that enables quick identification and recovery from threats to operational continuity. SecurityMatters has a global customer base, with partners and customers in all critical industries. These partners and customers include large multinational and defence companies, who provide a wide range of services from consultancy, systems integration and managed security services based on SecurityMatters’ products.
Advanced detection of threats:
- Industrial protocols violations
- Misconfigured or faulty network devices
- Operational mistakes
- System misuse by employees and 3rd parties
- Intrusion attempts
- Known and zero-day attacks
Darktrace – Industrial
Darktrace Industrial, also known as the Industrial Immune System, is a fundamental innovation that implements a real-time ‘immune system’ for operational technologies, such as SCADA, and enables a fundamental shift in the approach to cyber defence.
Darktrace Industrial retains all of the capabilities of Darktrace in the corporate environment, creating unique, behavioural understanding of the ‘self’ for each user and device within the network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behaviour.
- Adaptive – evolves with your organization
- Self-learning – constantly refines its understanding of normal
- Probabilistic – works out likelihood of serious threat
- Real-time – spots threats as they emerge
- Works from day one – delivers instant value
- Low false positives – correlation of weak indicators
- Data agnostic – ingests all data sources
- Highly accurate – models human, device and enterprise behavior
- Scalable – all sizes of network, including over a million devices
Forescout – CounterACT
ForeScout offers a heterogeneous security solution that can see devices, control them and orchestrate system-wide threat response across your wired and wireless campus, data centre, cloud and operational technology deployments without agents.
A scalable platform that provides agentless visibility and control of devices and other endpoints, from traditional PCs, laptops, tablets and smartphones to the latest IoT devices, the instant they connect to the network. The solution continuously assesses, remediates and monitors devices and works with disparate security tools to help accelerate incident response, break down silos, automate workflows.
- Agentless: Identifies, classifies, authenticates and controls network access without an agent. Perform deep endpoint inspection without an agent as long as CounterACT has administrative credentials on the endpoint.
- Policy management: Helps in creation of the security policies that are right for your enterprise. Configuration and administration are fast and easy thanks to built-in policy templates, rules and reports.
- Endpoint compliance: Ensures that endpoints on your network are compliant with your antivirus policy, properly patched and free of illegitimate software. CounterACT automatically identifies policy violations, remediates endpoint security deficiencies and measures adherence to regulatory mandates
- Rogue device detection: Detect rogue infrastructure such as unauthorized switches and wireless access points. CounterACT can even detect devices without IP addresses, such as stealthy packet capture devices designed to steal sensitive information.
Claroty – Continuous Threat Detection
The Claroty Platform is an integrated set of cyber security products that provides visibility, cyber threat detection, secure remote access, and risk assessments for industrial control networks (ICS/OT).
It also offers a platform designed to secure and optimize industrial control networks, offering the benefits of networked control systems without compromising operational resiliency or the security of core assets. The Claroty platform provides visibility into ICS, SCADA, and other control system devices, protocols, and networks by using passive monitoring techniques to safely examine and analyse OT networks.
The system provides real-time monitoring and anomaly detection, employing high-fidelity models and advanced algorithms to alert customers about cybersecurity and process integrity issues.
- Deepest Visibility into OT networks
- Supports all major ICS equipment vendors’ open and proprietary protocols
- Continuous, real-time monitoring
- Full contextual information with each alert
- Fully passive, monitoring – no impact to OT systems
- Support for both Serial and Ethernet networks
- Centralized multi-site management
- Fast, simplified, agentless deployment
Indegy – Industrial Cyber Security Platform
The Indegy Industrial Cyber Security Platform enables operational engineers and cyber security personnel to gain control over industrial-networks, detect malicious activities, identify unauthorized changes, troubleshoot problems caused by control device misconfiguration or firmware updates, and address compliance and change management requirements.
- Helps gain visibility and control over ICS networks
- Helps identify malicious activities and receive alerts on unauthorized changes
- Helps in troubleshooting problems caused by configuration changes or firmware upgrades
- Address regulatory compliance and change management requirements
NexDefense – Integrity
NexDefense helps industrial control system operators with the real-time knowledge needed to maintain system and process integrity and combat cybersecurity threats. Through Integrity™, a patent-pending Industrial Network Anomaly Detection (INAD) system, engineers, security, and control system operators can covertly maintain direct insight and control over threats and increase compliance without sacrificing productivity, optimization or performance.
CyberX – XSense Tool
CyberX designs and develops security solutions to fully support emerging cyber security needs of the Industrial Internet. Introducing a new security strategy to into OT networks, CyberX solutions detect cyber threats, system tampering and operational incidents in real-time, minimizing disruption to operations and downtime.
- Real-Time Operational and Cyber Incident Alerts
- Active Machine Learning and Modelling
- Zero Impact Installation
- Historical forensics provides insight into operational and security events in the OT environment
Sentryo – ICS CyberVision
Sentryo enables organizations to ensure the availability, resilience and safety of their industrial systems while fighting against cyberattacks. To respond to cyber threats and the specific needs of industry, Sentryo has developed ICS CyberVision, a unique and innovative network monitoring solution that provides visibility, integrity and security for industrial control systems.
Sentryo ICS CyberVision is a two tier monitoring platform made up of sensors and central data visualization and analytics software. It enables organisations to perform OT monitoring: asset tracking, control system integrity and cybersecurity.
- Detect & mitigate advanced threats
- Behavioral detection
- Machine learning approach
Nozomi Networks – SCADAguardian
Nozomi Networks has been delivering innovative cybersecurity and operational visibility solutions for industrial control systems (ICS) since 2013. The company was founded by Andrea Carcano, an authority in industrial network security and Moreno Carullo an expert in artificial intelligence.
By applying network behavioural analytics to ICS environments, Nozomi Networks’ flagship product, SCADAguardian delivers real-time visibility into process network communications and configurations. Its ICS network mapping and automated process analysis detects cyber-attacks and operational missteps for immediate remediation.
- Best-in-class threat, risk and anomaly detection using a hybrid approach
- Automated vulnerability assessment
- Readily scales to thousands of industrial sites
- Centralized ICS cybersecurity management
- Easy integration with IT/OT environments
Bayshore Networks – Bayshore IT/OT Gateway
Bayshore enables access to industrial data while protecting from the risk and impact of cyber-attacks. Bayshore offers a solution spanning discovery, detection, alerting, transaction-level policy enforcement, and transformation of industrial data for use in business applications.
Bayshore’s cloud-based software, called the Bayshore IT/OT Gateway, provides IT departments with visibility into OT infrastructure, networks, applications, machines and operational processes. OT networks are undergoing transformation and require services traditionally available only for IT networks, such as secure remote access, malware protection and analytics. Bayshore delivers immediate value by preventing OT process disruptions and enhancing operational efficiency and business continuity.