ARC Forum: 4 Key Criteria for ICS Cybersecurity Anomaly Detection

Date: Feb 23, 2017 By: Kim Legelis

At the recent ARC Forum in Orlando, the automation community- 800 strong- met to discuss pressing issues for the future. Cybersecurity was on top of the list of topics with a full track led by ARC’s lead industrial security analyst, Sid Snitkin.

At a panel session, a group of experts gathered to talk about one of the most important new tools in the fight to keep control systems secure. The new tool is real-time anomaly and breach detection for industrial control networks. Let’s look at the four critical capabilities ARC identified for these products, and how Nozomi Networks’ technology addresses them.

arc-2017-ics-cybersecurity-panel
Sid Snitkin and panelists at the “Anomaly and Breach Detection Solutions Overview’ session
at the 2017 ARC Forum. Nozomi Networks’ CEO, Edgard Capdevielle, is the third panelist from the right.

1. Key Capability: Ensure Cybersecurity and Operational Benefits

The ROI from deploying an anomaly and breach detection comes from both cybersecurity protection and operational benefits that, together, make automation systems more reliable.

To demonstrate how our SCADAguardian product, delivers value in both areas I obtained the following two examples from our systems engineering group.

First, regarding cybersecurity protection, let’s imagine that the laptop of a malicious maintenance worker is connected to a substation network and introduces a targeted malware to the process network. The intruder publishes false layer 2 GOOSE packets and devices. The receiving side mistakenly believes it is receiving valid (true) packets sent by a trusted or secured entity. In this scenario:

  • The connection of the laptop to the network is immediately detected by SCADAguardian.
  • The GOOSE packet injection is identified with stateful analysis of the counters coming from the IEDs.
  • A high-level incident alert is immediately sent to the appropriate operators and SOC staff.
  • Staff execute the incident response plan utilizing network diagrams, asset inventories and process information available from SCADAguardian.
  • Post incident, SCADAguardian ICS incident replay and archiving capabilities (“Time Machine” feature) accelerate forensic analysis.

Nomad laptops are one of the most significant risks to OT networks and this example shows how SCADAguardian would rapidly help contain the damage from an intentional cyberattack.

Second, regarding operational benefits, let’s imagine that there are irregularities in the interactions between a substation RTU and a control center SCADA. The inspection/troubleshooting tools available with the SCADA are cumbersome to setup and are not necessarily enabled. Important information like trace logs may not be available. Moreover, if the logs are available, they tend to differ between vendors, making them hard to interpret.

In this scenario, SCADAguardian evaluated IEC 60870-5-104 communications using a multidimensional approach that considered both network connections and the process state. By analyzing the amount of IEC 60870-5-104 ASDUs with Cause of Transmission = Spontaneous and grouping them by RTU, it discovered that 3 of them were from flapping alarm states related to the power status of the RTU. The customer chose to replace the power supply of the affected RTUs and the problem was solved.

This advanced notice of failing equipment contributed to operational continuity and allowed for less costly preventative maintenance. Going forward an organization could use the diagnostic query within SCADAguardian’s monitoring dashboard to prevent extraordinary maintenance and keep all RTUs in good operating condition.

2. Key Capability: No Impact on Control System Operation

Security visibility tools have been used for a long time in the IT world, but such tools are not suitable for the high availability requirements of industrial control networks. These IT tools typically involve scanning processes that can disrupt network communication and threaten smooth process operations, risking production and even safety.  Some IT security solutions require their deployment to be in-band or in-line, which requires downtime and may increase operational risk.

SCADAguardian is a completely passive solution that poses no risk to industrial systems. Available in a variety of hardware-based and virtual appliance models, it connects to network devices via SPAN or mirror ports. It installs non-intrusively with no network downtime or disruption.

Key slide from Sid Snitken’s presentation “Anomaly and Breach Detection Solutions.”
Key slide from Sid Snitken’s presentation “Anomaly and Breach Detection Solutions.”

3. Key Capability: Provide Context-Based Alerts with Minimal False Positives

A challenge with anomaly and breach detection tools is that they can generate false positives and overwhelm people with too many alerts. If too much information is provided, efficient assessment and appropriate, timely, action by operators is unlikely.

SCADAguardian addresses these concerns by creating an accurate internal representation of the physical process, identifying all its phases, and the correlation between network devices, process variables and phases.  Once this internal representation of the physical process is baselined, the product creates very detailed profiles of the expected behavior of every device at each stage in the process.  With such custom profiles, the number of false positives is minimal, and deviations from it are very unlikely to be a false positive.

Also, an important measure our engineers and SI partners practice with customers is verifying the Virtual Image and the baselines it establishes for a system with its operators and security experts. Pre-existing anomalies can be incorporated or cleaned up, and once this is done it further reduces false positives.

Finally, an important capability of SCADAguardian is that it analyzes alerts and consolidates them into context-aware incidents. Incidents can be also shown in customizable dashboards that are configured for key roles in the organization, and their visual presentation facilitates appropriate action.

4. Key Capability: Integration with Cybersecurity Management Solutions

Security solutions are not effective if they don’t integrate with an organization’s security infrastructure.

Nozomi Networks’ products are designed to provide ICS intrusive detection and passive OT monitoring, integrated with other technologies such as SIEMs, user authentication directories and active security systems. For example, SCADAguardian integrates with both Fortinet’s and Check Point’s security suites for granular,active enforcement of user-defined policies.

Practical Advice: Test Drive the Solution

There was a final piece of practical advice offered by the panel. To know which solution will work best for your plant or operation, test drive it in your environment. Nozomi Networks offers Proof of Concept pilots, just contact us to arrange a demo and set up your own test drive. We extend our thanks to Sid Snitkin and the other panelists for the interesting discussion at the ARC Forum and hope to continue the conversation next year!

Related Content to Download

enel-case-study-banner

Download the Case Study: Enel Energy Company

icons-quote

“Through this partnership, we have made a substantial improvement in our Remote Control System. Nozomi Networks’ SCADAguardian is now a fundamental element of our network infrastructure and an essential tool for our daily activities. Nozomi Networks proved to us that their non-intrusive in-depth technology was able to substantially improve the reliability, efficiency, and cybersecurity of our remote control system”.

FEDERICO BELLIO ENEL’S HEAD OF POWER GENERATION REMOTE CONTROL SYSTEM

   

DOWNLOAD NOW

Related Links

Tagged , , , , , , , ,