Network Visibility with New Platform

Wednesday, September 28, 2016 @ 07:09 AM gHale

By Gregory Hale

Visibility into a network has been one of the biggest issues facing companies over the past few years.

In an environment where communication is vital and understanding the health and well-being of devices remains crucial, it only makes sense to be able to see what is going in and out of the network.

Along those lines, Claroty released a network monitoring platform focused on critical industrial systems.


With the increased use of sensors and the oncoming rush of the Industrial Internet of Things (IIoT), the Claroty Platform provides visibility into industrial control system (ICS) networks.

Some of the industry challenges facing the ICS environment include systems that are insecure by design, increasing connectivity, a lack of collaboration between teams, and insufficient visibility.

Insecure by design: ICS systems end up optimized to maintain safety and availability, not security. Some examples include:
• Flat network architecture
• Rare patching
• Weak/no authentication
• No encryption
• OT protocols

Increasingly connected: modern OT infrastructure is increasingly complex and interconnected. Potential access points include:
• The IT network
• Vendor remote access
• Supply chain (patches/updates)
• Internal threats
• Contractors and integrators

Lack of collaboration: IT security and plant operations and engineering teams do not work together. Issues include:
• Polarization – “Shop Floor” vs. IT Security
• No single operational view of the complete OT environment
• No simple way to proactively work across organizational borders (OT, IT, 3rd party vendors)

Insufficient visibility: enterprise IT security solutions do not see or protect OT assets. Issues include:
• Poor multivendor asset visibility across all OT layers
• Limited native OT security solutions
• Connected to the IT network but not understood or governed by the CISO

With support for control system manufacturers’ protocols and inspection of that traffic, the platform employs high-fidelity models and advanced algorithms to monitor ICS communications and raise security and process integrity alerts.

While this is a cybersecurity platform, it also goes beyond security to general monitoring of an OT network.

Hidden OT Issues
The visibility enables organizations to discover hidden problems in OT networks, protect critical systems against cyber threats and fix issues that impact process integrity and performance.

“We are looking for extreme visibility into those environments so you could spot issues that were cybersecurity issues; things that were wrong with the network so they can proactively fix them or monitor on an ongoing basis so you can find issues,” said Patrick McBride, Claroty CMO. “We also find issues that are just purely OT warnings. We do alerts and warnings that a cyber security guy would not care about but an OT guy would. Something like, ‘hey, somebody just changed the configuration of your PLC two minutes ago and you probably would like to take a look at it.’ Provide a collaboration tool that shows a common operating picture. Even if security guys really knew OT networks – and they don’t – they don’t know the protocols and what is going on. And if they had the tools in place that make them better understand and if they find something they couldn’t make a change anyway. They are getting on the phone and talking to somebody at the plant.”

From the Ukraine power grid attacks to the compromise of a German steel mill, cases of critical infrastructure compromise are growing every day — in some cases being discovered or revealed years after the fact.

“The model we built is based on specific commands and specific values, sequences of values, frequency and context,” said Amir Zilberstein, Claroty co-founder and chief executive. “Our model falls in line with our knowledge of what networks should look like. And this covers external knowledge about how networks behave usually. We know an HMI is not supposed to program a PLC, so if that keeps happening frequently we know it is not a good thing.”
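As an added illustration of the kind of model Zilberstein describes, and of the operator-facing alerts McBride mentions (such as a PLC configuration change), the following toy passive baseline detector was written for this article. It is not Claroty’s code and says nothing about how the Claroty Platform works internally; it only shows the rule types named in the text: a role/context policy (an HMI should not program a PLC), a whitelist of conversations learned from a clean capture, a per-conversation frequency baseline, and a learned range for written values. The asset addresses, roles, function classes and flow records are all constructed sample data, and the `PROGRAM`, `READ` and `WRITE_SETPOINT` function classes are an assumed normalization rather than any vendor’s protocol.

```python
# Added example, not Claroty's code: a toy passive baseline detector for ICS
# traffic. All addresses, roles, function classes and flows are constructed.
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed inventory (assumption: the monitor already knows each asset's role).
ASSET_ROLES = {"10.0.1.10": "HMI", "10.0.1.11": "HMI",
               "10.0.1.20": "ENGINEERING_WORKSTATION",
               "10.0.2.5": "PLC", "10.0.2.6": "PLC"}
# Role policy: "PROGRAM" stands for downloading logic/config to a controller,
# which only an engineering workstation is expected to do.
ALLOWED = {("HMI", "READ"), ("HMI", "WRITE_SETPOINT"),
           ("ENGINEERING_WORKSTATION", "READ"),
           ("ENGINEERING_WORKSTATION", "WRITE_SETPOINT"),
           ("ENGINEERING_WORKSTATION", "PROGRAM")}

@dataclass(frozen=True)
class Flow:
    ts: float                      # seconds (constructed timestamps)
    src: str
    dst: str
    func: str                      # normalized function class
    value: Optional[float] = None  # written value, if any

@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str   # "SECURITY" for the security team, "OT" for plant operators
    msg: str

class PassiveBaselineDetector:
    """Learns normal traffic from a clean capture, then flags deviations."""
    def __init__(self, window_s=60.0, rate_factor=3.0):
        self.window_s, self.rate_factor = window_s, rate_factor
        self.known = set()                # (src, dst, func) seen in learning
        self.rate = {}                    # (src, dst, func) -> flows per window
        self.value_range = {}             # (dst, func) -> (min, max) value
        self.recent = defaultdict(deque)  # sliding window of timestamps per key
        self.last_rate_alert = {}         # suppress repeated frequency alerts

    def learn(self, flows):
        flows = sorted(flows, key=lambda f: f.ts)
        counts = Counter()
        for f in flows:
            key = (f.src, f.dst, f.func)
            self.known.add(key)
            counts[key] += 1
            if f.value is not None:
                lo, hi = self.value_range.get((f.dst, f.func), (f.value, f.value))
                self.value_range[(f.dst, f.func)] = (min(lo, f.value), max(hi, f.value))
        windows = max(flows[-1].ts - flows[0].ts, self.window_s) / self.window_s
        self.rate = {key: n / windows for key, n in counts.items()}

    def inspect(self, f):
        """Apply the rules to one observed flow; return the alerts it raises."""
        src_role, dst_role = ASSET_ROLES.get(f.src), ASSET_ROLES.get(f.dst)
        if src_role is None or dst_role is None:
            return [Alert(f.ts, "SECURITY", f"unknown asset in {f.src}->{f.dst}")]
        alerts, key = [], (f.src, f.dst, f.func)
        if (src_role, f.func) not in ALLOWED:   # e.g. an HMI programming a PLC
            alerts.append(Alert(f.ts, "SECURITY", f"{src_role} {f.src} issued {f.func} to {dst_role} {f.dst}"))
        else:
            if key not in self.known:
                alerts.append(Alert(f.ts, "SECURITY", f"new conversation {f.src}->{f.dst} {f.func}"))
            if f.func == "PROGRAM":             # legitimate, but operators want to know
                alerts.append(Alert(f.ts, "OT", f"configuration of {dst_role} {f.dst} changed by {f.src}"))
        # Frequency rule: a known conversation far above its baseline rate.
        q = self.recent[key]
        q.append(f.ts)
        while f.ts - q[0] > self.window_s:
            q.popleft()
        base = self.rate.get(key)
        if (base is not None and len(q) > max(3, self.rate_factor * base)
                and f.ts - self.last_rate_alert.get(key, float("-inf")) > self.window_s):
            self.last_rate_alert[key] = f.ts
            alerts.append(Alert(f.ts, "SECURITY", f"{f.func} {f.src}->{f.dst}: {len(q)} per window, baseline {base:.1f}"))
        # Value rule: a written value outside the range ever seen in learning.
        rng = self.value_range.get((f.dst, f.func))
        if f.value is not None and rng and not rng[0] <= f.value <= rng[1]:
            alerts.append(Alert(f.ts, "OT", f"{f.func} value {f.value} to {f.dst} outside learned {rng}"))
        return alerts

def run_demo():
    """Learn from a constructed clean capture, then inspect constructed live traffic."""
    hmi, hmi2, ew, plc_a, plc_b = "10.0.1.10", "10.0.1.11", "10.0.1.20", "10.0.2.5", "10.0.2.6"
    baseline = [Flow(t, hmi, plc_a, "READ") for t in range(0, 600, 10)]     # HMI polls every 10 s
    baseline += [Flow(t, ew, plc_b, "READ") for t in range(0, 600, 60)]
    baseline += [Flow(100, hmi, plc_a, "WRITE_SETPOINT", 50.0), Flow(300, hmi, plc_a, "WRITE_SETPOINT", 55.0),
                 Flow(500, hmi, plc_a, "WRITE_SETPOINT", 52.0), Flow(200, ew, plc_b, "PROGRAM")]
    det = PassiveBaselineDetector()
    det.learn(baseline)
    live = [Flow(1000, hmi, plc_a, "READ"),
            Flow(1001, hmi, plc_a, "WRITE_SETPOINT", 53.0),  # within learned range: silent
            Flow(1002, hmi, plc_a, "WRITE_SETPOINT", 95.0),  # out of range: OT alert
            Flow(1003, hmi2, plc_a, "PROGRAM"),              # HMI programming a PLC: SECURITY alert
            Flow(1004, ew, plc_b, "PROGRAM")]                # expected config change: OT alert
    live += [Flow(1010 + i * 0.1, hmi, plc_a, "READ") for i in range(20)]  # read burst: SECURITY alert
    live.append(Flow(1100, "10.0.9.99", plc_a, "READ"))      # unknown asset: SECURITY alert
    return [a for f in live for a in det.inspect(f)]

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts:8.1f} {a.kind:8} {a.msg}")
```

Running the module prints five alerts: two tagged OT (the out-of-range setpoint and the engineering workstation’s legitimate PLC reprogramming) and three tagged SECURITY (the HMI issuing a program command, the read burst, and the unknown asset). The split mirrors the article’s point that some findings matter to operators rather than the security team, and the frequency rule is suppressed for one window after firing so a single burst does not produce one alert per packet.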

It is understood throughout the industry that if an attacker wants to get in, they will; what this platform can do is retain forensic data in case there is a successful attack.

“We can save the data for years. And typically that is what we do,” Zilberstein said. “It is configured to save the events from inception going forward and it is doable because the information on the network is condensed and repetitive. We do save all the events for life.”

ICS Platform
The Claroty Platform focuses on being able to monitor ICS, SCADA and other critical OT networks, uncover previously hidden issues and alert cybersecurity teams and system operators to malicious attacks and process integrity issues.

The Claroty Platform provides:
• Visibility — Unlike tools that only cover control system assets in Level 3 and 4 of the Purdue Enterprise Reference Architecture, the Claroty platform provides visibility into assets and communications across each level of the OT environment.
• Coverage — Inspects industrial control protocols, with support for protocols from vendors including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, Honeywell, and ABB.
• Real-Time Monitoring — Constantly monitors all communication within an industrial control network.
• Anomaly Detection — Employs advanced behavioral algorithms to detect potential attacks and noteworthy changes that can adversely impact operations — including a variety of security attacks and environmental changes that could harm system integrity or damage industrial processes.
• “Do No Harm” Passive Monitoring Approach – The platform employs “passive” deep packet inspection (DPI) that is safe for all devices within OT environments.
• Enterprise Scalability — Optimized for complex, real-world OT networks that often have constrained bandwidth or even unreliable network links. The system also features an enterprise console that consolidates information from multiple geographically distributed sites.

With the growth of IIoT and the availability of sensors to measure and monitor almost everything, technology has now reached the point where manufacturers can learn from and take advantage of those advances.

“I think part of the reason is manufacturers are hooking up to the IT networks because of the business uses, the ERP integration, the Big Data analytics integration,” McBride said. “The other issue is the corporate level, executive level awareness. The reason why a drilling organization bought our platform is because mostly they are getting contracts from the big oil manufacturers and there was a fallout from the (Deepwater Horizon) spill case. People are understanding a cyberattack can make the same thing happen and so the big oil company put in contractual language that said you need to prove to us the technology you are using on your exploration vessel is locked down and safe. In order to win a big contract, you need to prove you are safe and secure.”