S4: Network Monitoring Champion

Thursday, January 18, 2018 @ 03:01 PM gHale

By Gregory Hale
The network monitoring challenge is over and the champion is Claroty.

Network monitoring, which gives visibility into what is on the network and what is happening on it, is a huge area the manufacturing automation sector is moving toward, so Dale Peterson, Digital Bond chief executive, who also heads up the S4 conference, wanted to see how the new players in the market shaped up and whether the companies and technologies are living up to the hype.


Judges of the competition, which concluded Thursday at the S4x18 conference in Miami, were security experts John Cusimano, Eric Byres and Ron Brash.

While there may be up to 25 or so companies focused on the network monitoring area, the four companies participating in the challenge were Claroty, SecurityMatters, Nozomi Networks and Gravwell.

“This was very much tougher than the real world,” Byres said. (With a tight timeframe to understand the attack), “they couldn’t do a long-term baseline. These poor guys were just stuck out there with a pcap (packet capture).”

There were two days in the competition. The first challenge on Tuesday was labeled asset identification.

The objective for the contestants was to identify as many assets and details as possible, submit a topology diagram, and deliver a complete, correct and timely response; the judges could award extra credit for unique findings.

The challenge pcaps came from the Palm Desert Oil Co.; the contestants reviewed the pcaps and then reported on them. The packets were captured from 15 locations in the oil and gas midstream company’s control room and at multiple stations and terminals. Around 15 million packets were sent in an hour, and there were about 800 IP addresses in a consolidated stream. The traffic included a SCADA system, PLCs, protocol converters, VFDs and flow computers from multiple manufacturers.

In that category, Claroty was the winner with 23 points, followed by SecurityMatters and Nozomi Networks at 20 points apiece. Gravwell had 11 points.

The second day was all about detection. The pcap stream was modified to introduce malicious and surprise traffic, and the contestants had to detect and identify the unusual behavior.

The judges added in:
1. Delivery/penetration
2. Command and control
3. Internal recon
4. Lateral movement
5. Obfuscation/hiding
6. Denial of service
7. Process modification
8. Logic modification
9. Policy violation
10. Self-inflicted user error

“We added in malware from Havex and Stuxnet,” Brash said. They also added in port scans, policy violations, buffer overflow attacks against PLCs, logic changes and firmware installs, hidden process changes in Modbus and network behavioral changes.
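The two challenge tasks, passive asset identification from a pcap and detection of unusual behavior in a modified pcap, can be illustrated with a small script. The following is an added example written for this page; it is not code from the competition, the judges or any of the vendors named, and it uses constructed traffic rather than the Palm Desert Oil Co. captures. It assumes plain Ethernet/IPv4/TCP frames, simplified Modbus/TCP request bodies (only the MBAP header and function code matter to the checks), and two heuristic rules chosen for illustration: a Modbus write (function codes 5, 6, 15, 16) from a host outside a known engineering baseline, and one host touching five or more distinct ports on a single peer. The inventory only credits a service port when a request actually carried data, so an unanswered probe does not turn into an "asset runs this service" claim.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

MODBUS_PORT = 502
MODBUS_WRITE_FCS = {5, 6, 15, 16}   # write single coil/register, write multiple coils/registers
SCAN_THRESHOLD = 5                  # distinct ports one host probes on one peer before we call it a scan (assumed)


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap 2.4 file image (LINKTYPE_ETHERNET = 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_frames(pcap_bytes):
    """Yield captured frames from a libpcap file image; handles both byte orders."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    order = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(order + "IIII", pcap_bytes[pos:pos + 16])
        yield pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen


def modbus_request(fc, address, value, unit=1, tid=1):
    """MBAP header (transaction id, protocol 0, length, unit id) + simplified PDU (fc, address, value)."""
    pdu = bytes([fc]) + struct.pack("!HH", address, value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def eth_ipv4_tcp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which is fine for offline parsing."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     inet_aton(src_ip), inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
            "src_ip": inet_ntoa(frame[26:30]), "dst_ip": inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def inventory(pcap_bytes):
    """Passive asset identification: IP/MAC pairs, the services each host answers on, and who talks to whom."""
    assets = defaultdict(lambda: {"macs": set(), "serves": set(), "peers": set()})
    for pkt in filter(None, map(parse_frame, iter_frames(pcap_bytes))):
        src, dst = pkt["src_ip"], pkt["dst_ip"]
        assets[src]["macs"].add(pkt["src_mac"])
        assets[dst]["macs"].add(pkt["dst_mac"])
        assets[src]["peers"].add(dst)
        assets[dst]["peers"].add(src)
        # Only a request that carries data counts as evidence of a service; a bare probe proves nothing.
        if pkt["payload"] and (pkt["dport"] == MODBUS_PORT or pkt["dport"] < 1024):
            assets[dst]["serves"].add(pkt["dport"])
    return dict(assets)


def detect(pcap_bytes, baseline_writers):
    """Flag Modbus writes from hosts outside the engineering baseline, and one-to-one port scans."""
    findings, probed = [], defaultdict(set)
    for pkt in filter(None, map(parse_frame, iter_frames(pcap_bytes))):
        src, dst, payload = pkt["src_ip"], pkt["dst_ip"], pkt["payload"]
        probed[(src, dst)].add(pkt["dport"])
        if pkt["dport"] == MODBUS_PORT and len(payload) >= 8:
            fc = payload[7]                           # function code follows the 7-byte MBAP header
            if fc in MODBUS_WRITE_FCS and src not in baseline_writers:
                findings.append(("unexpected_modbus_write", src, dst, fc))
    for (src, dst), ports in probed.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(("port_scan", src, dst, len(ports)))
    return findings


# Constructed sample network (hypothetical addresses, not from the competition captures).
HMI, PLC, EWS, ROGUE = "10.0.0.10", "10.0.0.20", "10.0.0.30", "10.0.0.99"
MAC = {HMI: "00:11:22:00:00:10", PLC: "00:11:22:00:00:20",
       EWS: "00:11:22:00:00:30", ROGUE: "00:11:22:00:00:99"}


def sample_capture():
    """Constructed traffic: HMI read polls, one sanctioned EWS write, one unsanctioned write and a port sweep."""
    frames = [eth_ipv4_tcp(MAC[HMI], MAC[PLC], HMI, PLC, 40001, 502, modbus_request(3, 0, 10)) for _ in range(3)]
    frames.append(eth_ipv4_tcp(MAC[EWS], MAC[PLC], EWS, PLC, 40002, 502, modbus_request(16, 100, 1)))
    frames.append(eth_ipv4_tcp(MAC[ROGUE], MAC[PLC], ROGUE, PLC, 40003, 502, modbus_request(6, 100, 0)))
    frames += [eth_ipv4_tcp(MAC[ROGUE], MAC[PLC], ROGUE, PLC, 40004, p) for p in (21, 22, 23, 80, 102, 44818)]
    return build_pcap(frames)


if __name__ == "__main__":
    cap = sample_capture()
    for ip, info in sorted(inventory(cap).items()):
        print(ip, sorted(info["macs"]), sorted(info["serves"]), sorted(info["peers"]))
    for finding in detect(cap, baseline_writers={EWS}):
        print(*finding)
```

Run stand-alone, the script lists four assets, shows the PLC answering only on port 502 with three peers, and reports two findings: the write from the unsanctioned host and the port sweep against the PLC. Note what it does not do, which is exactly the gap the judges pointed out: each finding is an isolated indicator, and nothing here ties the sweep and the write together into one attack narrative.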

“The technology exceeded our expectations. Every one of the products had their own sweet spots,” Byres said. “The tools are really good for looking into issues really forgotten about on the plant floor – configuration issues.”

One area the judges thought the technologies could improve on: indicators were found, but the link from those indicators to the attack was missing.

“If you have a cough, do you have a cold? Do you have the flu? I don’t know,” Brash said. “Indicators were found, but the correlation of the attack was missing.”

The day two results showed Claroty with 24 points, SecurityMatters with 22, Nozomi with 22 and Gravwell with 17.

That left the overall winner as Claroty with 47 points, Nozomi and SecurityMatters with 42 points each and Gravwell with 28 points.
