Have you heard the news? There's a new Stuxnet-like malware floating around in cyberspace. It's called Irongate, and it uses a man-in-the-middle (MitM) technique to get between a programmable logic controller (PLC) and the software that monitors it: it replaces a Dynamic Link Library (DLL) with malicious code that records "normal" readings from the controller and replays them to the operator while different data goes to the PLC. The code, discovered by the FireEye Labs Advanced Reverse Engineering (FLARE) team, targets a simulated Siemens control system environment rather than production hardware. The good news is that the industrial control system (ICS) malware appears to be a test or proof of concept, so it does not seem to pose an immediate threat. But manufacturers shouldn't shake this off too easily, as we know what malware like Stuxnet and BlackEnergy can do.
It's news like this that has many cybersecurity suppliers rushing to come up with ways to keep ICS malware at bay. And this week, Bayshore Networks, a provider of technology for securing the industrial Internet, did just that. The company announced that its Bayshore IT/OT Gateway can protect industrial operations from the likes of Stuxnet, BlackEnergy, Irongate and more.
"We've always supported malware detection as part of deep content inspection on any type of network app," said Francis Cianfrocca, Bayshore's founder and chief scientist. "But the fact that various nefarious players have found ways to infiltrate control systems, HMIs in particular, using standard kinds of malware is frightening." As a result, the company extended its malware detection capability and applied it to the protocols that reach HMIs over network links, he said.
Specifically, the Bayshore IT/OT Gateway is built with a detailed understanding of industrial communication protocols such as Modbus TCP, DNP3 and EtherNet/IP, and it can detect malware that piggybacks on these protocols. In addition, it uses an XML-based policy language that can be adapted quickly to proprietary protocols in IT or OT environments, and it can integrate with applications such as advanced analytics.
Bayshore's policy-based approach distinguishes it from the whitelisting approach used by IT security products such as intrusion detection systems (IDS) and firewalls. Rather than relying on a fixed whitelist, Bayshore builds its security policy from multiple sources, including internal research, customer-created rules and external trusted sources such as ICS-CERT, OWASP, STIX/TAXII feeds, and leading defense threat intelligence vendors and service providers.
The Bayshore IT/OT Gateway is offered as a cloud-based service, but it is also available as a virtual machine or an on-premises appliance. Even when deployed in the cloud, it provides granular content inspection of machine operation commands and can identify machines by the type of application traffic they send and receive.
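To make concrete what "protocol-aware" inspection of machine operation commands means in practice (both the Modbus/DNP3/EtherNet-IP parsing described above and the granular command inspection mentioned here), the following is an added example written for this page. It is not Bayshore's code and does not use Bayshore's policy language: the XML policy schema, the unit id, the writable register window and the sample frames are all constructed for illustration, and only the Modbus/TCP framing (MBAP header plus PDU) follows the public specification.

```python
"""Protocol-aware inspection of Modbus/TCP requests against an allow-list policy.

Added example for illustration. The XML policy schema below is made up for this
example; only the Modbus/TCP framing (MBAP header + PDU) follows the public spec.
"""
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Modbus public function codes this inspector understands.
READ_FUNCTIONS = {0x01, 0x02, 0x03, 0x04}   # read coils / discrete inputs / registers
SINGLE_WRITES = {0x05, 0x06}                 # write single coil / single register
MULTI_WRITES = {0x0F, 0x10}                  # write multiple coils / registers
WRITE_FUNCTIONS = SINGLE_WRITES | MULTI_WRITES

# Constructed policy in a hypothetical XML schema (not Bayshore's): per PLC unit id,
# the function codes the HMI may send and the address window it may write. For
# brevity coils and registers share one window here.
POLICY_XML = """
<policy>
  <unit id="1">
    <allow function="3"/>
    <allow function="6"/>
    <allow function="16"/>
    <writable start="100" count="10"/>
  </unit>
</policy>
"""


@dataclass
class Request:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # first coil/register addressed, if the PDU carries one
    quantity: int           # items read or written (1 for single writes, 0 if n/a)


def parse_modbus_tcp(frame: bytes) -> Request:
    """Parse one Modbus/TCP request (MBAP header + PDU), rejecting malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0")
    if length != len(frame) - 6:  # length covers unit id + PDU, not tid/proto/length
        raise ValueError("MBAP length field does not match frame size")
    function, pdu = frame[7], frame[8:]
    address, quantity = None, 0
    if function in READ_FUNCTIONS or function in MULTI_WRITES:
        if len(pdu) < 4:
            raise ValueError("truncated address/quantity fields")
        address, quantity = struct.unpack(">HH", pdu[:4])
        if function == 0x10:  # write multiple registers: byte count must match quantity
            if len(pdu) < 5 or pdu[4] != 2 * quantity or len(pdu) != 5 + pdu[4]:
                raise ValueError("byte count inconsistent with register quantity")
    elif function in SINGLE_WRITES:
        if len(pdu) != 4:
            raise ValueError("single write PDU must carry exactly address and value")
        address, quantity = struct.unpack(">H", pdu[:2])[0], 1
    return Request(tid, unit, function, address, quantity)


def load_policy(xml_text: str) -> dict:
    """Map unit id -> (allowed function codes, list of writable [start, end) windows)."""
    policy = {}
    for unit in ET.fromstring(xml_text).findall("unit"):
        allowed = {int(a.get("function")) for a in unit.findall("allow")}
        windows = [(int(w.get("start")), int(w.get("start")) + int(w.get("count")))
                   for w in unit.findall("writable")]
        policy[int(unit.get("id"))] = (allowed, windows)
    return policy


POLICY = load_policy(POLICY_XML)


def inspect_request(frame: bytes, policy: dict = POLICY) -> Optional[str]:
    """Return None if the request is permitted, otherwise the reason to drop it."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"malformed: {exc}"
    if req.unit_id not in policy:
        return f"unit {req.unit_id} not covered by policy"
    allowed, windows = policy[req.unit_id]
    if req.function not in allowed:
        return f"function 0x{req.function:02X} not allowed for unit {req.unit_id}"
    if req.function in WRITE_FUNCTIONS:
        end = req.address + req.quantity
        if not any(s <= req.address and end <= e for s, e in windows):
            return f"write to addresses {req.address}..{end - 1} outside writable window"
    return None


if __name__ == "__main__":
    # Constructed frames: a legitimate read, an in-window write, an out-of-window write,
    # and a diagnostics request (0x08, sub-function 0x04 = Force Listen Only Mode) that
    # a compromised HMI could use to silence the PLC.
    samples = {
        "read 10 holding regs": bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
        "write register 105":   bytes.fromhex("0002 0000 0006 01 06 0069 1234"),
        "write register 200":   bytes.fromhex("0003 0000 0006 01 06 00c8 0001"),
        "force listen-only":    bytes.fromhex("0004 0000 0006 01 08 0004 0000"),
    }
    for name, frame in samples.items():
        print(f"{name:22s} -> {inspect_request(frame) or 'allowed'}")
```

A port-based firewall passes everything on TCP/502 wholesale; parsing the frame lets the gateway drop a diagnostics sub-function that would put the PLC into listen-only mode, a write that lands outside the register window the HMI legitimately uses, or a frame whose MBAP length and byte-count fields disagree. The last check matters because inconsistent length fields are exactly what malformed-packet tests against embedded Modbus stacks exercise.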
“We started with the perspective of knowing how [industrial] machines work and how they talk on networks, which makes us different from other security vendors that focus on computer networks and Windows vulnerabilities,” Cianfrocca said. “We have the ability to look at everything the machines are doing and detect malware in the protocol stream.”