Securing industrial control systems (ICS) against potential cyber intrusions has been a major area of concern for several years now. During that time, much of the focus on ICS cybersecurity centered on helping industrial companies realize that reliance on air gaps is not an effective cybersecurity strategy and that classic IT cybersecurity approaches — including firewalls and DMZs — are essential first lines of defense.
What’s been changing lately is the level of granularity being offered by different companies to address specific ICS issues beyond general IT cybersecurity tactics. Examples of this movement were on display at this week’s ARC Forum in Orlando, Fla., and at ATX West in Anaheim, Calif.
At the ARC Forum, NextNine, a provider of operational technology (OT) cybersecurity management tools, announced that it has added the ability to auto-discover assets in industrial and critical infrastructure environments. According to NextNine, its system now automates the mapping of critical assets across multiple remote sites, centrally monitoring those assets to ensure compliance with corporate and regulatory security policy, and protecting the assets by rolling out patches, updates and policy changes. NextNine’s auto-discovery feature reportedly allows full visibility of SCADA devices down to the level of PLCs and RTUs.
“Complete and accurate [asset] inventory is a pre-requisite for reducing cyber security and operational risks, and is often a considerable operational challenge to overcome without a proper automated software tool,” said Shmulik Aran, NextNine’s CEO. Aran noted that NextNine developed its auto-discovery capability to address the “tedious and costly process” of having to manually discover and create an inventory of assets to monitor in industrial environments. He added that the new auto-discovery capability “passively identifies all devices by analyzing network packets, thereby eliminating any danger of disrupting the operation by active scanning.”
Also announced at the ARC Forum was the introduction of a new ICS-focused cybersecurity company called Indegy, which claims to offer “the first cyber security platform that provides comprehensive visibility into the critical control layer of OT networks.” The platform reportedly detects logic changes to controllers regardless of whether they are performed over the network, locally on the device, by malware, or by a human being. It automatically discovers all controllers on ICS networks and routinely validates their logic, firmware version and configuration to identify any unauthorized or unintended changes. Indegy also monitors and logs all network activity including instructions sent to controllers such as modifying the temperature, pressure, and rotation speed of operational equipment.
Indegy is focusing on this aspect of ICS cybersecurity because of the predominant use of proprietary protocols in control systems to modify controller settings. According to Indegy, the use of such protocols can prevent engineers and security personnel from detecting control-layer activity, because process parameter changes can be observed only by monitoring those protocols, such as Modbus or DNP3. Indegy claims that, with its new platform, it provides “previously unavailable real-time visibility into all ICS control layer activities.”
Policy-based real-time security alerts are sent from Indegy when changes are detected to help staff pinpoint operational problems and respond. Reports from the platform also allow facilities operators to demonstrate compliance with various regulations.
Also targeting the ICS protocol layer is Icon Labs, which released its Floodgate Modbus protocol filtering product at ATX West this week. Meanwhile at ARC Forum, Mentor Graphics announced integration of Icon Lab’s Floodgate Modbus protocol filter with its Nucleus RTOS and Mentor Embedded Linux. This integration reportedly creates a “secure platform for industrial automation” and adds protection capabilities for Industrial Internet of Things (IIoT) and real-time operating system (RTOS)-based devices.
Icon Labs said its Floodgate Modbus protocol filter provides the missing layer of security for Modbus/TCP devices. “The Modbus/TCP protocol currently lacks any real security, making these devices sitting ducks for even moderately skilled hackers,” said Alan Grau, president of Icon Labs. “Modbus packet filtering addresses this problem by enforcing policies and inserting a layer of control without changing the underlying protocol.”
The Modbus protocol filtering extension provides deep packet inspection of the Modbus packets based upon Modbus function code, originating IP address, or Modbus packet content. Integration with Icon Labs’ Floodgate Agent enables detection and reporting of malicious traffic.
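To make the three filtering criteria above concrete, here is an added example in C (not Icon Labs' Floodgate code) of a minimal Modbus/TCP policy filter: it parses the MBAP header, allows each source address only its configured function codes, and drops write requests outside a permitted register range. The IP addresses, policy table, register limit and sample frames are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
/* Modbus/TCP frame: 7-byte MBAP header (transaction id, protocol id, length,
 * unit id) followed by the PDU, whose first byte is the function code. */
#define MBAP_LEN 7
#define WRITE_LIMIT 0x0100   /* constructed policy: writes allowed only below this register */
typedef struct { uint16_t txn_id, proto_id, length; uint8_t unit_id, fc; } mb_hdr;
typedef enum { MB_DROP = 0, MB_PASS = 1 } mb_verdict;
/* Policy table: the function codes each source IP may send (constructed sample). */
typedef struct { const char *src_ip; uint8_t allowed_fc[8]; size_t n_fc; } mb_rule;
static const mb_rule rules[] = {
    { "192.0.2.10", {1, 2, 3, 4}, 4 },                 /* HMI: read-only codes */
    { "192.0.2.20", {1, 2, 3, 4, 5, 6, 15, 16}, 8 },   /* engineering station: reads and writes */
};
/* Constructed sample frames: FC 3 read 10 registers at 0; FC 6 write register 16; FC 6 write register 1024. */
const uint8_t frame_read_hr[]  = {0, 1, 0, 0, 0, 6, 1, 3, 0, 0, 0, 10};
const uint8_t frame_write_lo[] = {0, 2, 0, 0, 0, 6, 1, 6, 0, 16, 0, 100};
const uint8_t frame_write_hi[] = {0, 3, 0, 0, 0, 6, 1, 6, 4, 0, 0, 100};
/* Parse and sanity-check the MBAP header; false on malformed frames. */
bool mb_parse(const uint8_t *buf, size_t n, mb_hdr *h) {
    if (n < MBAP_LEN + 1) return false;            /* need header plus function code */
    h->txn_id   = (uint16_t)((buf[0] << 8) | buf[1]);
    h->proto_id = (uint16_t)((buf[2] << 8) | buf[3]);
    h->length   = (uint16_t)((buf[4] << 8) | buf[5]);
    h->unit_id  = buf[6];
    h->fc       = buf[7];
    if (h->proto_id != 0) return false;            /* Modbus/TCP protocol id is always 0 */
    return h->length == n - 6;                     /* length counts unit id + PDU bytes */
}
/* Content rule: write requests (FC 6, FC 16) may only target registers below WRITE_LIMIT. */
static bool mb_content_ok(const mb_hdr *h, const uint8_t *buf, size_t n) {
    if (h->fc != 6 && h->fc != 16) return true;
    if (n < MBAP_LEN + 3) return false;            /* starting address is bytes 8..9 */
    return (uint16_t)((buf[8] << 8) | buf[9]) < WRITE_LIMIT;
}
/* Filter one inbound frame: default deny for unknown hosts and malformed frames. */
mb_verdict mb_filter(const char *src_ip, const uint8_t *buf, size_t n) {
    mb_hdr h;
    if (!mb_parse(buf, n, &h)) return MB_DROP;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].src_ip, src_ip) != 0) continue;
        for (size_t j = 0; j < rules[i].n_fc; j++)
            if (rules[i].allowed_fc[j] == h.fc)
                return mb_content_ok(&h, buf, n) ? MB_PASS : MB_DROP;
        return MB_DROP;                            /* known host, code not in its policy */
    }
    return MB_DROP;                                /* unknown host */
}
```

A dropped frame is the point at which a product such as the Floodgate Agent would raise a report; the filter itself only returns the verdict.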
“Achieving security while maintaining interoperability with legacy solutions is critical to the adoption of the IIoT,” said Warren Kurisu, director of product management at Runtime Solutions, Embedded Systems Division, Mentor Graphics. “Adding a layer of protection for Modbus/TCP devices closes a critical security loophole for industrial automation systems.”
Amid the new ICS cybersecurity products announced this week, many of the more familiar approaches still remain at the forefront. For example, Waterfall Securities was again among the exhibitors at ARC Forum (read my write-up on Waterfall’s unidirectional approach to cybersecurity following my meeting with them at ARC Forum 2015).
Another ICS cybersecurity provider highlighted at ARC Forum was GE’s Wurldtech, which showcased its OpShield product, a device that literally sits in front of your ICS. OpShield’s cybersecurity approach is based on the IT security tactic of whitelisting—where only pre-approved applications are allowed to run. Since OpShield sits in front of the ICS, no network re-engineering is required.
According to Wurldtech, OpShield initially applies its whitelisting tactics via machine learning to automatically detect connected devices and communications between devices, allowing an operator to “validate a blueprint of accepted devices and communication in the process control environment.” OpShield then inspects and controls traffic at the application command level to detect and block unauthorized activity.
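The learn-then-enforce sequence described above, as an added example in C that is not Wurldtech's OpShield code: a learning phase records every distinct (source, destination, command) conversation seen during baselining, the operator validates the resulting blueprint, and from then on any conversation absent from it is flagged and blocked. The flow representation, hosts and baseline traffic are constructed; the real product's machine-learning step is replaced here by a plain set of observed tuples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
/* One control-layer conversation: source, destination and command (Modbus function code).
 * Fields are assumed already extracted from the frame; the representation is constructed. */
typedef struct { const char *src; const char *dst; uint8_t fc; } flow_t;
typedef enum { FLOW_ALLOW = 0, FLOW_BLOCK = 1 } flow_verdict;
#define MAX_FLOWS 64
typedef struct { flow_t flows[MAX_FLOWS]; size_t n; bool learning; } blueprint_t;
static bool flow_eq(const flow_t *a, const flow_t *b) {
    return a->fc == b->fc && strcmp(a->src, b->src) == 0 && strcmp(a->dst, b->dst) == 0;
}
static bool blueprint_has(const blueprint_t *bp, const flow_t *f) {
    for (size_t i = 0; i < bp->n; i++) if (flow_eq(&bp->flows[i], f)) return true;
    return false;
}
/* Learning phase: record each distinct (src, dst, command) tuple seen while baselining. */
bool blueprint_learn(blueprint_t *bp, const flow_t *f) {
    if (!bp->learning || blueprint_has(bp, f) || bp->n >= MAX_FLOWS) return false;
    bp->flows[bp->n++] = *f;
    return true;
}
/* The operator reviews the learned blueprint; once validated, enforcement begins. */
void blueprint_validate(blueprint_t *bp) { bp->learning = false; }
/* Enforcement: a tuple absent from the validated blueprint is unauthorized and blocked. */
flow_verdict blueprint_check(const blueprint_t *bp, const flow_t *f) {
    if (bp->learning) return FLOW_ALLOW;            /* still baselining, nothing to enforce */
    return blueprint_has(bp, f) ? FLOW_ALLOW : FLOW_BLOCK;
}
/* Constructed baseline: HMI polls the PLC (FC 3); engineering station writes to it (FC 16). */
static const flow_t baseline[] = {
    { "192.0.2.10", "192.0.2.50", 3 },
    { "192.0.2.20", "192.0.2.50", 16 },
};
/* Constructed probes for the enforcement phase. */
const flow_t probe_hmi_read     = { "192.0.2.10", "192.0.2.50", 3 };   /* in blueprint */
const flow_t probe_hmi_write    = { "192.0.2.10", "192.0.2.50", 16 };  /* HMI never wrote */
const flow_t probe_unknown_host = { "192.0.2.99", "192.0.2.50", 3 };   /* host never seen */
/* Build the blueprint from the baseline once, validate it, then check a flow against it. */
flow_verdict check_against_baseline(const flow_t *f) {
    static blueprint_t bp; static bool built = false;
    if (!built) {
        bp.n = 0; bp.learning = true;
        for (size_t i = 0; i < sizeof baseline / sizeof baseline[0]; i++) blueprint_learn(&bp, &baseline[i]);
        blueprint_validate(&bp);
        built = true;
    }
    return blueprint_check(&bp, f);
}
```

The weakness to keep in mind with any learned allowlist is that whatever was on the wire during baselining, legitimate or not, becomes "approved", which is why the operator validation step exists.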
Paul Rogers, president and CEO of Wurldtech, said, “There is often no history of what data is going back and forth within an ICS; this means that many attacks go unnoticed for months or years or are missed entirely. OpShield provides visibility into and history of malware existence on your ICS network.”
With the increasing number of cybersecurity options becoming available to industry, it will be interesting to see which tactics—or combination of tactics—gain the greatest foothold.