Over the past two years, we’ve noticed a clear uptick in interest in the topic of industrial cybersecurity among Automation World readers. Along with this increasing interest, there’s been a corresponding increase in the number of suppliers entering the marketplace to address industry’s need for greater security.
The most recent entrant into the space is Claroty, whose cybersecurity platform is designed to secure and optimize operational technology (OT) networks, i.e., plant-floor networks. The company heavily promotes its OT origins and focus, saying: “We’re not just fluent in every protocol, we’re OT native speakers. We were born and raised in the world of Modbus, Profibus and DeviceNet. We think in S7 and dream in DNP3. We go beyond EtherNet/IP into the realms of the most arcane fieldbus and serial protocols. No corner of the ICS network is dark to us and no event remains misunderstood.”
Claroty’s software reportedly creates a detailed inventory of an end user’s industrial network assets, monitors the traffic between those assets, and inspects that traffic down to the industrial-protocol level, i.e., the specific commands and values being exchanged. Detected anomalies are reported to plant and security personnel with actionable insights to help enable efficient investigation, response and recovery.
“The Claroty platform can detect a bad actor’s activities at any stage, whether they’re trying to gain a foothold on a network, conduct reconnaissance or inflict damage,” said Amir Zilberstein, co-founder and CEO, Claroty. “It also can detect human errors and other process integrity issues, which are often more common than threats from bad actors. For example, the software monitors for critical asset changes that, if done incorrectly, could result in unexpected downtime. The system also identifies network configuration issues that could expose a system to outside threats.”
Following a lengthy competitive review process, Rockwell Automation selected Claroty for network anomaly detection in large part because it is purpose-built for industrial network security. The companies are now working together to combine their security products and services into packaged security offerings for future release. Claroty has also joined the Rockwell Automation Partner Network Encompass program.
At the ARC Forum 2017 event, I met with Patrick McBride, chief marketing officer of Claroty, and Umair Masud, manager of consulting services portfolio at Rockwell Automation, to discuss the partnership between the two companies.
Rockwell Automation has been “working on cybersecurity mitigation with hardware products and features within software for the past five to 10 years,” said Masud. “We have a defense-in-depth approach because we know you can't rely on just one security control.” He added that Rockwell chose to work with Claroty because it wanted a more active defense “to increase visibility into the operations environment—something that can see the makeup of your system and how it interacts to identify what actions are normal and what actions aren’t.”
Masud also noted that Rockwell Automation wanted software that would work passively on the network. The difference between active and passive monitoring comes down to this: active monitoring injects its own traffic (probes, polls or scans) onto the network and learns from the responses; passive monitoring only observes traffic that is already there, typically from a copy delivered by a switch mirror (SPAN) port or a network TAP, and transmits nothing. Passive monitoring is the preferred approach for OT networks because many controllers and field devices tolerate unexpected traffic poorly, so even a benign scan can disrupt critical communications between the controllers, actuators and other devices on the network. The practical check for any sensor sold as passive is that it has no transmit path into the control network: the mirror port or TAP feed should be receive-only, and the sensor’s management interface should sit on a separate network.
“We also wanted the solution to be agnostic in nature, regardless of the supplier source. That’s why we chose Claroty,” Masud said.
“Our design principle number one is to do no harm,” said McBride, in reference to Claroty’s passive monitoring capability. “The length and breadth of coverage we provide over TCP/IP, serial and protocols allows us to deliver a fine-grained model to detect network anomalies,” he added.
Claroty’s alerting method was also highlighted by McBride. “Most cybersecurity software provides an events stream; our alerts are specific to what happened and are delivered in plain language to increase the situational awareness of the operator,” he said.
The starting point of a Claroty alert is a description of what’s happening, said McBride. For example, it will tell you if someone at a particular workstation tried to change a specific PLC. “We’re focused on reducing mean time to resolution; we want to find anomalies faster and better and resolve the problem more quickly. The additional, situational context Claroty provides helps direct a fast remediation process.”
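To make the three ideas above concrete (an inventory built from observed traffic, a passive sensor that transmits nothing, and an alert that says in plain language which host tried to change which PLC), here is an added example written for this page; it is not Claroty’s or Rockwell Automation’s code and makes no claim about how their platform works internally. It parses Modbus/TCP frames as a SPAN port or TAP would deliver them, learns a baseline of which client talks to which controller with which function code, and turns deviations into one-sentence alerts. All IP addresses, frames and the learning/monitoring split are constructed for the example.

```python
"""
Added example, not Claroty's or Rockwell Automation's code: a minimal passive
Modbus/TCP monitor. It transmits nothing; it is fed frames that a switch
mirror (SPAN) port or a network TAP would deliver, builds an asset inventory
from them, learns a baseline of who talks to whom with which function code,
and raises plain-language alerts for deviations. Addresses and frames below
are constructed for the example.
"""
import struct

# Public Modbus function codes (from the Modbus application protocol spec).
FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}   # functions that change state on the device


def parse_modbus_tcp(payload):
    """Parse an MBAP header plus PDU; return a dict, or None if malformed.

    MBAP = transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1); the length field counts the unit id plus the PDU.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "pdu": payload[7:]}


def modbus_frame(tid, unit, pdu):
    """Build a Modbus/TCP frame; used only to construct the sample capture."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class PassiveModbusMonitor:
    """Inventory + baseline + alerting over observed (src, dst, payload) tuples."""

    def __init__(self):
        self.assets = {}        # ip -> set of roles seen ("client", "server")
        self.baseline = set()   # (src, dst, unit, function) seen while learning
        self.learning = True
        self.alerts = []

    def observe(self, src, dst, payload):
        frame = parse_modbus_tcp(payload)
        if frame is None:
            return None                      # not Modbus/TCP: ignore
        new_source = src not in self.assets  # decided before updating inventory
        self.assets.setdefault(src, set()).add("client")
        self.assets.setdefault(dst, set()).add("server")
        key = (src, dst, frame["unit"], frame["function"])
        if self.learning:
            self.baseline.add(key)
            return None
        if key in self.baseline:
            return None                      # normal traffic, no alert
        alert = self._describe(src, dst, frame, new_source)
        self.alerts.append(alert)
        return alert

    @staticmethod
    def _describe(src, dst, frame, new_source):
        """Turn a deviation into one sentence an operator can act on."""
        fc, pdu = frame["function"], frame["pdu"]
        name = FUNCTION_NAMES.get(fc, "function code %d" % fc)
        where = ""
        if fc in (1, 3, 5, 6) and len(pdu) >= 5:      # address + value/quantity
            addr, val = struct.unpack(">HH", pdu[1:5])
            where = ", address %d, value/quantity %d" % (addr, val)
        elif fc in (15, 16) and len(pdu) >= 5:        # start address + count
            addr, qty = struct.unpack(">HH", pdu[1:5])
            where = ", starting at address %d for %d items" % (addr, qty)
        message = "%s%s sent %s to %s (unit %d)%s; not seen during learning" % (
            "Previously unseen host " if new_source else "",
            src, name, dst, frame["unit"], where)
        return {"severity": "high" if fc in WRITE_FUNCTIONS else "medium",
                "new_source": new_source, "source": src, "destination": dst,
                "function": fc, "message": message}


def demo():
    """Replay a constructed capture: a learning phase, then live monitoring."""
    hmi, ews, plc, rogue = "10.0.0.5", "10.0.0.7", "10.0.0.10", "10.0.0.99"
    mon = PassiveModbusMonitor()
    read = modbus_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))  # FC3, regs 0-9
    for _ in range(3):
        mon.observe(hmi, plc, read)       # HMI polls the PLC
    mon.observe(ews, plc, read)           # engineering workstation only reads
    mon.learning = False
    results = [
        mon.observe(hmi, plc, read),                                                    # baseline
        mon.observe(ews, plc, modbus_frame(2, 1, bytes([6]) + struct.pack(">HH", 100, 1))),  # write
        mon.observe(rogue, plc, modbus_frame(3, 1, bytes([1]) + struct.pack(">HH", 0, 8))),  # new host
        mon.observe(hmi, plc, b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),      # proto id 1
    ]
    return mon, results


if __name__ == "__main__":
    monitor, _ = demo()
    for a in monitor.alerts:
        print("[%s] %s" % (a["severity"], a["message"]))
```

Two design choices are worth noting. The baseline key is (source, destination, unit, function code), so a workstation that has only ever read from a PLC raises a high-severity alert the first time it writes, even though the host itself is known; that is the "someone at a workstation tried to change a specific PLC" case. And the monitor never opens a socket: everything it knows comes from frames handed to `observe()`, which is what makes it safe to attach to a control network.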