Another security supplier has announced an appliance it says will give operational and IT security teams greater visibility into changes made to supervisory control and data acquisition (SCADA) networks.
Israeli startup Indegy said its appliance protects crucial programmable logic controllers (PLCs) and remote terminal units (RTUs), which run industrial machines in factories and utilities on networks separate from data networks.
“Indegy gives 100 per cent visibility into what they industrial controllers are doing at any given moment, and provides alerts and information about changes in configuration,” CEO Barak Perelman said in an interview.
Operators of networks with industrial control systems have long been warned the security on those devices is less than ideal, leaving vital utilities and industries open to compromise. Numbers on Canadian attacks aren’t easy to come by, but in fiscal 2015 almost 300 incidents at critical U.S. infrastructure were reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It believes many more went unreported or undetected
The problem with many industrial controllers is they were designed years ago in an era before cyber attacks were thought of. “Even authentication –the fact you need a user name an password to change how a turbine operates in a power plant — does not exist in 90 per cent of these facilities,” said Perelman. “Essentially a determined hacker or a employee within a critical company can easily inflict damage a destruction of industrial equipment if he wishes.”
The Indegy appliance plugs into the mirror port on a SCADA network to replicate traffic. After conducting an asset inventory of all devices on the network a deep packet inspection engine analyzes both the application layer open protocols and vendor proprietary configuration layer communications.
Administrators can create application-layer and identity-based policies to alert or block changes. Rules can be based on specific process control commands, asset types, user role, network location, or time of day.
One unique facet of industrial controllers is that they can be accessed directly for maintenance, giving an attacker the opportunity to do the same. Indegy can be set to regularly query and verify controllers’ settings.
Data captured from the appliance (or appliances installed at multiple sites) is viewed on a dashboard that can be seen by operational as well as IT security teams.
Through a RESTful API, data can also be forwarded to security information and event management suites such as Splunk, IBM’s QRadar and Hewlett-Packard Enterprises’ ArcSight.
While most SCADA networks in today are IP-based, Indegy also support older serial networks.
Indegy will compete against network security appliances from vendors such as Palo Alto Networks, Attvio Networks, Radiflow, Sophos’ Cyberoam and others. Perelman said Indegy’s solution is the only one that gives visibility to the ICS control layer.
Indegy is priced the same way as any other network appliance, he said, but gave no details. The appliance is sold direct from the company and through industrial integrators.
Christian Renaud, research director for the Internet of Things at 451 Research, noted in an interview that because ICS/SCADA networks haven’t completely picked up on best practices learned in IT security because data and operational networks have traditionally been separate. That is changing, and Indegy, he said, is helping bridge that divide by being able to watch for unapproved changes in the ICS control layer in a non-intrusive way. “It’s a logical first step for IoT security,”
“Currently any system with industrial controls systems and SCADA there are going to be unprotected gateways,” he added, so having defence in depth is vital.