OT-Cybersecurity & Management for BMS and Smart-City Deployments
Building Management Systems (BMS) involve integrated services by multiple vendors for electricity, water supply, HVAC, access control, fire alarms and more, which makes it extremely difficult to provide protection, real-time network visualization and cybersecurity insights.
The challenge is compounded by the growing reliance on Cyber-Physical Systems (CPS) for controlling industrial processes, as well as on internet-based automation & remote operations and IT/OT connectivity. In addition, the OT-cybersecurity system faces the challenge of securing building campuses’ energy centers and grid connections, an attack on which could disrupt of shut down operations altogether.
Radiflow’s cybersecurity solution suite, designed especially for Production (OT) networks, provides BMS operators the tools to protect, visualize and safely maintain their systems:
- Full hierarchical logical interdependency map of all disparate building systems, through iSID Detection & Analysis Platform, using Radiflow’s Smart Collectors
- CIA (Confidentiality, Integrity & Availability, as well as Safety) risk evaluation based on per-business process impact,
using the CIARA risk assessment & management platform
- MSSP/SOC ready with alert prioritization triage and multi-iSID system management solution
- Attack vector and attacker capability analysis provide proactive insights for alert prioritization and optimizing risk
- Protection of buildings’ data communication protocols
- Compliance enabler for IEC 62443 and other common standards and regulations
System-wide topology learning
Logical map of all building systems, with drill-down to each device’s attributes, known threats and protocols
Radiflow iSAP Smart Collectors
For sending a compressed, encrypted mirrored data stream from each subsystem’s switch to a central iSID
Secure Gateways’ Authentication Proxy Access (APA) for enforcing remote maintenance management rules
Attacker and Vector Analysis
Analysis of attacker capabilities per threat, as well as attack vector inderdependencies
Support for remote monitoring and management of multiple iSID instances at MSSP’s SOCs
- System-wide topology learning and visualization: Radiflow’s iSID non-intrusive, passive (optionally active) Threat Detection & Analysis Platform provides a full, hierarchical logical inter-dependency map of all disparate building systems, with drill-down to each device’s attributes, known threats and protocols. Radiflow’s solutions, designed for OT, support all relevant OT protocols (e.g. BACnet, Profibus) for accurate modeling and anomaly detection (new devices, topology changes, abnormal memory access and firmware changes) as well as Ethernet and Serial interfaces for modern and legacy devices.
- Radiflow Smart Collectors: Smart Collectors send an encrypted mirrored data stream from each subsystem’s switch to iSID. The data stream is compressed while maintaining data integrity, using Radiflow’s proprietary compression scheme, to prevent network overload.
- Alert Prioritization: iSID’s out-of-the-box CIA (Confidentiality, Integrity, Availability) Risk Evaluation triage model significantly improves alert handling. Following the initial modeling stage, CIA values are assigned to each subsystem’s devices based on function (e.g. safety systems are attributed high availability, low confidentiality, and high integrity). These values can be later configured by the operator.
- Maintenance Management: Radiflow’s iSEG Secure DPI Gateways allow enforcing remote maintenance management rules. Using an Authentication Proxy Access (APA) the network administrator is able to allocate a specific time window for restricted remote access to the specific IED that needs to be maintained. The APA provides the network administrator the flexibility to schedule remote maintenance tasks without the risk of forgetting to terminate the remote session. This prevents propagation of malware to devices and subsystems outside the scope of the technician’s work order.
- Attacker Capabilities and Attack Vector Analysis: By mapping the interdependencies and data flow between different devices, and the attacker capabilities assigned to each threat on each device, operators are able to better determine which devices need to be prioritized for strengthening and patching, for optimization of risk mitigation expenditure.
- SOC/MSSP-Ready: Radiflow’s solutions support remote monitoring and management at MSSP’s SOCs. Using end-to-end IPsec VPN tunnels, Radiflow’s Smart Collectors are able to efficiently send large volumes of data to a central instance of iSID at an MSSP’s SOC. Alerts are sent to the SOC are evaluated and triaged based on their CIA true risk values. Management of multiple instances of iSID (in MSSP-monitored multi-network BMS systems) for BMS and Smart City systems is made possible by Radiflow’s iCEN management utility, which greatly simplifies the management and maintenance of large-scale networks.