Radiflow now offers a 90-day trial of iSID to help OT operators protect their networks during the COVID-19 outbreak. Contact us to learn more.
Radiflow’s iSID Detection & Analysis Platform provides proactive cybersecurity for critical infrastructures through non-intrusive monitoring of distributed production networks for changes in topology and behavior.
iSID’s multiple security engines each cover a specific type of network activity: modeling and visibility of OT and IT devices, protocols and sessions; detection of threats and attacks; policy monitoring and validation of operational parameters; rules-based maintenance management; and networked device management.
iSID employs Radiflow’s iSAP Smart Collectors, installed at the remote sites of a distributed network. Each collector receives all LAN traffic from the local switch via port mirroring, filters and compresses it (to prevent network overload), and sends it over GRE, through VPN tunnels, to a centrally installed iSID.
iSID allows for different modes of deployment, letting organizations optimize their cyber-security expenditure: on-site at the industrial (ICS/SCADA-based) facility; at the operator’s central monitoring location; or at an MSSP’s SOC (Security Operations Center), using the iCEN management platform to manage multiple instances of iSID.
- Generation of a baseline topology and behavior model, including all devices, ports and connections
- DPI protocol-based analysis of a mirrored network traffic stream, with no disruption of operations
- Central or local deployment: at a central location (using iSAP Smart Collectors) or locally at remote sites
- Continuous supervision of configuration changes in PLCs and other networked devices
- Attack vector analysis: detection of down-vector vulnerabilities caused by networked device interoperability
- Central management of multiple iSID instances at an MSSP’s SOC using Radiflow iCEN
Sample query reports generated by Radiflow iSID: Assets by Vendor (top); Assets by Type (bottom)
Multiple Security Packages for Comprehensive OT Threat Detection
iSID enables non-disruptive monitoring of distributed SCADA networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity:
Using passive scanning of all OT network traffic, iSID creates a visual network model of all devices, protocols and sessions, with alerts upon detected topology changes (e.g. new devices or sessions).
The Cyber Attack package handles known threats to SCADA networks, including PLCs, RTUs and industrial protocols, based on data gathered from across the cyber-security research community.
The Policy Monitor package lets you define and modify policies for each network link, validating specific commands (e.g. “write to controller”) and operational ranges (e.g. “do not set turbine to above 800 rpm”).
Maintenance management limits network exposure during scheduled maintenance by creating work orders for specific devices during set time windows. A log report of all maintenance activities is issued upon session completion.
The Anomaly Detection package creates a behavioral network model from multiple parameters, including device sequence and sampling time, frequency of operational values and more, in order to detect behavioral anomalies.
Device management monitors and audits the management of devices (PLC, RTU and IED) at remote sites, with alerts for firmware changes or configuration modifications (e.g. software updates or turning edge devices on or off) and activity logging.
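The kind of per-link validation described for the Policy Monitor package (permitted commands such as “write to controller”, and operational ranges such as a turbine setpoint ceiling) can be shown with a small passive monitor over Modbus/TCP. The code below is an added example written for this page, not Radiflow’s implementation: the IP addresses, the holding register taken to hold the rpm setpoint, the 800-rpm limit and the Modbus/TCP frames are all constructed for illustration.

```python
"""Passive Modbus/TCP policy monitor (illustrative; not Radiflow code).
Frames are (src_ip, dst_ip, tcp_payload) as a port-mirror tap would yield them."""
import struct
from dataclasses import dataclass, field

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
FC_WRITE_MULTI = 0x10


@dataclass
class ModbusRequest:
    src: str
    dst: str
    unit: int
    fc: int
    writes: list = field(default_factory=list)  # [(register, value), ...]


@dataclass
class LinkPolicy:
    allowed_fcs: set                                   # function codes permitted on the link
    register_ranges: dict = field(default_factory=dict)  # register -> (lo, hi)


def parse_request(src, dst, payload):
    """Decode the MBAP header and PDU of a Modbus/TCP request; None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc, pdu = payload[7], payload[8:]
    req = ModbusRequest(src, dst, unit, fc)
    if fc == FC_WRITE_SINGLE and len(pdu) == 4:
        reg, val = struct.unpack("!HH", pdu)
        req.writes = [(reg, val)]
    elif fc == FC_WRITE_MULTI and len(pdu) >= 5:
        start, qty, bc = struct.unpack("!HHB", pdu[:5])
        if bc != 2 * qty or len(pdu) != 5 + bc:
            return None
        vals = struct.unpack("!%dH" % qty, pdu[5:])
        req.writes = list(zip(range(start, start + qty), vals))
    return req


def check_policy(req, policies):
    """Return alert strings for one request against the per-link policy table."""
    pol = policies.get((req.src, req.dst))
    if pol is None:
        return [f"{req.src}->{req.dst}: no policy defined for this link (fc 0x{req.fc:02x})"]
    alerts = []
    if req.fc not in pol.allowed_fcs:
        alerts.append(f"{req.src}->{req.dst}: function code 0x{req.fc:02x} not permitted")
    for reg, val in req.writes:
        lo, hi = pol.register_ranges.get(reg, (0, 0xFFFF))
        if not lo <= val <= hi:
            alerts.append(f"{req.src}->{req.dst}: write {val} to register {reg} outside [{lo}, {hi}]")
    return alerts


def run_monitor(frames, policies):
    """Run every frame through the parser and policy check; return all alerts in order."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_request(src, dst, payload)
        if req is not None:
            alerts.extend(check_policy(req, policies))
    return alerts


# --- constructed sample data (hypothetical addresses, register and limit) ---
def write_single(tid, unit, reg, val):
    return struct.pack("!HHHBBHH", tid, 0, 6, unit, FC_WRITE_SINGLE, reg, val)


def write_multi(tid, unit, start, vals):
    pdu = struct.pack("!HHB", start, len(vals), 2 * len(vals)) + struct.pack("!%dH" % len(vals), *vals)
    return struct.pack("!HHHBB", tid, 0, 2 + len(pdu), unit, FC_WRITE_MULTI) + pdu


HMI, PLC, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.99"
TURBINE_SETPOINT = 100  # holding register assumed to carry the turbine rpm setpoint

POLICIES = {
    (HMI, PLC): LinkPolicy(allowed_fcs={FC_READ_HOLDING, FC_WRITE_SINGLE},
                           register_ranges={TURBINE_SETPOINT: (0, 800)}),
}

SAMPLE_FRAMES = [
    (HMI, PLC, write_single(1, 1, TURBINE_SETPOINT, 750)),         # in range: silent
    (HMI, PLC, write_single(2, 1, TURBINE_SETPOINT, 900)),         # above 800 rpm: alert
    (LAPTOP, PLC, write_multi(3, 1, TURBINE_SETPOINT, [500, 1])),  # link with no policy: alert
    (HMI, PLC, write_multi(4, 1, TURBINE_SETPOINT, [500])),        # FC 0x10 not permitted: alert
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_FRAMES, POLICIES):
        print("ALERT", alert)
```

Keying the policy on the (source, destination) pair is what makes an engineering laptop writing the same in-range value still an alert: the value is fine, the link is not. A production monitor would additionally reassemble TCP streams and track the transaction ID so that responses are matched to requests, which this example omits.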
iSID in Action
iSID’s Map View displays a graphical representation of all network devices in multiple display modes (Purdue, Flow, Analyst and Custom). Maps are zoomable and elements can be dragged to any location on the screen. In addition, the Attack Vector analyzer can detect vulnerabilities within the interplay between different business processes.
The Asset Management tab presents all system assets, categorized and filterable by type (e.g. PLC, Server, HMI, Engineering Station, Broadcast, etc.) or by any asset characteristic. Asset types are automatically detected by iSID; the user can change each asset’s designation or add a custom asset type.
The Alerts screen displays alerts by the security package that generated them, as listed across the top bar: Cyber Attack for suspicious network behavior; Policy Monitor for communication policy violations; System Alerts for anomalous behavior in iSID; Asset Management for new CVEs or device control alerts; and Network Visibility for networking alerts.
Central or Distributed Deployment
iSID can be deployed at a central location, to provide threat detection for multiple remote sites, or locally at each remote site (or a combination of both).
Central IDS deployments typically create a network overload problem, due to the large volumes of data sent from each local site to the central IDS. Radiflow’s iSAP Smart Collectors solve this problem: installed at each site, they receive all LAN traffic from the local switch using port mirroring and filter out irrelevant traffic, leaving the SCADA traffic (e.g. Modbus data) intact.
To further prevent network overload, the filtered data is compressed and sent to the central iSID over VPN tunnels.
Monitoring/management of multiple iSID deployments at remote sites (typically larger remote sites) is performed using Radiflow’s iCEN Central Monitoring System for iSID. iCEN provides a view of each iSID’s operational state, ongoing detection summary data (e.g. network risk state, detected events) and system health information, and is used for remotely updating cyber-security threats and detection rules.
The iSAP Smart Collector
The iSAP Smart Collector is a cost-effective solution for non-intrusively sending all OT network data traffic to the iSID Industrial Threat Detection system for analysis.
Sending large volumes of data from remote networks to a central IDS typically creates network overload problems. iSAP solves this problem. Installed at each remote site, it receives all LAN traffic from the local switch (using port mirroring), filters out irrelevant traffic (leaving the SCADA traffic, e.g. Modbus data, intact) and compresses the data stream.
iSAP can be deployed in any site (only one iSAP is required per remote site), large and small, for completely passive network coverage with no modification to existing infrastructure.
- Technician on-site: iSID will automatically monitor maintenance activities during the predefined time window. Operations outside of the maintenance boundaries will trigger alerts.
- Unauthorized PLC configuration changes: iSID will detect known protocol commands which affect PLC configuration.
- SCADA server attack: iSID will detect and alert upon changes in the industrial model, including anomalies in command sequence and timing.
- Spyware: iSID will generate alerts upon malware attempts to exfiltrate sensitive data from operational networks. Spyware activity indicators include anomalous network behavior, usage of unknown protocols and establishment of external connections.
- Man-in-the-Middle: iSID will detect and alert upon rogue devices in the network impersonating a valid server, workstation or SCADA controller by stealing (spoofing) a MAC or IP address.
- Industrial-tailored malware: iSID will identify and alert upon all known tailor-made ICS malware, based on data gathered from across the cyber-security research community. Detection of unknown malware is based on indications of unauthorized SCADA commands as well as specific anomalies in the industrial process.
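The man-in-the-middle scenario above (a rogue device taking over a valid device’s MAC or IP address) can be caught passively from ARP traffic alone. The following is an added example written for this page, not Radiflow code: it learns a baseline of which MAC owns which IP from mirrored ARP replies, then raises an alert when a baseline IP is answered by a different MAC (IP theft) or a baseline MAC appears with an IP it never had (suspected MAC clone). All MAC and IP addresses and the ARP frames are constructed for the example.

```python
"""Passive ARP-based rogue-device detector (illustrative; not Radiflow code)."""
import struct
from collections import defaultdict


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP 'is-at' reply (sample data for this example)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    ethernet = tmac + smac + b"\x08\x06"                      # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + smac + spa + tmac + tpa
    return ethernet + arp


def arp_sender(frame):
    """Return (sender_ip, sender_mac) from an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if (frame[18], frame[19]) != (6, 4):                     # hardware/protocol address lengths
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ".".join(str(b) for b in spa), ":".join(f"{b:02x}" for b in sha)


class AddressBaseline:
    """Learns which MAC owns which IP, then flags deviations from that pairing."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.learning = True

    def observe(self, ip, mac):
        """Feed one sender (IP, MAC) pair; returns a list of alert strings."""
        mac = mac.lower()
        owner = self.ip_to_mac.get(ip)
        if self.learning:
            if owner is None:                                # first claim wins during learning
                self.ip_to_mac[ip] = mac
                self.mac_to_ips[mac].add(ip)
            return []
        if owner is not None and owner != mac:
            return [f"IP takeover: {ip} claimed by {mac}, baseline owner is {owner}"]
        if owner is None:
            known_ips = self.mac_to_ips.get(mac)
            if known_ips:
                return [f"MAC clone suspected: {mac} (baseline IPs {sorted(known_ips)}) now claims unknown IP {ip}"]
            return [f"new device: {mac} using unknown IP {ip}"]  # plain topology change
        return []


def detect(baseline_frames, live_frames):
    """Learn from baseline_frames, then return the alerts raised by live_frames."""
    baseline = AddressBaseline()
    for frame in baseline_frames:
        pair = arp_sender(frame)
        if pair:
            baseline.observe(*pair)
    baseline.learning = False
    alerts = []
    for frame in live_frames:
        pair = arp_sender(frame)
        if pair:
            alerts.extend(baseline.observe(*pair))
    return alerts


# --- constructed sample data (hypothetical addresses) ---
HMI_MAC, HMI_IP = "00:1c:06:00:00:10", "10.0.0.10"
PLC_MAC, PLC_IP = "00:1c:06:00:00:20", "10.0.0.20"
ROGUE_MAC = "de:ad:be:ef:00:99"
BROADCAST = "ff:ff:ff:ff:ff:ff"

BASELINE_FRAMES = [
    build_arp_reply(HMI_MAC, HMI_IP, PLC_MAC, PLC_IP),
    build_arp_reply(PLC_MAC, PLC_IP, HMI_MAC, HMI_IP),
]
LIVE_FRAMES = [
    build_arp_reply(PLC_MAC, PLC_IP, HMI_MAC, HMI_IP),            # legitimate: silent
    build_arp_reply(ROGUE_MAC, PLC_IP, HMI_MAC, HMI_IP),          # rogue answers as the PLC
    build_arp_reply(HMI_MAC, "10.0.0.77", BROADCAST, PLC_IP),     # HMI's MAC with a new IP
    build_arp_reply("de:ad:be:ef:00:55", "10.0.0.55", BROADCAST, PLC_IP),  # unknown host
]

if __name__ == "__main__":
    for alert in detect(BASELINE_FRAMES, LIVE_FRAMES):
        print("ALERT", alert)
```

One caveat a practitioner should keep in mind: a rogue device that clones both the MAC and the IP of its victim is invisible to this address-pairing check, because every frame it sends matches the baseline. Catching that case needs other signals (the switch port the MAC appears on, IP TTL or timing differences, or the protocol-level behavioral anomalies covered by the other packages), which is why address-pair monitoring is only one of several detection layers.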