iSID – Industrial Threat Detection

Threat and vulnerability detection with system-wide visibility for ICS/SCADA OT networks

Overview

Radiflow’s iSID Detection & Analysis Platform provides proactive cybersecurity for critical infrastructures through non-intrusive monitoring of distributed production networks for changes in topology and behavior.

iSID’s multiple security engines each offer capabilities pertaining to a specific type of network activity: modeling and visibility of OT and IT devices, protocols and sessions; detection of threats and attacks; policy monitoring and validation of operational parameters; rules-based maintenance management; and networked device management.

iSID employs Radiflow’s iSAP Smart Collectors, installed at the remote sites of distributed networks, to collect all LAN traffic from the local switch via port mirroring, compress it (to prevent network overload) and send it over GRE, through VPN tunnels, to a centrally installed iSID.

iSID allows for different modes of deployment, allowing organizations to optimize their cyber-security expenditure: on-site at the industrial (ICS/SCADA-based) facility; at the operator’s central monitoring location; or at an MSSP’s SOC (Security Operations Center), using the iCEN management platform for multiple instances of iSID.

Features

Auto-learning

Generation of a baseline topology and behavior model, including all devices, ports and connections

Non-Intrusive Analysis

DPI protocol-based analysis of a mirrored network traffic stream, with no disruption of operations

Central or Local

Central-location deployment (using iSAP Smart Collectors) or local deployment at remote sites

PLC monitoring

Continuous supervision of configuration changes in PLCs and other networked devices

Attack Vector Analysis

Detection of down-vector vulnerabilities caused by networked device interoperability

MSSP-ready

Central management of multiple iSID instances at MSSP’s SOC using Radiflow iCEN

Sample reports generated by Radiflow iSID

Multiple Security Packages for Comprehensive OT Threat Detection

iSID enables non-disruptive monitoring of distributed SCADA networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity:

Network Visibility

Using passive scanning of all OT network traffic, iSID creates a visual network model of all devices, protocols and sessions, with alerts upon detected topology changes (e.g. new devices or sessions).

Cyber Attack

The Cyber Attack package handles known threats to SCADA networks, including PLCs, RTUs and industrial protocols, based on data gathered from across the cyber security research community.

Policy Monitoring

Define/modify policies for each network link, validating specific commands (e.g. “write to controller”) and operational ranges (e.g. “do not set turbine to above 800 rpm”).
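As an added illustration of the kind of link policy described above (example code written for this page, not Radiflow’s own): a passive check over mirrored Modbus/TCP frames that flags a “write to controller” from a source not approved for that link, and a written value above an operational limit. The source IPs, the register number and its 800 rpm limit are constructed for the demo.

```python
"""Constructed example of a passive policy check on Modbus/TCP Write Single
Register frames (function code 0x06), in the spirit of a Policy Monitoring rule.
Not Radiflow code; addresses, register and limit are assumptions."""
import struct
from dataclasses import dataclass

FC_WRITE_SINGLE_REG = 0x06  # Modbus "Write Single Register"


@dataclass
class Policy:
    allowed_writers: set   # source IPs permitted to write to the controller on this link
    max_value: dict        # register -> upper bound (e.g. turbine speed register -> 800 rpm)


def parse_write(frame: bytes):
    """Return (register, value) if the frame is a Modbus/TCP Write Single Register, else None."""
    if len(frame) < 12:
        return None
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id; then function code
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or fc != FC_WRITE_SINGLE_REG or length != 6:
        return None
    reg, value = struct.unpack(">HH", frame[8:12])
    return reg, value


def check_frame(src_ip: str, frame: bytes, policy: Policy):
    """Return the list of policy violations for one mirrored frame (empty list = compliant)."""
    parsed = parse_write(frame)
    if parsed is None:          # reads and other function codes are not covered by this rule
        return []
    reg, value = parsed
    alerts = []
    if src_ip not in policy.allowed_writers:
        alerts.append(f"unauthorized write from {src_ip} to register {reg}")
    limit = policy.max_value.get(reg)
    if limit is not None and value > limit:
        alerts.append(f"register {reg} set to {value}, exceeds operational limit {limit}")
    return alerts


def build_write(reg: int, value: int, tid: int = 1, unit: int = 1) -> bytes:
    """Constructed Modbus/TCP Write Single Register frame used as sample traffic."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_WRITE_SINGLE_REG, reg, value)


# Constructed policy: only the engineering station may write; register 100 is the turbine setpoint
POLICY = Policy(allowed_writers={"10.0.0.10"}, max_value={100: 800})

if __name__ == "__main__":
    for src, frame in [("10.0.0.10", build_write(100, 750)),    # compliant
                       ("10.0.0.10", build_write(100, 900)),    # over limit
                       ("10.0.0.99", build_write(100, 700))]:   # unapproved writer
        print(src, check_frame(src, frame, POLICY) or "ok")
```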

Maintenance Management

Limit network exposure during scheduled maintenance by creating work orders for specific devices during set time-windows. A log report of all maintenance activities is issued upon session completion.

Anomaly Detection

The Anomaly Detection package creates a behavioral network model using multiple parameters, including device sequence sampling time, frequency of operational values and more, toward detecting behavioral anomalies.

Operational Behavior

Monitor and audit the management of devices (PLC, RTU & IED) at remote sites, with alerts for firmware changes or configuration modifications (e.g. software updates or turning edge devices on or off) and activity logging.

Sample reports generated by Radiflow iSID

Central or Distributed Deployment

iSID can be deployed at a central location, to provide threat detection for multiple remote sites, or locally at each remote site (or a combination of both).

Central IDS deployments typically create a network overload problem, due to the large volumes of data sent from each local site to the central IDS. Radiflow’s iSAP Smart Collectors solve this problem: installed at each site, they receive all LAN traffic from the local switch, using port mirroring, and filter the data, leaving the SCADA traffic (e.g. Modbus data) intact.

To further prevent network overload, the filtered data is compressed and sent to the central iSID over VPN tunnels.

Monitoring/management of multiple iSID deployments at remote sites (typically larger remote sites) is performed using Radiflow’s iCEN Central Monitoring System for iSID. iCEN provides a view of each iSID’s operational state, ongoing detection summary data (e.g. network risk state, detected events) and system health information, and is used for remotely updating cyber-security threats and detection rules.

The iSAP Smart Collector

The iSAP Smart Collector is a cost-effective solution for non-intrusively sending all OT network data traffic to the iSID Industrial Threat Detection system for analysis.

Sending large volumes of data from remote networks to a central IDS typically creates network overload problems. iSAP solves this problem. Installed at each remote site, it receives all LAN traffic from the local switch (using port mirroring), filters out irrelevant traffic data (leaving the SCADA traffic, e.g. Modbus data, intact) and compresses the data stream.

iSAP can be deployed in any site (only one iSAP is required per remote site), large or small, for completely passive network coverage with no modification to existing infrastructure.

Use Cases

  • Technician on-site: iSID will automatically monitor maintenance activities during the predefined time window. Operations outside of the maintenance boundaries will trigger alerts.
  • Unauthorized PLC configuration changes: iSID will detect known protocol commands which affect PLC configuration.
  • SCADA server attack: iSID will detect and alert upon changes in the industrial model, including anomalies in command sequence and timing.
  • Spyware: iSID will generate alerts upon malware attempts to exfiltrate sensitive data from operational networks. Spyware activity indicators include anomalous network behavior, usage of unknown protocols and the establishing of external connections.
  • Man-in-the-Middle: iSID will detect and alert upon rogue devices in the network impersonating a valid server, workstation or SCADA controller by means of MAC or IP address theft.
  • Industrial-tailored malware: iSID will identify and alert upon all known tailor-made ICS malware, based on data gathered from across the cyber-security research community. Detection of unknown malware is done based on indications of unauthorized SCADA commands as well as specific anomalies in the industrial process.

Implementation