Shop Floor to Top Floor Security

This week we welcome guest authors, Gary DiFazio from Tripwire and Katherine Brocklehurst from Claroty.

Blind Spots and Bottom Lines

Radar allows boats to navigate in extreme fog, night vision goggles give army rangers the ability to combat at night, and Claroty and Tripwire are teaming up to give industrial control operators who manage mission critical industrial automation the situational awareness and visibility into conditions that could detrimentally impact the safety and productivity of industrial control processes.

 Do you have the visibility you need to be able to know when a condition could negatively impact your process?

 Where are the Blind Spots?

We’ve all been there - something impacts production and the first question on the plant floor is – “what changed?” Simply put, despite our best efforts and good processes, there are blind spots that can impact operations and profits. One plant manager put it this way, “I’m not that concerned about hackers per se, but my own guys or one of our vendors change something without us knowing? I just don’t have the visibility - that is my biggest problem.”

These blind spots are becoming more pronounced as the rate of connectivity is growing exponentially within industrial environments. Unfortunately, more and more Industrial Control Systems and field I/O devices are getting connected to networks that also have many exploitable vulnerabilities as part of their architecture. Many organizations we talk to have admitted to these blind spots:

• Asset Inventory
  • What is our inventory of hardware, software, network communications, etc. and is it accurate?
  • Do we know the granular details we need such as vendor makes/models, firmware revision, legacy equipment, serial communications, PLC card and slot information including attached field I/O?
• Mapping of vulnerabilities to the asset inventory
  • How do we know if we have assets that map to ICS CERT or manufacturer security advisories?
  • Once we know, do we have compensating controls around these vulnerabilities?
• Device configuration management
  • Can we see changes, know who and why they were made, and if those changes were expected or approved?
  • Do we know if our device is configured correctly or securely? For example, have default passwords been changed, have USB ports on our HMI been enabled or has new service been started with an open port on the SCADA?
  • Have we configured logging on all of our devices as those logs may be telling us the device is about to fail or is experiencing suspicious behavior?
  • How do we know if our firewalls are permitting the right kind of traffic and denying everything else?
• Device Industrial protocol communication patterns
  • What is normal, down to the industrial protocol specifics – i.e. Modbus TCP coils/registers/functions/set points, EtherNet/IP, PROFINET, BACnet, DNP3, IEC101/104, etc.
  • Has the normal behavior pattern changed?
  • Can we see malware “command & control” (C2) traffic traversing our network?
• Controller mode changes
  • Do we know why controllers may be stopped or started?
  • Do we know who did this mode change and why?
• Network Topology
  • Do we have a network diagram?
  • Do we know when our topology changes and if expected, do we update our network diagram?

Cyber Security best practices are also good for Industrial Operations

Whether corporate IT or plant-side operational technology (OT), if we are able to remove or minimize blind spots as outlined above, we can increase the ability to keep our industrial processes running without sacrificing safety, quality or productivity. This is where cyber security best practices can help control operators. The more telemetry we gather about the cyber security state of our devices, the more we can predict, pinpoint and recover from events that may impact our process.

Claroty + Tripwire = Visibility from “Shop Floor-to-Top Floor”

Claroty and Tripwire are offering industrial cyber security integrated solutions to give ”shop-floor-to-top-floor” visibility into conditions and situational awareness that could detrimentally impact the safety and productivity of industrial control processes.

Working together, the two companies’ cyber security solutions can take raw data and turn it into meaningful and actionable information to preserve and protect both plant operations and corporate IT. Both companies elevate the concern of negatively impacting productivity from industrial control operators as their solutions harvest raw data in proven, non-impacting ways, whether it is by actively querying devices via native industrial protocols, passively dissecting network traffic of 42+ and growing flavors of industrial protocols or analyzing device raw-log information. Both companies make all of the above blind spots go away as each provides visibility into different areas of the industrial control environment from dissecting every network packet or analyzing how devices are configured.

Tripwire is now offering Tripwire Industrial Visibility, which integrates Claroty’s Continuous Threat Detection with Tripwire Log Center. If you’re an existing Tripwire customer this solution can be procured through an existing vendor relationship, which can speed deployment.

Below is a sample weekly trending report showing visibility into firmware downloads, controller mode changes and controller configuration changes.

Conclusion

No organization should have to operate without the visibility and protection of combined solutions from Claroty & Tripwire. Whether early detection of network traversal or insight into device operational state and configuration, this partnership provides complete visibility for industrial and critical infrastructure organizations for safe and predictable organizational operations “shop floor-to-top floor.”

Related Links