One of the clients of Tom Alrich LLC is a company called Indegy. I already mentioned them in a previous post and said I thought you should look at what they have to offer. Now I’m going to provide more information about them, since I honestly believe they have a unique technology that will make your generating stations and substations not only more secure but safer. Full disclosure: I developed this post while being retained by Indegy.
A little background on Indegy. They’re an Israeli startup (with their US headquarters in New York) that received major funding from several US VCs, as well as one of the founders of CheckPoint and an early investor in Palo-Alto Networks. Indegy was founded by three veterans of the elite cyber security units of the Israeli Defense Forces. Their mission is “to bring visibility and control to critical infrastructure and ICS networks.”
They accomplish this by doing two things that no other ICS cyber security vendor does:
1. Look deeply into the “control plane” of controllers (such as PLCs) to track and notify on changes to their configuration, firmware and control logic. This “meta-language”, over which the engineering maintenance lifecycle of controllers is done, is proprietary to each manufacturer. It varies not just per control vendor, but often per model / product series. Thanks to Indegy’s ability to granularly parse the engineering station commands, they top the usual anomaly detection techniques that other players in this space offer by using a deterministic, policy-based detection approach.
2. Safely communicate with the control devices using the vendors’ native communication protocols. This allows Indegy to get much more data about the control devices, in order to increase the user’s visibility into their asset inventory. Furthermore, Indegy uses this data to periodically verify the integrity of the devices, by making sure their configurations and code version don’t change from day to day.
Altogether, Indegy can do a lot to secure industrial networks that frankly nobody else can. For example:
· Indegy fully logs all ICS activities, including controller engineering activities like logic updates, configuration changes, firmware uploads/downloads, and of course anomalous changes made to set points.
· While PLCs, RTUs and DCS don’t have inherent access control capability, Indegy allows the user to set policies on who has access, when they can have access and what they’re allowed to do. If an unauthorized person tries to access a controller, you will receive an alert.
· Indegy regularly – the interval is user-configurable – queries each controller and downloads its configuration and code. It compares this with the previous day’s file, notes any changes, and alerts you with information on those changes; this allows you to catch suspicious changes and investigate or reverse them. Conventional anomaly detection solutions can’t do this.
· Indegy identifies and alerts on malicious code activities on the control network, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops.
· Indegy identifies and logs any remote access to ICS assets. Furthermore, Indegy alerts in real time if the access is new, unauthorized or both – and provides detailed information on the connection. This functionality enables security staff to detect perimeter breaches and ensure system safety. Note this applies to both interactive and “machine-to-machine” remote access.
· If someone makes a change to a PLC directly, using a serial cable or USB device, Indegy will identify the changes and raise an alert.
· Indegy maintains a continuously-updated list of the version numbers of all software and firmware installed on your PLCs and compares this regularly against a list of known vulnerabilities (NVD / ICS-CERT data). Indegy notifies you whenever a new vulnerability appears that applies to a software or firmware version installed on one of your devices.
· Indegy alerts on changes spotted in the asset inventory – new devices that are being connected, as well as devices that disappear from the network.
· Indegy alerts on anomalous write commands made to SCADA tags, including any that are outside of an acceptable range.
I know some of you have been thinking about how Indegy can help you comply with NERC CIP, and the answer is “a lot”. Indegy has a good Security Guide that discusses benefits both for power industry cyber security in general and for CIP compliance in particular. You can download the document by going here.