One of the clients of Tom Alrich LLC is a company called Indegy. I already mentioned them in a previous post and said I thought you should look at what they have to offer. Now I’m going to provide more information about them, since I honestly believe they have a unique technology that will make your generating stations and substations not only more secure but safer. Full disclosure: I developed this post while being retained by Indegy.
A little background on Indegy. They’re an Israeli startup (with their US headquarters in New York) that received major funding from several US VCs, as well as from one of the founders of Check Point and an early investor in Palo Alto Networks. Indegy was founded by three veterans of the elite cyber security units of the Israel Defense Forces. Their mission is “to bring visibility and control to critical infrastructure and ICS networks.”
They accomplish this by doing two things that no other ICS cyber security vendor does:
1. Look deeply into the “control plane” of controllers (such as PLCs) to track and notify on changes to their configuration, firmware and control logic. This “meta-language”, over which the engineering maintenance lifecycle of controllers is carried out, is proprietary to each manufacturer. It varies not just per control vendor, but often per model or product series. Because Indegy can parse the engineering station commands at a granular level, it goes beyond the usual anomaly detection techniques that other players in this space offer and uses a deterministic, policy-based detection approach instead.
2. Safely communicate with the control devices using the vendors’ native communication protocols. This allows Indegy to gather much more data about the control devices, increasing the user’s visibility into their asset inventory. Furthermore, Indegy uses this data to periodically verify the integrity of the devices, by making sure their configurations and code versions don’t change from day to day.
Altogether, Indegy can do a lot to secure industrial networks that frankly nobody else can. For example:
· Indegy fully logs all ICS activities, including controller engineering activities like logic updates, configuration changes, firmware uploads/downloads, and of course anomalous changes made to setpoints.
· While PLCs, RTUs and DCS don’t have inherent access control capability, Indegy allows the user to set policies on who has access, when they can have access and what they’re allowed to do. If an unauthorized person tries to access a controller, you will receive an alert.
· Indegy regularly – the interval is user-configurable – queries each controller and downloads its configuration and code. It compares this with the previous day’s file, notes any changes, and alerts you with information on those changes; this allows you to catch suspicious changes and investigate or reverse them. Conventional anomaly detection solutions can’t do this.
· Indegy identifies and alerts on malicious code activities on the control network, including malware propagation, abnormal communications, network attacks on controllers and direct attacks via connected compromised laptops.
· Indegy identifies and logs any remote access to ICS assets. Furthermore, Indegy alerts in real time if the access is new, unauthorized or both – and provides detailed information on the connection. This functionality enables security staff to detect perimeter breaches and ensure system safety. Note this applies to both interactive and “machine-to-machine” remote access.
· If someone makes a change to a PLC directly, using a serial cable or USB device, Indegy will identify the changes and raise an alert.
· Indegy maintains a continuously updated list of the version numbers of all software and firmware installed on your PLCs and compares this regularly against a list of known vulnerabilities (NVD / ICS-CERT data). Indegy notifies you whenever a new vulnerability appears that applies to a software or firmware version installed on one of your devices.
· Indegy alerts on changes spotted in the asset inventory – newly connected devices, as well as devices that disappear from the network.
· Indegy alerts on anomalous write commands made to SCADA tags, including any that are outside of an acceptable range.
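As an added illustration of the snapshot-and-compare integrity check and the asset-inventory alerting described above (this is not Indegy’s code; the device names and snapshot contents are constructed), the following stores only SHA-256 digests of each controller’s configuration and logic, diffs today’s capture against yesterday’s baseline, and flags changed fields, new devices and devices that have disappeared:

```python
import hashlib
from typing import Dict, List

# Constructed sample snapshots: device name -> fields captured from the controller.
# "config" and "logic" stand in for the raw configuration and control-logic blobs.
BASELINE = {
    "PLC-01": {"firmware": "2.4.1", "config": b"io_map=v3;scan=10ms", "logic": b"MAIN:LD X0;OUT Y0"},
    "PLC-02": {"firmware": "1.9.0", "config": b"io_map=v1;scan=20ms", "logic": b"MAIN:LD X1;OUT Y1"},
    "RTU-07": {"firmware": "5.0.2", "config": b"poll=5s", "logic": b""},
}
CURRENT = {
    "PLC-01": {"firmware": "2.4.1", "config": b"io_map=v3;scan=10ms", "logic": b"MAIN:LD X0;AND X2;OUT Y0"},
    "PLC-02": {"firmware": "2.0.0", "config": b"io_map=v1;scan=20ms", "logic": b"MAIN:LD X1;OUT Y1"},
    "PLC-03": {"firmware": "2.4.1", "config": b"io_map=v3;scan=10ms", "logic": b"MAIN:LD X3;OUT Y3"},
}


def fingerprint(snapshot: dict) -> dict:
    """Reduce one device snapshot to its firmware version plus SHA-256 digests of
    the config and logic blobs, so only digests need to be kept from day to day."""
    return {
        "firmware": snapshot["firmware"],
        "config": hashlib.sha256(snapshot["config"]).hexdigest(),
        "logic": hashlib.sha256(snapshot["logic"]).hexdigest(),
    }


def compare_snapshots(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Return one alert per finding: a changed firmware/config/logic field,
    a device missing from the current capture, or a device not in the baseline."""
    alerts = []
    for device in sorted(set(baseline) | set(current)):
        if device not in current:
            alerts.append(f"{device}: device disappeared from network")
            continue
        if device not in baseline:
            alerts.append(f"{device}: new device appeared on network")
            continue
        before, after = fingerprint(baseline[device]), fingerprint(current[device])
        for field in ("firmware", "config", "logic"):
            if before[field] != after[field]:
                alerts.append(f"{device}: {field} changed ({before[field][:12]} -> {after[field][:12]})")
    return alerts


if __name__ == "__main__":
    for line in compare_snapshots(BASELINE, CURRENT):
        print("ALERT", line)
```

Storing digests rather than full blobs keeps the daily baseline small; keep the previous blobs elsewhere if you need to show operators the actual logic diff when investigating an alert.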
I know some of you have been thinking about how Indegy can help you comply with NERC CIP, and the answer is “a lot”. Indegy has a good Security Guide that discusses benefits both for power industry cyber security in general and for CIP compliance in particular. You can download the document by going here.