Note: on July 23rd 2019, SCADAguardian was renamed Guardian, and SCADAguardian Advanced was renamed Smart Polling.
This week the top minds in ICS cyber security are gathered at the S4 conference in Miami, Florida. This conference distinguishes itself by being highly technical and large (400+ attendees), and by being the place where bold initiatives to improve industrial cyber security are launched.
This year’s key initiative is the ICS Detection Challenge, an event designed to test the capabilities of passive ICS monitoring and threat detection solutions. Since our products lead this category, and because we are committed to protecting critical infrastructure and the people who could be impacted by a compromise, we are eager to be part of it.
The Nozomi Networks solution achieved a high score for asset inventory identification, and it was called out by the judges for being “more detailed and accurate” than the other solutions.
Read on to find out more about this competition and our results.
The S4 ICS Asset Identification Challenge
One of the purposes of this event is to increase awareness around the value of passive ICS monitoring solutions. This includes the automation of asset inventory. Until recently, documenting all assets and network connections in a large heterogeneous industrial control network was a major effort. This undertaking was only made harder by the fact that industrial networks change frequently, with devices being added and changed all the time.
In the S4 Challenge, our team attached a SCADAguardian appliance to a 100 Mbps SPAN port on a switch. Packet captures, or PCAPs, were then played on the switch and were copied to and analyzed by our appliance. The PCAPs represented network traffic from:
- A real pipeline SCADA system
- A DCS at a terminal
- Some HMI / PLC installations at middle to small terminals
Although a real scenario, the packet data was anonymized. Most of the captures took place during normal operations, but some were taken during a maintenance window. The communications consisted of ICS protocols and Level 0/1 devices commonly used in the U.S. oil and gas market.
The organizers described the Challenge as being “harder than the real world” because of the limited time duration of the sample, the lack of context, and the fact that only one sensor was used to gather and analyze network traffic.
Our team had four hours to complete an asset inventory spreadsheet for a PCAP that played for about 50 minutes. We used only our own product, SCADAguardian (now Guardian), and the open source tool Wireshark to analyze the packets. These tools represent what we bring onsite for the implementation of our solution.
Nozomi Networks Asset Identification: “More Detailed and More Accurate”
Although four hours were allowed for the competition, we submitted our results in two hours. The results included a spreadsheet of the assets identified on the system, and their attributes.
In submitting our responses, we only submitted information that we could verify was true. For example, when identifying devices, it is straightforward to identify their MAC vendor, i.e. the original manufacturer of the device. But we only named the vendor when we positively knew the product (PROD) vendor. In our view, it is important to know not just the endpoints, but the encompassing systems around them.
For example, if a system such as a Cisco switch (as indicated by its MAC address) is being used as a Siemens Scalance switch (the PROD vendor), we want to make sure our solution knows it. Knowing the context in which the device is used leads to SCADAguardian having fewer false positives in anomaly detection.
Bonus Cyber Security Information
In addition to identifying assets, we submitted additional information about cyber risks.
- An IP address that received >300 connections in 30 seconds. This might be an attack in progress. Operators would receive a high-level alert, allowing them to investigate and take action.
- A device using a cleartext username and password was identified.
- A listing of the vulnerabilities associated with the devices on the network.
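The first item above describes a simple rate-based heuristic: a destination that receives more than 300 connections inside a 30-second window is worth a high-priority alert. The following is an added example (not Nozomi Networks code, and not how SCADAguardian implements it) of that check as a sliding-window counter over constructed connection records, with a steady HMI-to-PLC poll as the background that must not trigger:

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 30.0   # window length named in the post
THRESHOLD = 300         # connections per window that trigger an alert

@dataclass(frozen=True)
class Connection:
    ts: float   # seconds since capture start
    src: str    # source IP
    dst: str    # destination IP

def find_connection_bursts(conns, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {dst_ip: (window_start, count)} for every destination that
    received more than `threshold` connections within any `window` seconds.
    Only the first crossing per destination is reported."""
    recent = defaultdict(deque)   # dst -> timestamps still inside the window
    alerts = {}
    for c in sorted(conns, key=lambda c: c.ts):
        q = recent[c.dst]
        q.append(c.ts)
        # Drop connections that fell out of the trailing window
        while q and c.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and c.dst not in alerts:
            alerts[c.dst] = (q[0], len(q))
    return alerts

def constructed_sample():
    """Constructed records (hypothetical addresses): a benign poll plus one burst."""
    conns = []
    # Background: one HMI poll of a PLC every 2 s for 10 minutes (~16 per window)
    for i in range(300):
        conns.append(Connection(i * 2.0, "10.0.1.20", "10.0.1.10"))
    # Burst: 350 connections from many sources to one host within 20 s
    for i in range(350):
        conns.append(Connection(100.0 + i * 20.0 / 350, f"10.0.9.{i % 250}", "10.0.1.50"))
    return conns

if __name__ == "__main__":
    for dst, (start, n) in find_connection_bursts(constructed_sample()).items():
        print(f"ALERT: {dst} received {n} connections within "
              f"{WINDOW_SECONDS:.0f}s starting at t={start:.1f}s")
```

The polled PLC never exceeds the threshold, while the burst target is flagged as soon as the 301st connection lands inside the window.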
Automated Asset Inventory that is Detailed and Accurate
For too long industrial operators and cyber security staff faced the impossible task of trying to manage and monitor a system that was not thoroughly documented or easy to visualize.
Time and time again, when our prospects and customers experience the smooth installation of our solution and its immediate visualization of their system, they are delighted. They instantly perceive aspects of their ICS that they were not aware of, and they can easily drill down and explore to find out more information.
Furthermore, they are quickly made aware of any existing situations which threaten cyber security or reliability, such as improper connections, default credentials, and vulnerabilities.
We are proud to be the vendor that was called out by the S4 Challenge judges as providing a “more detailed and accurate” asset inventory than our competitors.
If you are involved with reliability or cyber security of a critical infrastructure or manufacturing system, we encourage you to find out what our solution can do to make your job easier.
Contact us and we will be glad to set up a demo.
Epilogue
Following the event, Dale Peterson, the S4 organizer, published two articles about the Challenge. In these articles he described problems with the scoring system and concluded:
“I view Claroty, Nozomi Networks and Security Matters finishing together in a clump.”
Dale also called out Nozomi Networks' level of detail, accuracy and helpfulness in both phases of the competition:
“Nozomi clearly provided the most detail in their asset inventory and was the only competitor to identify the key SCADA system.”
“… [it] was most notable in that only Nozomi (congratulations) provided answers and context related to the Telvent OASyS DNA SCADA (the most critical ICS in this large environment).”
- Dale Peterson: ICS Detection Challenge Results – Part 2 (Note that while this article is titled “Part 2”, it covers Phase 1 – Asset Identification)
- Dale Peterson: ICS Detection Challenge Results – Part 1 (Note that while this article is titled “Part 1”, it covers Phase 2 – Threat Detection)