This week the top minds in ICS cyber security are gathered at the S4 conference in Miami, Florida. This conference distinguishes itself by being highly technical, large (400+ attendees) and where bold initiatives to improve industrial cyber security are made.
This year’s key initiative is the ICS Detection Challenge, an event designed to test the capabilities of passive ICS monitoring and threat detection solutions. Since our products lead this category, and because we are committed to protecting critical infrastructure and the people who could be impacted by a compromise, we are eager to be part of it.
The Nozomi Networks solution achieved a high score for asset inventory identification, and it was called out by the judges for being “more detailed and accurate” than the other solutions.
Read on to find out more about this competition and our results.
The S4 ICS Asset Identification Challenge
One of the purposes of this event is to increase awareness around the value of passive ICS monitoring solutions. This includes the automation of asset inventory. Until recently, documenting all assets and network connections in a large heterogeneous industrial control network was a major effort. And this undertaking was only made harder by the fact that industrial networks change frequently, with devices being added and changed all the time.
In the S4 Challenge, our team attached a SCADAguardian appliance to a 100 Mbps SPAN port on a switch. Packet captures, or PCAPs, were then replayed through the switch, mirrored to the SPAN port and analyzed by our appliance. The PCAPs represented network traffic from:
- A real pipeline SCADA system
- A DCS at a terminal
- Some HMI / PLC installations at middle to small terminals
Although it was a real scenario, the packet data was anonymized. Most of the captures took place during normal operations, but some were taken during a maintenance window. The communications consisted of the ICS protocols and Level 0/1 devices commonly used in the U.S. oil and gas market.
The organizers described the Challenge as being “harder than the real world” because of the limited time duration of the sample, the lack of context, and the fact that only one sensor was used to gather and analyze network traffic.
Our team had four hours to complete an asset inventory spreadsheet for a PCAP that played for about 50 minutes. We used only our own product, SCADAguardian, and the open source tool Wireshark to analyze the packets. These tools represent what we bring onsite for the implementation of our solution.
Case Study: Vermont Electric Coop, Regional Power Operator, Improves ICS Cyber Security
When Vermont Electric Coop wanted to improve their cyber security, one of their selection criteria was a solution that would:
“Automatically build an asset inventory, visualize their assets and model their interactions.”
They selected Nozomi Networks SCADAguardian, which creates an asset inventory and automatically updates it.
“Today I can visualize all of my network components and see how they interact together … the solution has reinforced our cyber security program to help us advance our reliability goals.”
Kris Smith, Manager of Operations Engineering
Nozomi Networks Asset Identification: “More Detailed and More Accurate”
Although four hours were allowed for the competition, we submitted our results in two hours. The results included a spreadsheet of the assets identified on the system, and their attributes.
When submitting our responses, we only included information that we could verify was true. For example, when identifying devices, it is straightforward to identify their MAC vendor, i.e., the original manufacturer of the device, from the MAC address. But we only named the vendor when we positively knew the product (PROD) vendor. In our view, it is important to know not just the endpoints, but the encompassing systems around them.
For example, if a device with a Cisco MAC address (the MAC vendor) is being used as a Siemens Scalance switch (the PROD vendor), we want to make sure our solution knows it. Knowing the context in which a device is used gives SCADAguardian fewer false positives in anomaly detection.
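The MAC-vendor versus product-vendor distinction described above, as an added example that is not Nozomi Networks code: every endpoint gets its OUI vendor, but the product vendor column is filled only when a protocol-level identification response positively names it, and is left blank when the evidence is absent or contradictory. The OUI table, vendor strings and traffic observations are constructed for the example.

```python
"""Added example (not Nozomi Networks code): inventory rows that record the
MAC (OUI) vendor for every device but assert a product (PROD) vendor only
when protocol-level evidence positively identifies it."""

# Constructed OUI table (first three octets -> interface manufacturer).
# A real inventory would consult the IEEE OUI registry instead.
OUI_VENDORS = {
    "00:00:0c": "Cisco",
    "00:1b:1b": "Siemens",
    "00:50:56": "VMware",
}

# Constructed observations, as a passive sensor might extract them from a
# SPAN-port capture: (ip, mac, protocol, evidence). `evidence` is the vendor
# string recovered from an identification response (PROFINET DCP, S7comm,
# Modbus device identification, ...), or None when none was seen.
OBSERVATIONS = [
    ("10.0.1.10", "00:00:0c:aa:bb:01", "profinet-dcp", "Siemens"),  # Cisco OUI, answers as Siemens
    ("10.0.1.10", "00:00:0c:aa:bb:01", "snmp", None),
    ("10.0.1.20", "00:1b:1b:11:22:33", "s7comm", "Siemens"),
    ("10.0.1.30", "00:50:56:01:02:03", "modbus", None),            # no identification seen
    ("10.0.1.40", "00:00:0c:aa:bb:02", "modbus", "VendorX"),       # constructed, contradictory
    ("10.0.1.40", "00:00:0c:aa:bb:02", "snmp", "VendorY"),
]

def mac_vendor(mac):
    """Interface manufacturer from the OUI (first three octets) of a MAC address."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")

def build_inventory(observations):
    """Merge per-packet observations into one asset record per IP address."""
    assets = {}
    for ip, mac, proto, evidence in observations:
        a = assets.setdefault(ip, {"mac": mac, "mac_vendor": mac_vendor(mac),
                                   "prod_vendor": None, "protocols": set()})
        a["protocols"].add(proto)
        if evidence is None:
            continue
        if a["prod_vendor"] is None:
            a["prod_vendor"] = evidence
        elif a["prod_vendor"] != evidence:
            a["prod_vendor"] = "conflicting"  # two protocols disagree: assert neither
    return assets

def inventory_rows(observations):
    """Spreadsheet-style rows; the PROD vendor cell stays blank unless positively known."""
    rows = []
    for ip, a in sorted(build_inventory(observations).items()):
        prod = a["prod_vendor"] if a["prod_vendor"] not in (None, "conflicting") else ""
        rows.append((ip, a["mac"], a["mac_vendor"], prod, ",".join(sorted(a["protocols"]))))
    return rows
```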
Bonus Cyber Security Information
In addition to identifying assets, we submitted additional information about cyber risks.
- An IP address that received >300 connections in 30 seconds. This might be an attack in progress. Operators would receive a high-level alert, allowing them to investigate and take action.
- A device using a cleartext username and password was identified.
- A listing of the vulnerabilities associated with the devices on the network.
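The connection-rate condition from the first item above (more than 300 connections to one address inside 30 seconds), as an added example that is not Nozomi Networks code: a sliding-window counter per destination over flow records, returning one alert per destination with the time the burst started and its peak count. The flow records are constructed; the threshold and window are the page's values and are parameters.

```python
"""Added example (not Nozomi Networks code): flag any destination that receives
more than THRESHOLD new connections inside a WINDOW-second span."""
from collections import defaultdict, deque

THRESHOLD = 300   # connections
WINDOW = 30.0     # seconds

def connection_bursts(flows, threshold=THRESHOLD, window=WINDOW):
    """flows: (timestamp_seconds, src_ip, dst_ip, dst_port) tuples sorted by time,
    one per new connection (e.g. one per TCP SYN seen on the SPAN port).
    Returns [(dst_ip, burst_start_ts, peak_count)], one entry per destination."""
    recent = defaultdict(deque)   # dst_ip -> timestamps within the current window
    alerted = {}
    for ts, _src, dst, _port in flows:
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:   # drop connections older than the window
            q.popleft()
        if len(q) > threshold:
            first, peak = alerted.get(dst, (q[0], 0))
            alerted[dst] = (first, max(peak, len(q)))
    return [(dst, first, peak) for dst, (first, peak) in sorted(alerted.items())]

def constructed_flows():
    """Constructed sample traffic: normal polling plus one burst to a single host."""
    flows = []
    # Background: an HMI opening one Modbus/TCP connection per second for five minutes.
    for s in range(300):
        flows.append((float(s), "10.0.1.10", "10.0.1.20", 502))
    # Burst: 400 connections from 200 sources to one host inside 20 seconds.
    for i in range(400):
        flows.append((100.0 + i * 0.05, f"10.0.9.{i % 200 + 1}", "10.0.1.50", 80 + (i % 5)))
    return sorted(flows)
```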
Automated Asset Inventory that is Detailed and Accurate
For too long industrial operators and cyber security staff faced the impossible task of trying to manage and monitor a system that was not thoroughly documented or easy to visualize.
Time and time again, when our prospects and customers experience the smooth installation of our solution and its immediate visualization of their system, they are delighted. They instantly perceive aspects of their ICS that they were not aware of, and they can easily drill down and explore to find out more information.
Furthermore, they are quickly made aware of any existing situations which threaten cyber security or reliability, such as improper connections, default credentials, and vulnerabilities.
We are proud to be the vendor that was called out by the S4 Challenge judges as providing a “more detailed and accurate” asset inventory than our competitors.
If you are involved with reliability or cyber security of a critical infrastructure or manufacturing system, we encourage you to find out what our solution can do to make your job easier.
Contact us and we will be glad to set up a demo.
Following the event, Dale Peterson, the S4 organizer, published two articles about the Challenge. In these articles he described problems with the scoring system and concluded:
“I view Claroty, Nozomi Networks and Security Matters finishing together in a clump.”
Dale also called out Nozomi Networks' level of detail, accuracy and helpfulness in both phases of the competition:
“Nozomi clearly provided the most detail in their asset inventory and was the only competitor to identify the key SCADA system.”
“… [it] was most notable in that only Nozomi (congratulations) provided answers and context related to the Telvent OASyS DNA SCADA (the most critical ICS in this large environment).”
- Dale Peterson: ICS Detection Challenge Results – Part 2
(Note that while this article is titled “Part 2”, it covers Phase 1 – Asset Identification)
- Dale Peterson: ICS Detection Challenge Results – Part 1
(Note that while this article is titled “Part 1”, it covers Phase 2 – Threat Detection)
Case Study: Enel Secures Global Power Generation Network
When Enel wanted to improve reliability, efficiency and cyber security, one of their selection criteria was to eliminate time consuming ICS monitoring.
They selected the Nozomi Networks solution, which provided full visibility and monitoring of their control network. This includes sites at remote, isolated locations, as well as connections between Enel and the Transmission System Operator.
“Nozomi Networks SCADAguardian is an essential tool for our daily activities and substantially improves the reliability, efficiency and cyber security of our remote control system.”
Federico Bellio, Head of Power Generation
- Infographic: Nozomi Networks Takes the Lead in ICS Cyber security
- Webpage: Customer Testimonials
- Webpage: Solution Overview
- Webpage: SCADAguardian
- Webpage: Central Management Console
- Blog: Nozomi Networks Finishes Strong in S4 ICS Detection Challenge
Co-Founder and Chief Product Officer
Andrea Carcano, an expert in industrial network security, advises governments, industrial operators, security partners and industry organizations on ICS cyber security strategies and best practices. He holds a Ph.D. in Computer Science focused on critical infrastructure security, and has authored multiple academic papers on ICS malware attacks and advanced attack detection techniques. As Founder and Chief Product Officer at Nozomi Networks, Andrea and his team are defining a new generation of ICS security solutions that detect complex intrusions to critical infrastructure control systems.