Addressing U.S. Department of Energy Cybersecurity Considerations
CHALLENGE
Preventing Loss of Production Capacity
Unplanned downtime happens for multiple reasons – a component breaks down from operating 24/7, a networking change impacts production lines, or a cyber incident disrupts communication.
Not only does it take time to understand and address problems that arise, you lose valuable production capacity. To mitigate risks like this, some manufacturers carry extra inventory just to cover potential downtime.
In the manufacturing business, time is money, so unplanned downtime and excess inventory can hit your bottom line hard. According to Gartner, that cost clocks in at somewhere between $300k – $500k an hour.
Imagine the benefits of proactively identifying potential equipment problems, and bringing your stock on hand down by 50% or more?
SOLUTION
Build a Secure Future Using the Solution Preferred by Global Electric Utilities
- Comprehensive OT and IoT visibility
- Advanced threat detection
- Accurate anomaly alerts
- Proven scalability
- Easy IT/OT integration
- Global partner ecosystem
- Exceptional customer engagement and support
Meeting and Exceeding the 17 DOE Considerations
According to its guidance, the U.S. government does not select, endorse or recommend any specific technology or provider as part of their initiative. Instead, each entity must assess and select the technology or provider that’s best for it.
Furthermore, the agencies that developed the 17 DOE recommendations (CESER, CISA and the NSA) state:
“The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities.”
With that in mind, the table below lists each of the 17 considerations and describes how the Nozomi Networks solution addresses each of them.
Technology Built for ICS Networks and Protocols
GOVERNMENT CONSIDERATION
- Technologies built for ICS networks with integration compatibility with ICS protocols and communications.
- Technologies that provide sensor-based continuous network cybersecurity monitoring, detection, and facilitate response capabilities for ICS/OT (i.e., the technology is ICS-focused and already understands ICS communications, such as deep packet inspection capabilities for ICS protocols).
NOZOMI NETWORKS SOLUTION
“Nozomi Networks has superior ICS protocol support and asset visibility in their products. Nozomi is a good fit for electric utilities, oil and gas, and manufacturing companies worldwide.”
Forrester Research
- Provides “always on” continuous monitoring of OT, IoT and IT protocols for assets from all vendors
- Analyzes network communications using protocol-specific Deep Packet Inspection (DPI) for dozens of industrial protocols
- Detects cybersecurity and process reliability threats
- Accelerates incident response with actionable intelligence and time-saving response tools
The Nozomi Networks Solution is Built for ICS Networks and Protocols
A key requirement for good cybersecurity is identifying all assets in the ICS environment and mapping the communications between them.
The Nozomi Networks solution automates asset inventory and provides real-time visualization that identifies communication and other issues. This improves situational awareness and accelerates incident response.
Technology that Shares Information
GOVERNMENT CONSIDERATION
- Technology software that has a collective-defense capability/framework to allow the sharing of insights and detections rapidly with the Federal government, participants, and trusted organizations such as relevant information sharing and analysis centers (ISACs)/information sharing and analysis organizations (ISAOs). Data and insights collected must be sharable across the Federal government, to the greatest extent possible, and should be compatible with other sector sensing partnerships.
- Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.
- Technologies must protect or anonymize participant identity, and ensure that risks and vulnerability information is not inadvertently disclosed between participants unless explicitly authorized by the participating entity.
NOZOMI NETWORKS SOLUTION
- Provides highly accurate ICS attack, vulnerability, and anomaly data, the foundation for information sharing
- Integrates out-of-the-box with SIEM/SOAR, threat sharing platforms, and other products for rapid information-sharing across the organization and beyond
- Shares data more broadly via reporting and exporting capabilities, as well as through an Open API
- Receives continuously updated Threat Intelligence and Asset Intelligence, reducing the Mean-Time-to-Detect (MTTD) and the Mean-Time-to-Respond (MTTR)
- Provides customizable data storage options
- Available in the widest range of on-premises hardware/virtual/software sensor options
- Analyzes data 100% within the sensor, without the need for input from outside analysts or remote access connections
- Shares data off premises via optional cloud product (Vantage), integration with many IT, OT and security products, or via an Open API
- Protects participant identity when sharing sensitive data
- Granular anonymization features are in development
The Nozomi Networks Solution Shares Data and Insights with Many Systems
Technology that Correlates Data and Has Flexible Data Storage
GOVERNMENT CONSIDERATION
- The technology allows for centralized queries and correlation. Sensitive information that contextualizes anomalies that may indicate adversary presence may be stored off-premises for analysis.
- Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.
- The technology is passive in its deployment, using isolation technologies to ensure that the technology itself cannot be used as a vector for adversaries to gain access into sensitive ICS networks.
- The ICS sensing technology is capable of working with correlation and aggregation technologies to allow for OT/IT sensing cross correlation and analysis.
NOZOMI NETWORKS SOLUTION
- Includes powerful query capabilities, providing fast access to security and operational data
- Queries can be imported/exported between systems
- Data can be aggregated with on-premises CMC or cloud-based Vantage.
- Stores data short-term or medium-term (> 1 year)
- Allows tuning of raw data collection for relevant streams
- Provides long-term storage via SIEM integration and automated data exports for data warehousing
- Conducts passive network analysis
- Select from the widest array of hardware/virtual/software sensor options
- Works in air gapped environments, without cloud or remote analyst connectivity
- Integrates with SIEM and other IT and security tools for IT/OT correlation of data
- Combines vulnerability assessment, threat and anomaly detection, asset inventory and risk monitoring in a single tool. Internal correlation of data reduces some cross-tool requirements.
Technology that Performs Anomaly and Threat Detection
GOVERNMENT CONSIDERATION
- Technology has the capability of baselining normal ICS operations and can compare/detect abnormal operations from a known good baseline.
- Data at rest should be cryptographically protected, (e.g., leverage NIST FIPS 140-3 certified cryptology to protect the data).
- Technology has the capability to detect known unauthorized remote access operations.
- Technology has the capability to detect unauthorized movement from the IT to the OT environment including via non-Internet Protocol (IP) communication pathways.
NOZOMI NETWORKS SOLUTION
- Learns normal network and process behavior
- Detects security and process anomalies
- Uses continuously updated Asset Intelligence to eliminate benign alerts
- Knows when “new” or “different” is not a risk, focusing your attention on true incidents
- Encrypts secrets at rest and data in motion using cryptography that exceeds FIPS standards
- FIPS accreditation in progress
- More Nozomi Networks software and security compliance info
- Detects anomalies of all types, including invalid remote access connections
- Supports in depth security policies such as alerting if a VPN connection writes to a safety controller
- Integrates with remote access solutions for increased data granularity and correlation
- Detects anomalous traffic including infections from outside the OT networks
- Shows anomalous traffic on network visualization graph
- Tracks attacker movements across IT, OT and IoT assets
The Nozomi Networks Solution Provides Superior ICS and IoT Threat Detection
Technology that Supports the MITRE ATT&CK for ICS Framework
GOVERNMENT CONSIDERATION
- Technology has the capability to detect unauthorized network activity and actions consistent with the MITRE ATT&CK for ICS framework including detecting potential tactics that may be used for disruptive or destructive actions.
- Technology has analytic and detection capabilities, which are dynamically updatable leveraging timely, validated, and trusted external or internal threat intelligence.
- Technology has the capability to detect access credential misuse.
- Technology to identify violations of implemented application allowlisting policies enforced on IT and OT systems.
NOZOMI NETWORKS SOLUTION
- Supports both the MITRE ATT&CK for ICS and Enterprise frameworks
- Associates malicious activity with one or more techniques in the MITRE ATT&CK framework
- Speeds understanding of an incident, and response times
- Uses Nozomi Networks highly accurate threat detection as the foundation for attack tracking
- More details: Enhancing Threat Intelligence with the MITRE ATT&CK Framework
- Employs behaviour-based anomaly detection and multiple types of signature and rules-based detection
- Correlates results with operational context for rapid insights
- Applies dynamically updated Threat Intelligence and Asset Intelligence provided by the highly regarded Nozomi Networks Labs team
- Detects failed logins and some instances of credential misuse
- Raises alerts and sends notifications when multiple failed logins are detected
- Shows a graphical view of network patterns for human inspection, improving situational awareness
- Monitors and evaluates all behaviors for policy failures on an ongoing basis
- Identifies violations with more granularity than simple allow/deny analysis
- Provides operational context for fast response
The Nozomi Networks Solution Supports the MITRE ATT&CK for ICS and Enterprise Frameworks
The Nozomi Networks solution associates malicious activity with techniques in the MITRE ATT&CK for ICS and Enterprise frameworks.
For example, a request to stop a process using the well-known TRITON malware generates an “OT Device Stop Request” alert.
Included in the alert is the Change Program State technique (T875), which is associated with both Execution and Impair Process Control tactics.
This information helps analysts understand the behavior and improves response time.
For more details, read Enhancing Threat Intelligence with the MITRE ATT&CK Framework.
U.S. Government Cybersecurity Considerations for Pipelines
The Nozomi Networks solution helps you meet and exceed the 17 government cybersecurity recommendations.
Start building a secure future today, using the solution preferred by the midstream oil & gas industry.
