The Future of ICS Security Products

•Download as PPTX, PDF•

1 like•1,743 views

The document discusses trends in industrial control system (ICS) security products. It notes the importance of asset inventory for detection and outlines different tiers of ICS detection vendors. Top tier vendors are growing rapidly through investments in R&D and acquisitions. They are distinguished by their large employee size, product maturity, and repeated selection in customer bake-offs and pilots. The document advocates starting with asset management, then adding detection integrated with asset data, and configuring incident response through a retained services model.

Technology

Asset
Inventory
To The
Rescue
◦ Didn’t have an asset inventory
◦ Outdated spreadsheet at best
◦ Amazed at what passive
monitoring could tell them
◦ Easy win for customers and
vendors
7

More accurate and more
detailed information on
your cyber assets.
Using only legitimate
protocol requests.
NOT SCANNING!
9

More accurate and more
detailed information on
your cyber assets.
Using only legitimate
protocol requests.
NOT SCANNING!
11

If you can’t stomach Active
then use your EWS or other
ICS component to query
cyber assets so Passive can
see the answers.
12

Asset Management
◦ Asset Inventory
◦ Configuration Mgmt
◦ Vulnerability Mgmt
◦ Change Management
◦ …
13

16
ICS Detection
Asset Mgmt
Vuln Mgmt
SIEM / SOC

Vulnerability
Management
◦ Requires software inventory
◦ Identify vulnerable sw / fw
◦ What to patch? When?
What application will
apply the patch?
18

Prioritized List of
Detection Sources
- Endpoint protection
alerts
- Blocked firewall egress
attempts
- New admin users
- …
20

Same
- Switch span port
or tap, passive
traffic collection
- Lots of signatures
- Same data
overwhelm issues
Network IDS
with ICS
Protocol
Smarts
Different
- Able to parse ICS
protocols
- Alert on legit,
high risk cmds
- Some anomaly
detection
- ICS Playbooks
22

Incident
Response
◦ What good is detecting if you
can’t respond?
◦ Detection products provide
data for after incident
investigation
◦ Knowing ICS and the product is
key for effective response
25

What Will
You Do
With The
Data?
ENTERPRISE SOC
Forward the ICS
detection system data
to Enterprise SOC.
Add ICS talent to the
SOC and response
team.
STAND ALONE
SYSTEM
Analysts use product
as primary ICS
detection system.
OT SOC
ICS detection system
used as one detection
source in an OT SOC.
27

Lots of
Change
◦ Asset Inventory will not be part
of detection product
◦ ICS Detection GUI won’t matter
◦ Integration with SOC systems
◦ Sensors will be in your switches
◦ Competitors will almost all
change
30

Slow Down / Pilot
Position As Interim / Learning
31

What
Would I
Do?
(in order)
◦ Start with an asset
management solution
◦ Get detection solution
◦ Integrates with asset mgmt
◦ Retains forensics records
◦ Get incident response retainer
◦ Focus on SOC integration
32

Asset Inventory / Management
- PAS
- Langner OT-BASE
- Asset Guardian
- MDT Software
- DCS vendors
33

What Is
Top
Tier?
BAKE OFFS
& PILOTS
We saw the
same four
repeatedly in
asset owner
competition
and pilots.
COMPANY
GROWTH
Top Tier now
are 100+
employees
and growing.
Accelerating
& leaving the
rest behind.
RAPID
PRODUCT
DEV
Huge
investment
in R&D
showing in
new features
and product
maturity.
35

Detection Tiers (US) July 18
Claroty / Dragos / Nozomi / SecurityMatters
36
CyberX / Indegy / Kaspersky / Sentryo
The Rest
https://dale-peterson.com/ics-detection-market-analysis/

Detection Tiers (US) Nov ‘19
Claroty / Dragos / Nozomi
37
CyberX / Indegy / Kaspersky / Sentryo* / Radiflow
11 Competitors
https://dale-peterson.com/ics-detection-market-analysis/

Acquisitions
Forescout buys SecurityMatters ($113M)
38
Cisco buys Sentryo (my guess ~$50M)
Tenable buys Indegy ($78M)
Also GE, Honeywell, Kaspersky …

Detection Tiers (US) Today
Claroty / Dragos / Nozomi
39
CyberX (Microsoft?) / Radiflow
SCADAfence + 5 Others
https://dale-peterson.com/ics-detection-market-analysis/

Thanks!
Any
Questions?
Dale Peterson, CEO of Digital Bond
peterson@digitalbond.com
https://dale-peterson.com
Founder of S4, every Jan in Miami SoBe
https://s4xevents.com
Twitter: @digitalbond
Unsolicited Response Podcast
YouTube: www.youtube.com/s4events
40

Presented: September 21, 2017 At: CS2AI, Washington, DC A decade ago, ISA99 published the first standard in what is now the ISA/IEC 62443 series. Since then, the series has coalesced into the current form consisting of 13 individual documents in various stages of completion, publication, and/or revision. Printing out all of the existing standards and drafts can easily use up more than a ream of paper. It can be a daunting task to try to apply it to an organization. So, what are you supposed to do? How are you supposed to proceed? In this talk, I’ll go over some of the lessons I’ve learned from helping customers develop and evaluate security programs within their organization.

Hacker Halted 2016 - How to get into ICS security

Chris Sistrunk

ICS Security 101 by Sandeep Singh

OWASP Delhi

This document provides an overview of industrial control systems (ICS) security. It defines ICS and compares them to IT systems. Key differences include availability prioritization over confidentiality and integrity in ICS. The document outlines common ICS components like PLCs and protocols like Modbus. It also discusses common ICS security issues, penetration testing methodology, and approaches to securing ICS. Resources for learning more about ICS security are provided.

Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM

Jim Gilsinn

This document discusses network reliability monitoring as a complement to network security monitoring (NSM) and security information and event management (SIEM) for industrial control systems. It notes that while NSM works well for monitoring traffic crossing between zones in ICS networks, it is less effective in lower level zones where most traffic remains internal. Network reliability monitoring provides an alternative by developing profiles of normal network traffic and scanning for deviations that could indicate issues. While complex algorithms are not needed, it requires strong protocol knowledge and root cause analysis can be difficult. Examples are given showing network reliability metrics and how man-in-the-middle attacks did not significantly impact traffic.

Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...

Jim Gilsinn

Presented @ Emerson Exchange October 7, 2014 Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.

The journey to ICS - Extended

Larry Vandenaweele

This presentation was given at BSides Las Vegas 2015. The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional. The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.

The document discusses whether patching control systems is an effective security practice given the challenges of securing industrial control systems. It makes three key points: 1. Patching insecure-by-design devices provides minimal risk reduction since attackers can achieve their goals by exploiting legitimate system features rather than vulnerabilities. 2. Most industrial control systems operate within an insecure-by-design zone, so patching may not prevent attacks since attackers do not need to exploit systems to cause damage. 3. Many control system components have low impact even if compromised, so patching provides little benefit given the effort. Prioritizing patching for systems directly accessible from untrusted networks is recommended over broadly patching everything.

SANS ICS Security Survey Report 2016

Derek Harp

Cybersecurity in Industrial Control Systems (ICS)

Joan Figueras Tugas

CSIRS ICS BCS 2.2

David Spinks

This document summarizes a presentation on cyber security in real-time systems. It discusses threats to industrial control systems and SCADA systems, and the differences between traditional IT and industrial control system cultures. It provides examples of attacks on industrial control systems and poor monitoring of SCADA systems. It suggests that security operations centers may provide common ground between IT and ICS. Finally, it discusses recent media reports relating to hacking of rail signaling systems and aircraft systems.

2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...

Eran Goldstein

Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...

PECB

This webinar will help you get more informed on PenTesting in SCADA and also best practices and methods used on risk assessment. Learning about the criticality in industry, makes you more flexible to boost the skills. Main points covered: • The SCADA ICS function in critical infrastructure industry • Risk exposure of IT vs. SCADA ICS from Cyber Security Perspective • Do's and don’ts of Vulnerability Assessment and Penetration Testing in SCADA ICS Environment Presenter: This webinar was presented by Pedro Putu Wirya, an IT and ICS Security Consultant with an extensive experience in ISMS, and PECB Certified Trainer. Link of the recorded session published on YouTube: https://youtu.be/icq-RTwusZ8

Nist 800 82 ICS Security Auditing Framework

MarcoAfzali

This document discusses an investor opportunity involving auditing industrial control systems (ICS) for security compliance based on the NIST SP 800-82 framework. It highlights the standard's 16 sections for assessing ICS security and provides brief explanations of requirements under sections like planning/policy/procedures, administrative controls, access control, and network architecture. The document promotes CyberDNA as a trusted partner that can help organizations meet the various technical and policy requirements for securely auditing and protecting their ICS environments.

S4xJapan Closing Keynote

Digital Bond

RSAC 2016: How to Get into ICS Security

Chris Sistrunk

This document contains the presentation slides from Chris Sistrunk on how to get into ICS security. Some key points: - The number of security professionals is around 189,000 but those focused on ICS security is under 1,000, only 0.5% of security professionals. - For those with an OT background, the presenter suggests learning about security fundamentals. For those with an IT background, the presenter suggests learning about operational technology like PLCs and protocols. - The presenter provides many resources for learning about ICS security including training, conferences, books, and standards. He also suggests ways to build an at-home ICS network lab and get involved in information sharing

Industrial Control System Security Overview

pgmaynard

Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems face security threats due to outdated protocols with no encryption, long lifespans of 40 years without updates, and systems left unpatched due to maintainability concerns. The researcher worked on a European project with an Austrian electrical distributor to access a real-world testbed. Using custom plugins, they were able to launch a man-in-the-middle attack to hide an earth fault from operators by spoofing ARP packets and manipulating traffic. Signature-based detection is insufficient for ICS/SCADA systems, so anomaly detection using machine learning is being explored to identify suspicious traffic like malware or backdoors on the typically consistent and predictable ICS

Scada security presentation by Stephen Miller

AVEVA

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020

Jiunn-Jer Sun

Nozomi Fortinet Accelerate18

Nozomi Networks

DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...

Shah Sheikh

This document discusses how Crypto-Flow segmentation and encryption can help organizations comply with various security standards and regulations. It provides examples of how Crypto-Flow can be used to encrypt data in transit for ISO27001, PCI-DSS, IEC 62443, NESA, and the Cloud Security Alliance guidelines. It also outlines best practices for key management and testing the security of implemented encryption controls.

SCADA Cyber Sec | ISACA 2013 | Patricia Watson

Patricia M Watson

This document provides an overview of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), including fundamentals, evolution over time, vulnerabilities, security frameworks, good practices, and resources. It defines SCADA/ICS, describes how they have become more interconnected, lists vulnerabilities like outdated systems and remote access, outlines security standards like NIST and NERC, recommends practices like segmentation and patching, and provides example frameworks and resources.

Cybersecurity for modern industrial systems

Itex Solutions

The document discusses cybersecurity for modern industrial systems. It outlines the history of control systems from early humans to modern technology. It notes current risks and threats that exploit weaknesses in these systems. The rapid growth of internet-connected devices poses challenges to ensuring stability. While virtually all cyber assets are vulnerable, cybersecurity expertise is in short supply. Achieving reliable safety requires standards, regulations, best practices, visibility of systems and sharing knowledge across industries and nations.

Nozomi Networks Q1_2018 Company Introduction

Nozomi Networks

Nozomi Networks is the leader of industrial cybersecurity, delivering real-time visibility to manage cyber risk & improve resilience for industrial operations. With one solution, customers gain advanced cybersecurity, improved operational reliability & easy IT/OT integration. Innovating the use of artificial intelligence, the company helps the largest industrial sites around the world See and Secure™ their critical industrial control networks. Today Nozomi Networks supports over a quarter of a million devices in the critical infrastructure, energy, manufacturing, mining, transportation & utility sectors, making it possible to tackle the escalating cyber risks to operational networks (OT).

Nozomi Networks SCADAguardian - Data-Sheet

Nozomi Networks

DEF CON 23 - NSM 101 for ICS

Chris Sistrunk

Chris Sistrunk discussed implementing network security monitoring (NSM) on industrial control systems (ICS). NSM involves collecting network data through tools like Security Onion, analyzing the data to detect anomalies, and investigating anomalies to identify potential threats. While ICS networks pose different challenges than typical IT networks, the same NSM methodology of collection, detection, and analysis can be applied. Free and open source tools like Security Onion allow implementing NSM on ICS to hunt for threats without disrupting operations. The most important part of NSM is having knowledgeable people to interpret data and identify what is normal versus potentially malicious activity on the network.

Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...

Lancope, Inc.

Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ISE and TrustSec Recent breaches have demonstrated that insider threats and determined attackers are effectively able to operate on the network interior where they can wreak havoc on an organization. As a result, it has become necessary to implement security policies inside the network. This webinar describes a data intelligence-driven approach to dynamically segmenting the network to control threats and protect the enterprise through the use of NetFlow and Lancope’s StealthWatch® System in combination with Cisco ISE and TrustSec. This webinar will cover: • design and deployment scenarios • use cases • best practices • configuration examples • forward-leaning vision The primary takeaway of this webinar is a methodology for leveraging StealthWatch to drive segmentation policies and control threats on the network interior.

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...

Priyanka Aash

In 2017, a sophisticated threat actor deployed the TRITON attack framework engineered to manipulate industrial safety systems at a critical infrastructure facility. This talk offers new insights into TRITON attack framework which became an unprecedented milestone in the history of cyber-warfare as it is the first publicly observed malware that specifically targets protection functions meant to safeguard human lives. While the attack was discovered before its ultimate goal was achieved, that is, disruption of the physical process, TRITON is a wakeup call regarding the need to urgently improve ICS cybersecurity.

Rothke secure360 building a security operations center (soc)

Ben Rothke

Building a Security Operations Center (SOC) requires extensive planning and consideration of various organizational and technical factors. A SOC provides continuous monitoring, detection, and response capabilities to protect against cyber threats. It is important to determine whether to build an internal SOC or outsource these functions. Proper staffing, processes, metrics, and management are critical for SOC success.

What's hot

Should I Patch My ICS?

Digital Bond

SANS ICS Security Survey Report 2016

Derek Harp

Cybersecurity in Industrial Control Systems (ICS)

Joan Figueras Tugas

CSIRS ICS BCS 2.2

David Spinks

2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...

Eran Goldstein

Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...

PECB

Nist 800 82 ICS Security Auditing Framework

MarcoAfzali

S4xJapan Closing Keynote

Digital Bond

RSAC 2016: How to Get into ICS Security

Chris Sistrunk

Industrial Control System Security Overview

pgmaynard

Scada security presentation by Stephen Miller

AVEVA

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020

Jiunn-Jer Sun

Nozomi Fortinet Accelerate18

Nozomi Networks

DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...

Shah Sheikh

SCADA Cyber Sec | ISACA 2013 | Patricia Watson

Patricia M Watson

Cybersecurity for modern industrial systems

Itex Solutions

Nozomi Networks Q1_2018 Company Introduction

Nozomi Networks

Nozomi Networks SCADAguardian - Data-Sheet

Nozomi Networks

DEF CON 23 - NSM 101 for ICS

Chris Sistrunk

Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...

Lancope, Inc.

What's hot (20)

Should I Patch My ICS?

SANS ICS Security Survey Report 2016

Cybersecurity in Industrial Control Systems (ICS)

CSIRS ICS BCS 2.2

2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...

Vulnerability Assessment and Penetration Testing in online SCADA ICS Environm...

Nist 800 82 ICS Security Auditing Framework

S4xJapan Closing Keynote

RSAC 2016: How to Get into ICS Security

Industrial Control System Security Overview

Scada security presentation by Stephen Miller

A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020

Nozomi Fortinet Accelerate18

DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...

SCADA Cyber Sec | ISACA 2013 | Patricia Watson

Cybersecurity for modern industrial systems

Nozomi Networks Q1_2018 Company Introduction

Nozomi Networks SCADAguardian - Data-Sheet

DEF CON 23 - NSM 101 for ICS

Intelligent Segmentation: Protecting the Enterprise with StealthWatch, Cisco ...

Similar to The Future of ICS Security Products

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...

Priyanka Aash

Rothke secure360 building a security operations center (soc)

Ben Rothke

Securing Systems - Still Crazy After All These Years

Adrian Sanabria

This document discusses the ongoing challenges of securing systems and networks. It notes that while cybersecurity basics like asset discovery, vulnerability management, and hardening are important, they are also very difficult tasks given the complexity of modern IT environments. The constant evolution of threats, emerging technologies, and lack of standardized frameworks add to these challenges. However, taking a perspective focused on resilience over perfection, prioritizing the highest risks, and learning from breaches can help tackle security issues in a pragmatic way. The presentation provides strategies for discovery assets, managing vulnerabilities, and hardening systems effectively.

.conf Go Zurich 2022 - Security Session

Splunk

The document appears to be a presentation from Splunk on security topics. It includes sections on cyber security resilience, the data-centric modern SOC, application monitoring at scale, threat modeling, security monitoring journeys, self-service Splunk infrastructure, the top 3 CISO priorities of risk based alerting, use case development, a security content repository, security PVP (posture, vision, and planning) and maturity assessment, and concludes with an overview of how Splunk can provide end-to-end visibility across an organization.

BSidesAugusta ICS SCADA Defense

Chris Sistrunk

Your SCADA system has a vulnerability, now what? I shortly summarize the DNP3 vulnerabilities (and other ICS protocols too). Then I focus on the different mitigations that an ICS owner can do to mitigate these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of doing Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.

Visualization in the Age of Big Data

Raffael Marty

The extent and impact of recent security breaches is showing that current security approaches are just not working. But what can we do to protect our business? We have been advocating monitoring for a long time as a way to detect subtle, advanced attacks that are still making it through our defenses. However, products have failed to deliver on this promise. Current solutions don't scale in both data volume and analytical insights. In this presentation we will explore what security monitoring is. Specifically, we are going to explore the question of how to visualize a billion log records. A number of security visualization examples will illustrate some of the challenges with big data visualization. They will also help illustrate how data mining and user experience design help us get a handle on the security visualization challenges - enabling us to gain deep insight for a number of security use-cases.

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PROIDEA

PPT-Splunk-LegacySIEM-101_FINAL

Risi Avila

This document discusses replacing a legacy security information and event management (SIEM) system with Splunk Enterprise. It outlines 10 common problems with legacy SIEMs, such as an inability to ingest and analyze all relevant log and machine data. Customer case studies show how Splunk can help organizations replace aging SIEMs in a few months to gain scalability, faster security investigations, and the ability to ensure compliance. The presentation covers Splunk's security monitoring and analytics capabilities and migration options from legacy SIEMs to Splunk. Attendees are invited to sign up for a SIEM replacement workshop to discuss their specific needs.

SplunkLive! - Splunk for Security

Splunk

The document is an agenda for a security session presentation by Splunk. It includes an introduction to Splunk for security use cases, a demo of the Zeus security product, and a discussion of enterprise security and user behavior analytics solutions from Splunk. Key points include how Splunk can provide a unified platform for security data from multiple sources, detect advanced threats that are difficult to find, and help connect related security events to better understand security incidents.

security onion

Boni Yeamin

Government and Education Webinar: How to Reduce Vulnerabilities and Harden yo...

SolarWinds

In this webinar, our SolarWinds sales engineer and guest speaker Eric Hodeen discussed how to reduce your vulnerabilities and harden your infrastructure. They also reviewed best practices, share resources, and demonstrate how our products can be used to help manage vulnerabilities at your organization. They reviewed common infrastructure hardening best practices and how to use the DISA STIGs to teach the basics such as validation of FIPS require protocols, baseline STIG’ed configuration for the enterprise, and other tips on securing your infrastructure . During this interactive webinar, attendees learned how to:: • Leverage automated network configuration tools to deploy standardized configurations, detect out-of-process changes, audit configurations, and even correct violations • Audit device configurations and logs for NIST FISMA, DISA STIG, and DSS PCI compliance • Discover patch statuses and vulnerabilities, and automate patch management • Detect, track, and compare system and application configuration changes to confirm changes, even when systems are off-line • Leverage access rights management to understand and act on high-risk access and reduce vulnerabilities

IoT Security and Privacy Considerations

Kenny Huang Ph.D.

The document discusses several IoT security and privacy considerations, including using privacy by design principles to embed privacy into systems from the start, establishing accountability standards and open technology standards to build trust, and addressing common problems like lack of developer security experience, insecure communication protocols, and ensuring secure firmware updates throughout the lifecycle of IoT devices.

Splunk for Security Breakout Session

Splunk

The document discusses security session presented by Philipp Drieger. It begins with a safe harbor statement noting any forward-looking statements are based on current expectations and could differ from actual results. The agenda includes discussing Splunk for security, enterprise security, and Splunk user behavior analytics. It provides examples of how Splunk can be used to detect threats like fraud and advanced persistent threats by analyzing machine data from various sources. It also discusses how threat intelligence can be incorporated using STIX/TAXII standards and open IOCs. Customer examples show how Nasdaq and Cisco have replaced their SIEMs with Splunk to gain better scalability and flexibility.

Application security meetup k8_s security with zero trust_29072021

lior mazor

SplunkLive! Paris 2016 - Plenary session

Splunk

How the latest trends in data security can help your data protection strategy...

Ulf Mattsson

Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures. In this webinar, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Angeloluca Barba

A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries. Asset visibility and network baselining Continuous network monitoring Threat intelligence ingestion Thorough incident response plans

Improving System Upgrades and Patching using SolarWinds

SolarWinds

Experiences in Mainframe-to-Splunk Big Data Access

Precisely

Adding mainframe data to the stream of machine-to-machine or “log” data for operational and security/compliance purposes is no longer a nice-to-have - it's a requirement. View this presentation to hear the real-world experiences of four organizations who bridged the gap between the mainframe data and Splunk to create true operational and security intelligence. You'll learn: The business needs that drove the requirements to bring their Mainframe data into Splunk The options they considered to meet these requirements How they are using Syncsort Ironstream® to meet and exceed their needs

TIG / Infocyte: Proactive Cybersecurity for State and Local Government

Infocyte

This webinar and presentation outlines the Infocyte HUNT threat detection and incident response platform, and how it enables state and local government organizations: - Reduce risk across local, off-network, and cloud IT assets - Expose and eliminate hidden cyber threats and vulnerabilities - Streamline your overall security operations - Achieve and maintain compliance Using Infocyte, TIG can provide their customers with cost-effective, easy-to-manage, and on-demand cybersecurity consulting services (e.g. compromise assessments, incident response) and managed security services (e.g. managed detection and response). Visit https://www.infocyte.com/ to learn more and request a demo, or request a cybersecurity risk assessment (Compromise Assessment) using the link below: https://www.infocyte.com/free-compromise-assessment/

Similar to The Future of ICS Security Products (20)

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of I...

Rothke secure360 building a security operations center (soc)

Securing Systems - Still Crazy After All These Years

.conf Go Zurich 2022 - Security Session

BSidesAugusta ICS SCADA Defense

Visualization in the Age of Big Data

PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków

PPT-Splunk-LegacySIEM-101_FINAL

SplunkLive! - Splunk for Security

security onion

Government and Education Webinar: How to Reduce Vulnerabilities and Harden yo...

IoT Security and Privacy Considerations

Splunk for Security Breakout Session

Application security meetup k8_s security with zero trust_29072021

SplunkLive! Paris 2016 - Plenary session

How the latest trends in data security can help your data protection strategy...

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Improving System Upgrades and Patching using SolarWinds

Experiences in Mainframe-to-Splunk Big Data Access

TIG / Infocyte: Proactive Cybersecurity for State and Local Government

More from Digital Bond

Attacking and Defending Autos Via OBD-II from escar Asia

Digital Bond

This document discusses security issues related to accessing and controlling vehicles via OBD-II ports, drawing comparisons to struggles securing industrial control systems. It notes that accessing these systems often means compromising them, as protocols were designed without security. While an analysis of a Progressive Snapshot dongle found no security precautions, lessons from securing critical infrastructure suggest restricting access and implementing least privilege. The document advocates learning from past ICS mistakes to develop secure vehicle protocols and modules.

Remote Control Automobiles at ESCAR US 2015

Digital Bond

The RIPE Experience

Digital Bond

Windows Service Hardening

Digital Bond

Lessons Learned from the NIST CSF

Digital Bond

Assessing the Security of Cloud SaaS Solutions

Digital Bond

The document discusses assessing the security of cloud SaaS solutions. It covers cloud security standards like ISO 27001, CSA Cloud Controls Matrix, and CSA STAR certification. Trust in the cloud is difficult due to lack of transparency from cloud providers. The document provides approaches for evaluating a cloud provider's security controls, privacy practices, and data protection. It also includes sample questions from the CSA consensus assessment initiative to assess these areas for a specific cloud SaaS solution.

Monitoring ICS Communications

Digital Bond

Active Directory in ICS: Lessons Learned From The Field

Digital Bond

This document provides lessons learned from implementing Active Directory domains in control system environments. It covers topics like time synchronization, DNS, Active Directory replication, domain controller maintenance, backup and restore, user and group guidelines, and ICS group policy. The key lessons are: accurate time sync is critical; DNS configuration on domain controllers must include the loopback address; Active Directory replication links need to be properly configured; flexible single master operations roles should be transferred before domain controller maintenance; individual user accounts should be used instead of shared administrator accounts; and group policy can be used to apply security settings to control systems. The presentation provides guidance on best practices, common problems encountered, and their solutions.

Accelerating OT - A Case Study

Digital Bond

This document summarizes a presentation given by Craig Heilmann of IBM Security Services at the S4 ICS Security Conference in January 2015. The presentation discussed accelerating cyber security for operational technology (OT) using a case study. The case study involved a large manufacturer that wanted to transform its security operations over 5 years but faced constraints. The solution was to focus first on operations using an "elastic and agile" model with processes, operations, and technology improvements to quickly detect, respond, and disrupt attacks. This included enterprise-wide password changes and a security program framework to continuously adapt and mature capabilities over time. Cost modeling was also introduced to better plan and rationalize security spending.

API Training 10 Nov 2014

Digital Bond

Unidirectional Security Appliances to Secure ICS

Digital Bond

Internet Accessible ICS in Japan (English)

Digital Bond

Survey and Analysis of ICS Vulnerabilities (Japanese)

Digital Bond

ICS Security Training ... What Works and What Is Needed (Japanese)

Digital Bond

Vulnerability Inheritance in ICS (English)

Digital Bond

This document discusses vulnerability inheritance in programmable logic controllers (PLCs) from third-party libraries and software. It provides a specific example of vulnerabilities found in the CoDeSys runtime and engineering software used by hundreds of industrial control system vendors. The document outlines how two major Japanese PLC vendors were found to be affected by these vulnerabilities due to their use of CoDeSys, and concludes that vendors need to implement secure development practices like security testing to prevent inheriting vulnerabilities from third-party components.

Incubation of ICS Malware (English)

Digital Bond

This document discusses SCADA honeypots, which are devices or systems placed on a network with no operational purpose in order to detect attacks. Honeypots can detect attacks since anything accessing them is suspicious as they have no legitimate use. While some debate their effectiveness, honeypots can provide valuable information by allowing researchers to learn how attackers work when they interact with the honeypot. The level of interaction and visibility of the honeypot must be considered to balance obtaining useful data with security risks.

Dynamic Zoning Based On Situational Activity in ICS (Japanese)

Digital Bond

Havex Deep Dive (English)

Digital Bond

Unsolicited Response - Getting BACnet Off of the Internet (Japanese)

Digital Bond

Using Assessment Tools on ICS (English)

Digital Bond

More from Digital Bond (20)

Attacking and Defending Autos Via OBD-II from escar Asia

Remote Control Automobiles at ESCAR US 2015

The RIPE Experience

Windows Service Hardening

Lessons Learned from the NIST CSF

Assessing the Security of Cloud SaaS Solutions

Monitoring ICS Communications

Active Directory in ICS: Lessons Learned From The Field

Accelerating OT - A Case Study

API Training 10 Nov 2014

Unidirectional Security Appliances to Secure ICS

Internet Accessible ICS in Japan (English)

Survey and Analysis of ICS Vulnerabilities (Japanese)

ICS Security Training ... What Works and What Is Needed (Japanese)

Vulnerability Inheritance in ICS (English)

Incubation of ICS Malware (English)

Dynamic Zoning Based On Situational Activity in ICS (Japanese)

Havex Deep Dive (English)

Unsolicited Response - Getting BACnet Off of the Internet (Japanese)

Using Assessment Tools on ICS (English)

Recently uploaded

“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/ Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit. The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers. Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.

Trusted Execution Environment for Decentralized Process Mining

LucaBarbaro3

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Serial Arm Control in Real Time Presentation

tolgahangng

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

akankshawande

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Nordic Marketo Engage User Group_June 13_ 2024.pptx

MichaelKnudsen27

JavaLand 2024: Application Development Green Masterplan

Miro Wengner

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

alexjohnson7307

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

WeTestAthens: Postman's AI & Automation Techniques

Postman

Public CyberSecurity Awareness Presentation 2024.pptx

marufrahmanstratejm

Dandelion Hashtable: beyond billion requests per second on a commodity server

Antonios Katsarakis

This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Wask

https://www.wask.co/ebooks/digital-marketing-trends-in-2024 Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

Recently uploaded (20)

“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...

Trusted Execution Environment for Decentralized Process Mining

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Serial Arm Control in Real Time Presentation

Your One-Stop Shop for Python Success: Top 10 US Python Development Providers

Skybuffer SAM4U tool for SAP license adoption

Programming Foundation Models with DSPy - Meetup Slides

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Nordic Marketo Engage User Group_June 13_ 2024.pptx

JavaLand 2024: Application Development Green Masterplan

Monitoring and Managing Anomaly Detection on OpenShift.pdf

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

June Patch Tuesday

WeTestAthens: Postman's AI & Automation Techniques

Public CyberSecurity Awareness Presentation 2024.pptx

Dandelion Hashtable: beyond billion requests per second on a commodity server

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Building Production Ready Search Pipelines with Spark and Milvus

GraphRAG for Life Science to increase LLM accuracy

The Future of ICS Security Products

1. The Future of ICS Security Products

2. 2

3. New Product Category Detection

4. 4

5. 5

6. 6

7. Asset Inventory To The Rescue ◦ Didn’t have an asset inventory ◦ Outdated spreadsheet at best ◦ Amazed at what passive monitoring could tell them ◦ Easy win for customers and vendors 7

8. 8

9. More accurate and more detailed information on your cyber assets. Using only legitimate protocol requests. NOT SCANNING! 9

10. 10

11. More accurate and more detailed information on your cyber assets. Using only legitimate protocol requests. NOT SCANNING! 11

12. If you can’t stomach Active then use your EWS or other ICS component to query cyber assets so Passive can see the answers. 12

13. Asset Management ◦ Asset Inventory ◦ Configuration Mgmt ◦ Vulnerability Mgmt ◦ Change Management ◦ … 13

14. 14

15. 15

16. 16 ICS Detection Asset Mgmt Vuln Mgmt SIEM / SOC

17. 17

18. Vulnerability Management ◦ Requires software inventory ◦ Identify vulnerable sw / fw ◦ What to patch? When? What application will apply the patch? 18

19. Detection

20. Prioritized List of Detection Sources - Endpoint protection alerts - Blocked firewall egress attempts - New admin users - … 20

21. 21

22. Same - Switch span port or tap, passive traffic collection - Lots of signatures - Same data overwhelm issues Network IDS with ICS Protocol Smarts Different - Able to parse ICS protocols - Alert on legit, high risk cmds - Some anomaly detection - ICS Playbooks 22

23. 23

24. Incident Response ◦ What good is detecting if you can’t respond? ◦ Detection products provide data for after incident investigation ◦ Knowing ICS and the product is key for effective response 25

25. 26

26. What Will You Do With The Data? ENTERPRISE SOC Forward the ICS detection system data to Enterprise SOC. Add ICS talent to the SOC and response team. STAND ALONE SYSTEM Analysts use product as primary ICS detection system. OT SOC ICS detection system used as one detection source in an OT SOC. 27

27. 28

28. 29

29. Lots of Change ◦ Asset Inventory will not be part of detection product ◦ ICS Detection GUI won’t matter ◦ Integration with SOC systems ◦ Sensors will be in your switches ◦ Competitors will almost all change 30

30. Slow Down / Pilot Position As Interim / Learning 31

31. What Would I Do? (in order) ◦ Start with an asset management solution ◦ Get detection solution ◦ Integrates with asset mgmt ◦ Retains forensics records ◦ Get incident response retainer ◦ Focus on SOC integration 32

32. Asset Inventory / Management - PAS - Langner OT-BASE - Asset Guardian - MDT Software - DCS vendors 33

33. 34

34. What Is Top Tier? BAKE OFFS & PILOTS We saw the same four repeatedly in asset owner competition and pilots. COMPANY GROWTH Top Tier now are 100+ employees and growing. Accelerating & leaving the rest behind. RAPID PRODUCT DEV Huge investment in R&D showing in new features and product maturity. 35

35. Detection Tiers (US) July 18 Claroty / Dragos / Nozomi / SecurityMatters 36 CyberX / Indegy / Kaspersky / Sentryo The Rest https://dale-peterson.com/ics-detection-market-analysis/

36. Detection Tiers (US) Nov ‘19 Claroty / Dragos / Nozomi 37 CyberX / Indegy / Kaspersky / Sentryo* / Radiflow 11 Competitors https://dale-peterson.com/ics-detection-market-analysis/

37. Acquisitions Forescout buys SecurityMatters ($113M) 38 Cisco buys Sentryo (my guess ~$50M) Tenable buys Indegy ($78M) Also GE, Honeywell, Kaspersky …

38. Detection Tiers (US) Today Claroty / Dragos / Nozomi 39 CyberX (Microsoft?) / Radiflow SCADAfence + 5 Others https://dale-peterson.com/ics-detection-market-analysis/

39. Thanks! Any Questions? Dale Peterson, CEO of Digital Bond peterson@digitalbond.com https://dale-peterson.com Founder of S4, every Jan in Miami SoBe https://s4xevents.com Twitter: @digitalbond Unsolicited Response Podcast YouTube: www.youtube.com/s4events 40

Editor's Notes

Like most things OT, Ops said it was impossible. Ethernet, Windows, anti-virus, application whitelisting, virtualization, we were even told passive IDS would break ICS in 2006. So predicting years ago that active would be used was easy.
What cards are in the PLC, what firmware, when was the logic last updated
Physical location, criticality, who is in charge You really need asset management which includes other items
Will some pivot to this
Move away from spreadsheets, manual asset inventory. Automate Drawing showing Vuln Mgmt, Passive Detection, Asset Management, SOC, all talking through Rest API
Increasingly popular feature in this new class of ICS detection products … but they don’t apply the patches so you need another vulnerability management solution. Decision tree – exposure, criticality, safety, CVSS, and exploit in the wild (Never, next, now)
Rebekah Mohr, Ben Goerz Kimberly Clark tomorrow on the S4 Events YouTube Channel
Cisco’s acquisition of Sentryo and their Cyber Vision products is just the start.
Said this 18 months ago and still true. At least position that you could rip and replace this detection solution. Perhaps subscribe rather than buy, although a lot of times the break even is between 2 and 3 years.

The Future of ICS Security Products

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Future of ICS Security Products

Similar to The Future of ICS Security Products (20)

More from Digital Bond

More from Digital Bond (20)

Recently uploaded

Recently uploaded (20)

The Future of ICS Security Products

Editor's Notes