2. Session Agenda
• Background: Why is it difficult to protect Industrial Control Networks?
• Operational Visibility: You can’t protect what you can’t see!
• Cybersecurity: Effective & Integrated
• Nozomi Networks, Inc
4. www.nozominetworks.com
Digital Transformation with Industry 4.0 / Industrial Internet (IIoT)
But there are complexities…
1. Systems were ‘air-gapped’ back then
2. Protocols were mostly proprietary
3. Cybersecurity was less onerous and resource-intensive
4. IT and OT were separate
Why we’re here…
5. Industrial Control Systems (ICS) are More Exposed
Digital Transformation with Industry 4.0 creates complex Industrial IoT networks
In the past, ICS Networks were …
• Isolated from IT
• Run on proprietary protocols
• Utilizing specialized hardware
• Requiring proprietary embedded operating systems
• Physically copper, twisted pair
Now they are …
• Bridged to corporate networks
• Utilizing internet protocols
• Running on general-purpose hardware with IT origins
• Utilizing mainstream IT operating systems
• Increasingly fiber and wireless
6. Typical ICS / SCADA Components are Vulnerable
PLCs and RTUs are computers with limited computational resources, built for controlling physical components such as valves, pumps, motors, etc.
They communicate via proprietary protocols that are prone to tailored attacks:
• Lack of authentication
• Lack of encryption
• Backdoors
• Buffer overflow
• Tailored attacks for controlling physical components
7. So What are the Experts Saying About ICS Cybersecurity?
• The SANS Institute: est. 1989 as a cooperative research and education organization
• SANS program reach: 165,000 security professionals globally and growing
• With security practitioners across varied global organizations, SANS is the most trusted and largest source for information security training and security certification in the world.
• Annual ICS Survey: hundreds of ICS practitioners and cybersecurity stakeholders across a range of vertical industries (including energy, manufacturing, and oil & gas)
8. 2017 SANS Survey: Perceived Threat Levels to ICS
• How serious does your organization consider the current cyber security threats to control systems to be?
Pie chart of responses: Severe/Critical 26.2%, High 42.8%, Moderate 25.5%, Low 3.4%, Unknown 2.1%
Source: SANS: The 2017 State of Industrial Control System Security: July 2017
9. Top Threat Vectors for OT - 2017 SANS Survey
• What are the top three threat vectors you are most concerned with? Rank the top three, with “First” being the threat of highest concern.
Bar chart (First / Second / Third rankings, axis 0% to 40%) over these vectors: Other; Industrial espionage; Internal threat (intentional); External threats (supply chain or partnerships); Integration of IT into control system networks; Malware families spreading indiscriminately; Phishing scams; Extortion, ransomware or other financially…; External threats (hacktivism, nation states); Internal threat (accidental); Devices and “things” (that cannot protect…
Source: SANS: The 2017 State of Industrial Control System Security: July 2017
11. Operational Visibility and Cybersecurity: Critical Steps
Gain Visibility
✓ Asset inventory
✓ Network visualization
✓ Network modeling
✓ Network vulnerabilities and remediation paths
Detect / Hunt for Malware Attacks & Network Compromises
✓ Behavioral cyber threat detection
✓ Process anomaly detection with context and correlation
✓ Rules and signature-based threat detection
12. Best Real-Time Visibility & ICS Threat Detection
Diagram: SCADAguardian sensors on the plant switches (HMI, local SCADA, PLCs, RTUs, replicated historian) reporting to a Central Management Console (CMC) and a SIEM behind the corporate firewalls (remote access, jump box, patching server, historian, DNS, web).
Monitor: a threat is detected by SCADAguardian and an alert is generated.
Detect: user-defined policies are rapidly examined and the appropriate corresponding action is triggered.
Secure: integration with firewalls enables rapid response (Node Blocking, Link Blocking, or Kill Session) and mitigates the issue.
13. Scaling Geo-Distributed & Multi-Tenant Deployments
Diagram: a Control Room CMC aggregating the CMCs of the Area 1 and Area 2 onshore control rooms, each monitoring its own plant network (switch, HMI, local SCADA, PLCs, RTUs, replicated historian, corporate firewall, remote access, SIEM, jump box, patching server, DNS, web).
14. Address incidents with a hybrid approach
Diagram: Threat & Anomaly Detection combining rules-based analysis (assertions, Yara/packet rules) with behavior-based anomaly detection across the INFECTION, DISCOVERY and ATTACK phases.
15. Three Challenges for Visibility & Detection
• You can’t be disruptive → Passive DPI
• How to automatically build your security profile of the OT? → Automatic learning and behavior-based anomaly detection
• You need a global view (IT + OT) → Monitoring and correlation function for IT and OT events
16. Operational Visibility: You can’t protect what you can’t see!
Case #1: Network Visibility & Monitoring
Case #2: Asset Discovery & Inventory
17. CASE STUDY 1 - Network Visualization and Monitoring
“At Vermont Electric our mission is to provide safe, affordable, and reliable energy services to our members. In order to do that, we need both operational visibility and cybersecurity protection for our critical operations systems. We’re working with Nozomi Networks because their deep industrial cybersecurity expertise is embedded in one clean, comprehensive solution, from network modeling to process anomaly and intrusion detection.”
Kris Smith, SCADA & Operations Engineering Manager
18. CASE STUDY 1 - Network Visualization and Monitoring
Q: How can I look into my OT network without being disruptive? Which applications on the IT side are directly connected with the OT network?
Standard Approach
• Collect documentation
• Interview OT people
• Manually analyze the connections
• Traditional network monitoring tools based on SNMP or Netflow
Limitations
• Lack of a real-time map of communications
• Limited characterization of traffic applications and patterns
• Active approach (SNMP) or standards not supported by all vendors (Netflow)
Advanced Approach
A non-intrusive tool that monitors ICS network communications and processes in real time. It illustrates ICS network data flows at the application level and provides a high degree of operational and situational awareness.
19. CASE STUDY 1 - Network Visualization and Monitoring
20. CASE STUDY 1 - Network Visualization and Monitoring
Screenshot: Nodes and Variables views. Go deep in details…
21. CASE STUDY 1 - Network Visualization and Monitoring
Screenshot: Links and Contents views. Go deep in details…
22. CASE STUDY 1 - Network Visualization and Monitoring
Screenshot: .... and create your own alerts, for example: Link Persistency
23. CASE STUDY 1 - Network Visualization and Monitoring
Screenshot: .... and create your own alerts, for example: Public Connections
24. CASE STUDY 2 – Asset Inventory
“Enel Power Plants are a strategic asset we are committed to protect. Malfunctions or damage to this infrastructure would be a threat to our national security. With Nozomi Networks’ SCADAguardian we can now detect and collect operational and cybersecurity issues in real time, and take corrective actions before the threat can strike.”
Gian Luigi Pugni, Global ICT Cybersecurity
“Through this partnership, we have made a substantial improvement in our Remote Control System. Nozomi Networks’ SCADAguardian is now a fundamental element of our network infrastructure and an essential tool for our daily activities … to substantially improve the reliability, efficiency, and cybersecurity.”
Federico Bellio, Head of Controls
25. CASE STUDY 2 – Asset Inventory
Q: How can I consistently adopt an asset management process within an OT environment, with up-to-date information?
Standard Approach
• Collect documentation
• Interview OT people
• Manually analyze the configurations
• Traditional IT CMDB tools
Limitations
• Outdated information/documentation
• Demanding in terms of workload
• Agent-based approach with impact on the OT resources
Advanced Approach
A non-intrusive tool that discovers and classifies the OT assets, quickly adding up-to-date information from the network traffic and allowing both enrichment from external sources and export of data to other tools
26. CASE STUDY 2 – Asset Inventory
Screenshot: asset details showing OT vendor, product, serial; firmware version of the PLCs; operating system.
27. CASE STUDY 2 – Asset Inventory
Screenshot: asset details showing firmware version of the PLCs, hardware components, product name, vendor and vulnerabilities.
28. CASE STUDY 2 – Asset Inventory
29. CASE STUDY 3 - Hybrid ICS Threat Detection
“When it came to cybersecurity protection for critical systems, we wanted the most advanced technology available. After extensive review, we chose Nozomi Networks. They brought superior know-how in ICS cybersecurity, and a proven track record with other industry leaders. We're using SCADAguardian as the basis of our ICS Cyber program, from operational monitoring to ICS threat detection.”
Dubai Electric & Water Authority (DEWA)
30. CASE STUDY 3 - Hybrid ICS Threat Detection
Q: How can I detect unauthorized and/or malicious behavior inside my OT environment?
Standard Approach
• Air-gapped environment
• Data diode or static OT firewall
Limitations
• Demanding in terms of workload and maintenance
• Outdated approach that conflicts with the current IT/OT convergence requirements to enhance performance, reduce costs and give flexibility and scalability to the infrastructure
Advanced Approach
A non-intrusive tool that monitors OT communications to detect anomalous behavior, unauthorized access and internal threats
31. CASE STUDY 3 - Hybrid ICS Threat Detection
Attack Phases: Phase 1 - INFECTION; Phase 2 - DISCOVERY; Phase 3 - ATTACK
Detection techniques applied across the phases:
• Behavior-based anomaly detection enriched with AI and an analytics engine
• Rule-based analysis (Yara, Packet rules, etc.) for threat hunting
• Signature assertions and queries with out-of-the-box and custom functions
Chart: Behavior Anomaly Detection, Yara/Packet Rules and Assertions overlaid on the attack phases.
32. USE CASE 3: ICS Anomaly Detection
Thanks to anomaly detection, every deviation from the learned baseline raises an alert, at one of several levels:
• A new communication is detected
• A “rogue” MAC address is identified
• A new Modbus connection is detected
• A Modbus Reprogram Command is detected: NEW INCIDENT, with the incident details and pcap traces of the attack generated automatically
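The escalation above, as an added example that is not Nozomi Networks' code: a toy passive baseline learner over constructed Modbus/TCP flow records, raising the same four alert levels and opening an incident on a programming command. The standard write function codes 5, 6, 15 and 16 are real; function code 90 standing in for a vendor-specific program-download command, the addresses and the severity labels are assumptions.

```python
from collections import namedtuple

# One flow record as a passive sensor would summarise it (constructed data).
Flow = namedtuple("Flow", "src_mac src_ip dst_ip proto func")

# Standard Modbus write function codes. The "program" code 90 is a placeholder
# for a vendor-specific project-download command (assumption, map to yours).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}
MODBUS_PROGRAM_FUNCS = {90}

# Constructed learning-phase traffic: HMI 10.0.1.10 polls and writes PLC 10.0.2.20.
LEARNING = [
    Flow("00:11:22:33:44:10", "10.0.1.10", "10.0.2.20", "modbus", 3),
    Flow("00:11:22:33:44:10", "10.0.1.10", "10.0.2.20", "modbus", 16),
    Flow("00:11:22:33:44:30", "10.0.1.30", "10.0.1.10", "http", None),
]

class Baseline:
    def __init__(self, flows):  # whitelist learned during the learning phase
        self.macs = {f.src_mac for f in flows}
        self.links = {(f.src_ip, f.dst_ip, f.proto) for f in flows}
        self.modbus = {(f.src_ip, f.dst_ip, f.func) for f in flows if f.proto == "modbus"}

    def check(self, f):
        """Return (severity, message) alerts for one post-learning flow."""
        alerts = []
        if f.src_mac not in self.macs:
            alerts.append(("medium", "rogue MAC address " + f.src_mac))
        if (f.src_ip, f.dst_ip, f.proto) not in self.links:
            alerts.append(("low", f"new communication {f.src_ip} -> {f.dst_ip} ({f.proto})"))
        if f.proto == "modbus":
            if (f.src_ip, f.dst_ip, f.func) not in self.modbus:
                sev = "high" if f.func in MODBUS_WRITE_FUNCS else "medium"
                alerts.append((sev, f"new Modbus function {f.func} {f.src_ip} -> {f.dst_ip}"))
            if f.func in MODBUS_PROGRAM_FUNCS:
                alerts.append(("critical", f"Modbus reprogram command {f.src_ip} -> {f.dst_ip}"))
        return alerts

def triage(baseline, flows):
    """Check every flow; a critical alert opens an incident (a real sensor would also save the pcap)."""
    alerts, incidents = [], []
    for f in flows:
        found = baseline.check(f)
        alerts.extend(found)
        if any(sev == "critical" for sev, _ in found):
            incidents.append((f.src_ip, f.dst_ip, [msg for _, msg in found]))
    return alerts, incidents
```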
33. CASE STUDY 3 - Hybrid ICS Anomaly Detection
Many traditional IT communications and common vectors for malware attacks are also commonly present in the OT environment (e.g. SMB)
34. CASE STUDY 3 - Hybrid ICS Anomaly Detection
Rule-based analysis allows you to identify known attacks and malware in real time
35. Securing Industrial Networks
Diagram of the plant hierarchy: Level 4 Production Scheduling; Level 3 Production Control; Level 2 Plant Supervisory; Level 1 Direct Control; Level 0 Field Level.
Sample threats that we detect
• Monitoring of remote access connection to networks
• Connection to Internet/corporate network DMZ
• MITM & scanning attacks (port, network)
• Unauthorized cross-level communication
• IP conflicts
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Traffic activity summaries
• Bad configurations (NTP / DNS / DHCP / etc.)
• Network topologies
• Used ports of assets
• Unencrypted communications (Telnet)
• Insecure Internet connections
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)
• Fieldbus I/O monitoring
37. Nozomi Networks Today: The leader of Industrial Cybersecurity
• Founded: since Oct 2013
• Monitored devices: +250,000
• Customers: +220 global installations
• Serving verticals
38. The Nozomi Networks Solution
Diagram: SCADAguardian attached to the Control Network and the Process Networks.
SCADAguardian implements an innovative technology for monitoring and assessing Industrial Control Systems.
• It is an appliance (physical or virtual) that connects to the industrial network passively and non-intrusively.
• It listens to all traffic within the control and process networks, analyzing it passively at all levels of the OSI stack (L1 to L7).
• It uses Artificial Intelligence and Machine Learning techniques to create detailed behavior profiles for every device according to the process state, to quickly detect critical state conditions.
• It provides best-in-class network visualization, asset management, ICS anomaly and intrusion detection, vulnerability assessment, as well as dashboards and reporting.
39. One Comprehensive Solution for ICS Cybersecurity & Visibility
Diagram: Nozomi Networks’ Solution Architecture