Feature Focus: Building Management System (BMS) Security and Risk Monitoring

November 23, 2020

Preview threat detection features we’ve built into Industrial Defender for building management systems (BMS), including risk scoring, security monitoring and network analytics.

Video Transcript & Slides

Let’s log in. Here you’ll see the risk dashboard. This is a new feature we just introduced, where we’re summarizing all the assets, scoring them based on our risk matrix, and then summarizing them by location to give you a quick view of where the risk in your environment is. So, you can see in this specific example, we’ve got 19 assets spanning 3 different locations.
We’ve got risk scores, from a low score over here at headquarters to a very high score where something’s going on, obviously over at the secure storage area.
You can see the sunburst on the left highlights BMS risk across the outermost ring. So, you can see that this asset has got some risk due to configuration, exceptions, or anomalies. It’s got some unreviewed security events. The baselines are in good shape. We’ve got a high-ranking CVE on this asset. So, as we roll across, we’ll see that there’s no ICS-CERT bulletins for this asset. It’s healthy, it’s reachable. It’s got no security events to be worried about. And you can do this for all the assets at a specific location.
We then jump over to our science building. Looks like everything’s OK, except for this one asset, which is a Jace controller. It’s got some configuration baseline anomalies, and we’ll dive into some of that in a minute here.
You can see over at headquarters, everything is OK.
So, let’s dive into one of the high-risk assets over in our secure storage area. And we’ll basically go into how we’re calculating that risk, and then we’ll go into some analytics about the asset. So, you can see it’s in a group of other BMS assets, and we’re looking at some of the collected data. You can see that this asset, when we look at its peers, is doing well, but it seems to have a lot more open ports and services, fewer firewall rules and more users configured, so those are potential areas for risk.
As far as software trends go, it’s about trending with the group and seems like it’s probably getting patches. Maybe it was offline for a few days, and didn’t report the data there. No software baseline deviations, which is good, and you can see how it’s trending in events. We’ve got a spike in events that occurred a few days ago, so that’s something we’re going to want to dig into.
From a baseline perspective, this is where we’re taking some machine learning and determining what’s normal for an asset or a group of assets, and you can see that the group norm is much, much higher. We saw some evidence on that back there as well.
As we finish off, you can see that we’re showing you how this risk score is being calculated. On the back end, we give you the ability to change and modify these settings to meet your company’s needs or risk lens.
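As an added illustration (not Industrial Defender’s code; the real risk matrix is not disclosed on this page), here is a scoring routine with adjustable weights for the factors the sunburst shows, a peer comparison for open ports and users, and a roll-up by location. Every weight, threshold and asset below is an assumption.

```python
from collections import defaultdict

# Constructed weights for the sunburst's factors; the vendor's actual matrix is not on this page.
WEIGHTS = {
    "config_anomaly": 10,     # per unreviewed configuration exception/anomaly
    "unreviewed_event": 2,    # per unreviewed security event
    "baseline_drift": 15,     # software baseline no longer matches approved state
    "cvss_point": 5,          # per point of the highest CVSS base score on the asset
    "ics_cert_bulletin": 20,  # outstanding ICS-CERT bulletin for the asset
    "unreachable": 25,        # asset stopped reporting (not healthy/reachable)
}

def asset_risk(a, w=WEIGHTS):
    """Weighted sum of one asset's risk factors (counts, flags, max CVSS)."""
    return (w["config_anomaly"] * a.get("config_anomalies", 0)
            + w["unreviewed_event"] * a.get("unreviewed_events", 0)
            + w["baseline_drift"] * int(a.get("baseline_drift", False))
            + w["cvss_point"] * a.get("max_cvss", 0.0)
            + w["ics_cert_bulletin"] * int(a.get("ics_cert_bulletin", False))
            + w["unreachable"] * int(not a.get("reachable", True)))

def risk_band(score):
    """Map a score to the low/medium/high bands the dashboard colours by."""
    return "high" if score >= 60 else "medium" if score >= 25 else "low"

def peer_outliers(group, field, factor=1.5):
    """Peer comparison: assets whose `field` exceeds factor x the group mean."""
    mean = sum(a[field] for a in group) / len(group)
    return sorted(a["name"] for a in group if a[field] > factor * mean)

def location_summary(assets):
    """Roll up by location: (highest asset score, its band) per site."""
    by_loc = defaultdict(list)
    for a in assets:
        by_loc[a["location"]].append(asset_risk(a))
    return {loc: (max(s), risk_band(max(s))) for loc, s in by_loc.items()}

# Constructed inventory loosely modelled on the demo's three sites.
ASSETS = [
    {"name": "hq-ahu-1", "location": "Headquarters", "open_ports": 4, "users": 2},
    {"name": "sci-jace-1", "location": "Science", "open_ports": 5, "users": 2,
     "config_anomalies": 3},
    {"name": "store-jace-2", "location": "Secure Storage", "open_ports": 14,
     "users": 7, "unreviewed_events": 9, "max_cvss": 7.5, "config_anomalies": 1},
    {"name": "store-bacnet-gw", "location": "Secure Storage", "open_ports": 5, "users": 2},
]
```

Changing the `WEIGHTS` table is the equivalent of the back-end tuning the transcript mentions; the same inventory will re-rank under a different risk lens.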
We also saw some interesting risk behavior over in the science building, specifically on that Jace controller. So, I’m going to head over to our asset administration function. We’ll be able to go look at all the assets that are in that science building.
When I drill through on that Jace controller, it looks like a few days ago someone had upgraded its firmware to Tridium version 4.9. I know that’s a version that closed some vulnerabilities, so that’s good. The vendor is actually doing that maintenance. They told me that they were going to do that, but now I have the ASM telling me definitively based on understanding of the BACnet protocol what was updated, which dovetails nicely into vulnerability monitoring.
Here I have another Jace controller that they’re due to upgrade in a different building, and with our vulnerability monitoring view, we can see that we have an older version of Tridium running.
Here we’ll bring you through to the vulnerability details where you can see it’s a fairly low-rated vulnerability, but it is concerning, specifically because it has an outstanding ICS security bulletin with it. So, these are all part of the vulnerability monitoring feeds that we’re monitoring for our customers.
If you look at the vulnerability feed bulletin, Industrial Defender will provide you that bulletin in context.
Another core component of Industrial Defender is the ability to accurately report on these assets in your environment. So not only reporting from a generic inventory standpoint, but also reporting to align with specific standards, whether it’s the NIST Cybersecurity Framework (CSF) or the 20 CIS Controls. All these standards are built into Industrial Defender to provide reporting quickly and easily to management, inventory teams, or IT teams. Let’s say you’re using the NIST CSF. Specifically, you’re being asked, what does your software inventory look like across your building environment?
You can then click on the report and view it. These reports are schedulable and emailable. So, you can see we’ve collected some data from Windows, from the Fortinet infrastructure that’s powering this demo, some Linux titles. There are quite a few Linux titles in this environment. As we head to the second page, we’ll see some of those Jace controllers and the software versions they’re running. This is a very nice report that can easily be summed up in many different formats in many ways.
Industrial Defender gives you the ability to report on this as far back as all data you’ve ever collected in the system, so let’s say we want to go back maybe just a few days.
You can quickly create this report and gather up all the data for your assets that are tagged as BMS. Maybe you want all the locations, maybe you just want the science building based on the query you’re being asked. We’ll do a model here to let you see what software titles look like across the board.
Another feature, which we’ll end on, is our Netflow application. This comes with our NIDS sensor, as well as our deep packet inspection, which are one and the same. It goes through all the network communications that we’re seeing, whether they be traditional IT or BMS protocols, and starts to break up those protocols into the top services, top source IPs and top destinations.
We’ll drill through on each to get an understanding of who is talking to whom.
Another great feature of Netflow is the ability to monitor inbound and outbound external communications. So, if you’re worried about vendor remote access, or if these systems are potentially accidentally connected to the public Internet, that could be seen here very quickly. In a very closed off environment, you should see very little inbound external communications. You would see assets reaching outbound getting their updates and patches, but inbound communication should be few and far between. Here you can see quickly all the different IPs coming in from the outside world.
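The top-services/top-talkers breakdown and the inbound-versus-outbound external check described above, as an added example that is not part of the original post or the product: it runs over a handful of constructed flow records and assumes the BMS network lives in RFC 1918 space.

```python
import ipaddress
from collections import Counter

# BMS address space assumed to be RFC 1918; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, dst_port, proto, bytes) in the shape of a
# flattened NetFlow export; not captured from the demo environment.
FLOWS = [
    ("10.20.1.15", "10.20.1.40", 47808, "udp", 1800),     # BACnet/IP between controllers
    ("10.20.1.40", "10.20.1.15", 47808, "udp", 1700),
    ("10.20.2.8", "10.20.1.40", 1911, "tcp", 5400),       # Niagara Fox to a Jace
    ("10.20.1.40", "203.0.113.10", 443, "tcp", 91000),    # outbound: update download
    ("198.51.100.23", "10.20.1.40", 443, "tcp", 3100),    # inbound from the Internet
    ("198.51.100.23", "10.20.1.15", 22, "tcp", 2200),     # inbound SSH from the Internet
    ("10.20.2.8", "10.20.1.15", 502, "tcp", 900),         # Modbus/TCP
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def top_talkers(flows, n=3):
    """Top services (proto/dst port), source IPs and destination IPs by bytes."""
    svc, src, dst = Counter(), Counter(), Counter()
    for s, d, port, proto, nbytes in flows:
        svc[f"{proto}/{port}"] += nbytes
        src[s] += nbytes
        dst[d] += nbytes
    return {"services": svc.most_common(n), "sources": src.most_common(n),
            "destinations": dst.most_common(n)}

def external_flows(flows):
    """Split perimeter-crossing flows into (inbound, outbound) lists."""
    inbound = [f for f in flows if not is_internal(f[0]) and is_internal(f[1])]
    outbound = [f for f in flows if is_internal(f[0]) and not is_internal(f[1])]
    return inbound, outbound

def inbound_sources(flows):
    """External IPs reaching into the BMS network and what they reached.
    In a closed-off environment this should be empty or a short vendor list."""
    seen = {}
    for s, d, port, proto, _ in external_flows(flows)[0]:
        seen.setdefault(s, set()).add((d, f"{proto}/{port}"))
    return {ip: sorted(v) for ip, v in seen.items()}
```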
Another nice part about the Netflow feature is we also give you a network topology map. Here you can see all the communications, just over the wire. But if you want a full drawn topology map, this is one based on the Industrial Defender-specific communications.
If you flip over to network, we’ll then be able to quickly show you in a star-type view who was talking to whom. These are all the endpoints that Industrial Defender is actively monitoring.
If we switch it over to discovered assets, this includes all assets.