Video: Deploying Industrial Defender Agents on ICS and SCADA Systems (Part 1)

May 15, 2020

Learn how Industrial Defender's agents can be deployed on any ICS or SCADA system environment, regardless of endpoint type or granularity of network segmentation, and the steps our experts recommend taking when tackling an OT security improvement project.

In Part 1, you will learn how a simple deployment of ID's agents can give you visibility into:

  • Firewall rules protecting your boundaries
  • Rogue devices and access points
  • Change management on software and accounts
  • Vulnerabilities in your environment by using Passive Vulnerability Monitoring technology

Video Transcript & Slides

Thank you everyone for joining the Industrial Defender webinar which focuses on agent deployment and Industrial Defender’s ability to be deployed regardless of endpoint type or granularity of network segmentation.
I’m George Kalavantis and I head up the operations group at Industrial Defender, but I’m also a former asset owner with 17 years of utility experience. With me is Jeremy Morgan, our Principal Solutions Engineer, also with almost 15 years of asset owner and OEM experience. He will be taking us through the different deployment methodologies today. We felt that there was a need to educate the marketplace on the challenges of monitoring heterogeneous ICS environments and how Industrial Defender can meet those challenges with our different agent deployment methodologies and technologies. As many in the ICS space know, there is no silver bullet with respect to ICS asset identification and security. It takes many different deployment methodologies, i.e. active and passive, to fully identify an ICS environment. With that said, I will now hand it over to Jeremy to take us through the agent deployment.
Thanks George. Here’s a picture of a typical DCS and SCADA system with different network segments. Up top here, you have more IT-friendly assets. This will be the zone that’s most often connected to your corporate network to get data in and out between the plant and the rest of the enterprise. The next layer down is where most of your engineers spend most of their time. This is where you have the HMIs and the operators and the engineers all working and doing their day to day routines. Down here on the bottom is where IT meets the physical. This is where things really go from IT-centric to process-centric and require a lot of specialized knowledge.
The first step is taking a look at the ease and breadth of coverage combined with risk. This really translates into simple first steps of deploying agents on the IT assets, configuration data from your firewall, and syslog forwarding from your devices that can easily deploy. You are also going to get a NIDS to provide network protection and aid in asset discovery on any asset with an IP address. Since most attacks originate in the zones that have the most human interaction, you’re getting a ton of value with just the first few steps. As you can see, this will give a lot of coverage in the top two zones and really add visibility and awareness into your security checkpoints between layers. You now know, and more importantly can take well-informed actions on, the firewall rules protecting your boundaries. You can detect rogue devices and access points. You can truly detect and manage changes to software and accounts, and you can track vulnerabilities using our Passive Vulnerability Monitoring technology.
Hey Jeremy, I apologize for interrupting. This is routine work and Industrial Defender considers this complexity level Easy or ID Zone 1.

George, what is that graphic? I’ve never seen that before in my life.

Jeremy, just listen to me. At Industrial Defender, we were looking for an easy way to define the complexity of OT asset management and security coverage and how Industrial Defender can meet these challenges. Unfortunately, many of us during this pandemic have had to convert areas of our house to home gyms. In my case, my wife forced me to buy a Peloton last year. In retrospect, a wise decision. With that said, I found the bike’s FTP zone meter resonated. The FTP represents your fitness threshold. In our case, this graphic will represent the different levels of OT security and compliance coverage complexity. We will use this graphic throughout the presentation to identify the different challenges of data collection and how ID categorizes each level. Jeremy took you through the ID ZONE 1 – EASY. We believe that most companies, when leveraging embedded agents and typical feeds, can perform at this level. What differentiates Industrial Defender from other companies is our ability to extract information from harder to reach devices, regardless of network connectivity. Jeremy, please continue.

George, I’ve never seen a Peloton in any of the documentaries I’ve been streaming, but I think I get it. On to the next zone.
In step 1, you’ve deployed Industrial Defender on your IT-friendly assets and have really gained insight and started reducing risk to your process. You are making progress and remediating misconfigurations, and your local compliance staff is more self-reliant and is looking at getting the answers for the next audit by themselves. You now want to leverage these advantages across even more assets. This could be things like GPS clocks, network switches, basically anything with a modern IP and a meaningful management interface like SSH. Mostly these are process adjacent, meaning in support of, but not actually doing, protection or control logic, with one big exception: SEL relays. Even if they are in a mostly serial setup, we still have the ability to bring them into this zone. Again, the purpose is to safely move up in complexity while getting closer to the physical process to increase awareness and reduce risk.
Industrial Defender considers this COMPLEXITY LEVEL LOW or ID ZONE 2.

Hey Jeremy, great presentation thus far. I have a couple of questions. Are agents and SSH the only collectors we have, and secondly, why do we consider the SEL relay to be complexity level low?

George, Industrial Defender has over 200 specific collectors and leverages several different collection methodologies: Telnet, SSH, HTTP, WMI, WinRM, web scraping, and file integration, just to name a few. So regardless of whether it is an RTU, an HMI, a relay or a substation gateway, we have standard collectors built to extract the information. And the reason that the SEL connection is in a COMPLEXITY LEVEL LOW is due to our extensive experience interacting with them, so once Industrial Defender has performed the collection engineering, the SEL asset is considered no different than a Cisco switch in the Industrial Defender remote agent library.

That’s great news, Jeremy. Thanks for the clarification. So what’s next?
I’m glad you are excited, but we’ve done a lot already. You now know, and more importantly can take well-informed actions, to document and monitor the firewall rules protecting your boundaries, to detect rogue devices and access points, to detect removable media actions in your HMIs and engineering servers, to truly detect and manage changes to software and accounts, and to track vulnerabilities using our Passive Vulnerability Management technology. When cyber security experts and all the different frameworks talk about Asset Management as the foundational key to a great cyber security program, these are the actions they are talking about. Remember, all the big named attacks started with humans doing things in either corporate or transitional areas. Stuxnet, Ukraine, Shamoon, WannaCry: all of them were humans doing things in these first couple of layers, and that’s why we recommend doing these foundational actions first. It’s straightforward, easy and safe to deploy, and allows you to effectively manage more risk.
Thanks, Jeremy. We have covered a lot of ground and a lot of risk. Let’s save the more complex scenarios like air-gapped networks, deploying with data diodes, and asset management techniques for the lower layers for next time.