By: Carolyn Crandall, Chief Marketing Officer, Attivo Networks
I am pleased to share that today Attivo Networks® announced a new release of its deception-based Attivo BOTsink® solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world.
SCADA systems were originally designed to monitor critical production processes without consideration of security consequences. Security was generally handled by keeping the devices off the network and the Internet using “air gaps”, where malware could only be transmitted by the thumb drives used by technicians. Today, however, vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and the Internet, making them easily accessible to a remote attacker. Examples of this are the Sandworm malware that attacked the telecommunications and energy sectors, the Havex malware that infected a SCADA system manufacturer, and the BlackEnergy malware that attacked ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased maliciousness and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.
With this announcement, Attivo is extending its inside-the-network threat detection, which has been available for enterprise networks and public, private, and hybrid cloud environments, to also cover SCADA devices. Attivo will provide upstream and downstream threat detection for business systems, process controls, and field sensors. Organizations will now have real-time visibility into reconnaissance and stolen-credential attacks, and will gain visibility into external, insider, and third-party threats as they move laterally through the network. Regardless of whether the malware originates from a USB device, from clicking on a phishing email, or from another point of access, Attivo will set the traps and provide the visibility required to quickly detect and stop an attack.
How it works:
Deception is a different and highly effective solution for protecting SCADA environments, since it does not rely on knowing the attack signatures or patterns, and it also does not need to monitor all traffic to look for suspicious behavior. Deception also does not require software to be loaded or maintained on the SCADA device. Instead, deception techniques are used to confuse, delay, and redirect the enemy by incorporating ambiguity and by misdirecting their operations.
Lured to the Attivo deception engagement server, the attacker will be tricked into engaging and believing they have succeeded in their attack. The deception server has a contained “sinkhole” so that, once engaged, the attack can be studied without risk of additional harm. Once the attacker engages, there is no way of hiding. Their IP address is immediately identified, and attack forensics are created so that an actionable, substantiated alert can be sent to enable prompt blocking, quarantining, and remediation of the infected device. Additionally, a port can be opened to communicate with the Command and Control to get additional information about their methods, tools, and techniques.
Alerts occur in real time based upon the detection of an attacker. All alerts provide forensics with the substantiated, actionable detail required to identify the infected device and the attacker's IP, methods, and tools. Since alerts are based on actual engagement and provide the attack detail, security operations staff can quickly and confidently quarantine a device and remediate the attack.
The Attivo threat intelligence dashboard installs with the software, provides the ability to customize settings, and gives a centralized view of all alerts. The dashboard also provides drill-down into specific threat detail. Additionally, IOC, PCAP, STIX, CSV, and other reporting formats can be created to share the attack detail. Third-party integrations with SIEM solutions (Splunk, ArcSight, and QRadar) are provided, along with integrations with popular firewalls to automatically block, quarantine, and remediate infected devices.
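As an added illustration of the engagement-based alerting described above (example code, not Attivo's), this Python sketch treats any Modbus/TCP frame reaching a decoy PLC as an engagement, records the source IP and the requested operation, and exports the alert as CSV and as a STIX 2.1 indicator. Modbus as the decoy protocol, the function-code table, the IP addresses and the sample frame are all assumptions; the post names no specific SCADA protocol.

```python
import csv, io, json, struct, uuid
from datetime import datetime, timezone

# Modbus/TCP function codes a decoy PLC is likely to see (constructed table; Modbus is an
# assumed representative SCADA protocol, the post names none)
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                  6: "Write Single Register", 16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}  # writes would alter process state: rate them higher

def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:  # protocol id is always 0 for Modbus
        raise ValueError("malformed MBAP header")
    return {"transaction_id": tid, "unit_id": unit, "function_code": frame[7]}

def engagement_alert(src_ip: str, decoy_ip: str, frame: bytes, seen_at: datetime) -> dict:
    """Any frame reaching a decoy is an engagement, so one packet is enough to alert on."""
    fc = parse_mbap(frame)["function_code"]
    return {"timestamp": seen_at.isoformat(), "attacker_ip": src_ip, "decoy_ip": decoy_ip,
            "decoy_port": 502, "function": FUNCTION_NAMES.get(fc, f"unknown (0x{fc:02x})"),
            "severity": "high" if fc in WRITE_CODES else "medium", "raw_hex": frame.hex()}

def to_csv(alerts: list) -> str:
    """CSV export of alert records for analysts or SIEM ingestion."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(alerts[0]))
    writer.writeheader()
    writer.writerows(alerts)
    return buf.getvalue()

def to_stix_indicator(alert: dict) -> str:
    """STIX 2.1 Indicator object naming the engaging source address."""
    ts = alert["timestamp"].replace("+00:00", "Z")  # STIX wants UTC with a trailing Z
    return json.dumps({"type": "indicator", "spec_version": "2.1",
                       "id": f"indicator--{uuid.uuid4()}", "created": ts, "modified": ts,
                       "valid_from": ts, "pattern_type": "stix",
                       "pattern": f"[ipv4-addr:value = '{alert['attacker_ip']}']",
                       "labels": [f"decoy-engagement-{alert['severity']}"]})

def sample_alert() -> dict:
    # Constructed sample: Write Single Register (fc 6) to register 1, from a documentation IP
    frame = bytes.fromhex("000100000006010600010100")
    return engagement_alert("192.0.2.45", "192.0.2.7", frame,
                            datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc))
```

A decoy that never serves real process data has no legitimate clients, which is why a single write request to it can be rated high severity without any signature or baseline.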
It is no longer a matter of “if” an attack will occur on an IACS for critical infrastructure. A modern-day security approach now assumes the network has been breached and accepts that even the best security prevention systems have gaps, and that attackers will get into the network. It is now highly recommended to have an active defense program that includes prevention and inside-the-network threat detection. A defense-in-depth approach based on layered prevention security is a good approach, but adding a next line of defense that can reliably detect zero-day, signature-less attacks, stolen credentials, and insider/third-party threats greatly reduces the risks of catastrophic damage and/or the exfiltration of company data. Whether you choose to start by protecting only your most critical devices or choose to turn your entire network into a ubiquitous trap, the Attivo dynamic deception platform provides a fast, reliable, and cost-effective solution to detect and defend against malicious cyber attacks.
Additional information on ICS-SCADA Threat Detection: