Consider the Operational Troubleshooting Benefits of Anomaly and Breach Detection

By Sid Snitkin
Category: ARCView

Anomaly and breach detection are hot topics in industrial cybersecurity circles. Companies recognize that sophisticated attackers can overcome even the best defenses, so attention has shifted to minimizing the impact of successful intrusions. Rapid detection is an essential ingredient, and solution providers now offer a variety of anomaly and breach detection methods.

Cybersecurity is the primary driver for anomaly and breach detection solutions, but it may not be their biggest benefit for industrial companies. The same solutions help companies detect and troubleshoot failing control devices, operator errors, and unauthorized changes that could lead to safety incidents, compliance violations, and operational disruptions.

Recognizing these broader benefits can help companies justify investments in anomaly and breach detection technology. It is difficult for plant staff to convince managers who have not experienced a significant breach to spend more on cybersecurity technology. But most plants have experienced operational disruptions due to control system failures, so managers can appreciate how costs grow when staff struggle to diagnose and resolve such issues.

This issue was the focus of a recent ARC briefing from SecurityMatters executives. The company provides an anomaly detection solution that has helped companies in power generation, electrical T&D, downstream oil, gas transportation and storage, water and wastewater, chemical, pharmaceutical, infrastructure, and manufacturing detect, avoid, and manage a variety of common control system problems.

Anomaly and Breach Detection
Industrial cybersecurity anomaly and breach detection solutions use a variety of approaches to monitor the integrity of industrial control systems. Breach detection solutions are host-based: they focus on configurations and activities on control system endpoints. Anomaly detection solutions are network-based: they monitor communications on control system networks for unauthorized devices, invalid connections, and illegal commands.

Anomaly Detection Solutions
Anomaly detection solutions passively access control system networks through the spanning (mirror) ports of network switches. Because the sensor only receives copies of the traffic, it has no effect on message flow or bandwidth on the monitored network; by the same token, it can detect suspicious traffic but cannot block it.

Industrial anomaly detection solutions include deep packet inspection capabilities comparable to, and in some cases exceeding, those of industrial protocol firewalls for protocols such as Modbus and DNP3. They parse message content to extract key fields such as function codes (control commands), register addresses, and data values, and use those fields to identify abnormal connections and illegal action requests.

Industrial anomaly detection solutions vary in how they establish rules for determining when messages are normal and legal.  Policy-based solutions rely upon users to define legal operations and normal traffic patterns.   Behavior-based solutions have the capability to automatically “learn” what is normal.  Data collected during system training periods is analyzed with sophisticated statistical classification and machine learning techniques.  Some solutions use continuous learning to adapt to system changes.       

While there are significant differences between policy-based and behavior-based solutions, the boundary is not rigid.   Policy-based solutions can include features that record messages and help users identify what is and is not normal.  Behavior-based solutions can enable users to manually adjust learned profiles.
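The following is an added example, written for this article rather than taken from SecurityMatters or SilentDefense, that shows how the pieces described above fit together for Modbus/TCP: a deep packet inspection parser that pulls the unit id, function code and register span out of each request; a behaviour-based baseline learned from a training window (which hosts talk, which conversations exist, which register ranges each conversation touches); and policy-based detectors layered on top (only designated hosts may write; a device that answers repeatedly with Modbus exception responses is flagged, which is the kind of misconfiguration signal an operations team cares about). All hosts, frames, the write policy and the exception threshold are constructed for illustration.

```python
# Added example, not SecurityMatters/SilentDefense code: Modbus/TCP deep packet
# inspection with a learned behaviour baseline plus user-defined policy rules.
# Hosts, frames, thresholds and the policy below are constructed for illustration.
import struct
from collections import defaultdict

WRITE_FCS = {5, 6, 15, 16}        # function codes that change PLC/RTU state
RANGE_FCS = {1, 2, 3, 4, 15, 16}  # request PDUs carrying start address + quantity
SINGLE_FCS = {5, 6}               # request PDUs carrying one address + a value


def build_frame(tid, unit, pdu):
    """Modbus/TCP frame = MBAP header (tid, protocol 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame):
    """Client->server request: unit id, function code and the register span touched."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc, pdu = frame[7], frame[8:]
    start = count = None
    if fc in RANGE_FCS and len(pdu) >= 4:
        start, count = struct.unpack(">HH", pdu[:4])
    elif fc in SINGLE_FCS and len(pdu) >= 2:
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    return {"tid": tid, "unit": unit, "fc": fc, "start": start, "count": count}


def learn_baseline(training):
    """Behaviour-based profile: hosts seen and, per (client, server, unit, fc)
    conversation, the lowest and highest register address touched in training."""
    hosts, spans = set(), {}
    for client, server, port, frame in training:
        if port != 502:           # only requests carry the addressing we profile
            continue
        req = parse_request(frame)
        hosts.update((client, server))
        key = (client, server, req["unit"], req["fc"])
        lo, hi = spans.get(key, (None, None))
        if req["start"] is not None:
            s, e = req["start"], req["start"] + req["count"] - 1
            lo, hi = s if lo is None else min(lo, s), e if hi is None else max(hi, e)
        spans[key] = (lo, hi)
    return hosts, spans


def inspect_request(client, server, req, hosts, spans, policy):
    """Alerts for one request: deviations from the learned profile plus policy hits."""
    alerts = [f"unknown device {h}" for h in (client, server) if h not in hosts]
    key = (client, server, req["unit"], req["fc"])
    if key not in spans:
        alerts.append(f"new conversation {client}->{server} unit {req['unit']} fc {req['fc']}")
    elif req["start"] is not None:
        lo, hi = spans[key]
        end = req["start"] + req["count"] - 1
        if lo is None or req["start"] < lo or end > hi:
            alerts.append(f"registers {req['start']}-{end} outside learned span {lo}-{hi}")
    if req["fc"] in WRITE_FCS and client not in policy["writers"]:
        alerts.append(f"policy: write fc {req['fc']} from non-engineering host {client}")
    return alerts


def run(training, live, policy, exc_threshold=3):
    """Flows are (src, dst, dst_port, frame); dst port 502 marks a request.
    Responses are only checked for the exception bit (0x80): a device answering
    many requests with exceptions usually means a misconfigured client or a
    failing device rather than an attack, but it is worth an alert either way."""
    hosts, spans = learn_baseline(training)
    exceptions, alerts = defaultdict(int), []
    for src, dst, port, frame in live:
        if port == 502:
            alerts += inspect_request(src, dst, parse_request(frame), hosts, spans, policy)
        elif frame[7] & 0x80:
            exceptions[src] += 1
            if exceptions[src] == exc_threshold:
                alerts.append(f"{src}: {exc_threshold} exception responses (last code {frame[8]})")
    return alerts


# Constructed traffic: the HMI polls holding registers 0-9, the engineering
# workstation (EWS) writes registers 100-101; nothing else is normal.
HMI, EWS, PLC, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.50", "10.0.0.99"
POLICY = {"writers": {EWS}}                      # user-defined rule: only the EWS may write
TRAINING = [
    (HMI, PLC, 502, build_frame(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))),
    (EWS, PLC, 502, build_frame(2, 1, bytes([16, 0, 100, 0, 2, 4, 0, 1, 0, 2]))),
]
LIVE = [
    (HMI, PLC, 502, build_frame(3, 1, bytes([3]) + struct.pack(">HH", 0, 10))),     # normal poll
    (LAPTOP, PLC, 502, build_frame(4, 1, bytes([3]) + struct.pack(">HH", 0, 10))),  # unknown host
    (HMI, PLC, 502, build_frame(5, 1, bytes([6]) + struct.pack(">HH", 100, 7))),    # HMI writes
    (HMI, PLC, 502, build_frame(6, 1, bytes([3]) + struct.pack(">HH", 500, 10))),   # odd registers
] + [(PLC, HMI, 49152 + i, build_frame(7 + i, 1, bytes([0x83, 0x02]))) for i in range(3)]

if __name__ == "__main__":
    for alert in run(TRAINING, LIVE, POLICY):
        print(alert)
```

Run as a script, the constructed live traffic produces six alerts: an unknown device and a new conversation for the laptop, a new conversation plus a policy hit for the HMI writing a register, a learned-span violation for the poll of registers 500-509, and the exception-response alert once the PLC has answered three times with exception code 2. The learned baseline and the policy rules deliberately overlap (the HMI write trips both), which is the point of the hybrid approach the article describes: the policy gives an immediate, explainable reason while the learned profile catches what nobody wrote a rule for.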

The SecurityMatters Solution
SecurityMatters, a Dutch company, was launched in 2009 to commercialize anomaly detection technology developed by the founders during their PhD research.  They demonstrated the industrial applicability of their approach in a pilot project to protect the process control networks of a major oil & gas company.  The success of this pilot convinced them to focus the company’s efforts exclusively on the industrial sector.   

Today, SecurityMatters has a global team and an impressive list of successful projects in power generation, electrical T&D, downstream oil, gas transportation and storage, water and wastewater, chemical, pharmaceutical, infrastructure, and manufacturing. Recent investments by Phoenix Contact, Bosch, and KPN attest to SecurityMatters' strong position in the industrial anomaly detection space.

SilentDefense, the company’s primary product, is a hybrid solution that blends behavior-based and policy-based anomaly detection approaches.  The solution automatically establishes profiles of normal behavior during an initial training period.  Learning software running in the background periodically updates the profiles.  Policy-based threat scenarios provide additional anomaly detectors during normal operation.

The company's combination of behavior-based and policy-based technology provides several benefits. It enables faster, more efficient detection of anomalous behavior without frustrating users with excessive false positives and tedious root-cause analysis. It ensures continuous, controlled adaptation to valid system changes without the need for a team of analysts and network modelers. It enables the development of libraries of common threat scenarios that SecurityMatters uses to accelerate system initialization for new installations. These common threat scenarios also provide threat intelligence that can be shared with existing customers to help them avoid problems they have not yet experienced.

Operational Troubleshooting Benefits of SilentDefense
According to company executives, SecurityMatters has delivered operational troubleshooting benefits in all its installations.  They shared several cases with ARC to demonstrate the product’s ability to help customers avoid major disruptions and potentially hazardous operating situations:

  • A large power company discovered RTUs that were being reset when certain normal message sequences were received. This affected the proper operation of automatic reclosers, placing the company at risk of the devices not functioning when needed. As no failure had actually occurred up to that point, operators were completely unaware of this potentially serious safety hazard.
  • At another company, SilentDefense detected that dead bands in RTUs had been configured incorrectly, making the system overly sensitive to normal voltage fluctuations. This caused a flood of alerts that hampered the operation of a key SCADA server and prevented operators from even being aware of the alert flood.
  • At a third company, SilentDefense identified a misconfiguration in the main plant production system. The monitoring showed several failed communication attempts between the DCS and one of the PLCs, along with odd function codes that were not used toward any other field device. In this case too, the customer was unaware of the failure and misconfiguration, which could have led to production flaws.

These examples illustrate how SilentDefense acts as a continuous monitor of control system integrity. It detects when a device is acting abnormally and provides information that operators and engineers can use to minimize any impact on performance.  Industrial managers and control engineers can quickly understand how this can increase reliability and reduce maintenance costs.      

Recommendations
Every industrial company can benefit from rapid detection and diagnosis of control system problems.  ARC believes that anomaly detection offers companies a way to achieve this goal.  We recommend that all companies discuss the opportunities to apply it in their facilities with anomaly detection suppliers, such as SecurityMatters. These companies have the appropriate experience and capabilities to understand and address the unique requirements of a wide variety of industrial plants and facilities.


ARC Advisory Group clients can view the complete report at ARC Client Portal on Office 365 or Box.com


Keywords: Industrial Cybersecurity, Operational Troubleshooting, SecurityMatters, SilentDefense, ARC Advisory Group.
