By Joe Scotto
The City of Raleigh needed an industrial security solution that could detect attacks, identify threats and implement compliance and change control policies using a combination of anomaly detection, policy-based rules and device integrity checks.
The project’s goal was to maintain the safety and availability of the city’s water and other utilities, while protecting public health, the local economy and the environment from cyber threats.
In addition, because Raleigh, NC, is one of the fastest growing areas in the country, they required a solution that would grow and adapt to their dynamic needs, which now include providing potable water, wastewater, and reclaimed water services to the City and to the communities of Garner, Knightdale, Rolesville, Wake Forest, Wendell, and Zebulon.
The city deployed a solution that combines signatures with purpose-built OT behavioral models pairing policy-based and anomaly detection, so that it can detect threats immediately and provide actionable information.
The industrial security solution they implemented was able to monitor their OT network in the following ways:
• Discovers operator stations, engineering workstations, and servers
• Discovers controllers using the network
• Discovers controllers connected and not generating traffic on the network
• Passively monitors network traffic
• Provides a visual asset map of controllers, protocols used, and conversations with other devices
• Identifies changes to controllers made over the network
• Identifies changes made to controllers using physical connections
• Gathers information on the code within controllers
• Alerts on specific events based on custom policies
• Provides a complete audit trail of all ICS activity
• Integrates with SIEM
Raleigh didn’t want to rely solely on passive network listening for asset inventory and for monitoring the changes made to, and activity occurring on, its OT assets.
Along those lines, they implemented a deeper, more comprehensive approach that identifies assets within the network, gathers configuration information from those assets, generates logical topologies for the assets and baselines the network communication of each asset.
This is the list of the capabilities they deployed as part of the project:
1. “Device Integrity” checks that perform periodic validation of each controller’s state and whether any changes have been made directly on the device
2. The ability to identify common and uncommon events through protocol-specific network activity tracking, asset configuration tracking, policy creation and associated alerting
3. Deep monitoring of the OT infrastructure and devices – to detect whether devices are communicating on the network or are silent
4. The ability to audit all activities executed directly on controller devices to know, among other things, what vendors and system integrators are doing to the environment when they are working on it
5. The gathering of controller activity forensics, policy definitions and workflow alerts to determine whether the actions taken warrant a notification or alert, and to whom it should go
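The capabilities in the two lists above (device-integrity checks against a baseline, attributing a change to the network or to a physical connection, spotting controllers that have gone silent, and policy-based alerting on protocol-level activity) can be shown together in one small monitoring pass. The script below is an added example, not Indegy's product code or anything from the Raleigh deployment; every controller name, address, program hash, timestamp and policy value in it is constructed, and the event records are a hypothetical normalized format rather than any real parser's output.

```python
"""Illustrative OT monitoring pass over constructed data (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    severity: str
    asset: str
    message: str


# Constructed baseline: what the previous device-integrity check recorded per controller.
BASELINE = {
    "PLC-WTP-01": {"program_hash": "aaaa1111", "firmware": "2.8"},
    "PLC-WTP-02": {"program_hash": "bbbb2222", "firmware": "2.8"},
    "PLC-LIFT-07": {"program_hash": "cccc3333", "firmware": "1.4"},
}

# Constructed result of a fresh periodic query of each controller's state.
CURRENT_STATE = {
    "PLC-WTP-01": {"program_hash": "aaaa1111", "firmware": "2.8"},
    "PLC-WTP-02": {"program_hash": "dddd4444", "firmware": "2.8"},  # changed; a download was seen on the wire
    "PLC-LIFT-07": {"program_hash": "eeee5555", "firmware": "1.4"},  # changed; nothing seen on the wire
}

# Constructed protocol-level events as a passive sensor might normalize them.
EVENTS = [
    {"ts": "2019-06-03T09:15:00", "src": "10.10.5.20", "dst": "PLC-WTP-01", "op": "read_tags"},
    {"ts": "2019-06-03T09:20:00", "src": "10.10.5.20", "dst": "PLC-WTP-01", "op": "download_program"},
    {"ts": "2019-06-03T02:10:00", "src": "10.10.9.77", "dst": "PLC-WTP-02", "op": "download_program"},
]

# Hypothetical policy: approved engineering stations, a maintenance window, and a silence threshold.
POLICY = {
    "engineering_stations": {"10.10.5.20"},
    "maintenance_window": (8, 18),  # local hours during which program changes are expected
    "silent_after": timedelta(hours=1),
}


def integrity_check(baseline, current):
    """Device-integrity pass: diff each controller's queried state against the baseline."""
    alerts = []
    for asset, expected in baseline.items():
        observed = current.get(asset)
        if observed is None:
            alerts.append(Alert("high", asset, "controller did not answer the integrity query"))
            continue
        for attr in ("program_hash", "firmware"):
            if observed[attr] != expected[attr]:
                alerts.append(Alert("high", asset, f"{attr} changed {expected[attr]} -> {observed[attr]}"))
    return alerts


def attribute_changes(integrity_alerts, events):
    """A changed controller with no program download in the capture was changed
    some other way (e.g. over a physical connection), so flag it separately."""
    downloaded_over_network = {e["dst"] for e in events if e["op"] == "download_program"}
    return {a.asset: ("network" if a.asset in downloaded_over_network else "physical/unobserved")
            for a in integrity_alerts}


def silent_devices(inventory, events, now, window):
    """Controllers in the inventory that produced no observed traffic within the window."""
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        last_seen[e["dst"]] = max(last_seen.get(e["dst"], ts), ts)
    return sorted(a for a in inventory if a not in last_seen or now - last_seen[a] > window)


def policy_alerts(events, policy):
    """Policy-based rules over protocol activity: who may push programs, and when."""
    alerts = []
    start, end = policy["maintenance_window"]
    for e in events:
        if e["op"] != "download_program":
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["src"] not in policy["engineering_stations"]:
            alerts.append(Alert("critical", e["dst"], f"program download from unapproved station {e['src']}"))
        if not start <= ts.hour < end:
            alerts.append(Alert("medium", e["dst"], f"program download outside maintenance window at {e['ts']}"))
    return alerts


def run(now_iso="2019-06-03T10:00:00"):
    """Run all checks once and return their findings keyed by check name."""
    now = datetime.fromisoformat(now_iso)
    integrity = integrity_check(BASELINE, CURRENT_STATE)
    return {
        "integrity": integrity,
        "change_channel": attribute_changes(integrity, EVENTS),
        "silent": silent_devices(BASELINE, EVENTS, now, POLICY["silent_after"]),
        "policy": policy_alerts(EVENTS, POLICY),
    }


if __name__ == "__main__":
    for section, findings in run().items():
        print(f"== {section} ==")
        print(findings)
```

The point of `attribute_changes` is the distinction the capability list draws between changes made over the network and changes made through a physical connection: passive listening alone would never report the change to PLC-LIFT-07, because no traffic carried it, and only the periodic integrity query exposes it. The policy rules produce two separate findings for the same download to PLC-WTP-02 (unapproved source and off-hours), which is what lets the workflow step decide how to route each one.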
Joe Scotto is the chief marketing officer at industrial cybersecurity provider, Indegy.