Siemens’ SNOK intrusion detection system (IDS) features a RUGGEDCOM switch and Secure-NOK’s unobtrusive SNOK intrusion detection technology.
The technology adds another security mechanism to complement a conventional defense-in-depth model. Once deployed, it’s an early warning system designed specifically to protect ICS networks and OT, while taking into account specific OT network characteristics and requirements.
The Siemens SNOK cybersecurity solution focuses on enhancing system integrity in addition to standard system hardening procedures. In combination, it provides visibility on the network and its elements as a whole to identify threat vectors and anomalies.
The technology is hosted on the Siemens RUGGEDCOM RX15xx Multi-Service Platform, which is a utility-grade Layer 2 and 3 switch and router, engineered with built-in security enhancements, such as Layer 2 MAC filtering, Layer 3 security protocols like IPSec, and a zone-based firewall. The switch is rugged-rated for use in harsh, demanding industrial environments. It is hot-swappable and has universal power supply (UPS) options, both to maximize uptime.
The Siemens RUGGEDCOM RX15xx offers a set of modular WAN, serial, and switching options with routing and management features. This allows for hassle-free upgrades in the field, and the flexibility to adapt to changing network architectures.
Operating from that hardware is the SNOK software. Its technology provides an early-warning network monitoring and sophisticated intrusion detection capabilities to identify and isolate cyber threats that may be undetectable by conventional IT security tools. It then provides early and actionable alerts to help incident response (IR) to be managed by IT and OT teams, depending on their IR protocols and respective responsibilities. SNOK adds critical, extra hardening to the defense-in-depth cybersecurity umbrella already protecting ICS networks and any enterprise IT networks to which they’re connected.
Behind the Scenes
The SNOK application operates behind the scenes, using four components to alert system owners of intrusions that traditional IT security tools might miss: Monitoring; detection; risk assessment, and response.
SNOK software agents end up deployed deep into an ICS network to continuously monitor network traffic as well as endpoints in the network. These are small, non-intrusive software applets, less than 1,000 kilobytes in size. The agents collect deep, low-level information to set a baseline of normal network behavior. The information is passed to SNOK analyzers that can identify anomalous behavior patterns in the network or any of its endpoints. These patterns can indicate a low-and-slow advanced persistent threat (APT) or other cyber threat before an actual attack and disruption can occur.
SNOK then alerts a compromised ICS network’s operators to the attack. It also provides sufficient data to help them make informed decisions about an effective response and corrective action.
SNOK-detectable anomalies include:
• Host baseline alerts (install base/processes, CPU, RAM)
• Abnormal traffic patterns and volume
• New IP connections and removable media insertions
• Detection of changes in PLC memory blocks
The Siemens SNOK IDS solution differentiates itself by running on the RX15xx Application Processing Engine (APE) module. The APE is an x86-based computer designed to occupy a single-line, module slot in a Siemens RUGGEDCOM RX15xx appliance. The APE can host a variety of x86-based operating systems and has connectivity to devices or networks that are connected to regular Ethernet and serial ports on the RX15xx device.
New and Legacy Compatibility
This solution is compatible with new and legacy ICS networks, designed to operate in SCADA environments with plug-and-play. It requires no changes in the existing network topology or existing hardware.
The SNOK platform has an extremely small footprint with virtually no operational load or other impacts on the ICS or SCADA networks. And because the SNOK software is signature-free (i.e., doesn’t require a database of known malware profiles), it also doesn’t require updates like antivirus software applications do.
The Siemens SNOK IDS powered by the RUGGEDCOM 15xx appliance and SNOK software can be flexibly deployed across critical infrastructure and other industries to meet a wide range of requirements.
The following are four scenarios that will cover most use cases:
• Single-site plant deployments: For complex plants, such as refineries and petrochemical complexes, with hundred sub-nets.
• Distributed deployments: For infrastructure spanning long distances, such as long-haul transport routes, such as oil pipelines, electrical transmission facilities, and wide-area telecommunication networks.
• Hierarchal, multisite deployments: For aggregating IDS monitoring and detection across multiple sites, rolling up logs, incidents, and alerts to a single security operations center.
• Hardening of PLC systems and networks: For all industrial automation systems and networks, to provide an additional protective layer and more holistic security approach.