The Multi-Faceted Capabilities of Advanced Threat Detection Systems in OT Cybersecurity

The capabilities of advanced threat detection systems (TDS) in OT environments are progressing “full steam ahead”. Powering past simple log collection and alert reporting to over-burdened security personnel, state-of-the-art TDSs automate numerous vital services that no ICS network can afford to be without:

1. Network Visibility. TDS scans all OT network traffic and creates a visual network model that includes all network segments, devices, protocols, and sessions. It finds all assets, including legacy and “forgotten” ones.   
2. Learning Behavior. Carefully inspecting packets that traverse the network, TDS automatically learns how each device and network segment behaves, establishing a baseline of what is considered “normal” behavior. It even discovers dormant assets that are still attached to the network, but essentially doing nothing.
3. Topology-Change Detection. TDS automatically figures out the topology of the network and displays it on a console in an easy-to-understand, graphic format, subsequently detecting any changes to the network such as the addition of a device or a new session. It raises alerts immediately upon noticing such changes.
4. Cyber-Attack Protection. Hackers never sleep. The modern TDS is continuously enriched with the latest threat intelligence (TI) that enables it to handle new threats to PLCs, RTUs, industrial protocols, etc. as these threats become known. The TI is based on data gathered from across the cybersecurity research community and is continuously included in the TDS’s ever-expanding knowledge base, enabling security personnel to keep up with the bad guys.
5. Policy Monitoring. TDS goes far beyond firewall policies. It can define and modify the policies of each network link, validating specific commands and making sure they are reasonable. For example, it can monitor such policies as “permit writing to Controller X”, and it can police operational ranges such as “do not allow the setting of Turbine Y to higher than 800 rpm.”
6. Operational Behavior. TDS monitors and audits the management of devices such as PLCs, RTUs, and IEDs whether local or at remote sites. It alerts on firmware changes, software updates, turning on or off edge devices, and configuration modifications. It also provides activity logging for forensics and compliance purposes.
7. Anomaly Detection: TDS automatically creates a behavioral network model using multiple sophisticated parameters such as device-sequence sampling time, frequency of operational values, and more, enabling it to detect and alert on behavioral anomalies.
8. Maintenance Management. OT cybersecurity is a special “animal”. Since devices and applications in the IT world – endpoints, servers, and business apps – are seldom mission-critical, they can, for the most part, be taken offline at will for patching, upgrading, and replacement. Not so devices in production plants and critical infrastructure where only limited, widely spaced windows for making changes are available. So what do you do in the production environment if an actual threat is detected? TDS deals with certain cyber threats by providing work-arounds that will temporarily protect devices or network segments. These work-arounds are strong enough to maintain security until a maintenance window is reached whereupon patches, upgrades, and replacements can be applied safely without impacting production.
9. Central Management. From a security standpoint, a production facility may “stand alone” as its cybersecurity is managed by plant personnel via a local TDS. But in many cases, companies and government agencies operate multiple and/or remote facilities and need to monitor TDS functions from a distant, central location. In such cases, an instance of the TDS can be deployed locally and duplicated across multiple facilities, while the status, functions, and behaviors of each are monitored from a central, unified console. In other cases, a single, centralized TDS can provide the entire gamut of management capabilities across multiple facilities without the need for local deployments. 

The Radiflow Advanced Threat-Detection Solution

iSID is Radiflow’s advanced TDS designed for OT environments. It delivers all of the capabilities and benefits of the most advanced and resilient threat detection systems. 

iSID is designed to maximize cybersecurity while minimizing human involvement. For example, it maps out the network and displays an easy-to-understand graphical representation of all network devices in multiple display modes (Purdue, Flow, Analyst, Custom).

Local staff needn’t be experts to understand how the security is functioning. iSID finds all the network segments and assets by itself and presents them in a helpful and even customizable format. iSID alerts on configuration and behavior changes in an easy-to-understand format. In fact, iSID delivers all nine of the capabilities described above. 

Flexible: Deploy It as You Like

The Radiflow Threat Detection solution, “iSID”, can be deployed and managed per facility, deployed per facility and managed centrally, or deployed and managed only centrally while covering multiple facilities. 

The central management capability, called “iCEN”, provides a unified view of site risk scores, assets, security statuses in remote facilities, alerts, maintenance, and much more, all via a user-friendly, web-based interface.

Some of iCEN’s major management features include:

• Centralized provisioning. iCEN enables single-click central provisioning of up-to-date cyber attack detection signatures (threat intelligence) to multiple facilities for local detection of new threats and improved response time.
• User management and role-based access control. iCEN features local and remote user management capabilities (via Active Directory) with support for various levels of user roles and permissions, helping to keep everything secure, facility by facility.

The Radiflow Threat Detection System (TDS) is currently protecting thousands of sites in flexible and effective configurations. Contact us to see how it can protect your operations in the way that best works for you.