Scope & Proposed Solution
The oil storage terminal security project encompassed a large number of tanks, divided into three units. Each unit was to be connected to a Radiflow iSID intrusion detection system for detecting anomalies that may indicate an insider attack (e.g. installing malicious logic on a PLC or introducing an unauthorized device into the network).
iSID’s multiple security engines each offer capabilities pertaining to a specific type of network activity: modeling and visibility of OT and IT devices, protocols and sessions; detection of threats and attacks; policy monitoring and validation of operational parameters; rules-based maintenance management; and networked device management.
The three instances of iSID were to be monitored and managed remotely from a central Security Operations Center (SOC).
To allow the remote management of multiple iSID systems, Radiflow’s iCEN Central Monitoring System was used to display aggregated data from all iSID instances in an organization. This included full asset information, alerts (prioritized by severity and originating iSID detection engine) and network protocols used.
iCEN displays a status snapshot of all iSID instances across the organization, including their total risk and activity status, with easy drill-down and remote connection to each iSID instance.
Users are able to switch between geographical map and tabular display modes, both featuring color-coding for quick cross-site prioritization. iCEN provides a quick summary status, detailed properties and health monitoring status (CPU, RAM) for each monitored instance of iSID.
In addition, a number of Radiflow’s iSEG 3180 DPI Firewall/Ruggedized Secure Gateways were installed at each tank. The iSEG gateway provides DPI firewall capabilities for analyzing SCADA traffic.
Upon detecting an anomaly, the 3180 will automatically generate alerts, block the abnormal activity and isolate any affected sub-networks. To facilitate compliance with local regulations, the iSEG RF-3180 includes an APA (Authentication Proxy Access), which allows remote access to authorized personnel at predefined time slots.
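To make concrete what a DPI firewall decision on SCADA traffic looks like, here is an added example (not Radiflow code, and not a reproduction of the iSEG's internal logic) that parses Modbus/TCP frames and applies a per-source allowlist of function codes, with write operations additionally gated to a maintenance window in the spirit of the time-slot access described above. The IP addresses, the policy table and the sample frames are all constructed for illustration.

```python
"""
Modbus/TCP deep-packet-inspection policy check (added illustration, not
Radiflow's implementation). Parses the MBAP header and function code, then
decides ALLOW or BLOCK from a constructed per-source policy.
"""
import struct
from datetime import datetime, time

# Public Modbus function codes: reads are benign, writes change process state
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_ONLY = {1, 2, 3, 4}

# Constructed policy: the HMI may only read; the engineering workstation may
# also write, but only inside a maintenance window (08:00-17:00 here).
POLICY = {
    "10.1.1.10": {"allowed_fc": READ_ONLY, "window": None},
    "10.1.1.20": {"allowed_fc": READ_ONLY | {5, 6, 15, 16},
                  "window": (time(8, 0), time(17, 0))},
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header + function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0:
        raise ValueError(f"unexpected protocol identifier {proto_id}")
    # MBAP 'length' counts the unit id byte plus the PDU, so the frame must be 6 + length bytes
    if len(payload) != 6 + length:
        raise ValueError("MBAP length field does not match payload size")
    return {"tid": tid, "unit_id": unit_id, "function_code": payload[7]}


def inspect(src_ip: str, payload: bytes, now: datetime) -> tuple:
    """Return ("ALLOW" | "BLOCK", reason) for one Modbus/TCP request from src_ip."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "BLOCK", f"malformed Modbus/TCP: {exc}"
    rule = POLICY.get(src_ip)
    if rule is None:
        return "BLOCK", f"unknown source {src_ip}"
    fc = frame["function_code"]
    name = FC_NAMES.get(fc, "unknown")
    if fc not in rule["allowed_fc"]:
        return "BLOCK", f"{src_ip} not permitted to use FC {fc} ({name})"
    if fc not in READ_ONLY and rule["window"] is not None:
        start, end = rule["window"]
        if not (start <= now.time() <= end):
            return "BLOCK", f"write FC {fc} ({name}) outside maintenance window"
    return "ALLOW", f"FC {fc} ({name}) permitted for {src_ip}"


def build_frame(tid: int, unit_id: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    day = datetime(2024, 1, 15, 10, 0)    # inside the window
    night = datetime(2024, 1, 15, 22, 0)  # outside the window
    samples = [
        ("10.1.1.10", build_frame(1, 1, 3, b"\x00\x00\x00\x0a"), day),   # HMI read
        ("10.1.1.10", build_frame(2, 1, 6, b"\x00\x01\x00\x05"), day),   # HMI write: not allowed
        ("10.1.1.20", build_frame(3, 1, 6, b"\x00\x01\x00\x05"), day),   # engineer write in window
        ("10.1.1.20", build_frame(4, 1, 6, b"\x00\x01\x00\x05"), night), # engineer write at night
        ("10.1.1.99", build_frame(5, 1, 3, b"\x00\x00\x00\x01"), day),   # unknown device
        ("10.1.1.10", b"\x00\x01\x00\x00", day),                          # truncated frame
    ]
    for src, frame, when in samples:
        verdict, reason = inspect(src, frame, when)
        print(f"{verdict:5} {reason}")
```

The policy is deliberately keyed on source address and function code rather than on port alone: a bare port-502 rule would let any host on the OT segment issue writes, whereas the allowlist blocks write function codes from the HMI and from any device not in the inventory, which is the "unauthorized device" and "malicious logic on a PLC" scenario the deployment was meant to catch.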
To maximize efficiency, each RF-3180 Firewall/Gateway also hosted in its chassis an instance of Radiflow’s iSAP Smart Collector.
iSAP provides a cost-effective, non-intrusive method for sending large volumes of data traffic from the gateways (using a mirrored stream) without over-taxing the local network (as is the case with typical data traffic collectors). This is done using Radiflow’s proprietary compression and filtering (removal of IT protocol data) algorithm. The use of iSAP meant that only a handful of iSID instances had to be installed, thus reducing the overall cost of the project.
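The following added example illustrates the collector-side idea described above: classify packets from a mirrored stream, forward only the OT protocol traffic (plus anything unrecognised) to the central IDS, and batch-compress what is forwarded. It is not Radiflow code and does not reproduce iSAP's proprietary filtering or compression; the port-to-protocol tables, the packet records and the addresses are constructed for the illustration.

```python
"""
Collector-side pre-filtering of a mirrored (SPAN) stream before forwarding
to a central IDS (added illustration, not iSAP's algorithm).
"""
import json
import zlib
from collections import Counter
from dataclasses import asdict, dataclass

# Well-known OT protocol ports (from the public protocol specifications)
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
            102: "S7comm", 2404: "IEC 60870-5-104"}
# IT protocols that add volume but nothing an OT-focused IDS models
IT_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class PacketRecord:
    """Metadata of one mirrored packet (constructed; a real collector would read from a SPAN port)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int


def classify(pkt: PacketRecord) -> tuple:
    """Label a packet OT, IT or UNKNOWN by either endpoint port."""
    for port in (pkt.dport, pkt.sport):
        if port in OT_PORTS:
            return "OT", OT_PORTS[port]
    for port in (pkt.dport, pkt.sport):
        if port in IT_PORTS:
            return "IT", IT_PORTS[port]
    return "UNKNOWN", f"{pkt.proto}/{pkt.dport}"


def filter_for_ids(packets, keep_unknown: bool = True) -> tuple:
    """Drop IT traffic; keep OT traffic and, by default, anything unrecognised.

    Returns (forwarded_packets, bytes_per_class) where bytes_per_class is a
    Counter keyed by (class, protocol_name).
    """
    forwarded, stats = [], Counter()
    for p in packets:
        kind, name = classify(p)
        stats[(kind, name)] += p.length
        if kind == "OT" or (kind == "UNKNOWN" and keep_unknown):
            forwarded.append(p)
    return forwarded, stats


def volume_reduction(packets, forwarded) -> tuple:
    """Return (bytes_before, bytes_after, fraction_removed)."""
    before = sum(p.length for p in packets)
    after = sum(p.length for p in forwarded)
    return before, after, (1 - after / before) if before else 0.0


def pack_batch(forwarded) -> tuple:
    """Serialise a batch of forwarded records and compress it for the uplink to the IDS.

    Returns (raw_json_bytes, compressed_bytes). Compression is plain zlib here;
    the real product's scheme is proprietary and not reproduced.
    """
    raw = json.dumps([asdict(p) for p in forwarded], separators=(",", ":")).encode()
    return raw, zlib.compress(raw, 9)


# Constructed sample of a mirrored stream from one tank's gateway
SAMPLE_STREAM = [
    PacketRecord("10.1.1.10", "10.1.2.5", "tcp", 50001, 502, 66),     # HMI -> PLC Modbus request
    PacketRecord("10.1.2.5", "10.1.1.10", "tcp", 502, 50001, 71),     # PLC -> HMI Modbus reply
    PacketRecord("10.1.1.20", "203.0.113.7", "tcp", 51234, 443, 1460),  # workstation HTTPS
    PacketRecord("10.1.1.20", "10.1.1.1", "udp", 40000, 53, 78),      # DNS lookup
    PacketRecord("10.1.1.30", "10.1.2.9", "tcp", 52000, 20000, 90),   # DNP3 poll
    PacketRecord("10.1.1.77", "10.1.2.5", "tcp", 49000, 9999, 60),    # unrecognised port to a PLC
    PacketRecord("10.1.1.20", "10.1.1.50", "tcp", 49500, 445, 1200),  # SMB file share
]

if __name__ == "__main__":
    fwd, stats = filter_for_ids(SAMPLE_STREAM)
    before, after, removed = volume_reduction(SAMPLE_STREAM, fwd)
    for (kind, name), nbytes in sorted(stats.items()):
        print(f"{kind:8} {name:18} {nbytes:6d} bytes")
    print(f"forwarded {len(fwd)}/{len(SAMPLE_STREAM)} packets, "
          f"{before} -> {after} bytes ({removed:.0%} removed)")
    raw, packed = pack_batch(fwd)
    print(f"batch: {len(raw)} bytes JSON -> {len(packed)} bytes compressed")
```

The `keep_unknown=True` default is the security-relevant choice: filtering is a volume optimisation, so anything the collector cannot classify (for instance the constructed packet to a PLC on port 9999) is still forwarded. Dropping unknown traffic at the collector would quietly blind the IDS to exactly the unauthorized device or nonstandard channel the deployment is meant to detect.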