OT Visibility and Anomaly Detection

Solution Suite for Threat Detection & Monitoring

Proactive cybersecurity non-intrusive monitoring of distributed production networks for changes in topology and behavior.

Features

AUTO-LEARNING

Generation of baseline topology & behavior model, including all devices, ports and connections

NON-INTRUSIVE ANALYSIS

DPI protocol-based analysis of a mirrored network traffic stream, with no disruption of operations

CENTRAL OR LOCAL

Central-location deployment (using iSAP Smart Collectors) or local deployment at remote sites

PLC MONITORING

Continuous supervision of configuration changes in PLCs and other network devices

ATTACK VECTOR ANALYSIS

Detection of down-vector vulnerabilities caused by networked device interoperability

MSSP-READY

Central management of multiple iSID instances at MSSP’s SOC using Radiflow iCEN

Radiflow’s OT visibility & anomaly detection suite provides security personnel with network visualization, threat detection, alerting and configuration of communication rules for devices and protocols.

 

Centered around the iSID industrial threat detection & management platform, the Radiflow solution enables local (on-premises) or central monitoring at the corporate or at an MSSP’s SOC. The solution incorporates the iSAP smart collector, installed at distributed networks’ remote sites, to collect, compress (to prevent network overload) and send over GRE all LAN traffic from the local switch, using port mirroring to a centrally installed iSID over VPN tunnels; and the iCEN management solution for large distributed networks, for monitoring large iSID arrays through a single dashboard.

 

iSID Industrial Threat Detection & Management Platform

 

iSID’s multiple security engines offer capabilities pertaining to specific type of network activity: modeling and visibility of OT and IT devices, protocols and sessions; detection of threats and attacks; policy monitoring and validation of operational parameters; rules-based maintenance management; and networked device management.

 

iSID employs Radiflow’s iSAP Smart Collectors, installed at distributed networks’ remote sites, to collect, compress (to prevent network overload) and send over GRE all LAN traffic from the local switch, using port mirroring to a centrally installed iSID over VPN tunnels.

 

iSID allows for different modes of deployment, allowing organizations to optimize their cyber-security expenditure: on-site at the industrial (ICS/SCADA-based) facility; at the operator’s central monitoring location; or at an MSSP’s SOC (Security Operations center) using the iCEN management platform for multiple instances of iSID.

 

Multiple Security Packages for Comprehensive OT Threat Detection

iSID enables non-disruptive monitoring of distributed SCADA networks for changes in topology and behavior, using multiple security packages, each offering a unique capability pertaining to a specific type of network activity:

  • Network Visibility: Using passive scanning of all OT network traffic, iSID creates a visual network model for all devices, protocols and sessions, with alerts upon detected topology changes (e.g. new devices or sessions.)
  • Cyber Attack: The Cyber Attack package handles known threats to SCADA network, including PLCs, RTUs and industrial protocols, based on data gathered from across the cyber security research community.
  • Policy Monitoring: Define/modify policies for each network link, for validating specific commands (e.g. “write to controller”) and operational ranges (e.g. “do not set turbine to above 800 rpm.”)
  • Maintenance Management: Limit network exposure during scheduled maintenance by creating work orders for specific devices during set time-windows. A log report of all maintenance activities is issued upon session completion.
  • Anomaly Detection: The Anomaly Detection package creates a behavioral network model using multiple parameters, including device sequence sampling time, frequency of operational values and more, toward detecting behavioral anomalies.
  • Operational Behavior: Monitor and audit the management of devices (PLC, RTU & IED) at remote sites, with alerts for firmware changes or configuration modifications (e.g. software updates or turning edge devices on or off) and activity logging.

 

 

 

iSID Features

 

Map View

iSID’s Map View displays a graphical representation of all network devices in multiple display modes (Perdue, Flow, Analyst & Custom). Maps are zoomable and elements can be dragged to any location on the screen. In addition, the Attack Vector analyzer can detect vulnerabilities within the interplay between different business processes.

 

 

 

Asset Management

The Asset Management tab presents all system assets, categorized and filterable by type (e.g. PLC, Server, HMI, Engineering Station, Broadcast, etc.) or by any asset characteristic. Asset types are automatically detected by iSID; the user can change each asset’s designation or add a custom asset type.

 

 

 

Alert Management

The Alerts screen displays alerts by the security package that generated them, as listed across the top bar: Cyber Attack for suspicious network behavior; Policy Monitor for communication policy violations; System Alerts for anomalous behavior in iSID; Asset Management for new CVEs or device control alerts; and Network Visibility for networking alerts.

 

 

The iSAP Smart Collector

The iSAP Smart Collector is a cost effective solution for non-intrusively sending all OT network data traffic to the iSID Industrial Threat Detection system for analysis.

 

Increasing network coverage by means of passing traffic from remote networks to a central IDS may create network overload problems, due to the large volumes of data sent to the central IDS. Radiflow’s iSAP Smart Collector solves this problem. Installed at each remote site, it receives all LAN traffic from the local switch (using port mirroring), and filters out much of the irrelevant traffic data, leaving intact the SCADA traffic (e.g. ModBus data).

 

iSAP helps reduce your overall cyber-security expenditure by requiring only one iSAP device for each remote network site. Each iSAP securely connects to a centrally located iSID Threat Detection server, where corporate-wide network and device activity is analyzed.

 

To further reduce bandwidth consumption, the iSAP Smart Collector uses Radiflow’s patented compression algorithm reaching ratios of up to 1:10. Once received at the central location, the iSID server is able to decompress the sent data packets with no loss of information. The user is able to set the amount of compression applied, if at all, to different data classes.

 

Radiflow iSAP is a versatile tool that can be deployed in any site, large and small, allowing for completely passive network coverage without modification of your existing infrastructure.
The Radiflow iSAP RF-2180 Smart Collector and the iSEG RF-3180 Secure Ruggedized Gateway are fabricated on identical hardware built by Radiflow and tested to the standards stated in the product specifications herein.

 

Features:

  • Aggregation and tunneling of monitored network traffic to the iSID Threat Detection System for analysis
  • Non-interfering operation, using of mirrored traffic streams at remote sites
  • Unidirectional transmission of network traffic through one-way link, for increased OT network protection
  • Data compression & filtering: compression of industrial protocols at up to a 1:10 ratio, as well as filtering out of irrelevant traffic data
  • Encrypted tunneling for sending mirrored OT traffic over transport networks
  • Field-ready: designed to meet the harsh environmental conditions at remote sites and substations

 

Download iSAP Smart Collector Datasheet for more information and technical specifications.

 

 

iCEN Central Monitoring for iSID

 

Designed for large enterprises and Managed Security Service Providers (MSSPs), iCEN provides a unified view of sites’ risk scores, OT assets, iSID status, alerts and maintenance, all through an user-friendly web-based interface. iCEN displays a status snapshot of all iSID instances across the organization, including their total risk and activity status, with easy drill-down and remote connection to each iSID instance.

 

Users are able to switch between geographical map and tabular display modes, both featuring color-coding for quick cross-site prioritization. In addition, iCEN provides a quick summary status, detailed properties and health monitoring status (CPU, RAM) for each monitored instance of iSID. MSSP users are able to create and configure different organizations operating multiple instances of iSID, on a single iCEN system, creating a single monitoring and management system for all of their Radiflow-protected customers.

 

 

 

iCEN displays aggregated data from all iSID instances in an organization, including:

  • Total assets according to asset type
  • Total alerts according to severity and alert engine
  • Top network protocols
  • Risk Score for each site, for easy prioritization of mitigation activities.

 

Features:

 

  • Centralized provisioning: iCEN enables single-click central provisioning of up-to-date cyber-attack detection signatures to multiple iSID instances, for improved response time and detection of new threats organization-wide.
  • User management and role-based access control: iCEN features Local and remote (using Active Directory) user management capabilities, with support for different user roles and permissions. MSSPs monitoring multiple organizations’ networks are able to grant permissions to iCEN operators, by organization, based on the Least Privilege principle for data security.
  • Secure connection: All connectivity to and from iCEN is secured is secured and encrypted. If needed, iCEN supports a one-way iSID-to iCEN connection to ensure the isolation of OT environment from external threats.
  • Simple installation: iCEN is installed using the Radiflow Installation Manager (RIM) – a single installer for all Radiflow products. RIM not only simplifies the installation process, it also provides the ability to install/upload iCEN from a client computer to the dedicated iCEN server.

 

Download the iCEN datasheet for more information and technical specifications.

 

OT Visibility and Anomaly Detection: Use Cases

  • Technician on-site: iSID will automatically monitor maintenance activities during the predefined time window. Operations outside of the maintenance boundaries will trigger alerts.
  • Unauthorized PLC configuration changes: iSID will detect known protocol commands which affect PLC configuration.
  • SCADA server attack: iSID will detect and alert upon changes in the industrial model, including command sequence and timing anomalies in the command sequence and timing.
  • Spyware: iSID will generate alerts upon malware attempts to ex-filtrate sensitive data from operational networks. Spyware activity indicators include anomalous network behavior, usage of unknown protocols and establishing of external connections.
  • Man-in-the-Middle: iSID will detect and alert upon rogue devices in the network impersonating a valid server, workstation or SCADA controller, by means of Mac or IP address theft.
  • Industrial-tailored malware: iSID will identify and alert upon all known tailor-made ICS malware, based on data gathered from across the cyber-security research community. Detection of unknown malware is done based on indications of unauthorized SCADA commands as well as specific anomalies in the industrial process.

 

 

 

Implementation

Skip to content