One of the key decisions when implementing an industrial cyber security solution is which approach best suits your industrial control environment: passive, active or hybrid? To unpack the nuances of each, consider the following analogy:
Imagine going to a restaurant in a foreign country where you do not speak the language. Even so, you can still glean some information from the other patrons. You can tell who is male or female by their voice; you can make an educated guess at a person’s age, potentially their mood as well, and likely more than that. That is how firewalls and non-ICS-specific network monitoring solutions behave in industrial networks – they spot MAC addresses, associate network protocols with ports, and so on. Information harvested this way is basic: it lacks the detail needed for comprehensive asset tracking or for vulnerability management.
Now let’s assume you understand the language and you just listen to the conversations. You are parsing the network traffic. It’s a restaurant, so people are talking about what they are eating, their favorite food in general, or perhaps other restaurants they have recently visited. You understand everything they say, but most of the conversations are not interesting to you. What you really want to know is where they live, what school they attended, when they were born, and so on. You want specific details about specific people. These details are elusive even under the best of circumstances, and it takes time to get the information you are seeking simply by listening. Typically, however, the exact information you are seeking won’t come up naturally at all.
When dealing with ICS, industrial control vendors use different communication protocols, or “languages”. Often a single vendor uses different protocols depending on the specific device model. But let’s say you have figured all that out: you understand every single bit and byte of the industrial communication protocols. It turns out that only gets you halfway there. To obtain all the information you want, you need to actively ask. And that’s the secret sauce: you ask questions. You might pointedly ask people for their age (uptime), where they attended school (firmware versions), where they live (hardware configuration), and so on. And while you probably shouldn’t walk up to people in a restaurant and start asking personal questions, with industrial control systems you can, because they typically use neither encryption nor authentication.
There is a lot of confusion and misinformation in the market regarding what “active” technology means. Active means querying devices using their native communication protocols, exactly as an engineering station would. It is not port scanning, knocking, banner grabbing, exploiting or leveraging vulnerabilities of any sort, or querying devices in a way that can make them unstable.
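To make the passive-versus-active distinction concrete, here is an added example (not code from the original post or from Indegy). It assumes Modbus/TCP, which the post does not name, and uses the standard read-only “Read Device Identification” request (function 0x2B, MEI type 0x0E) that engineering tools send to learn a device’s vendor, product code and firmware revision. The response frame is constructed inline, not captured from a real device.

```python
import struct

# Modbus/TCP "Read Device Identification": function 0x2B, MEI type 0x0E.
# This is the native, read-only question an engineering station asks to
# obtain vendor, product code and firmware revision from a device.
FC_ENCAP_IFACE = 0x2B
MEI_DEVICE_ID = 0x0E
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}

def build_device_id_request(transaction_id, unit_id=1, read_code=0x01, object_id=0x00):
    """Build MBAP header + PDU for a basic (read_code 0x01) identification query."""
    pdu = bytes([FC_ENCAP_IFACE, MEI_DEVICE_ID, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_device_id_response(frame):
    """Return the identification objects carried in a response frame as a dict."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:                        # exception: function | 0x80, then code
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if pdu[0] != FC_ENCAP_IFACE or pdu[1] != MEI_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2..6]: read code, conformity level, more-follows, next object id, object count
    count = pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", errors="replace")
        objects[OBJECT_NAMES.get(obj_id, "Object%02x" % obj_id)] = value
        pos += 2 + obj_len
    return objects

def sample_response():
    """Constructed sample reply (hypothetical vendor/product), not a real capture."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-100"), (0x02, b"V2.3.1")]
    body = b"".join(bytes([i, len(v)]) + v for i, v in objs)
    pdu = bytes([FC_ENCAP_IFACE, MEI_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, len(objs)]) + body
    return struct.pack(">HHHB", 7, 0, len(pdu) + 1, 1) + pdu

if __name__ == "__main__":
    print(build_device_id_request(7).hex())      # what goes on the wire
    print(parse_device_id_response(sample_response()))
```

A purely passive monitor sees the firmware revision only if some engineering station happens to send this request while the monitor is listening; an active approach sends it on a schedule, so the asset inventory stays current.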
What makes Indegy unique is that we both listen to and speak the native communication protocols that the engineering stations of the various control vendors use to extract data from devices.
Why do we do it? What do we use the collected data for? How do we know which flavor of a given protocol should be used? And, more generally, how do we address the devil in the technical details of this groundbreaking technology? I encourage you to check out our on-demand webinar, Cracking The Code On OT Security, where we cover the specifics of this topic in full detail.