Monitor Network Traffic for Suspicious Activity
Although a strong perimeter defense is vital to securing the control network, studies show that up to 70% of attacks are internally initiated. Monitoring network traffic for suspicious behavior is more complicated in a control systems environment because of the unique protocols in use and other traffic-related anomalies.
Industrial Defender’s Network Intrusion Detection System (NIDS) passively monitors traffic within the security perimeter to detect and alert on any suspicious activity, whether internally generated or from attacks that have circumvented perimeter defenses. Unlike traditional enterprise NIDS, the Industrial Defender NIDS includes the ability to monitor the de facto protocols used by process control systems (Modbus TCP, DNP3, ODVA, Ethernet/IP, ICCP, etc.). The NIDS contains control system rules that extend SNORT to generate alarms on activities such as disallowed reads/writes, failed login attempts, and controller default password usage.
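To illustrate the kind of control-system rule described above, here is an added example (not Industrial Defender code) that parses Modbus TCP requests and raises an alarm when a source host sends a function code it is not allowed to use against the PLC. The allow-list, the IP addresses and the sample frames are all hypothetical and constructed for the example.

```python
import struct

# Modbus function code names (public protocol values)
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers",
                  22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # codes that change controller state

# Hypothetical allow-list: source IP -> function codes it may send to the PLC
POLICY = {"10.0.0.10": {3, 6, 16},   # HMI: read holding registers, write registers
          "10.0.0.30": {3, 4}}       # historian: reads only
PLC_IP = "10.0.0.20"                 # hypothetical controller address

def parse_modbus_tcp(payload: bytes):
    """Parse the 7-byte MBAP header and the PDU function code; None if not Modbus."""
    if len(payload) < 8:
        return None  # too short for MBAP header plus function code
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None  # protocol id must be 0; length counts unit id + PDU
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def inspect(src_ip, dst_ip, payload, policy=POLICY, plc_ip=PLC_IP):
    """Return an alarm string for a request that violates policy, else None."""
    req = parse_modbus_tcp(payload)
    if req is None or dst_ip != plc_ip:
        return None
    fc = req["function"]
    if fc in policy.get(src_ip, set()):
        return None  # explicitly permitted for this host
    kind = "write" if fc in WRITE_FUNCTIONS else "read"
    name = FUNCTION_NAMES.get(fc, "unknown")
    return (f"ALERT disallowed {kind}: {src_ip} -> {dst_ip} "
            f"unit {req['unit']} FC {fc} ({name})")

# Constructed sample traffic: (source IP, destination IP, TCP payload)
SAMPLE_TRAFFIC = [
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("000100000006010300000001")),  # HMI read
    ("10.0.0.10", "10.0.0.20", bytes.fromhex("0002000000060106000000ff")),  # HMI write, allowed
    ("10.0.0.30", "10.0.0.20", bytes.fromhex("00030000000601050000ff00")),  # historian writes a coil
    ("10.0.0.55", "10.0.0.20", bytes.fromhex("000400000006010300000001")),  # unknown host reads
]

def run(traffic=SAMPLE_TRAFFIC):
    """Inspect every frame and return the list of alarms raised."""
    return [a for a in (inspect(s, d, p) for s, d, p in traffic) if a]

if __name__ == "__main__":
    for alarm in run():
        print(alarm)
```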
Tight Integration with the Security Event Manager
The NIDS is an integral component of the Industrial Defender technology suite, which monitors and protects process control systems from a wide variety of internal and external threats and vulnerabilities. When the NIDS sensors detect suspicious traffic, they generate alarms that are sent to the Industrial Defender Security Event Manager (SEM) for interpretation and logging. Integration with the SEM provides operations personnel with a single “pane of glass” from which to monitor their security infrastructure for threats and malicious activity.
Network Device Monitoring
Unlike the enterprise IT network, the real-time process control network tends to remain stable over time, so the addition of a new system must be brought to the attention of the system operators. NIDS sensors are able to detect the addition of any new system on the network and can also discover rogue devices such as unauthorized wireless access points or laptops. Real-time traffic analysis and packet logging capabilities enable investigation into inappropriate traffic.
Network Performance Monitoring
Third-party devices are often added to the network to provide switching, routing and other common functions; if these systems aren’t functioning properly, they can impact overall system availability. Industrial Defender provides SNMP monitoring soft sensors that gather SNMP information such as status and throughput from these devices; correlating key metrics from all SNMP-related devices provides a holistic view of the control environment.