FEATURES & ARCHITECTURE OVERVIEW

ICS CyberVision

SITUATIONAL AWARENESS · INCIDENT RESPONSE · ANOMALY DETECTION

www.sentryo.net

CONTENTS

ICS CyberVision at a glance

ICS CyberVision deployment architecture

Collecting data from the network with Sentryo sensors
  Sentryo sensors
  Sensors acquisition mode
  Sensors/center communication
  Deploying sensors

Extracting meaningful information from OT networks
  Meaningful information
  Centralizing and enriching information learned from the network
  Normalizing the information extracted from the OT network

Providing full situational awareness
  Create behaviors
  Build a visual, real-time representation
  Passive vulnerability management

Detection
  Detect & mitigate advanced threats
  Behavioral detection
  Machine learning approach

Security management
  Timeline & dashboards
  Reports

Threat intelligence

Integration in a SOC/SIEM environment

email: [email protected] | w: www.sentryo.net

Sentryo ICS CyberVision delivers turnkey asset discovery and cybersecurity monitoring tailored to mission-critical ICS environments, through a hardware/software platform which allows OT staff (e.g. operations or engineering) and cybersecurity experts to jointly protect industrial assets against the most advanced cyber threats.

The ICS CyberVision platform provides tools for both the OT staff and Cybersecurity experts:

OT staff gains tools to:

• discover and classify their assets, quickly spot ICS vulnerabilities and efficiently implement their protection plans,

• automatically and continuously track change and detect abnormal events (new network flow, unauthorized change…) which could be weak signals of advanced cyber-attacks,

• rapidly pinpoint (i.e. qualify and characterize) the source of the problem without deep knowledge in cybersecurity,

• then, on their own, make initial decisions appropriately in a timely manner.

Cybersecurity experts gain tools to:

• support the OT staff in case of an ICS cyber attack,

• carry out and accelerate their response and investigation after a critical event leveraging threat intelligence provided by the Sentryo research lab.

ICS CYBERVISION AT A GLANCE

• Deep Packet Inspection of OT protocols (20+)

• Machine learning

• IT & OT adoption

• Critical-grade hardware sensors

• OT threat intelligence & API ready

• Designed for large-scale & complex networks

• Software agent

• IT SOC/SIEM integration

• Intuitive & easy to use

• Designed for Industrial IoT

• Advanced anomaly detection

• Unique data visualization


ICS CyberVision is made up of sensors which are deployed at key locations on the field, control and supervisory networks. Sensors are hardware appliances which extract meaningful information from the machine to machine communication traffic using Deep Packet Inspection techniques. They are fully passive and cannot impact the OT network.

The extracted information is continuously sent to the ICS CyberVision center via a “collection network”. The collection network is either a dedicated network or a virtual communication channel over the OT network.

The ICS CyberVision center is deployed as a hardware appliance or a virtual appliance. It can be deployed either on a given site or within a security operations center to supervise several industrial sites.

The center provides a visual, always up-to-date representation of the OT network (inventory, connection mapping) featuring the vulnerabilities of the network components. It learns the behavior of the OT network and performs anomaly detection. Last, it records and timestamps all information collected and events generated.

ICS CYBERVISION DEPLOYMENT ARCHITECTURE

Figure: ICS CyberVision deployment architecture. The diagram shows four levels, from the manufacturing & corporate level down through the supervisory level (SCADA station, engineering station, servers, SOC/SIEM and the CyberVision center with its web interface) and the control level (controllers) to the field level (I/O). Sensors placed on the supervisory, control and field networks send what they extract to the CyberVision center over the collection network.


SENTRYO SENSORS

Sentryo sensors are industrial grade hardware appliances which can be located within control cabinets next to network devices and industrial controllers. See the Sentryo sensors datasheet for a detailed product overview.

100% Passive

Sentryo sensors provide a passive, non-intrusive data collection service. Passive means that data are extracted from the OT Network but the sensor cannot send data packets on the network. Two types of sensors are offered: SENSOR3 and SENSOR7.

On the SENSOR7 the passiveness is "hardware enforced": its two network interfaces are built around an optical diode component, so the SENSOR7 operates like a network tap. Because there is no transmit path from the sensor to the monitored network, this is a hardware-enforced, non-intrusive way to monitor the network: it induces no change on the network itself and presents nothing on the monitored segment that an intruder could address or probe.

Centrally managed/no configuration

The sensor’s role is limited to collecting information and sending it to the center - there are no security rules in the sensor and they do not require any configuration.

As a result, Sentryo sensors are stateless. Should a sensor fail or be stolen (rare, but a possibility since sensors may be located in remote, unprotected locations), it holds no stored information or configuration rules.

When a sensor is initially connected to the center via the “collection network” it will get registered on the center’s internal PKI and will download its configuration automatically.

All sensors are managed centrally from the center and there is no need to manage each device individually. This includes installing new releases of the embedded firmware on connected sensors.

COLLECTING DATA FROM THE NETWORK WITH SENTRYO SENSORS

Figure: The CyberVision workbench. Sentryo sensors (hardware or software agents) in the OT environment feed the Sentryo CyberVision center appliance (hardware, virtual or cloud). The workflow reads: 1. extract meaningful information from the network flows using passive sensors; 2. dynamically build an inventory of all components and a map of all connections; 3. "learn" the system, deliver statistical and behavioral patterns and detect abnormal events. From the resulting picture the users shown (CSO & CISO, control engineer, cybersecurity expert) take preventive decisions based on the situational awareness, implement preventive action to enhance network protection, trigger incident response upon advanced compromise evidence to avoid damage, and execute the remediation plan.


SENSORS ACQUISITION MODE

Sensors offer two acquisition modes to acquire the traffic from the OT network:

• Bridge mode: sensors include 4 ports which enable them to act as 2 separate TAP modules, which makes them easy to use on redundant OT networks. In this mode the OT network traffic passes between the paired TAP ports and a read-only copy is taken for the monitoring software located inside the sensor.

• SPAN mode: the easiest and most common way is to configure the Ethernet switch with a SPAN port (or "mirror" port) that carries a copy of the traffic of the other switched ports, and to connect the sensor to this port. Note that a mirror port is best effort: when the mirrored ports together carry more traffic than the SPAN destination can forward, the switch silently drops mirrored frames, so a SPAN feed can miss packets that a TAP would have delivered.

DEPLOYING SENSORS

Deployment of the Sentryo sensors is a straightforward, easy operation. To learn more about it please refer to the Sentryo ICS CyberVision architecture guide which describes how to deploy sensors depending on the context of the OT network.

SENSORS/CENTER COMMUNICATION

There are also two connection modes which allow the sensors to communicate with the CyberVision center:

• Online: In this mode the sensor is connected to the center via the collection network.

• Offline: In this mode the sensor is not connected to the center. A standard USB flash drive is inserted in its port and the sensor records network activity to the drive. The drive is then carried to the Sentryo center and the file uploaded through the center web interface. This mode, which retains all of the ICS CyberVision platform's features, is used either for "one shot" inventory and vulnerability assessment or to include remote (not "connected") locations within a CyberVision monitoring architecture.

Collection Network

The collection network can be either a dedicated physical or radio network or a virtual network (VLAN, VPN). The sensor is configured via DHCP on a LAN or using a USB pre-configuration package on a WAN.

Bandwidth requirements

Sentryo sensors can monitor 700 Mbps (SENSOR3) or 3 Gbps (SENSOR7). This is more than enough, since most industrial networks rely on low-throughput protocols. For the communication between the sensors and the center, the bandwidth depends on the number of devices monitored by the sensor and can be estimated at 5 kbit/s per device.

ICS CyberVision sensor’s management interface


EXTRACTING MEANINGFUL INFORMATION FROM OT NETWORKS

MEANINGFUL INFORMATION

Relying on Sentryo Deep Packet Inspection technology, Sentryo sensors analyze raw data from the network flow by understanding OT protocols, extracting information that includes:

Inventory information for each OT network component (e.g. PLC)

• Identification properties: MAC address, protocol ID, TCP port, UDP port.

• Inventory properties: vendor, controller name, project name, project version, model name, firmware version, hardware version, hardware serial number, sub-module location/slot, product code, component role (SCADA, engineering).

• Visualization properties: icons, reference colors, default view, etc.

Process control information: messages exchanged between process control devices

• Read and write commands, variable IDs or names.

• Variable values (e.g. pressure).

• Basic PLC control: program download commands, start and stop commands, firmware update, time management.

• Advanced PLC control: program change detection (content), program information (metadata, block header), authentication (logins and passwords, which are recoverable passively wherever the protocol carries them in the clear), database operations, memory reset, maintenance mode, diagnostic mode and information.

Network information: messages exchanged between network devices

• ARP messages between switches & routers, packet sizes, number of packets.

All this information is accompanied by metadata which "contextualizes" it (time, source, destination, protocol, frequency, etc.).

Example of information collected by ICS CyberVision

Sentryo supports dozens of industrial protocols addressing different industry segments, from Distributed Control Systems in the process industries (e.g. Honeywell, Emerson, ABB, Yokogawa), through PLC and SCADA systems in manufacturing (e.g. Siemens, Schneider, Rockwell Automation), to those dedicated to smart buildings (e.g. the BACnet standard) or the smart grid (e.g. IEC 60870-5-101/104 and, as a newer standard, IEC 61850).

See the list of industrial protocols supported by ICS CyberVision in the Appendix.


NORMALIZING THE INFORMATION EXTRACTED FROM THE OT NETWORK

Such a large number of protocols makes it vital to normalize the information extracted from the OT network in order to perform analytical operations and data mining. By normalizing the information collected (process control, inventory, network), ICS CyberVision provides a unified interface for handling a multi-vendor environment.

As an example, some of the normalized properties for each object on the network are:

• NAME (name): name of the component, retrieved by analyzing different protocols

• IP (ip): IP address

• MAC (mac): MAC address

• HW_VERSION (hw-version): hardware version

• FW_VERSION (fw-version): firmware version

• MODEL_NAME (model-name): model name

• MODEL_REF (model-ref): component model reference as defined by the manufacturer

• SERIAL_NUMBER (serial-number): serial number

• VENDOR_NAME (vendor-name): vendor name

• PROJECT_NAME (project-name): project name, as defined by the automation programming tool

Versatile DPI technology

The Sentryo deep packet inspection development framework allows Sentryo to build analyzers for new protocol stacks quickly. The framework can be delivered as an SDK to customers or partners who want to create their own analyzers.

Multiplexed protocols

On an OT network, depending on the vendor, it is common for a controller to rely on a single Ethernet port and TCP/IP connection to address separately 5 or 10 sub-modules, each interacting with a different part of the process. In that case Sentryo sensors analyze the protocol deeply enough to de-multiplex the communication flow and treat each logical connection with a sub-module independently.

Full packet capture

Sensors continuously record all the traffic for a rolling period of time. Packets are buffered in the sensor memory. Upon request or upon a triggering event, the sensor sends its buffer to the center and continues to capture the full traffic until it receives another order.

In the case of a security incident, this feature allows the forensic team to search all the traffic before and after the incident occurred.
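The rolling capture described above, written out as an added example (illustrative Python, not Sentryo sensor code): a time-bounded ring buffer that evicts frames older than the retention window, hands the pre-event buffer over when a trigger arrives, and keeps recording a post-event window before handing that over as well. The packet records, window sizes and trigger time are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    summary: str    # one-line description of the frame (constructed for the example)


class RollingCapture:
    """Sensor-side rolling full-packet buffer (added example, not Sentryo code).

    Frames older than `window_s` seconds are evicted as new ones arrive, so the
    buffer always holds the most recent window of traffic. A trigger exports
    that pre-event window and arms a post-event window of `post_s` seconds,
    which is exported once a frame beyond it arrives or flush() is called.
    """

    def __init__(self, window_s: float, post_s: float) -> None:
        self.window_s = window_s
        self.post_s = post_s
        self.buf: Deque[Packet] = deque()
        self.exported: List[List[Packet]] = []   # segments handed to the center
        self._post: List[Packet] = []
        self._post_until: Optional[float] = None

    def _evict(self, now: float) -> None:
        while self.buf and self.buf[0].ts < now - self.window_s:
            self.buf.popleft()

    def ingest(self, pkt: Packet) -> None:
        """Record one frame; capture never stops, even while a post-event window is open."""
        self._evict(pkt.ts)
        self.buf.append(pkt)
        if self._post_until is None:
            return
        if pkt.ts <= self._post_until:
            self._post.append(pkt)
        else:
            self.flush(pkt.ts)

    def trigger(self, now: float) -> int:
        """Export the pre-event buffer and open the post-event window; returns frames exported."""
        self._evict(now)
        pre = list(self.buf)
        self.exported.append(pre)
        self._post = []
        self._post_until = now + self.post_s
        return len(pre)

    def flush(self, now: float) -> bool:
        """Close the post-event window if it has elapsed; returns True if a segment was exported."""
        if self._post_until is None or now <= self._post_until:
            return False
        self.exported.append(self._post)
        self._post = []
        self._post_until = None
        return True


def demo() -> Tuple[int, int, int]:
    """Constructed traffic: one frame per second. Returns (pre-event frames exported,
    post-event frames exported, frames still held in the rolling buffer)."""
    cap = RollingCapture(window_s=5.0, post_s=2.0)
    for t in range(10):
        cap.ingest(Packet(float(t), "10.0.0.10", "10.0.0.20", "modbus read"))
    pre = cap.trigger(now=9.5)          # e.g. the center requests the buffer after an alert
    for t in (10, 11, 12):
        cap.ingest(Packet(float(t), "10.0.0.10", "10.0.0.20", "modbus write"))
    return pre, len(cap.exported[1]), len(cap.buf)


if __name__ == "__main__":
    print(demo())
```

With a 5 s window and a 2 s post-event window, the trigger at t = 9.5 exports the five frames still within the window (t = 5 to 9), the frames at t = 10 and 11 form the post-event segment, and the buffer keeps rolling afterwards, which is the property the forensic team relies on: the capture before the incident is preserved without interrupting the capture after it.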


CENTRALIZING AND ENRICHING INFORMATION LEARNED FROM THE NETWORK

ICS CyberVision is first and foremost a platform for creating a representation of a machine-to-machine network with the help of visualizations oriented towards OT staff (control engineers) and APIs for cybersecurity experts. Turning a set of messages between machines into an intuitive visual representation helps to give meaning to and interact with the large mass of information collected on the OT network.

All the information learned by the different sensors which are spread out on the OT network are centralized and stored within the ICS CyberVision center repository.

Information is enriched using Sentryo heuristics and knowledge database:

Layer 2: Ethernet MAC addresses, IEEE vendors, Multicast, Broadcast, Protocol specific addresses, 802.1q…

Layer 3: IP addresses, GeoIP (if public addresses), ASN owners, Broadcast

Layer 4: TCP/UDP port, network services

Layer 7: application layer inspection: S7, S7plus, Modbus, OPC UA, UNI-TE, UMAS, Profinet, EtherNet/IP, Emerson Ovation…

Figure: The CyberVision architecture. Sentryo sensors extract meaningful information; the CyberVision center analyzes and enriches it (with threat intelligence and OT & IT knowledge) into a database holding the network model (components, flows, properties), cybersecurity & OT events, behaviours & tags, vulnerabilities and long-term storage. On top of that database sit visualization (map), anomaly detection (monitor mode / baseline), the event timeline, forensics (time machine) and reports, plus an API exposing the data to third-party applications over syslog and REST/JSON.

PROVIDING FULL SITUATIONAL AWARENESS


CREATE BEHAVIORS

Information extracted from the network is combined to create “normalized behaviors” which characterize the behavior of the OT network (e.g.: SCADA station A is reading and writing variable values within the memory of PLC1).

BUILD A VISUAL, REAL-TIME REPRESENTATION

The ICS CyberVision visualization engine dynamically builds a visual, real-time representation of the OT network revealing each device (asset inventory) with its properties and known vulnerabilities, as well as each logical connection between devices and all the behaviors observed on the OT network. This kind of "Google map" of the OT network allows the OT network manager to gain full situational awareness of the environment by zooming in and out.

Example of ICS CyberVision map

Group creation wizard in ICS CyberVision

This interactive map can be directly enriched by a control engineer’s interactions adding business context and risk analysis information details. The control engineer will typically group the components to map the process subsystem and will add specific information like contact name, telephone number, …


PASSIVE VULNERABILITY MANAGEMENT

Inventory information is correlated with internal and external feeds. ICS CyberVision compares normalized properties (such as reference numbers, serial numbers and software versions) with the Sentryo Knowledge Database. A match signals that the PLC/IO module in question could be vulnerable: passive matching identifies candidates from what was observed on the wire, so each hit still needs to be checked against the advisory's affected version range and against whether the vulnerable component is actually in use on that device.

Vulnerabilities discovered are managed via the web interface of the CyberVision center, where they are "acknowledged" and/or documented. As an example, after discovering a vulnerability in the HTTP server software of a controller, that software component is disabled or removed and the correction is documented within the center.

To populate and enrich the database, the Sentryo threat intelligence team gathers details of current vulnerabilities from external sources such as ICS-CERT, Siemens CERT and Schneider CERT. The team also monitors new hacking tool modules, publications at hacker conferences and multiple lesser-known forums.

Vulnerability identification within ICS CyberVision
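How the normalized properties of the normalization section and the passive vulnerability matching of this section fit together, as an added example (illustrative Python, not Sentryo's DPI output or Knowledge Database): protocol-specific attribute names are mapped onto the normalized keys listed earlier (name, ip, mac, hw-version, fw-version, model-name, model-ref, serial-number, vendor-name, project-name), observations of the same MAC over several protocols are merged, and the result is compared with a constructed advisory table by firmware version range. The protocol field names, the vendor "Acme Automation", the model references and the advisory identifier are all constructed for the example; no real vendor product or CVE is referenced. The example also handles the case a passive approach cannot resolve: when no firmware version was ever observed on the wire, the component is reported as "verify" rather than silently skipped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Normalized property names as listed in the normalization section of this sheet.
NORMALIZED_KEYS = ("name", "ip", "mac", "hw-version", "fw-version", "model-name",
                   "model-ref", "serial-number", "vendor-name", "project-name")

# Protocol-specific attribute name -> normalized key. The left-hand names are
# constructed for this example; they are not Sentryo's DPI field names.
PROTOCOL_MAPS: Dict[str, Dict[str, str]] = {
    "s7":     {"plc_name": "name", "order_number": "model-ref", "module_type": "model-name",
               "serial": "serial-number", "fw": "fw-version", "hw": "hw-version"},
    "enip":   {"vendor_name": "vendor-name", "product_name": "model-name",
               "product_code": "model-ref", "serial_number": "serial-number",
               "revision": "fw-version"},
    "modbus": {"vendor": "vendor-name", "product_code": "model-ref", "revision": "fw-version"},
}


def normalize(protocol: str, raw: Dict[str, str]) -> Dict[str, str]:
    """Keep only the attributes that map onto a normalized key."""
    mapping = PROTOCOL_MAPS[protocol]
    out = {mapping[k]: v for k, v in raw.items() if k in mapping}
    assert all(k in NORMALIZED_KEYS for k in out)
    return out


def merge_component(inventory: Dict[str, Dict[str, str]], mac: str, props: Dict[str, str]) -> None:
    """Merge properties learned over one protocol into the component keyed by MAC.
    The first value learned for a key wins; later protocols only fill gaps."""
    comp = inventory.setdefault(mac, {"mac": mac})
    for key, value in props.items():
        comp.setdefault(key, value)


def parse_version(text: Optional[str]) -> Optional[Version]:
    """'V4.2.1' -> (4, 2, 1). None when nothing version-like was observed."""
    if not text:
        return None
    m = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def is_before(version: Version, fixed_in: Version) -> bool:
    """Compare dotted versions with missing trailing components treated as 0."""
    n = max(len(version), len(fixed_in))
    a = version + (0,) * (n - len(version))
    b = fixed_in + (0,) * (n - len(fixed_in))
    return a < b


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # constructed identifier, not a real CVE or vendor advisory
    vendor: str
    model_ref_prefix: str        # product family the advisory applies to
    fixed_in: Optional[Version]  # None: no fixed firmware published yet
    summary: str


def assess(inventory: Dict[str, Dict[str, str]],
           advisories: List[Advisory]) -> Dict[str, List[Tuple[str, str]]]:
    """For each component return (advisory_id, verdict) pairs.
    'candidate': vendor, family and observed firmware fall inside the affected range.
    'verify':    vendor and family match but no firmware version was ever seen on the
                 wire, so the passive approach cannot decide and someone must check."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for mac, comp in inventory.items():
        hits: List[Tuple[str, str]] = []
        vendor = comp.get("vendor-name", "").lower()
        ref = comp.get("model-ref", "")
        fw = parse_version(comp.get("fw-version"))
        for adv in advisories:
            if adv.vendor.lower() != vendor or not ref.startswith(adv.model_ref_prefix):
                continue
            if fw is None:
                hits.append((adv.advisory_id, "verify"))
            elif adv.fixed_in is None or is_before(fw, adv.fixed_in):
                hits.append((adv.advisory_id, "candidate"))
        result[mac] = hits
    return result


# Constructed observations: (MAC, protocol, attributes as a DPI engine might extract them).
OBSERVATIONS = [
    ("02:ac:00:00:00:01", "s7",     {"plc_name": "PLC1", "order_number": "AC-314-2", "fw": "V4.1.0", "hw": "3"}),
    ("02:ac:00:00:00:01", "enip",   {"vendor_name": "Acme Automation"}),   # same device, second protocol fills the vendor
    ("02:ac:00:00:00:02", "s7",     {"plc_name": "PLC2", "order_number": "AC-314-2", "fw": "V4.2"}),
    ("02:ac:00:00:00:03", "modbus", {"vendor": "Acme Automation", "product_code": "AC-314-1"}),  # firmware never seen
]

ADVISORIES = [
    Advisory("ACME-ADV-0001", "Acme Automation", "AC-314", (4, 2),
             "constructed example: embedded web server flaw, fixed in firmware 4.2"),
]


def build_inventory() -> Dict[str, Dict[str, str]]:
    inventory: Dict[str, Dict[str, str]] = {}
    for mac, protocol, raw in OBSERVATIONS:
        merge_component(inventory, mac, normalize(protocol, raw))
    return inventory


if __name__ == "__main__":
    for mac, hits in assess(build_inventory(), ADVISORIES).items():
        print(mac, hits)
```

Two design points matter here. First, the merge is keyed by MAC and lets the first-learned value stand, so a vendor name seen over one protocol completes an inventory record started by another, which is exactly why normalization has to happen before matching. Second, "4.2" and "4.2.0" are treated as the same version, so a device already on the fixed release is not reported, while a device whose firmware was never visible on the wire is reported as something to verify rather than dropped.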


DETECTION

DETECT & MITIGATE ADVANCED THREATS

Sentryo ICS CyberVision does not detect the initial infection stage of malware (including cases where it exploits a zero-day vulnerability on a Windows computer). Instead, it detects the effects of the malware, which will typically result in orders that appear "legitimate" (e.g. a new command sent from a SCADA station to a controller, or a set point written to a particular memory register of a PLC). Knowing the "OT network behavior model" precisely (the machine-to-machine message exchange scheme and its business and technical context), ICS CyberVision detects that these apparently legitimate orders are not normal and triggers an alert.

Sentryo's ICS CyberVision platform provides an agile learning environment that allows OT professionals to create a cybersecurity policy covering all business cases. This is achieved via the platform's interactive "learn first" function, which builds OT network behavioral models that are then used as white lists.

This learning mode is iterative. At first the behavioral model enforced will not be comprehensive and will generate false anomalies; these are reviewed and integrated into the model until it covers all the expected behaviors of the OT network. One caveat to keep in mind: whatever happens during the learning window is absorbed as normal, so the learning period should be chosen when the process is known to be in a clean, representative state, and each integration of a "false" anomaly should be a deliberate acknowledgement rather than a blanket acceptance.

BEHAVIORAL DETECTION

The Sentryo ICS CyberVision platform does not currently rely on pattern matching to catch known signatures. In that sense it is very different from a traditional IDS, which tries to match packets going through the network against signature patterns.

Instead, the ICS CyberVision platform reconstructs a multidimensional symbolic graph for every network layer, including all information and behaviors stored within the center. The ICS CyberVision detection engine takes "snapshots" of it, reference points named "baselines". These baselines, which record all dimensions of the model, encompass all the behaviors observed on the OT systems and considered legitimate during a certain time window. Baselines corresponding to different operating modes of the industrial process (e.g. normal production, maintenance) can be created.

The engine performs differential gap analysis between baselines, or between a baseline and the current state of the network. The differences are shown using advanced visualization techniques. Each difference could be expected or unexpected, and the operator is required to acknowledge it.


Showing difference and alerting

For example, the differences between two symbolic graphs or baselines can be:

• A new component (potentially a rogue access point or maintenance laptop) will be seen as a new node.

• A new flow (a supervision connection or network scan from a compromised station) will be seen as a new edge.

• A new order (such as reprogramming a PLC or starting/ stopping a CPU) will be seen as a new symbol of an edge between two nodes.

Via an easy-to-use REST API, the OT staff can also implement their own "behaviors" tailored to their specific risk context in order to detect sequences of events known to be malicious. For example, via a Python script one can create tags that represent specific behaviors. This is typically done for a PLC controlling a very sensitive part of the process, for which the communication scheme is predefined as "normal behavior" based on a key register or variable.

By comparing a current or past situation on the OT Network to a baseline, OT staff can quickly identify any aspects of the network that have changed and progress towards a desired cybersecurity policy.
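The differential gap analysis and the custom behavior described above, as an added example (illustrative Python, not the CyberVision engine or its REST API): two snapshots of the symbolic graph are compared to list new nodes, missing nodes, new edges, and new symbols on edges that already existed, and a constructed "key register" rule tags writes to a sensitive PLC register from any source that is not on its allow list. Node names, the s7 symbols and the register name DB1.DBW10 are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Edge = Tuple[str, str, str]   # (source, destination, protocol)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    symbols: FrozenSet[str]   # orders observed on the flow, e.g. "read", "program_download"


class Baseline:
    """Snapshot of the symbolic graph: nodes, edges, and the symbols seen on each edge."""

    def __init__(self, flows: Iterable[Flow]) -> None:
        self.nodes: Set[str] = set()
        self.edges: Dict[Edge, Set[str]] = {}
        for f in flows:
            self.nodes.update((f.src, f.dst))
            self.edges.setdefault((f.src, f.dst, f.protocol), set()).update(f.symbols)


@dataclass
class Diff:
    new_nodes: List[str]                 # e.g. a maintenance laptop or rogue access point
    missing_nodes: List[str]             # a device that went silent is also worth a look
    new_edges: List[Edge]                # a new flow, e.g. a scan from a compromised station
    new_symbols: List[Tuple[Edge, str]]  # a new order on an edge that already existed


def diff_baselines(reference: Baseline, current: Baseline) -> Diff:
    """Differential gap analysis: what `current` contains that `reference` did not."""
    new_symbols = [
        (edge, sym)
        for edge, syms in sorted(current.edges.items())
        if edge in reference.edges
        for sym in sorted(syms - reference.edges[edge])
    ]
    return Diff(
        new_nodes=sorted(current.nodes - reference.nodes),
        missing_nodes=sorted(reference.nodes - current.nodes),
        new_edges=sorted(e for e in current.edges if e not in reference.edges),
        new_symbols=new_symbols,
    )


def key_register_rule(current: Baseline, plc: str, register: str,
                      allowed_writers: Set[str]) -> List[Tuple[str, str, str]]:
    """Custom behavior for a sensitive PLC: only `allowed_writers` may write `register`.
    Returns (source, plc, symbol) tags for every violating edge, whether or not the
    edge is new relative to a baseline."""
    symbol = f"write:{register}"
    return [
        (src, dst, symbol)
        for (src, dst, _proto), syms in sorted(current.edges.items())
        if dst == plc and symbol in syms and src not in allowed_writers
    ]


# Constructed flows. REFERENCE is the learned baseline; CURRENT is the situation under review.
REFERENCE = [
    Flow("SCADA_A", "PLC1", "s7", frozenset({"read", "write:DB1.DBW10"})),
    Flow("ENG_1", "PLC1", "s7", frozenset({"read", "program_info"})),
]
CURRENT = [
    Flow("SCADA_A", "PLC1", "s7", frozenset({"read", "write:DB1.DBW10"})),
    Flow("ENG_1", "PLC1", "s7", frozenset({"read", "program_info", "program_download"})),
    Flow("LAPTOP_7", "PLC1", "s7", frozenset({"read", "write:DB1.DBW10"})),  # unknown laptop
    Flow("LAPTOP_7", "PLC2", "s7", frozenset({"read"})),
]


def run_example() -> Tuple[Diff, List[Tuple[str, str, str]]]:
    current = Baseline(CURRENT)
    gap = diff_baselines(Baseline(REFERENCE), current)
    tags = key_register_rule(current, plc="PLC1", register="DB1.DBW10",
                             allowed_writers={"SCADA_A"})
    return gap, tags


if __name__ == "__main__":
    gap, tags = run_example()
    print("new nodes:", gap.new_nodes)
    print("new edges:", gap.new_edges)
    print("new symbols:", gap.new_symbols)
    print("tags:", tags)
```

The two mechanisms complement each other. The gap analysis reports the laptop as a new node and its two flows as new edges, and reports the engineering station's program download as a new symbol on an edge that was already accepted; it does not by itself say which of those matters. The key-register rule does: it tags the laptop's write to DB1.DBW10 regardless of whether that flow is new, so an operator who had (wrongly) acknowledged the new edge would still be alerted.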

MACHINE LEARNING APPROACH

The ICS CyberVision platform leverages machine learning techniques to improve the accuracy of detection (minimize false positives) and provides increasing value in terms of qualification.

ICS CyberVision is a learning system. Based on the data passively extracted from the network, ICS CyberVision learns "machine routines", building over time a very precise understanding of the communication patterns. Everything the machine has learned can be reviewed via the ICS CyberVision HMI.

Although users are an integral part of the learning process, traditional machine learning systems used in cybersecurity are agnostic to the fact that inputs/outputs are from/for humans. Sentryo has leveraged the intersection of machine learning and human-computer interaction to make the algorithms more accurate.

That is why machine learning algorithms are used inside ICS CyberVision to:

• detect anomalies inside the network

• identify attacks

• fingerprint hacking tools

• etc.


SECURITY MANAGEMENT

TIMELINE & DASHBOARDS

Currently, when there is a security breach, IT cybersecurity experts step in and spend weeks researching and gathering historical information to find the root cause. To avoid this, Sentryo ICS CyberVision behaves as a flight recorder, logging and organizing all relevant data. This eases the expert's job and dramatically reduces the lead time to restore the system to its normal state.

ICS CyberVision example of event dashboard ICS CyberVision example timeline / calendar

REPORTS

Sentryo ICS CyberVision provides dashboards to the security officer. They display how the ICS security policy is enforced and how abnormal events, if any, would be managed.

ICS CyberVision offers advanced reporting capabilities. Reports are available either in HTML format or as Excel spreadsheets.

ICS CyberVision reports


THREAT INTELLIGENCE

Threat intelligence is no longer an option for managers of OT networks. Worms like Stuxnet have famously targeted OT systems but threats stretch far beyond that one instance. For example, cybersecurity experts have reported a number of exploits involving Microsoft Windows XP or 7, Adobe PDF or standard SCADA software. Meanwhile, the skills needed to attack ICS networks are spreading. Hackers are selling tutorials featuring the latest techniques and tools needed to perform attacks on ICS systems. Hackers are also hiring themselves out as attackers for fees that are dropping all the time. Automated tools such as shodan.io help with reconnaissance.

Sentryo has established a research lab to provide accurate threat intelligence so that customers and partners can discover intrusions before they have caused severe damage. The Sentryo research lab collects, analyzes and evaluates intelligence from multiple sources: ICS-CERT, other CERTs, OT vendor (Siemens, Schneider, Rockwell, Emerson…) bulletins, results of scanning tools (Nmap…), IoCs, malware feeds, conferences, academia, technical blogs…

In addition, the Sentryo lab performs its own malware analysis in order to create specific IoCs (Indicators of Compromise) and provide Sentryo customers with easy-to-use scripts to detect malware presence on the OT network.

Threat intelligence provides information related to vulnerabilities (for passive detection), flow identification (for packet inspection), and hacker techniques, tactics and attack patterns (for key behaviors and potential attack vectors). Threat intelligence information fuels the Sentryo Knowledge Database (every week), the CyberVision platform (every two months) and early threat intelligence briefings (every month). For early briefings (e.g. the Ukrainian cyber-attacks against ICS), the Sentryo research lab analyzes in detail the various reports and information published by different companies and gathers intelligence from technical blogs or social media.

As a result, threat intelligence enriches the value of the CyberVision platform through increasing knowledge.


INTEGRATION IN A SOC/SIEM ENVIRONMENT

The ICS CyberVision platform detects anomalies in a very different way from IT SIEM platforms. It does not correlate technical logs to detect breaches or malware, and it does not require complex rules to be set and updated by staff with deep cybersecurity expertise.

However, because the ICS CyberVision platform continuously records all meaningful information and associated metadata, this information, along with the event alerts generated by the behavioral detection engine, can be integrated into third-party SIEM platforms or accessed directly through the Sentryo APIs.

This integration can be done in two ways:

• All the logs stored in the ICS CyberVision center can be exported to the SIEM platform via a syslog interface. Such an integration allows cybersecurity experts to correlate the logs coming from OT systems with those collected on the IT systems in order to enhance detection capabilities, and to conduct in-depth analysis using their own tools. ICS CyberVision/SIEM integration has been validated with leading SIEM vendors (e.g. Splunk, AlienVault, QRadar, …). Refer to the Sentryo SIEM integration technical specification for more information.

• The ICS CyberVision center provides a standard interface (HTTPS REST) which allows cybersecurity experts to access directly all the data stored by the center. They can use the API to query the ICS CyberVision platform, in particular for forensic investigations. Following a cyber-attack, they can also load their organization-specific IoC files into ICS CyberVision in order to "hunt" for a particular IoC (e.g. the well-known IoCs shared by governmental agencies or CERTs). Refer to the REST API specifications for more information.


e: [email protected] | w: www.sentryo.net

Sentryo HQ 66 Bd Niels Bohr CS 52132

69603 Lyon-Villeurbanne - France

Telephone +33 (0) 970720876