CISOs and security teams face an uphill battle when it comes to detecting and mitigating ever more frequent and sophisticated cyber threats, especially in OT environments.

Cyber attackers are learning new tactics, getting more creative, and are becoming more relentless than ever to exploit industrial organizations. As seen in the Oldsmar water system attack and the Colonial Pipeline ransomware attack, adversaries are targeting IT and OT environments to inflict damage on organizations that can affect the daily lives of civilians.

Considering the evolving and ever-expanding threat landscape,security and incident response teams might be feeling lost at times when defending their OT networks. Even more so with the recent increasing convergence of IT and operational technology (OT) threats, industrial organizations are seeking new practices on how to leverage their existing IT security stack to address the new cyber threats that are targeting OT environments.

This is where SCADAfence and IBM QRadar have partnered together to create a joint integration to tackle OT security challenges. Now security teams who are using IBM QRadar can be provided with the required visibility and security for adopting advanced Industrial IoT and OT technologies. This new integration with QRadar allows users to simply integrate alerts from the SCADAfence Platform to their QRadar feed, as well as viewing it in a dedicated SCADAfence dashboard.

Diagram 01. The SCADAfence & IBM QRadar integration dashboard

Many industrial organizations count on IBM Security QRadar, an intelligent SIEM, to provide actionable threat intelligence to help detect and respond to security incidents that need to be mitigated. SCADAfence’s integration with IBM QRadar allows our joint customers to capitalize further on their current security stack, so they can have complete visibility into their OT networks with real-time alerts, all in one user-friendly dashboard.

Leveraging SCADAfence and IBM QRadar

CISOs and their organization are always looking to enable their IT and security teams to detect and respond to security incident events more efficiently, but they also want to simplify how to address the lack of visibility into the security of OT environments at the same time. At SCADAfence, we believe we can achieve more through collaboration and integrations. Organizations can leverage SCADAfence’s OT security platform and alerting with QRadar’s strengths across all their industrial OT and IIoT environments to provide complete OT visibility and threat detection to respond to security incidents all in one dashboard.

Diagram 02. The SCADAfence & IBM QRadar integration alerts dashboard

Complete OT Network Visibility 

SCADAfence’s leading OT security platform is configured to minimize any interruption to the normal operation of the customer environment and provides OT insights and produces risk management recommendations that are appropriate to your organization’s needs. This is accomplished by discovering the assets and their roles in the network which provides visibility into their behavior. With a wide range of algorithms and mechanisms, the SCADAfence Platform detects anomalies that can compromise security, safety and reliability.

Multi-Layered Approach to OT Defense

Easily integrate the benefits of the SCADAfence Platform to provide endpoint controls with behavioral indicators of compromise across endpoints and operational networks. This will allow IBM QRadar users to have the visibility to respond across IIoT and OT environments, all within a single dashboard. This integration empowers customers with SCADAfence’s OT security technology while providing the needed visibility into OT equipment.

Automated Asset Inventory 

The SCADAfence Platform allows IBM QRadar customers to automatically discover and continuously manage their entire asset inventory up to date with detailed information on all the devices connected to their OT networks. Regardless of the vendors and controllers deployed in the infrastructure, the platform automatically generates asset inventory without needing any prior knowledge.

Efficient Detection of Incidents

With IBM QRadar and SCADAfence, users can correlate network traffic behavior with host and user behaviors across multiple network areas. Easily surface critical events and detect incidents across machines and networks that would previously go completely undetected. Quickly react and precisely prevent further attack propagation with an automatic correlation of OT manipulation commands with compromised host indications.

Proactive Operational Insights

SCADAfence Platform continuously alerts IBM QRadar users of any abnormal behavior or configuration changes that may have an impact on their operations’ stability before it actually affects their operations. The SCADAfence platform utilizes the most advanced OT security technology to gain the most up-to-date industry insights, which helps provide users with better security alerts and recommendations on how to remediate today’s OT vulnerabilities that may impact your environment.

Diagram 03. The SCADAfence & IBM QRadar integration log activity dashboard

Discover the instant value of OT security in your QRadar environment. Mutual customers with an active subscription to SCADAfence can go to the IBM Security App Exchange and download SCADAfence Platform integration for IBM QRadar.

Over time, we have learned that we develop products not for our own innovation, but for you the customers, to help improve your OT security. In 2021, we were excited to launch three newly designed products that include many new features that will improve your OT security experience.

We launched the SCADAfence Platform 6.6, Governance Portal 2.0 and the Multi-Site Portal 2.6. We launched these new product versions to ensure that we offer the industry’s leading industrial cybersecurity products that provide the best detection & response capabilities in large-scale OT networks, asset discovery and governance. Some of the new features include the MITRE ATT&CK framework for ICS support, we’ve included many new security alerts, improved our state-of-the-art technology, enhanced reporting, new zero trust capabilities and more.

With the combination of our additional new funding, hiring top experts in R&D & the executive team, 2021 has truly been an amazing year for SCADAfence. We have strengthened our leading OT security offering to provide the most advanced and cutting-edge technology in the OT security industry.

After months of excessive testing by internal & external research teams, The SCADAfence Platform version 6.6 consistently demonstrated best-in-class performance and provided 100% detection with close to zero false positives.

Current customers can upgrade their SCADAfence Platform to the latest version and see the new features in action. But let’s take a closer look at the main new features, with some screenshots.

Designed for our users, by our users

After talking to our rapidly expanding customer base and asking how we can make their user experience as efficient as possible, it was time for a further optimized UI design. We’ve updated All our product’s user interface with a smoother and sleeker feel, that was designed with ease of use in mind, based on customer feedback.

Our new UI will allow our customers and their OT security teams to easily manage their OT environments while navigating through the platform.

Diagram 01. The SCADAfence Platform’s Assets Manager dashboard

The ‘Einstein’ Baseline

We’ve always prided ourselves in having the most advanced baseline technology in the industry, with over 40% more accuracy than other solutions in the OT security market. According to Gartner’s Vam Voster, “ SCADAfence’s self-tuning baseline minimizes false positives; this means that no user configuration is required, nor is any stop-and-restart needed to relearn. This system allows for a scalable solution for a huge organization and seamless integration with OT networks.”

With the SCADAfence Platform, our customer’s baseline period takes just 2 days, unlike our competitors who tend to take up to six weeks. On top of the baseline period, we wanted to make our industry-leading baseline even more advanced and accurate, so we are excited to introduce our new ‘Einstein’ baseline.

Unlike other OT security solutions, SCADAfence’s new ‘Einstein’ baseline continuously updates and learns more about the latest network traffic and will “forget” old and irrelevant behavior that is not relevant to the customer’s environments and systems. This results in detecting new malicious behavior which increases the visibility into networks, even if in the first phase they were infected or compromised.

In addition, changes in network behavior might occur due to changes in process or network equipment. This also requires an adaptation of the baseline.

This is a major improvement in the accuracy of the detection, and coping with dynamic networks.

New System Mode – Offline PCAP Analysis

SCADAfence’s customers and partners can now run PCAP analysis for offline risk assessment processes. The offline analysis will allow customers and partners to test and analyze their traffic files taken from their network and analyzed offline. This analysis enables users to get a better understanding of their network traffic while not affecting their current network. This feature has been uniquely designed to provide completely offline analysis without interference from live network traffic.

Governance 2.0

The SCADAfence Platform release 6.6 is equipped with our latest version of our  IT/OT Governance and compliance portal. After receiving continuous feedback from our customers and dozens of deployments of our Governance portal we updated our industry-leading governance portal.  In addition to a complete UI facelift, the new Governance Portal version 2.0, has more speed, more advanced results and more compliance regulations. In fact, we’ve added nine (9) new compliance frameworks to fit our customers’ growing compliance needs.

Diagram 02. The SCADAfence Governance Dashboard

Scaling with SCADAfence’s Multi-Site Version 2.6

SCADAfences’s customer deployments are growing to where they are reaching hundreds of sites. This poses a significant burden for most administrators to configure each site’s settings individually. With SCADAfence Multi-Sites’ Portal Central Configuration, this is no longer an issue.

Diagram 03. The SCADAfence Multi-Site Dashboard

The Multi-Site Portal now allows customers to distribute their configurations to all their sites from the Multi-Site Portal to the distributed SCADAfence Platforms. The security configuration is managed via profiles and covers many security aspects including alerts policy, IP groups, central licensing, 3rd Party tools integrations and more.

By deploying the central configuration, administrators will now save more time while increasing productivity and efficiency while using the SCADAfence Platform in their multiple sites.

Central Software Updates

As part of the central configuration capabilities, SCADAfence customers now have the opportunity to update the SCADAfence Platform software from the Multi-Site Portal. This new feature allows customers to upgrade their SCADAfence Platforms with the latest version in all their sites centrally from the Multi-Site Portal, without the need to access each site’s Platform and upgrade it manually.

This allows organizations and their administrators the flexibility to increase the management of their sites and the OT networks, which results in productivity and saving time.

Sprinting Into 2022

This latest product release had a strong emphasis on user experience, security and improving the management of different industrial protocols (ENIP/CIP, S7, BACnet, etc.). In conclusion, the SCADAfence Platform version 6.6 enables organizations in manufacturing, critical infrastructures and more industrial sectors to operate securely, reliably and efficiently with the right amount of OT security within their industrial environments.

We’re confident that these updates and those coming in the future will bring a better experience for users and we are here to help with all your OT security needs.

In the wake of the different ransomware attacks on Colonial Pipeline, JBS Foods, Oldsmar Florida water system and other critical infrastructure, President Joe Biden signed a national security memorandum that is aimed to strengthen the cybersecurity for critical infrastructures. The goal of this memorandum is to establish improved information sharing and collaboration initiatives with the private sector. Additionally, the White House wants to raise the security of ICS and address the different security risks and vulnerabilities in critical infrastructure environments.

The National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems formalizes the Industrial Control System (ICS) Cybersecurity Initiative which directs the Departments of Homeland Security and Commerce and the Department of Commerce’s National Institute of Standards and Technology (NIST) to create and issue cybersecurity performance goals for critical infrastructures.

The new initiative of collaboration between the federal government and the critical infrastructure sector will work together to defend the critical infrastructures of the United States. “Encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” according to the memorandum.

Additionally, the memorandum will increase the adoption of cyber security solutions that provide better visibility into ICS, “The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”

Another objective of this incentive to strengthen the security of ICS is to deploy interconnected industrial sensor technology. By deploying sensors, critical infrastructure environments will enhance their visibility into security events in their operational systems.

This will allow organizations to detect any intrusion on their network more quickly. As quoted in the memorandum, “We cannot address threats we cannot see; therefore, deploying technologies that can monitor control systems and detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

Why The Industrial Control Systems Cybersecurity Initiative Matters

Following in the lines of the Biden Administration’s recent cyber security executive order, the memorandum establishes the Industrial Control Systems Cybersecurity Initiative (the “ICS Initiative”). The ICS Initiative is a collaborative effort between the Federal Government and the critical infrastructure community to improve the cybersecurity of systems supporting national critical functions.

This new initiative is important for the critical infrastructure sector as it encourages, facilitates and scales the deployment of ICS security technologies to monitor and detect malicious activity and provide the right mitigation steps in response to cyber attacks. By using the ICS Initiative as guidance, the Federal Government will collaborate with the industrial sectors to share different cyber threat information for ICS systems of critical infrastructures.

Initially, this initiative was launched in April 2021 with a pilot effort within the electricity subsector with over 150 electricity utilities representing almost 90 million customers agreeing to deploy control system cybers security technologies. The same effort is underway with the natural gas pipelines sector which will be followed by water and wastewater, chemical and other sectors later this year.

Critical Infrastructure Cybersecurity Performance Goals

The Memorandum also directs the need for government agencies to create and issue baseline cybersecurity goals across the critical infrastructure sectors. The need for improved security controls will be dependent on the control systems in the critical infrastructure environments.

These measures will “further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety,” according to the memorandum.

NIST and CISA will establish the preliminary goals for control systems for critical infrastructures sectors by Sept. 22, 2021. Then the final cross-sector control systems goals will be published by July 28, 2022.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memorandum states.

Moving Forward

ICS security is not an easy task at hand and defending the wide range of industrial networks and facilities is often neglected or not enough resources are allocated. By creating a voluntary collaboration of infrastructures operators and the cyber security agencies of the government it will strengthen the awareness of the different attacks on critical infrastructures.

The US government putting a strong emphasis on visibility is a smart move. The research and deployment of cyber security for ICS are only now starting to change for the better. The legacy systems are finally converging between the physical and the interconnected networks. By becoming interconnected to the Internet it has created new security risks for the critical infrastructures sectors that haven’t been properly evaluated. The memorandum is a good first step into ensuring better security for ICS, but it’s only one small step on a long road to more secure critical infrastructure sectors.

There is a lot of buzz recently on the topic of MITRE ATT&CK for ICS and rightfully so.

Multiple industrial sectors are experiencing a growing threat landscape for operational technology (OT) networks and ICS and SCADA systems. This is clearly demonstrated by the number of recent successful ransomware attacks, which have compelled critical infrastructure organizations to better prepare themselves for incoming cyber threats.

To be more prepared, the different stakeholders responsible for infrastructures and services are enhancing and maturing their security operations centers (SOCs) and are adopting more cyber threat intelligence. This has resulted in considering adversarial Tactics, Techniques, and Procedures (TTPs) to be the most valuable tool.

While adopting the latest and greatest new security tool can help an organization’s security posture it’s equally as important to understand the different threat landscapes and attack methods that an organization could fall victim to. Recently the security community has started to have a common belief that the new attacks by adversaries have become more sophisticated with new techniques that are making it easier to exploit new vulnerabilities or new methods for lateral movement.

Too often we see that the majority of successful attacks are using common methods and techniques and are able to exploit an organization due to poor implementation of security controls or poor security posture. Therefore organizations need to have a better understanding of the attack techniques and adopt security solutions that will increase the detection of attacks which will make it easier for security teams. This is where the MITRE ATT&CK for ICS framework comes into play.

What is the MITRE ATT&CK For ICS Framework?

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative started in 2015 with the goal of providing a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The knowledge base helps security professionals make sense of the numerous varieties of tactics and techniques attackers use to infiltrate networks, steal data and other methods of exploiting organizations. The MITRE ATT&CK framework enables security professionals to move beyond identifying the simplest and most common attack methods and instead allocate resources to get a better understanding of adversaries’ behaviors.

The enterprise ATT&CK framework consists of 11 tactics that tend to answer which tactic and what the cyber criminal wants to achieve when exploiting an organization.

• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Exfiltration Impact

Diagram 01. The SCADAfence Platform’s built-in MITRE ATT&CK framework dashboard

This globally accessible knowledge base has become the security industry-accepted framework due to its specifically detailed list of methods of how enterprise IT and OT environments can be exploited and compromised. Security experts have mentioned that if an organization can defend against every technique in the framework then its environment will be entirely secure.

Since the framework has become the industry standard, in January 2020 they released the MITRE ATT&CK for Industrial Control Systems (ICS) framework. This list of OT-specific TTPs collected from real-world data and provides a common classification for industrial security teams to improve their detection and how they should respond to cyber incidents. Now that OT defenders have a community-accepted attacker framework and list of TTPs which is constantly updated, it’s time to integrate this attack intelligence into the security solution being deployed in incident response processes.

With over 500 adversarial techniques in the framework, it would be very difficult for any organization to defend against all the methods and techniques no matter how solid their security strategy is.

How Can an Organization Implement the MITRE ATT&CK Framework?

The ATT&CK framework can be super useful and informative for any organization that needs to increase its threat knowledge and strengthen its security posture. While MITRE offers the materials for free, it’s suggested to adopt a solution that has the framework integrated into their security solution. This will allow security teams to deploy the framework for the organization’s security needs.

If an organization has a dedicated security team whose responsibilities include analyzing threat data, it’s recommended to start mapping threat intelligence based on the ATT&CK framework, instead of relying on previous mapping frameworks. This will allow the security teams to map out both external and internal attack information based on the ATT&CK framework which includes real-time alerts, incident responding and more. Once the security team has mapped out the attack data, they will be able to compare the ATT&CK framework with the organization data and prioritize attack techniques.

SCADAfence For MITRE ATT&CK

Earlier this year the SCADAfence Platform launched our advanced support for the MITRE ATT&CK framework. SCADAfence shares this new approach with the OT and ICS industry by mapping individual assessments and results to the framework. Aggregated results provide a visual map of the framework within our platform that identifies the systematic strengths and weaknesses of the organization’s security architecture. SCADAFence is the only OT security company that offers these mitigation steps within the map of the framework. This is aligned with SCADAfence’s development teams work motto – “fueled by innovation”.

Diagram 02. The SCADAfence Platform provides organizations with a MITRE ATT&CK visual map

The SCADAfence research team is constantly updating and understanding the development of the framework’s tactics and techniques. They offer feedback and actionable mitigation steps on the tactics and techniques of the framework which align with best practices for OT security and ICS.

The SCADAfence Platform correlates security alerts to the MITRE ATT&CK framework, providing visibility to the user on the attack tactic and technique. A new MITRE overview tab was added to our platform to analyze the security posture.

Diagram 03. The SCADafence Platform showing all the stages of the attack based on the MITRE ATT&CK framework

All system alerts from the SCADAfence Platform are mapped to the MITRE ATT&CK for the ICS model. The SCADAfence Platform also provides a map of an attack that is advancing according to the MITRE kill chain, and per each alert, the corresponding classification is presented as well. In the case of security incidents, this can greatly help customers to understand the phase of the incident, its extent and impact, and respond in a quicker and more effective way.

SCADAFence is the first OT security and ICS vendor that has developed and integrated the ATT&CK for ICS framework within their platform in such a comprehensive manner. Customers are already getting a better understanding of where and how cybercriminals are trying to gain access to their environments according to the framework. By implementing SCADAfence’s ATT&CK for ICS  technology it has provided them with a better picture for organizations when it comes to securing ICS.

In one specific case, one of our customers was able to detect and identify an active attack in the SCADAfence MITRE ATT&CK dashboard. Their security team was able to quickly identify the attacker’s movements through the kill chain and stop them in their tracks before any damage was done to their organization.

As cyber criminals continue to use more sophisticated attack methods, organizations need to prioritize the time and resources into understanding the behaviors of these attackers to stay secure against incoming threats. By leveraging the most advanced OT security vendor which covers the MITRE ATT&CK framework you will be able to quickly detect, visualize and mitigate any security gaps within your organization.