Thomason Technologies announces its signature ICS/SCADA monitoring software, Industrial Threat Hunter®, which provides network visibility and security for operational networks, enabling operators to stop malicious activity before it impacts operations.


Industrial Threat Hunter
Network Security for Industrial Networks
How it Works
Industrial Threat Hunter is a software application that runs on a Linux operating system. After establishing a baseline of all devices communicating on the operational network, Industrial Threat Hunter monitors for any changes: new devices, new communications ports, new protocols, etc. Additionally, Industrial Threat Hunter monitors SCADA protocols including DNP3, Modbus, IEC 61850 and IEC 60870-5-104 for violations of the protocol. These violations could indicate something as simple as a programming error on the part of the manufacturer, or they could be more serious and indicate intentionally corrupted code, data leakage, or attempts to flood or hijack sessions.
Industrial Threat Hunter is passive, to be connected via a tap, mirror or SPAN port. For layer-2-only network protocols (like GOOSE), Industrial Threat Hunter can be connected to any active port. As a result, Industrial Threat Hunter cannot block operational traffic. Industrial Threat Hunter has been tested and approved for use on a number of industrial-grade computers. Additionally, it is integrated with Cisco Firepower and Palo Alto Networks firewalls.
The vast majority of the time, Industrial Threat Hunter is very quiet on the operational network. But when something isn't right, you can count on Industrial Threat Hunter to sound the alarm.
1. Detect New Devices
Industrial Threat Hunter detects new devices and new communications between devices. Know immediately if a rogue or unauthorized device is introduced to your OT network.
2. Identify Protocol Errors
SCADA protocols were not designed to be secure, and protocol errors can be an indication that someone is exploiting a vulnerability in the protocol. Industrial Threat Hunter alerts you before the attacker can decode your network operations.
3. Integrate with IPS or Firewall
Industrial Threat Hunter integrates with your existing IPS, firewall or SIEM, eliminating the need for another GUI. You don't need another silo or stovepipe solution. You just need the data.

SCADA Protocol Vulnerabilities
Internet protocols were built to withstand a nuclear explosion, but they weren't designed to be bulletproof against hackers. DNP3, Modbus and all other SCADA protocols have serious vulnerabilities, exposing them to those who would jeopardize our critical infrastructure. Industrial Threat Hunter meticulously investigates every SCADA packet and evaluates it deterministically against the protocol standards and sophisticated attack methods.

New Device Identification
Industrial Threat Hunter reports new devices including their MAC and IP addresses to your operations management system.
The threat landscape for industrial networks is growing regularly. Physical security and an air gap are not enough to protect this extremely critical infrastructure. We know foreign nations are using the Internet to try to find ways into your infrastructure. Eventually, they will either find a way in or use physical access to intrude. Because SCADA and ICS networks are normally very static, new devices are rare and should be identified immediately.

New Protocols or Services
New protocols, services or communications ports should be even rarer in industrial networks. Often the first indication of an issue on the industrial network is the introduction of a new device or new communications channel, but without monitoring it goes unnoticed. Industrial Threat Hunter immediately identifies any new device or new communications channel and reports the information to your command and control system, giving you time to respond effectively.
About Industrial Threat Hunter
Cybersecurity has never been easy, as the attackers get smarter every week. The evolution of technology increases the complexity of the problem and often opens new vulnerabilities or threat vectors. Thomason Tech developed Industrial Threat Hunter after years of experience working with utility companies. We understand the complexities of OT versus IT networks. But as OT networks evolve, they require more robust security systems, and IT security products don't exactly fit. For example, discovering a new device in an IT network is an exercise in futility, but a new device, protocol or communications channel in the SCADA network could be the start of a disaster.
Thomason Technologies has been developing Industrial Threat Hunter for over five years. It is tested in some of the largest utilities and has proven effective without producing false positives. Industrial Threat Hunter uses a minimalistic approach to providing proven security.
Industrial Threat Hunter monitors industrial protocols and validates every part of the packet. Do the sequence numbers make sense? Do the status numbers make sense? Are the checksums valid? Are the operation codes acceptable? And the list goes on. Along with the identification of new devices, services and communications processes, this information leads to the discovery of a possible attack before it causes any damage. Even a potential intruder with extensive knowledge and physical access to your network cannot evade Industrial Threat Hunter without turning it off (a really big indicator that something is wrong). When you look over the cybersecurity kill chain, virtually every step would require the introduction of one or more of the elements above. As a result, the asset owner has a significantly better chance of preventing damage when notified ahead of time, as opposed to waiting until something goes wrong.
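As an added illustration of the two mechanisms this page describes (the learned baseline of devices and conversations in "How it Works", and the per-packet protocol validation above), the following Python sketch is not Thomason's code; the Modbus function-code set, the host addresses and the frames are constructed assumptions, and the Modbus/TCP checks cover only the MBAP header and function code.

```python
import struct

KNOWN_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}  # public codes the constructed PLC serves

def validate_modbus_tcp(frame: bytes) -> list:
    """Return the protocol violations found in one Modbus/TCP frame (MBAP + PDU)."""
    if len(frame) < 8:
        return ["frame shorter than MBAP header plus function code"]
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    issues = []
    if proto_id != 0:
        issues.append("protocol id %d is not 0 (Modbus)" % proto_id)
    if length != len(frame) - 6:   # MBAP length covers unit id + PDU
        issues.append("length field %d != %d actual bytes" % (length, len(frame) - 6))
    fc = frame[7]
    if fc & 0x80:                  # exception bit: the slave rejected a request
        issues.append("exception response for function %d" % (fc & 0x7F))
    elif fc not in KNOWN_FUNCTION_CODES:
        issues.append("unexpected function code %d" % fc)
    return issues

class OtBaseline:
    """Learn which devices and conversations exist, then flag anything new."""
    def __init__(self):
        self.devices = set()    # (mac, ip) pairs seen during learning
        self.channels = set()   # (src ip, dst ip, dst port, protocol) tuples
    def learn(self, rec: dict) -> None:
        self.devices.add((rec["mac"], rec["src"]))
        self.channels.add((rec["src"], rec["dst"], rec["dport"], rec["proto"]))
    def check(self, rec: dict) -> list:
        dev = (rec["mac"], rec["src"])
        chan = (rec["src"], rec["dst"], rec["dport"], rec["proto"])
        alerts = []
        if dev not in self.devices:
            alerts.append("new device %s at %s" % dev)
        if chan not in self.channels:
            alerts.append("new channel %s -> %s:%d/%s" % chan)
        if rec["proto"] == "modbus":
            alerts += validate_modbus_tcp(rec["payload"])
        return alerts

# Constructed records: an HMI polling a PLC, then an unknown host sending that PLC
# a request with a bad length field and a function code outside the known set.
HMI_POLL = {"mac": "aa:bb:cc:00:00:01", "src": "10.0.0.10", "dst": "10.0.0.20", "dport": 502,
            "proto": "modbus", "payload": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x02"}
ROGUE = {"mac": "aa:bb:cc:00:00:99", "src": "10.0.0.99", "dst": "10.0.0.20", "dport": 502,
         "proto": "modbus", "payload": b"\x00\x02\x00\x00\x00\x05\x01\x08\x00\x00"}

def demo() -> list:
    mon = OtBaseline()
    mon.learn(HMI_POLL)                            # baseline phase
    return mon.check(HMI_POLL) + mon.check(ROGUE)  # monitoring phase
```

A real deployment would feed records decoded from a tap or SPAN port and would also validate the PDU body (register counts, byte counts) and the protocol-specific checksums the page mentions.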