I had a briefing recently on SCADAguardian, a systematic approach to diverse critical infrastructure monitoring. Nozomi’s product, a defense against industrial security attacks, is designed to protect operational technology (OT) in security operations centers through the use of deep packet inspection against tables of known malware behavior, as well as pattern recognition and relationship observations. The company demonstrated a compelling visual monitoring UX that targets industrial systems security as it converges with on-premises computing and cloud system assets.
ISPs have long been criticized for deep packet inspection, the practice of devolving 100 percent of network traffic into constituent components, packets and destinations for the purpose of throttling, shaping and/or controlling network traffic. Part of the contention over deep packet inspection has to do with the long battles for net neutrality. ISP customers (consumer and business) complained, based on the precept that all traffic should be treated with equal priority--and also that all traffic should be fully private.
However, if you’re looking for malware, suspect conversations or unusual behavior, deep packet inspection is perhaps the way to go.
Think about all of the data that's coming in: from industrial control systems, to supervisory control and data acquisition (SCADA), to the internet of things (IoT), the data communications turf can range from recent innovation to what was state of the art 30 years ago. Some SCADA and industrial equipment still runs on decades-old protocols, communicating over bus standards like GP-IB and RS-422, serial links like RS-232C, and even early dialects of Ethernet.
These new and/or gray-haired protocols, in turn, may control steel mills, power plants, traffic signals, hydroelectric dam gates and industrial machinery of a wide variety--or, in the case of IoT, a coffee pot or video camera. Ensuring the security of these and other devices is critical, but coverage of these assets requires a diverse monitoring infrastructure, whose communications signatures are equally diverse. As protocols are encapsulated to be communicated across a wide organizational turf, centralized monitoring methodology must take many inputs, devolve the traffic into constituent parts, and monitor and compare traffic--all in real-time.
This is what Nozomi is aiming to do. Using a combination of YARA and several other tools, Nozomi creates a link to an organization’s data infrastructure. YARA and the other inspection tools then filter every byte of traffic and watch the relationships among hosts and OT devices, looking for malware/virus pattern matches and abnormal or out-of-profile communications.
YARA can run multiple concurrent worker instances that allow a scalable number of stream watchers so traffic is not impeded. Rules for YARA are compiled to binary in C/C++ for speed and built into libraries. According to the company, this allows for the monitoring of diverse, even custom-built industrial control devices alongside malware signatures from a variety of sources.
A visual console of the communications relationships also makes abnormal behaviors among hosts and devices stand out. The chatty nature of communications among hosts and devices is correlated into a total infrastructure picture, which in turn can be linked with other security information sources (APTs, signatures, etc.) for analysis across all components within the infrastructure.
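To make the two detection strands described above concrete, here is an added example (not Nozomi's code and not part of the original article): a small Modbus/TCP-aware inspector that learns which hosts talk to which PLCs with which function codes during a baseline window, then flags both YARA-style signature hits on payload bytes and out-of-profile conversations. The flow records, host names and rule are constructed for the illustration; the only real protocol detail relied on is the 7-byte MBAP header that precedes the Modbus function code.

```python
import re

# Constructed flow records for this example: (src_host, dst_host, dst_port, payload).
# Port 502 is Modbus/TCP; the hosts and payload bytes are made up.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # read regs
    ("hmi-01", "plc-02", 502, b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x10\x00\x04"),  # read regs
    ("hist-01", "plc-01", 20000, b"\x05\x64\x05\xc0\x01\x00\x00\x04"),              # DNP3-like
]
LIVE_FLOWS = [
    ("hmi-01", "plc-01", 502, b"\x00\x03\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # Same HMI and PLC, but a register write (function 0x10) never seen during baselining.
    ("hmi-01", "plc-01", 502,
     b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\xde\xad\xbe\xef"),
    # A host that never talked to plc-02 while the baseline was learned.
    ("eng-laptop", "plc-02", 502, b"\x00\x05\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
]

# Constructed YARA-style rule: byte strings plus a condition over their hits
# (here "all of them"). Real rules would come from a threat feed or vendor library.
SIGNATURES = {
    "demo_write_marker": {"strings": [rb"\x01\x10", rb"\xde\xad\xbe\xef"], "condition": all},
}

def modbus_function(payload: bytes):
    """Function code follows the 7-byte MBAP header (txn id, proto id, length, unit id)."""
    return payload[7] if len(payload) > 7 else None

def conversation_key(src, dst, port, payload):
    """Who talks to whom, on which port, and (for Modbus) with which function code."""
    func = modbus_function(payload) if port == 502 else None
    return (src, dst, port, func)

def learn_baseline(flows):
    """Learning phase: record every conversation key observed in known-good traffic."""
    return {conversation_key(*flow) for flow in flows}

def inspect(flows, baseline, signatures):
    """Detection phase: signature hits on payload bytes plus out-of-profile conversations."""
    alerts = []
    for src, dst, port, payload in flows:
        for name, rule in signatures.items():
            if rule["condition"](re.search(s, payload) for s in rule["strings"]):
                alerts.append(("signature", name, src, dst))
        key = conversation_key(src, dst, port, payload)
        if key not in baseline:
            alerts.append(("out_of_profile", key, src, dst))
    return alerts
```

Run against the constructed live flows, the inspector stays quiet on the routine read and raises three alerts: a signature hit and an out-of-profile function code for the write, and an out-of-profile peer for the laptop.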
This combination of deep packet inspection, customized device control signatures, communications relationship monitoring, and more, Nozomi asserts, is key to completing the link between IT and security ops/ICS/SCADA monitoring.