ICS Network Detection Products: Selecting and evaluating the right solution for your ICS environment
Our approach is vendor neutral. As such, there is no sales spin, just an impartial evaluation of products, with unbiased guidance from those who know how to use them. It is our goal to help customers understand the differences in the products available, select the one that is best for their needs, design a pilot evaluation in conjunction with an onsite vulnerability and risk assessment, and help deploy the solution.
Monitoring ICS networks for potential security incidents is an important element of any mature ICS cybersecurity program. However, until recently, implementing intrusion or anomaly detection on ICS networks was not very practical because commercially available intrusion detection systems (IDS), designed for enterprise IT networks, were not capable of analyzing the unique protocols used in industrial automation networks. In the past 5 years about 20 new products have been introduced that were designed specifically for ICS networks and have the ability to perform deep packet inspection on ICS protocols.
Most of the ICS anomaly detection products on the market follow a similar deployment architecture. Sensors are installed in various ICS network security zones to gather and pre-process network traffic. The sensors forward their data to an anomaly detection server that typically resides at Level 3 or Level 3.5 of the ICS network. One or more clients are then configured for the ICS network administrator and others to manage and view a dashboard of the ICS network security posture, either locally or centrally.
While many ICS engineers would shudder at the thought of installing a “foreign device” into their ICS networks, it is important to note that these products are typically passive, meaning that they can listen but cannot inject communications onto the ICS network. Among other features, many ICS anomaly detection products can identify assets, provide a view of protocols in use, alert to potential incidents, provide custom policy monitors and aid in incident response. Having all of this information visible on one console provides the ability to cohesively monitor and analyze the control system environment as opposed to managing each vendor’s equipment and data separately with vendor specific products.
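To make the passive deep-packet-inspection idea concrete, here is an added illustration (not code from aeSolutions or from any of the products discussed) of what such a sensor does with Modbus/TCP traffic it merely observes: it parses the MBAP header and function code, builds an asset inventory of addressed PLCs and unit IDs, tallies the functions in use, and raises a custom policy alert when a write comes from a host that is not an approved writer. The frames and IP addresses are constructed for the example, and the assumed policy is simply an allow-list of hosts permitted to write.

```python
"""Passive Modbus/TCP inspection sketch: asset inventory, protocol view, write-policy alerts."""
import struct
from collections import defaultdict

# Subset of Modbus function codes; the write codes are what a policy monitor usually watches.
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                  6: "Write Single Register", 15: "Write Multiple Coils",
                  16: "Write Multiple Registers"}
WRITE_CODES = {5, 6, 15, 16}

def parse_mbap(payload: bytes):
    """Parse the 7-byte MBAP header plus function code; return None if this is not a sane Modbus/TCP frame."""
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:   # protocol id must be 0; length covers unit id + PDU
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7]}

def inspect(flows, allowed_writers):
    """flows: iterable of (src_ip, dst_ip, dst_port, payload). Returns (assets, protocol counts, alerts)."""
    assets = defaultdict(set)      # dst_ip -> set of Modbus unit IDs addressed there
    protocols = defaultdict(int)   # function name -> observed count
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 502:           # only Modbus/TCP is decoded in this sketch
            protocols["non-modbus"] += 1
            continue
        hdr = parse_mbap(payload)
        if hdr is None:
            continue
        assets[dst].add(hdr["unit"])
        protocols[FUNCTION_NAMES.get(hdr["fc"], f"FC{hdr['fc']}")] += 1
        if hdr["fc"] in WRITE_CODES and src not in allowed_writers:
            alerts.append(f"write FC{hdr['fc']} to {dst} unit {hdr['unit']} from unexpected host {src}")
    return assets, dict(protocols), alerts

# Constructed sample traffic (not a real capture): MBAP header + function code + address + quantity/value.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 502, struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),  # HMI reads 10 registers
    ("10.0.1.10", "10.0.2.5", 502, struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 40, 1)),  # HMI writes register 40
    ("10.0.3.99", "10.0.2.5", 502, struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 40, 0)),  # unapproved host writes
    ("10.0.1.10", "10.0.2.6", 502, struct.pack(">HHHBBHH", 4, 0, 6, 2, 1, 0, 8)),   # reads coils on unit 2
    ("10.0.1.10", "10.0.2.7", 44818, b"\x6f\x00"),                                  # other protocol, not decoded
]

if __name__ == "__main__":
    inventory, proto_view, policy_alerts = inspect(SAMPLE_FLOWS, allowed_writers={"10.0.1.10"})
    print(dict(inventory), proto_view, policy_alerts, sep="\n")
```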
While these products offer valuable insight into the real-time security posture of their ICS networks, asset owners are struggling with determining if, when and how they might deploy this technology across their fleet of ICS systems. Grappling with these issues can be an incredibly complex challenge for organizations with multiple facilities and multiple ICS platforms. Not only do they have to select a solution, they also have to justify the investment and get buy-in from both corporate and local stakeholders (e.g. IT, automation, operations) as well as support from their primary automation vendors.
This effort typically starts with an evaluation of the various solutions available in today’s market. There are a number of variables to consider, such as which ICS vendors and protocols are supported, ease of use and training requirements, the reporting interface, hardware requirements, sensor placement and communication architecture, and the end goal of implementing a scalable solution.
aeSolutions can help guide organizations through this process. First, we have deep knowledge of many of the ICS network detection products and vendors. Second, we can help evaluate these products in an online (e.g. production network) or offline (e.g. test or lab) environment. Finally, we can incorporate these tools into an aeCyberPHA™ ICS cybersecurity vulnerability and risk assessment which helps organizations identify cybersecurity vulnerabilities in their systems, quantify the risk to operations and design & implement solutions, such as ICS network detection, that are commensurate with the risk.