Eagle 40 07 with Tripwire Industrial Visibility | Tripwire

Secure OT Infrastructure with EAGLE40-07 & Tripwire Industrial Visibility

Deepen Your Industrial Control Systems Security Assessments

You’re responsible for keeping an operational technology (OT) network running in the face of security challenges. The welfare of workers, the general public, and the company depends upon you. Your network has to be resilient against cyberattacks. Your job is made harder still by increasingly connected OT networks. To overcome these challenges, you need to gain deep visibility into your network to find signs of intrusion.

Tripwire® Industrial Visibility is designed to tap into the native protocols on the OT network in such a way that it extracts data without affecting operations that may be sensitive to latency and bandwidth change. Our deep understanding of the myriad protocols used by OT systems makes this possible. EAGLE40 next-generation industrial firewalls are integrated with Tripwire Industrial Visibility to offer a comprehensive industrial cybersecurity solution, simplifying networks, maximizing uptime, reducing the number of devices and cost without compromising network security.

 

ICS Run Our World

Industrial control systems (ICS) are the workhorses of the critical infrastructures that keep society running. The networks in these critical infrastructure segments must be reinforced to establish cyber resilience:

  • Energy
  • Chemical
  • Transportation
  • Water & Wastewater
  • Dams
  • Nuclear
  • Defense 
  • Government
  • Emergency Services
  • Financial Services
  • Food & Agriculture
  • Healthcare
  • Smart Cities
  • Critical Manufacturing
  • Information Technology

 

OT Network Challenges

OT environments present unique challenges, such as latency and bandwidth issues and protocol proliferation:
  • Latency and bandwidth issues: OT systems are sensitive to latency and bandwidth changes. Many of them were initially deployed on dedicated networks that performed well under known loading conditions. IT security system designers assume that network bandwidth is abundant and network speeds are high. When OT applications and hardware are placed under excessive load due to these emerging IT systems, they have the potential to starve critical applications of needed resources, causing them to crash.
  • Protocol proliferation: ICS often have dozens of protocols in play. The variety and complexity of these protocols provide cover for a hacker’s activities. To prevent malicious activity on the OT network that could impact availability, it is necessary to understand what an intruder is doing. Tripwire Industrial Visibility is able to passively collect and parse these protocols and isolate abnormal activity. Tripwire Industrial Visibility has no impact on either the latency or bandwidth of a network.

 

OT Network Advantages

But it’s not all doom and gloom. OT networks also have unique tools that can be used to secure ICS if operators know where to look:
  • Consistency: OT systems strive for repeatability. This reduces the variability of activity on the network and makes it harder for an intruder to hide in the noise. By modeling “normal” behavior of each device on the network, you can recognize abnormal activity caused by intruders who are probing and experimenting.
  • Fewer applications: There are also relatively few applications running on an OT network as compared to IT. This makes it easier to listen to the conversation and determine if a user is doing what they should be.
  • DPI: Deep packet inspection (DPI) makes it possible to open communication packets and read their contents. This information can then be used to understand what is happening as it happens.
  • Protocols: Protocols are both a hindrance and a helper in ICS. The protocols used to communicate between ICS devices can be used to directly monitor actions occurring on the system. Understanding a large number of vendor protocols improves overall network visibility.

 

EAGLE40 with Embedded Tripwire Industrial Visibility

To tackle the challenge of deploying enterprise-grade software into OT networks, Tripwire has partnered—within the Belden brand—with Hirschmann, an industry leader in ruggedized cybersecurity appliances, to provide EAGLE40 with embedded Tripwire Industrial Visibility. This is an integrated one-box solution, so no additional purchase is needed to run Tripwire Industrial Visibility. Additionally, the integrated solution is industrial-grade, fully ruggedized hardware with optional bump-in-the-wire deployment capability, which means no SPAN ports (mirrored ports) are required.

The EAGLE40 firewall integrates seamlessly with Tripwire Industrial Visibility to:
  • Monitor network traffic without an additional mirror/SPAN port
  • Eliminate the need for additional sensor hardware
  • Provide intrusion detection abilities
The following example shows how EAGLE40 works with Tripwire Industrial Visibility to protect a new PLC:
  1. A new PLC is added to the network and sends data to its HMI
  2. Firewall detects a new device and notifies Tripwire Industrial Visibility
  3. Tripwire Industrial Visibility identifies a new threat, vulnerability or unsecure protocol and alerts the administrator
  4. Operator adds a firewall rule to block potential threat
  5. PLC is safe from threats

 

How Tripwire Industrial Visibility Works

Optimized specifically for ICS, Tripwire Industrial Visibility can understand the most important and commonly used ICS protocols. Let’s take a deeper dive into the ways you can use Tripwire Industrial Visibility to get the most safety, quality, and uptime possible from your OT environment.

  • Complete Network Visibility: By reading the network traffic, it can isolate all assets on your OT network to understand the flow of traffic between them. This data is then used to create graphical network maps that make it easier for operators to visualize activity and to notice anomalies. It taps into OT network communication by listening through the SPAN port of routers and switches connected to the network segment and uses deep packet inspection to open data packets and interpret protocols.
  • Downtime Prevention: One of the primary benefits of Tripwire Industrial Visibility is its ability to stop bad actors in their tracks. Attackers intending to infiltrate your network to cause damage are recognized quickly, enabling their rapid removal. You’ll also have quicker recognition of system penetration, as hackers can be detected before attempting to upgrade access permissions, modify system configurations, or change files.
  • Machine Learning: Tripwire Industrial Visibility employs machine learning in a number of ways. It creates a baseline of expected behavior from good actors. When a bad actor deviates from a baseline, it flags them to operators. Even bad actors using legitimate credentials can be easily detected. Unlike IT networks, OT networks have far more consistency in the behavior of users. Machine learning is applied to understand what is normal and then alert when unexpected behavior occurs. In addition to user behavior, network activity can also be monitored for “normal” behavior. The traffic from a correctly behaving network is fed into a machine learning system, and the system learns to recognize normal activity. Whenever something unusual occurs, an alert is generated. This saves you time and prevents you from being responsible for evaluating each and every data point.
  • Attack simulation: Tripwire Industrial Visibility uses vulnerability data to hypothesize a series of attacks that could be executed against your OT network. This information helps executives fully understand security holes and to scale the impact of a potential breach. Users can highlight a sensitive asset and the system will posit attack vectors that could be executed against it.
  • Event logging: Tripwire Industrial Visibility includes Tripwire Log Center™, which provides secure and reliable log collection from multiple sources to help you investigate outages and correlate events of interest. Its automated normalization engine parses log data to help you quickly identify what data is most relevant and build actionable correlation rules. An intuitive visual interface lets you customize log data rules around your specific use cases. This function also allows you to prefilter information before it reaches your SIEM.
  • Passive scanning: Tripwire Industrial Visibility works smoothly with legacy ICS technology, using passive scanning to maximize uptime. A strategic combination of agentless and agent-based passive scanning keeps legacy systems up and running during scans. Unlike traditional vulnerability management and security configuration management (SCM) products, it employs no-touch sensing that can be used when legacy systems would otherwise crash when polled.

 

How EAGLE40-07 Works

EAGLE40-07 belongs to the multiport EAGLE40 family of industrial firewalls. This next-generation device with multi-layer firewall, routing, and VPN encryption combats the growing sophistication of the cyber landscape.

  • Advanced intrusion detection and prevention capabilities for comprehensive cybersecurity
  • Optimizes network performance with seven Gigabit Ethernet ports and enhanced encryption capabilities
  • Ruggedized hardware maximizes uptime under harsh industrial conditions

EAGLE40 with embedded Tripwire Industrial Visibility has the Tripwire Industrial Visibility server preloaded on the device. In addition, Tripwire Industrial Visibility sensor technology (Remote Dissector) is also integrated with the EAGLE40-07 firewall, eliminating the need for additional hardware and providing a comprehensive cybersecurity solution.

Summary

Tripwire Industrial Visibility provides deep, ongoing network assessment for OT operators in industrial control systems. Because Tripwire understands the complex challenges posed by increasingly connected legacy technology, we’ve developed a way for you to see exactly what’s going on in your OT environments at all times using native industrial protocol communications. You can now take advantage of Tripwire Industrial Visibility embedded in the EAGLE40-07 industrial firewall as one integrated solution.