ISA99/IEC 62443 Controls with Tripwire Industrial Visibility | Tripwire

Addressing ISA99/IEC 62443 Controls with Tripwire Industrial Visibility

The ISA99/IEC62443 cyber security framework for OT networks is widely recognized as an industry standard. Complying with ISA99/IEC62443 best practices is a safe path to enhancing the cybersecurity posture of any given OT environment. Tripwire® Industrial Visibility is purpose-built to secure the safety and reliability of OT networks, and as such it addresses the main ISA99/IEC62443 guidelines. Deploying Tripwire Industrial Visibility helps the OT network’s stakeholders comply with external regulations and internal policies that acknowledge ISA99/IEC62443 as a cybersecurity best practice.

Tripwire Industrial Visibility passively connects to the network and utilizes proprietary Deep Packet Inspection (DPI) capabilities to parse the network traffic and retrieve critical asset data, providing the following:

OT Network Topology and Asset Data

Tripwire Industrial Visibility delivers a full inventory of the entire OT network, including explicit IP assets as well as remote I/O, PLC DLR and serial devices. For each asset, it retrieves a full set of unique descriptors such as IP and MAC addresses, firmware version, serial number, etc.

Activity Monitoring

Tripwire Industrial Visibility establishes a high-fidelity baseline for each asset’s behavior and alerts when a non-baseline communication takes place. The baseline, coupled with any deviations that occur, provides full documentation of the asset’s activities.

Alerts

Tripwire Industrial Visibility raises an alert upon the occurrence of either anomalous activity (baseline deviations) or a critical change (configuration download/upload, firmware upgrade, etc.). These alerts correspond to all scenarios in which running code impacts a production process. Tripwire Industrial Visibility is the leading product for cyber security within the confines of the OT network, i.e. Levels 0–2 of the Purdue Model. The visibility the solution introduces to OT networks enables security and control teams to combine their knowledge for rapid and efficient incident response and to drive forward overall network resiliency.

ISA99/IEC62443 Use Cases

FR 1 – Identification and Authentication Control

This use case begins with the requirements for identification and authentication controls on the control system. Organizations must implement controls to limit unsuccessful authentication attempts, change/refresh all authenticators, and monitor access to the control systems, as well as implement controls for account management. Many control systems do not support the ability to deny access based on the number of unsuccessful login attempts or to enforce authenticator refresh. By leveraging deep packet inspection (DPI), Tripwire Industrial Visibility can passively detect unsuccessful login attempts throughout the ICS network and detect known default passwords used during logins occurring over the network. It also alerts when the defined number of consecutive invalid access attempts is exceeded or when a default password is detected, encrypts the data it collects, and has the ability to obfuscate sensitive data.

Tripwire Industrial Visibility creates baselines with approved configurations. If accounts or authenticators deviate from the approved baselines, configurable alerts are generated.

FR 2 – Use Control

This use case begins with the requirement to implement multiple audit and accountability security controls on control systems. Tripwire Industrial Visibility provides auditable events by inspecting ICS network traffic. Even if a control system is not capable of creating the audit event, the solution is able to determine the event through DPI. Control system communication connections, user login/logouts, baseline network configuration, firmware changes, the types of commands and registers used, and the values of the responses are captured by the solution and stored in its database. The auditable events for assets can be placed into a report for management review at a determined periodicity. Auditable events are configured to capture packets to support after-the-fact investigations of security incidents. The events are adjusted and configured based on current threat information.

Tripwire Industrial Visibility captures each event and records what occurred, when and where it occurred, its source, and its outcome, while allowing authorized users to select which events are audited. It provides a centralized architecture to manage audit records and prevent the alteration or destruction of captured events.

Since the solution is capable of running in a virtual or physical environment, storage capacity for audit events can be adjusted to meet organizational requirements. Tripwire Industrial Visibility seamlessly integrates OT alerts into an organization’s existing security information and event management (SIEM)—including Tripwire Log Center™—or security operations center (SOC) platforms to provide a holistic view of the organization’s risks and security stance. It can timestamp events itself or leverage an existing centralized time server.

Tripwire Industrial Visibility provides audit records and reports for indications of inappropriate or unusual activity. The events and alerts may be configurable based on current threat information and requirements. It integrates audit review, analysis, and reporting processes for investigation and response to suspicious activities.

Tripwire Industrial Visibility protects audit information from unauthorized access, modification, and deletion. It also provides different layers of access based on the user’s need to know.

FR 3 – System Integrity

This use case begins with the requirement to apply multiple system integrity controls to different aspects of the control system. These controls include the integrity of communications, software and information as well as controls for malicious code and the protection of audit information.

Tripwire Industrial Visibility security fabric monitors all network traffic using DPI capabilities, built specifically for ICS networks and protocols. Using advanced machine-learning algorithms, built with the machine-to-machine character of these networks in mind, the solution automatically allowlists legitimate, baseline activities and alerts on any changes or anomalies. The solution detects the effects of malicious code or unauthorized software and generates alerts. The situational awareness engine takes into consideration spoofing, poisoning, and man-in-the-middle attacks.

Tripwire Industrial Visibility monitors the OT network, leveraging a unique combination of signatures, purpose-built OT behavioral models and proprietary anomaly detection capabilities to immediately detect and provide actionable information on any human errors, network failures or malicious activities. By correlating information across the network, the solution gives organizations the situational awareness they need, out of the box, to identify the root cause of incidents and changes, so risks are mitigated.

Tripwire Industrial Visibility monitors the OT network to detect known or suspected malicious communications, leveraging a unique combination of signatures, purpose-built OT behavioral models and proprietary anomaly detection capabilities to immediately detect and provide actionable information on any human errors, network failures, communication integrity deterioration, or malicious activities.

Tripwire Industrial Visibility creates a configuration baseline of assets on the ICS network. Communication information, software, OS, firmware, serial numbers, and card rack slots are captured for baseline configuration. For example, such baselines are used to monitor field devices for their latest configuration information to detect security breaches (including unauthorized changes).

It is also able to obfuscate data to protect sensitive information. The solution protects audit information from unauthorized access, modification, and deletion, and provides tiered access to ensure error messages are only revealed to authorized personnel.

FR 5 – Restricted Data Flow

This use case begins with the requirement to segment the control system via zones and conduits to limit the unnecessary flow of data. Tripwire Industrial Visibility identifies the specific assets on the network, the lines of asset communication, the type of commands and registers used, and even the values of valid responses. This decoded information provides visibility for open/insecure protocols, proprietary protocols, account information on CDAs, information flow, network access control, and even unsuccessful login attempts. Tripwire constructs network/communication maps with the ICS communications that are decoded. This robust information assists organizations by identifying control system zones and all data flow conduits. The solution provides a map of all assets communicating on an ICS network (Field Bus/Serial & IP Networks).

Tripwire Industrial Visibility delivers analysis of information flow throughout the ICS network (Field Bus/Serial & IP Networks). Baselines of control systems communication are created to detect any deviation in real-time.
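The two detection mechanisms described under FR 1 (alerting once a defined number of consecutive failed logins is reached) and under FR 3/FR 5 (a learned baseline of asset-to-asset communications, with alerts on any deviation) can be modelled in a few dozen lines. The following is an added illustration, not Tripwire's code: the addresses, protocol names and operation labels are constructed placeholders, and the events are hand-built tuples standing in for what passive DPI would decode.

```python
from collections import defaultdict

# Constructed learning-period traffic: (src, dst, protocol, operation).
# Operation names are illustrative labels, not real protocol function codes.
BASELINE_TRAFFIC = [
    ("10.0.1.5", "10.0.2.10", "modbus", "read_holding_registers"),
    ("10.0.1.5", "10.0.2.10", "modbus", "write_single_register"),
    ("10.0.1.6", "10.0.2.11", "s7comm", "read_var"),
]

def learn_baseline(events):
    """Allowlist: each (src, dst, protocol) conversation maps to the set of
    operations observed during the learning period."""
    baseline = defaultdict(set)
    for src, dst, proto, op in events:
        baseline[(src, dst, proto)].add(op)
    return dict(baseline)

def baseline_deviations(baseline, events):
    """Flag an unseen conversation (e.g. a new host talking to a PLC) or an
    unseen operation on a known conversation (e.g. a firmware download where
    only register reads/writes were baselined)."""
    alerts = []
    for event in events:
        src, dst, proto, op = event
        known_ops = baseline.get((src, dst, proto))
        if known_ops is None:
            alerts.append(("new_conversation", event))
        elif op not in known_ops:
            alerts.append(("new_operation", event))
    return alerts

def failed_login_alerts(login_events, threshold=3):
    """login_events: (src, dst, user, success). Raise one alert when a source
    reaches `threshold` consecutive failures against one asset; a successful
    login resets that source's counter for that asset."""
    streak, alerts = defaultdict(int), []
    for src, dst, user, success in login_events:
        key = (src, dst)
        if success:
            streak[key] = 0
            continue
        streak[key] += 1
        if streak[key] == threshold:
            alerts.append(("consecutive_failures", src, dst, user, threshold))
    return alerts

# Constructed monitored events: one known flow, one new operation, one new peer,
# and three consecutive failed logins from an unfamiliar host.
MONITORED_TRAFFIC = BASELINE_TRAFFIC[:1] + [
    ("10.0.1.5", "10.0.2.10", "modbus", "firmware_download"),
    ("10.0.9.9", "10.0.2.10", "modbus", "read_holding_registers"),
]
LOGIN_EVENTS = [("10.0.9.9", "10.0.2.11", "admin", False)] * 3 + [
    ("10.0.1.6", "10.0.2.11", "operator", True)]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_TRAFFIC)
    for alert in baseline_deviations(base, MONITORED_TRAFFIC) + failed_login_alerts(LOGIN_EVENTS):
        print(alert)
```

Run stand-alone it prints two baseline alerts and one consecutive-failure alert; in practice the same event model is fed from decoded captures rather than literals.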

FR 6 – Timely Response to Events

This use case begins with the requirement to respond to security violations by notifying the proper authority, reporting the needed evidence of the violation, and taking timely corrective action when incidents are discovered. Tripwire Industrial Visibility provides auditable events by inspecting ICS network traffic. Even if a control system is not capable of creating the audit event, the solution is able to determine the event through DPI. Examples of these events include control system communication connections, user login/logouts, baseline network configuration, firmware changes, the types of commands and registers used, and the values of the responses. The auditable events for assets are placed into a report for management review at a determined periodicity. Auditable events are configured to capture packets to support after-the-fact investigations of security incidents. Data is preserved in the asset’s history in the solution’s database. These robust features support an organization’s ability to respond to events on the control system. The Tripwire Industrial Visibility security fabric monitors all network traffic using DPI capabilities built specifically for ICS networks and protocols. Using advanced machine-learning algorithms, built with the machine-to-machine character of these networks in mind, the solution automatically allowlists legitimate, baseline activities and alerts on any changes or anomalies. The solution protects audit information from unauthorized access, modification, and deletion. It also provides different layers of access based on the user’s need to know.

FR 7 – Resource Availability

This use case begins with the requirement to apply configuration and asset management controls to control systems. Tripwire Industrial Visibility assists organizations by identifying baseline communication patterns on an ICS network (Field Bus/Serial & IP Networks). It decodes the identity information embedded in digital messages to determine the communication protocols in use and displays the entire network of assets and the asset architecture. Communication information, software, operating system, firmware, serial numbers, and card rack slots are captured for the baseline configuration. Tripwire Industrial Visibility passively collects all ICS network traffic. This traffic can be sent to a test or simulated environment, where production traffic can be used to determine the effects of equipment changes. Historical data is stored for each individual asset, allowing organizations to review and report on changes that deviate from the authorized baseline. Reports can be run on the assets to verify accepted changes; these reports can be routed to designated approval authorities and the documentation then placed in the organization’s change control database. Tripwire Industrial Visibility reflects the current system configuration of assets on the ICS network. If unauthorized components are connected to the ICS network, unauthorized changes are made to the ICS network or to cyber assets, or unauthorized communications take place on the ICS network, it creates alerts for designated officials.
