The protection of the nation’s critical infrastructure has been near the top of the Obama administration’s priority list since early in his first term as President, and even though an Executive Order issued in February 2013 led to the creation of the Cybersecurity Framework, we still have a long way to go in adequately securing these vital assets.
A newly unveiled suite of tools from security company Dragos Security called CyberLens, which enables passive discovery and identification of cyber assets and data on control system networks, may be just what the doctor ordered for the Industrial Control System (ICS) community.
ICS asset owners and operators are challenged to maintain constant visibility into what is on their network, including sensitive devices such as Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs), which are vital to critical infrastructure such as energy, transportation and water utilities.
“Normally, identifying assets can be difficult or impossible on sensitive networks because network mapping generally involves active scanning,” said Dragos Security Co-Founder Robert M. Lee. “Active scanning can damage or deny service to sensitive network-enabled devices.”
Lee and his partners say that the suite of tools incorporated into CyberLens can enhance efforts to satisfy compliance standards such as North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) through cyber asset and communication link identification, and can also be used to identify changes in system connectivity and communication links using its timeline feature, serving as a strategic asset for incident responders.
“The security community tends to not utilize their number one defense: network knowledge. Your defenders should know how the network looks and the attackers should have to try to fight to figure it out,” Lee continued. “With that level of knowledge, network anomalies stand out more easily, incident response is easier, and designing and implementing effective defense systems is much more feasible.”
Co-Founder Matthew E. Luallen agreed, adding that these tools provide an unmatched view into the network and also have optional customizable security features to meet the needs of the user.
“Understanding your network and having a current map of what assets are on it down to the type of data flows is security. Knowledge of the network is a foundational element security teams should have over the adversaries,” said Luallen.
“I am personally excited to provide the ICS community with the capability to inventory cyber assets and perform deep packet ICS protocol inspection. CyberLens(R) serves as an ICS organization’s archaeologist – discovering the cyber assets, identifying the communications pathways and visually depicting ICS protocol metadata.”
CyberLens features include:
- Performing live and passive network data captures through the deployment of one or more sensors around the network
- Operating standalone, processing pre-obtained packet captures and mapping the results offline
- Generating an interactive graphical map for users to see all network devices, how they are connected, and in what ways they communicate
- Saving or printing the maps and any of your settings for future use
- Displaying a printable and easy-to-read list of all the devices on the network
- Using available data to perform timeline analysis to see network changes or aid incident response
- Showing network statistics for each link, including the type of protocols, volume, and netflow
- Enabling a variety of alerts, including the identification of new devices or the failure of old devices
- Creating multiple user accounts with secure logins
- Deploying easily with a complete installer on multiple operating systems
- Performing full packet inspection and dissection of traditional Information Technology protocols as well as control system protocols through unique protocol lenses such as DNP3, ModbusTCP, BACnet, AB PCCC, ISO-TSAP, S7 and more
- Providing extensions to enable additional data flows to asset inventory, centralized logging and intrusion analysis programs
- Supporting custom lenses and APIs to perform deep packet inspection within proprietary ICS protocols
- Observing commands sent to field control devices and validating devices such as Data Historians
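To make the passive approach in the feature list concrete, here is a small Python sketch written for this article (it is not CyberLens or any Dragos code): it dissects constructed Modbus/TCP frames, derives a device and link inventory without transmitting anything, and flags hosts that were absent from an earlier baseline, the way a timeline or new-device alert would. All addresses, unit ids and register values are assumptions made up for the example.

```python
import struct
from collections import defaultdict
# Public Modbus function codes worth labelling on a link (reads vs. writes)
MODBUS_FUNCS = {1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
                6: "Write Single Register", 16: "Write Multiple Registers"}

def parse_modbus_tcp(payload):
    # Dissect a Modbus/TCP ADU: MBAP header (tid, proto id, length, unit id) + PDU.
    # Returns (unit_id, function_code), or None when the frame is malformed.
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    return unit, payload[7]

def build_inventory(packets):
    # Passively derive devices and links from observed (src, dst, dport, payload) frames.
    devices = defaultdict(lambda: {"roles": set(), "unit_ids": set()})
    links = defaultdict(lambda: {"frames": 0, "bytes": 0, "functions": set()})
    for src, dst, dport, payload in packets:
        proto = "modbus" if dport == 502 else "other"
        link = links[(src, dst, proto)]
        link["frames"] += 1
        link["bytes"] += len(payload)
        devices[src]["roles"].add("client")
        devices[dst]["roles"].add("server")
        parsed = parse_modbus_tcp(payload) if proto == "modbus" else None
        if parsed:
            unit, fc = parsed
            devices[dst]["unit_ids"].add(unit)        # one PLC may front several unit ids
            link["functions"].add(MODBUS_FUNCS.get(fc, f"fc{fc}"))
    return devices, links

def new_devices(baseline, devices):
    # Timeline-style check: hosts seen now that were absent from an earlier inventory.
    return sorted(set(devices) - set(baseline))

def adu(tid, unit, fc, data):
    # Build a Modbus/TCP ADU for the constructed sample below.
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
# Constructed sample capture; every address and register value is made up.
SAMPLE = [
    ("10.0.0.10", "10.0.0.20", 502, adu(1, 1, 3, b"\x00\x00\x00\x0a")),   # HMI reads registers
    ("10.0.0.10", "10.0.0.20", 502, adu(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05")),  # HMI writes
    ("10.0.0.10", "10.0.0.21", 502, adu(3, 2, 1, b"\x00\x00\x00\x08")),   # HMI reads coils, PLC 2
    ("10.0.0.99", "10.0.0.20", 502, adu(4, 1, 5, b"\x00\x01\xff\x00")),   # host not in baseline
    ("10.0.0.10", "10.0.0.30", 443, b"\x16\x03\x01\x00\x05hello"),         # non-Modbus traffic
]
BASELINE = {"10.0.0.10", "10.0.0.20", "10.0.0.21", "10.0.0.30"}
```

Calling `build_inventory(SAMPLE)` and then `new_devices(BASELINE, devices)` yields the per-link frame counts and function labels plus the single host not in the baseline; a real deployment would feed frames from a sensor or a saved packet capture instead of `SAMPLE`.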
“CyberLens is designed to empower the end user. Whether it is an operator, auditor, or management it doesn’t matter. The team is putting a lot of time and effort on making CyberLens intuitive, easy to use, and functional,” said co-founder Jon Lavender.
“The GUI is web based and works across all modern browsers on Windows, Mac, and Linux operating systems. We didn’t want to stop there; we understand that technologies evolve and companies/customers are often faced with having to integrate software solutions that lots of times aren’t compatible. That is why we have built an API for CyberLens to provide users the flexibility of programmatically accessing the network data behind the GUI,” Lavender continued.
Co-Founders Lavender, Lee, Luallen and Justin Cavinee established Dragos Security LLC in August 2013 because each of the members recognized the importance of control systems to the security of critical infrastructure and decided to pool their experience and passion into creating a company that could assist the global community.
As academics, developers, and operators, the team members knew firsthand what it means to develop and research products the community needs. The desire of the team was thus to create effective products and provide well-thought-out research that enabled the community to better achieve security, availability, and reliability.
“The key to long-term computer security is flexibility. Protocols, malware, networks, and equipment are all constantly changing. Effective security tools need the flexibility to change with the environment,” said Cavinee. “This is why we built CyberLens as a modular framework where we can easily adapt it to fit user needs and make sure that our future features are entirely optional for the end user.”
Industrial Control System asset owners and operators with appropriate permission to deploy and operate a tool such as CyberLens are eligible for Beta testing participation. To inquire further about the Beta and gain access to the application, email: info@DragosSecurity.com
“There are so many features in the tool as well as features in development; I’m optimistic on the levels of defense users are going to be able to achieve with this product,” Lee said.