ICS, SCADA, OT, PIT and even IoT are all acronyms that define a class of systems which manage the flows of data between sensors, actuators and control systems. Over the past decade, the interconnection of these systems with Information Technology (IT) systems and the Internet has been occurring at an ever-increasing pace, creating significant concern among security professionals as vulnerabilities and attacks begin to emerge that leverage the unprotected gateways and dependencies between the two domains. These OT or Operational Technology [for lack of a better acronym] systems are under increased scrutiny by attackers as well, as new exploitation kits are being created and disseminated on a regular basis. Robust security technology is needed to manage and defend the OT enclaves and to turn back the rising tide of attacks on critical and not-so-critical infrastructure. Therefore, I was intrigued when I discovered the CyberFence technology offered by Ultra Electronics 3eTI at a recent conference. CyberFence provides essential enclave protection for these mixed IT/OT environments. I was able to visit their lab for a demonstration in Rockville, MD and meet with Ben Garber – a cybersecurity expert for the company. Ben also graciously accepted my interview request. So read on to learn more about the exciting technology offered by Ultra Electronics 3eTI and click on the banner ad to be transported to their site to learn even more.
Spotlight on Mr. Ben Garber
Read about Ultra Electronics 3eTI below.
September 18, 2018
Chris Daly, Active Cyber: Industrial Control Systems security appliances often require a special blend of capabilities and certifications to live in both the IT (Information Technology) and OT (Operational Technology) domains. What types of capabilities do CyberFence appliances deliver and what certifications do they carry to support your target audiences? What are the key competitive strengths of CyberFence appliances?
Ben Garber, Cybersecurity Expert, Ultra Electronics, 3eTI: CyberFence can provide drop-in encryption, both layer 2 and layer 3, stateful firewall, and deep packet inspection (DPI) capabilities a la an application-layer firewall to control and monitor messaging to industrial controllers. The device’s encryption capabilities are backed by FIPS 140-2 validation and Common Criteria (protection profile: network device), so customers can be sure that it is not just 3eTI saying our product is secure, but that it has been vetted by numerous third-parties, including the US government. In addition to certifications, 3eTI has submitted the device to penetration testing by various agencies within the Department of Defense, as well as laboratories like Idaho National Labs. These exercises allow us to identify potential vulnerabilities before the products hit the shelf.
Active Cyber: 3eTI’s DarkNode appliance was purpose-built to support SCADA. What are some of the key security and performance features of DarkNode that support SCADA communications? Why is it called “Dark” node? How is this capability unique in the market and why is it a better approach for securing SCADA / ICS communications?
Ben Garber: For industrial applications, the device allows operators to narrowly define what commands can be sent to controllers. Automation controllers, like PLCs, typically cannot support the same protections we afford workstations as they are small, embedded computers that are purpose-built for automation. The DarkNode can act as a last line of defense by sitting in front of the controller and validating the commands that are being sent to it. The device creates a whitelist of allowable commands based off a monitoring period where it observes the command traffic for a given process. Any commands that deviate from this whitelist are alerted on or alerted and blocked.
In addition to the DPI capability, the DarkNode provides layer 2 encryption (up to AES-256) to obfuscate communications on a local area network. The combination of firewall, encryption, and deep packet inspection makes the CyberFence a product with several layers of protection all in one small form factor.
DarkNode technology allows the device to behave as a bump in the wire. Without an assigned IP address, the device behaves like a layer 2 switch. Users surveilling the network would not be able to discover the device as it would not respond to network queries, hence the term ‘DarkNode.’ Having your security device ‘hidden’ on the network makes it much more difficult for would-be attackers to thwart the device.
Active Cyber: OT systems are known to use a variety of network protocols – many of which are not supported by general security appliances in the IT domain. How does CyberFence help customers bridge the security gap in connecting IT and OT domains? What types of OT network protocols are supported for firewall and deep packet inspection?
Ben Garber: 3eTI understands the IT-OT gap and provides operators with controls for both environments. The encryption and additional networking features provide IT administrators with flexible installation options while the protocol inspection affords OT operators insight into their networks while affording them control over what ultimately makes it to the automation controller.
Unlike IT environments where there is a plethora of networking protocols, protocols between controllers and servers are consistent and limited in variety within OT networks. Controllers also generally see the same commands every day, with changes only coming during special situations or when the process needs to change for operational goals. This behavior allows operators to effectively create whitelists of commands that are only relevant to their respective process.
The CyberFence device provides DPI for Modbus/TCP, EtherNet/IP (explicit), DNP3/DNP3sec/DNP3w/WITS, BACnet, FOX, and provides a dynamic firewall for OPC DA (classic). Stateful firewall support, a function separate from DPI, is for any network protocol and allows operators to limit which network devices can communicate through it by filtering on port, IP address, and MAC address. Customers are also afforded access to the Generic DPI engine, which allows them to craft their own DPI rules for products that might not yet be supported.
Active Cyber: New threats are emerging at a growing pace that focus on the OT domain. What type of threat detection capability does 3eTI provide and how is this capability delivered? How are new threats identified and vetted by 3eTI? Is machine learning included in the approach?
Ben Garber: 3eTI’s CyberFence product alerts users to any commands that are not expected or fall outside of the allowable list of commands the controller can receive. The device is positioned to protect against new threats, or zero-day vulnerabilities, by simply limiting what commands can be sent to the controller. The CyberFence is agnostic of what happens upstream, whether that is operator error, malicious operator, malware, or a targeted attack. It will only allow messages through that are on the device’s whitelist. Any messages that fail the whitelist are alerted on or both alerted on and blocked.
No definition or signature updates are needed for the device, as it parses based on the protocol standard. The CyberFence simply sits in front of the edge device (PLC, RTU, etc), listens and records all of the unique commands it sees. Once the user is satisfied the process is complete, they take the results of the monitoring session and these recorded commands become the whitelist filter. Any commands coming in through the device are validated for protocol conformity (e.g. is that, in fact, Modbus/TCP on port 502?), and then validated against the whitelist filter. This approach does not require any updates for DPI support unless the underlying protocol standard itself changes.
Active Cyber: Security is often a collateral duty for network engineers or facility managers when it comes to OT systems. Security orchestration and automation can help in reducing the overall security burden. How does 3eTI play with orchestration and automation tools to secure OT systems? What APIs can be leveraged for integration and what partner ecosystems are supported by CyberFence appliances?
Ben Garber: The CyberFence affords operators the ability to automatically generate a list of allowed commands through the device’s learning capability. With the device in monitoring mode, it will listen and record all the unique commands it sees. This helps bridge the knowledge gap required in tailoring a ruleset for an industrial protocol. The problem is that many operators are not familiar with the commands given at a packet level. This, understandably, makes it difficult to create a whitelist of allowed commands. The CyberFence alleviates this by making the process automated and presenting operators with a suggested whitelist based on traffic it observed.
Interacting with the device can be done through web UI, SOAP API, or our central management system, CyberFence Manager (formerly UltraVision). Alerts are sent via syslog for integration with any SIEM or syslog manager. Alerts are also available through SNMP v2/v3.
The device also provides the ability to mirror either the red or black ports to allow operators a convenient place to monitor traffic. This can be used in conjunction with a passive analytics solution to provide a hardware agent that can monitor at the edge.
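The learn-then-enforce whitelisting described in the two answers above (record the unique commands seen during a monitoring period, then check each frame for protocol conformity and against that list, alerting or alerting and blocking on deviations) can be illustrated for Modbus/TCP. The following is an added example written for this page, not CyberFence code; the frame builder, the command key (unit id, function code, start address, quantity) and the subset of function codes handled are assumptions for the illustration.

```python
import struct
from dataclasses import dataclass, field

READ_FCS = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input registers
SINGLE_WRITE_FCS = {5, 6}        # write single coil / write single register
MULTI_WRITE_FCS = {15, 16}       # write multiple coils / write multiple registers

def build_frame(tid: int, unit: int, fc: int, addr: int, qty_or_value: int) -> bytes:
    """Constructed Modbus/TCP request: MBAP header (length counts unit id + PDU) then PDU."""
    pdu = struct.pack(">BHH", fc, addr, qty_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

@dataclass
class CommandWhitelist:
    """Learn-then-enforce filter: record unique commands, then alert or block deviations."""
    allowed: set = field(default_factory=set)
    learning: bool = True
    block: bool = False          # False = alert only, True = alert and block

    @staticmethod
    def parse(frame: bytes):
        """Protocol conformity check; returns (unit, fc, addr, qty) or None if malformed."""
        if len(frame) < 8:
            return None
        _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0 or length != len(frame) - 6:   # bad protocol id or length mismatch
            return None
        fc, pdu = frame[7], frame[8:]
        if fc in READ_FCS and len(pdu) == 4:
            addr, qty = struct.unpack(">HH", pdu)
            return (unit, fc, addr, qty)
        if fc in SINGLE_WRITE_FCS and len(pdu) == 4:
            addr, _value = struct.unpack(">HH", pdu)   # written value is not part of the key
            return (unit, fc, addr, 1)
        if fc in MULTI_WRITE_FCS and len(pdu) >= 5:
            addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
            if len(pdu) == 5 + nbytes:
                return (unit, fc, addr, qty)
        return None                                   # unknown function code or bad PDU

    def inspect(self, frame: bytes) -> str:
        key = self.parse(frame)
        if key is None:
            return "block" if self.block else "alert"  # nonconforming frame
        if self.learning:
            self.allowed.add(key)
            return "learned"
        if key in self.allowed:
            return "allow"
        return "block" if self.block else "alert"    # not on the learned whitelist
```

Running the same reads and writes through `inspect` in learning mode, then switching `learning` off, reproduces the behavior in the answers: repeated commands pass, a new write command or a malformed frame raises an alert, and with `block=True` it is dropped as well.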
Active Cyber: What are some of the new directions that the OT security market is headed and how is 3eTI addressing these changes? What features of the IoT market does 3eTI feel engaged to support?
Ben Garber: Security solutions for the OT environment have traditionally concentrated on perimeter protection. Firewalls, data diodes, and air-gaps are a great way to thwart attacks on external-facing systems. However, most attacks these days come from within the network. A lack of monitoring and control within the system, combined with social engineering, is primarily to blame for attacks in the ICS realm today. The CyberFence affords operators the ability to monitor commands at the edge and provides them with a last line of defense against potentially dangerous situations.
3eTI sees a need within plant operations for the ability to control the messages that can be sent to SCADA systems. Without this type of protection, any command within the protocol’s standard can be sent to the controller. The controller will try to perform whatever task it was commanded to do. This can be bad when a piece of malware sends a command to upload new, and corrupted, firmware, much like we saw with the recent Hatman/TRISIS attack. Changing the firmware of the device should be a rare occurrence. Utilizing a device such as the CyberFence can prevent this command from ever going through during normal operations. Operators would then be alerted that the command was sent, allowing them to remediate as appropriate.
Thank you Ben for sharing information about your products and insights into securing the OT systems environments of today. I can truly appreciate the possible benefits to be gained from using CyberFence and other 3eTI products to improve security operations and active defenses. Please return again soon to give me and my audience an update on your tools and their associated use cases. I know that the growing complexities of securing OT systems will keep you busy on improvements and enhancements to cyber defenses and in matching defenses to the ever-growing sophistication of cyber attacks.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About 3eTI, Ultra Electronics
3eTI, an Ultra Electronics company, is an innovator in developing and implementing machine-to-machine (M2M) industrial cybersecurity solutions. Protecting energy, utilities and government critical infrastructure for over 20 years, 3eTI’s proven solutions are designed to safeguard automation and industrial control systems (ICS) from cyber threats. Our cyber-mission is to partner with critical infrastructure owner-operators and integrators to secure gaps and vulnerabilities that threaten vital operations. Renowned for enabling information assured communications, 3eTI has an unrivaled heritage in solving operational security challenges for prominent customers including US Navy, Johnson Controls and Duke Energy.
3eTI’s CyberFence solutions are designed to easily embed security into industrial automation and control systems to shield critical infrastructure against cyber-attacks without interruption. We understand that cyber security is essential in today’s turbulent environment – that’s why our CyberFence devices are independently validated for robustness by widely-recognized global standards bodies, government and military agencies. CyberFence surpasses basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity.