In Part II I reviewed Industrial Defender’s Automation Systems Manager (ASM) based on an interview and some limited detail documents. Today I had the opportunity to get an online demo of the ASM interface and ask a lot of questions for just over an hour. You can see in the diagram below that the ASM has a number of software applications, more than can be covered in an hour, but here are my thoughts, pro and con.
ASM really begins with the Asset Management module. Minimal information is entered into the ASM, and then the ASM gathers the rest of the information through either agents (Industrial Defender’s IT and ICS agents) or agentless technology, such as WMI for Windows systems. Information on the ports, services, software, users, etc. is all pulled into the ASM, where it can be monitored for change and used for other purposes, such as the security patching program.
What about assets that are not entered into the ASM? An ARP Watch feature on either the Network IDS sensor or ASA collector appliance looks for any MAC or IP addresses not in the ASM and generates an alert that an unknown device is on the network.
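As an added illustration of the ARP Watch idea (this is not Industrial Defender code), the check below compares observed MAC/IP pairs against an asset inventory of the kind the ASM builds. The inventory and the ARP observations are constructed sample data, and the three alert types are my own naming.

```python
# Added example, not ASM code: ARP-watch style comparison of observed
# sender MAC/IP pairs against an asset inventory. All values are constructed.

INVENTORY = {  # MAC -> (asset name, expected IP); constructed sample inventory
    "00:11:22:33:44:01": ("HMI-01", "10.1.1.10"),
    "00:11:22:33:44:02": ("EWS-01", "10.1.1.11"),
    "00:11:22:33:44:03": ("PLC-07", "10.1.2.7"),
}

# Constructed ARP observations as (sender MAC, sender IP), as a sensor on a
# span port would see them. Repeats are normal on a real network.
OBSERVED = [
    ("00:11:22:33:44:01", "10.1.1.10"),   # HMI-01 where it is expected
    ("00:11:22:33:44:01", "10.1.1.10"),   # same pair again, collapsed below
    ("00:11:22:33:44:03", "10.1.2.99"),   # PLC-07 answering on an unexpected IP
    ("aa:bb:cc:dd:ee:ff", "10.1.1.50"),   # MAC that is not in the inventory
    ("aa:bb:cc:dd:ee:01", "10.1.1.11"),   # unknown MAC using EWS-01's address
]


def arp_watch(inventory, observed):
    """Return (alert_type, mac, ip, asset_or_None) for each unique observation
    that disagrees with the inventory. Observations that match produce nothing."""
    ip_owner = {ip: mac for mac, (_, ip) in inventory.items()}  # expected IP -> MAC
    alerts = []
    # Normalise MAC case and de-duplicate while keeping first-seen order.
    for mac, ip in dict.fromkeys((m.lower(), i) for m, i in observed):
        if mac in inventory:
            name, expected_ip = inventory[mac]
            if ip != expected_ip:          # known asset, but not the IP on record
                alerts.append(("ip_changed", mac, ip, name))
        elif ip in ip_owner:               # unknown MAC on an inventoried IP
            alerts.append(("ip_conflict", mac, ip, inventory[ip_owner[ip]][0]))
        else:                              # neither MAC nor IP is on record
            alerts.append(("unknown_device", mac, ip, None))
    return alerts


if __name__ == "__main__":
    for alert in arp_watch(INVENTORY, OBSERVED):
        print(alert)
```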
North American electric utilities probably already understand the NERC CIP compliance value of this port, service and user information, but it is valuable for any sector’s security monitoring and management. Alerts can be generated when new ports, services or software appear on a system (and yes, they have ways to deal with dynamic ports and with services that start and stop).
The Asset Management module has the information and management components of patch management, but it does not actually apply any patches. Assets can be put into groups, and some thought should go into the groups. You can have OS groups, device type groups (e.g. HMI, EWS, Historian, PLC, router), or anything else you can think of. Your groups will affect the security patch management workflow because the ASM user needs to designate which new patches apply to which groups.
One of the most interesting features is the capability to import security patch information from the ICS vendors. For example, GE or Siemens could provide a list of the approved and required OS, database, and ABB security patches tested and approved for deployment in a file that the ASM could import and then apply to the appropriate assets. The ASM user would then see all the security patches that need to be applied, working with the asset through the agent or agentless connection.
Configuration Change Management
Read the title carefully. This module does not provide the ability to change the configuration of a firewall, router or ICS device. Rather it provides the ability to identify changes.
A simple example: the IT Department has the skills to manage the Control Center / Enterprise firewall, but the Operations Group is worried that changes will be made without their approval. ASM could identify and generate an alert for every firewall change. This is not a replacement for a Tripwire-type product, but it can identify changes in any configuration file.
They even have some change management support for field devices such as the ABB Harmony Controller. The ASM can generate an alert when the Project File or Firmware has changed. This is only available for a limited number of field devices today.
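The port/service/software alerts described under Asset Management and the configuration change detection described in this section are both baseline-versus-current comparisons. The block below is my own added example of that comparison, not ASM code: the snapshots, the firewall rule text, and the "dynamic port" and "flapping service" allowances are all constructed assumptions.

```python
# Added example, not ASM code: compare a stored asset baseline against a
# current snapshot and report drift. Snapshots and allowances are constructed.
import hashlib

# Assumption: ports in the IANA dynamic range and services known to start and
# stop are expected churn, so they are reported as "info" rather than "high".
DYNAMIC_PORTS = range(49152, 65536)
FLAPPING_SERVICES = {"PrintSpooler"}


def config_hash(text):
    """Only a digest of each configuration file is stored per asset."""
    return hashlib.sha256(text.encode()).hexdigest()


def expected_churn(category, item):
    return (category == "ports" and item in DYNAMIC_PORTS) or \
           (category == "services" and item in FLAPPING_SERVICES)


BASELINE = {  # constructed snapshot taken when the asset was commissioned
    "ports": {135, 445, 3389},
    "services": {"Historian", "PrintSpooler", "OPCServer"},
    "software": {"HMI Runtime 7.1", "Acrobat Reader 9"},
    "configs": {"fw-rules.txt": config_hash("permit 10.1.1.0/24 10.2.0.5 tcp/102\ndeny any\n")},
}
CURRENT = {  # constructed snapshot collected later by an agent or WMI
    "ports": {135, 445, 3389, 4444, 51234},
    "services": {"Historian", "OPCServer", "TeamViewer"},
    "software": {"HMI Runtime 7.1", "Acrobat Reader 9", "TeamViewer 8"},
    "configs": {"fw-rules.txt": config_hash("permit 10.1.1.0/24 10.2.0.5 tcp/102\npermit any\ndeny any\n")},
}


def drift(baseline, current):
    """Return (severity, change, item) tuples for every difference found."""
    alerts = []
    for cat in ("ports", "services", "software"):
        for item in sorted(current[cat] - baseline[cat]):
            alerts.append(("info" if expected_churn(cat, item) else "high", f"new_{cat}", item))
        for item in sorted(baseline[cat] - current[cat]):
            alerts.append(("info" if expected_churn(cat, item) else "medium", f"removed_{cat}", item))
    for path, digest in current["configs"].items():
        if path not in baseline["configs"]:
            alerts.append(("high", "config_added", path))
        elif baseline["configs"][path] != digest:   # content changed since baseline
            alerts.append(("high", "config_changed", path))
    return alerts


if __name__ == "__main__":
    for alert in drift(BASELINE, CURRENT):
        print(alert)
```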
This is a classic Industrial Defender capability as a SCADA SIEM vendor. They can get data from a variety of log files, their ICS agents, security products such as HIDS/HIPS, or any other information source.
For example, you could get a running total of the packets blocked by the firewall, HIDS alerts, virus activity, …
Dashboard / GUI
This is where the real win is possible. SCADA and DCS operators are used to looking at displays and having set actions when certain alerts are raised. The standard dashboard is easily understood, visual, and has a lot of items an asset owner should monitor. Even better, it is highly configurable. I asked a number of “can I do this” questions and the answer was yes.
The key will be someone understanding the system, the risks, what alerts should be displayed and what actions they should drive. It seems very possible that an operator could monitor the ASM with instructions to contact certain security or subject matter experts if various alerts occur at all or if others exceed a threshold.
The big question is what does ASM provide that similar IT products do not? And second, how important are the deficiencies, such as no security configuration or patch deployment?
Industrial Defender does offer agents for ICS components, so they can get data that their IT competitors cannot. Similarly, their partnerships with ABB, GE and others should make adding ICS-specific intelligence and features easier than for the IT product counterparts. Still, I would say that from a product standpoint alone the differences may not be enough, and the IT product counterparts have man-decades or man-centuries more engineering time in the product, today and in the future, which leads to a more full-featured product outside of the ICS specifics.
Industrial Defender’s experience and domain knowledge may be more important in deploying and supporting the systems. They speak the SCADA and DCS language. They know what is critical in the network. They understand how operators and engineers in the field work. This is important in any sector, but perhaps even more important in the very conservative ICS sector. The ICS-specific access may be more important than the ICS product features.
Asset owners who have handled the SCADASEC 101 basics and are looking to improve their security posture further should take a look at this product, particularly if they have ICS products that Industrial Defender has specific agents or other modules for.
Image by Industrial Defender