Data Sheet
o DPI SCADA protocols
o Network behavior learning
o Model-based analytics for M2M sessions
o Signature-based detection of known vulnerabilities
o Passive & active network scanning
o Privileges management for each user
o NERC CIP compatible reports
o Intuitive GUI
iSID SCADA Intrusion Detection
Deep Packet Inspection Firewall for SCADA Networks
SYNOPSIS
Radiflow’s IDS (Intrusion Detection System)
is server-based software that analyzes the
OT network traffic in order to protect against
cyber threats. The IDS combines two
distinct competences: SCADA/ICS modeling
and anomaly detection. The IDS receives a
parallel (mirrored) stream of all network
traffic and analyzes it both to generate and
display a network topology model and to serve
as a baseline for detecting exceptions that
indicate unauthorized traffic.
GENERAL
SCADA systems are used for controlling
and monitoring remote operations in a
variety of industries and infrastructures,
including power utilities, oil and gas
production and many more.
Cyber threats to SCADA systems, originating
from both external sources and internal
activity, have in recent years been on the
rise. Terrorists and criminals have set their
sights on critical infrastructure facilities that
utilize SCADA systems due to their inherent
vulnerabilities and the huge potential to
disrupt civilian life.
Deploying an IDS in the SCADA network
enables the operator to monitor its
distributed network for any changes in the
behavior of the application without disrupting
the normal operation.
NETWORK VISIBILITY PACKAGE
The IDS automatically learns the traffic
within the OT network using passive
network scanning or the optional
active scanning.
With passive scanning, the IDS receives
data from all devices across the entire
network. During the learning stage the data
is used to construct a network model for all
devices, protocols and links, which is
displayed on a GUI at the end of the learning
stage.
The visual network model helps to
understand the processes taking place
across the OT network, including security
events. The visual network model is also
used to manually edit the map, for example
add a client PC at one of the remote sites
that was not detected in the learning phase.
Radiflow’s optional Active Scanning tool
allows the IDS to collect even more
information about the network, such as
“dormant” devices (devices that do not issue
any traffic during the learning period) or open
but unused IP ports on the devices that can
be later used for attacks.
After the learning phase, any change in the
network topology, such as new devices or
new sessions, raises an alert so that the
operator can further evaluate such events.
MAINTENANCE PACKAGE
Maintenance operations pose complexity
and risk since the operator is required to
grant network access to the maintenance
technician, thus exposing the network during
maintenance. The situation in most SCADA-
based systems is that once the technician is
granted access, there is no way for the
operator to know what’s happening on the
network, unless a problem arises.
Radiflow’s IDS offers a special Maintenance
Package to handle maintenance processes.
The maintenance package provides the
option to easily create work orders for
specific devices through a centralized tool.
The IDS closely monitors the maintenance
process and alerts on each unauthorized
command. In addition, at the end of the
maintenance operation, a complete activity
log is generated indicating all activities
relating to the work order.
CYBER ATTACK PACKAGE
The Cyber Attack package handles known
threats designed to exploit vulnerabilities in
the SCADA network, including threats to
PLCs, RTUs, industrial protocols and more.
Radiflow’s IDS software is loaded with
safeguards against such attacks.
ANOMALY DETECTION PACKAGE
Once the network topology model is created
at the end of the learning stage, the anomaly
detection package detects any abnormal
behavior such as unauthorized commands,
changes in the operational sequence,
unauthorized firmware upgrades and many
more. Detection is based on comparing the
monitored packet stream with the profile
that was learned passively for each machine.
VIRTUAL FIREWALL PACKAGE
The Virtual Firewall security package allows
defining firewall rules for each link on the
SCADA network. If a rule is violated, the
traffic is not blocked; instead an alert is
generated at the control center.
The Virtual Firewall allows editing the firewall
rules that were suggested by the IDS
following the learning period, and/or
manually creating rules from scratch.
There is also an option to create scheduled
virtual firewall rules. For example, a
maintenance work order can be defined to
allow access to a specific device only
between 8:00AM and 10:00AM on a specific
day. Outside this time period, any command
would be unauthorized. In addition, the
optional integration with Radiflow’s secure
gateways allows enforcing these firewall
rules.
OPERATIONAL BEHAVIOR
Too much traffic, or noise, can degrade
the performance of your network and
affect the operator's control over the
process. To help operators monitor their
network, the IDS Operational Behavior
package monitors the health of the
communication links and their influence on
the process. With this package, the operator
can detect operational problems,
such as a large number of retransmissions or
missed commands. In addition, it provides
information about the actual sampling time
of devices, as seen on the network.
IMPLEMENTATION
While the implementation of devices,
especially security devices, on SCADA
networks is typically far from simple,
installing Radiflow’s IDS is very easy and
quick, and does not require making changes
to the OT network traffic.
LEARNING STAGE
As mentioned, once installed the IDS enters
a learning stage in which it collects
information about the network. During this
stage, a copy of the network traffic is
streamed to the IDS with no network
intervention. The IDS’s DPI (Deep Packet
Inspection) capability is used to extract
valuable data such as device ID, links, time,
protocol, rules, and sample time, which are
all necessary to understand overall network
behavior. The data collected is used to build
a complete network model, which in effect
assigns a virtual fingerprint to each session
between any two devices on the OT network.
The network model is then translated to a
privileges list which acts as a virtual firewall
for the industrial protocols. Besides
assigning a unique identifier for each
session, the IDS graphically lays out the
network topology on the IDS GUI which
allows investigating processes and gaining
an understanding of the network’s inner
workings.
OPERATION STAGE
At the end of the learning stage the IDS
switches to the detection phase. In this
phase the IDS provides constant network
monitoring and uses its six engines to detect
various cyber threats in the SCADA network.
The IDS’s dashboard displays a log of the
security events and a set of aggregate
statistics, including the number of security
breaches detected by each engine and the
cyber-health of each sub-network on the
network. Alongside the statistics, by drilling
down to a specific device the operator is able
to edit its virtual firewall rules. This editing
capability gives operators great flexibility
in managing each device.
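To make the learning stage, the operation stage and the scheduled virtual-firewall rule from the Virtual Firewall section concrete, here is an added illustration (not Radiflow code, and not a description of how iSID is implemented): a learning pass records each device and a (src, dst, protocol, function) fingerprint per session, and a detection pass alerts on new devices and on sessions outside the baseline, classifying writes that fall inside a constructed 8:00 to 10:00 work order as maintenance activity instead of unauthorized commands. Addresses, timestamps and the Modbus traffic are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample traffic: (src, dst, protocol, function, timestamp).
# Modbus function 3 = Read Holding Registers, 16 = Write Multiple Registers.
HMI, PLC, LAPTOP = "10.0.0.10", "10.0.0.20", "10.0.0.99"
LEARNING_TRAFFIC = [(HMI, PLC, "modbus", 3, datetime(2016, 5, 1, 12, 0))]
OPERATION_TRAFFIC = [
    (HMI, PLC, "modbus", 3, datetime(2016, 5, 2, 8, 30)),      # known session
    (LAPTOP, PLC, "modbus", 16, datetime(2016, 5, 2, 9, 0)),   # inside work order
    (LAPTOP, PLC, "modbus", 16, datetime(2016, 5, 2, 11, 0)),  # outside work order
]

@dataclass
class WorkOrder:
    """Scheduled virtual-firewall rule: the device may be serviced only in this window."""
    device: str
    start: datetime
    end: datetime

# Constructed work order for the PLC between 8:00 and 10:00 on 2 May 2016.
MAINTENANCE_WINDOW = WorkOrder(PLC, datetime(2016, 5, 2, 8, 0), datetime(2016, 5, 2, 10, 0))

@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    sessions: set = field(default_factory=set)  # (src, dst, proto, func) fingerprints

def learn(packets):
    """Learning stage: passively record every device and session fingerprint."""
    base = Baseline()
    for src, dst, proto, func, _ts in packets:
        base.devices.update((src, dst))
        base.sessions.add((src, dst, proto, func))
    return base

def detect(baseline, packets, work_orders=()):
    """Operation stage: compare traffic with the baseline and alert, never block."""
    alerts, reported = [], set()
    for src, dst, proto, func, ts in packets:
        if src not in baseline.devices and src not in reported:
            reported.add(src)
            alerts.append(("new device", src))
        if (src, dst, proto, func) in baseline.sessions:
            continue
        session = f"{src}->{dst} {proto} fc{func}"
        if any(w.device == dst and w.start <= ts <= w.end for w in work_orders):
            alerts.append(("maintenance activity", session))  # goes to the work-order log
        else:
            alerts.append(("unauthorized command", session))
    return alerts
```

Calling `detect(learn(LEARNING_TRAFFIC), OPERATION_TRAFFIC, [MAINTENANCE_WINDOW])` yields a new-device alert for the laptop, a logged maintenance write at 9:00 and an unauthorized-command alert for the same write at 11:00.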
Use cases and the corresponding functions and alerts:

New device: An unfamiliar device is recognized by the IDS. The operator is prompted to approve it or check whether it is authorized.
Topology changes: Changes in the topology of the entire network, such as a broken network link or changes to the protocols used, are detected and reported to the control center.
Detection of known attacks: The IDS contains a library of known attacks (e.g. Shellshock).
Detection of abnormal process behavior: Exceptions to normal process behavior (such as significant deviations from permitted parameters) are detected and alerted at the control center.
Out of sequence: Once the network is mapped by the IDS and the topology created, any command to unknown destinations, and even to unknown registers within devices, is detected and alerted at the control center.
Network scanning: The IDS constantly monitors the network to detect the sources of unauthorized device queries within the network.
In addition, the various reports generated by
the IDS help the operator improve the
compliance with regulatory requirements
such as NERC CIP.
IDS MAINTENANCE
To keep up with known vulnerabilities and to
add features and functionality, the IDS
periodically updates to the latest software
version.
The upgrade process is very simple, and
most importantly, the learned data, including
network topology, network model and all
reports, will stay intact during and after the
process.
Cyber security solution for substation automation
Ordering Information
RF–SEC-SERVER/100 – Standard package for 100 devices
RF–SEC-SERVER/500 – Standard package for 500 devices
RF–SEC-SERVER/1000 – Standard package for 1000 devices
RF–SEC-A-SERVER/100 – Premium package for 100 devices
RF–SEC-A-SERVER/500 – Premium package for 500 devices
RF–SEC-A-SERVER/1000 – Premium package for 1000 devices
Headquarters: 31 HaBarzel Tel Aviv, 6971045 E-mail [email protected]
www.radiflow.com
North America: 900 Corporate Dr Mahwah, NJ 07430