Gravwell Blog

Gravwell in the ICS Village and announcing Nozomi Integration

Written by Corey Thuen | Jun 8, 2018 1:11:20 AM

We're excited to join with Nozomi Networks in announcing our integration partnership which was piloted in the ICS Village at the RSA Sandbox in San Francisco earlier this year. Attendees at RSA were also able to see the first glimpse of the newly unveiled ICS Village. For those unfamiliar with conference villages, the idea is to create a hands-on learning environment for security professionals to learn, hack, or break equipment and software that they may not experience on a day-to-day basis. The Gravwell founders have a long history in the ICS space and we believe in the village mission as we think that ICS/SCADA (more so than most industries) could benefit from some disruption and fresh ideas. The ICS Village can be found at many events this year including DEFCON and EnergySec (full event schedule can be found at https://www.icsvillage.com/events).


The first ever ICS Village at DEFCON. It featured robotic arms, water treatment buildouts, and homebrew home brewing automation.


Understanding the overall goal of the ICS Village, now let's talk about what an attendee can expect and where Gravwell fits into all of this. From the ICS Village website:

High profile Industrial Control Systems security issues have grabbed headlines and sparked changes throughout the global supply chain. The ICS Village allows defenders of any experience level to understand unique failure modes of these systems and how to better prepare and respond to the changing threat landscape. Interactive simulated ICS environments, such as Hack the Plan(e)t and Howdy Neighbor, provide a safe yet realistic environment to preserve safe, secure, and reliable operations. The ICS Village brings a compelling experience for all experience levels and types, with IT and industrial equipment.
Our interactive learning approach invites you to get hands on with the equipment to build your skills. We bring you real components such as Programmable Logic Controllers (PLC), Human Machine Interfaces (HMI), Remote Telemetry Units (RTU), actuators, and miniature robotic arms to simulate a realistic environment using components commonly found throughout different industrial sectors. You will be able to connect your machine to the different industrial components and networks and try to assess these ICS devices with common security scanners, network sniffers to sniff the industrial traffic, and more!

Putting together the ICS Village takes a village! Kudos to all these great people for making this year's village awesome.


Taking a quick tour of the equipment and systems present in the village we see Siemens, ABB, Phoenix Contact, Windows, Linux, IoT devices, firewalls, routers, and more!


With all these disparate technologies, how do we have any visibility into what the &@*! is happening on the network? Have no fear, Gravwell is here.


Gravwell allows for ingesting, searching, and analyzing logs, network traffic, process events -- we support data of every type. This is of particular importance when dealing with ICS equipment. It's very rare for embedded systems to log data in a consumable way, which often means pulling information off of the wire or actively querying a device (which is generally a no-no). Because Gravwell supports binary data, ingesting the control protocols themselves means that a complete "ground truth" record of what the controllers actually said is made searchable. If an attacker targets the process and manages to fool the HMI (a technique seen in the wild), hunting within the ground truth data reveals the treachery.
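To make the "ground truth" hunt concrete, here is an added example (not Gravwell's or Nozomi's own code) that decodes Modbus/TCP read-holding-register replies captured off the wire and flags any poll where the HMI's reported values disagree with what the PLC actually answered. The wire frames, the HMI snapshots and the register-to-tag layout are all constructed for the example.

```python
import struct
from dataclasses import dataclass

@dataclass
class ModbusResponse:
    transaction_id: int
    unit_id: int
    registers: list  # holding register values returned by FC 0x03

def parse_modbus_tcp_response(frame: bytes) -> ModbusResponse:
    """Parse a Modbus/TCP 'read holding registers' (FC 0x03) response.
    MBAP: transaction id (2), protocol id (2), length (2), unit id (1);
    PDU: function code (1), byte count (1), big-endian 16-bit registers."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header plus PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    func, byte_count = frame[7], frame[8]
    if func != 0x03:
        raise ValueError(f"unsupported function code {func:#04x}")
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("register byte count does not match payload")
    regs = list(struct.unpack(f">{byte_count // 2}H", data))
    return ModbusResponse(tid, unit, regs)

# Constructed wire captures (not real traffic): two FC 0x03 replies from unit 1,
# each carrying two registers: tank level, then pump run state.
WIRE_FRAMES = [
    bytes.fromhex("00010000000701030400640000"),  # tid 1: level 100, pump 0
    bytes.fromhex("00020000000701030400c80001"),  # tid 2: level 200, pump 1
]
# Constructed HMI view of the same two polls: the operator screen keeps showing
# the old values after poll 2, as it would if the HMI were being fed false data.
HMI_SNAPSHOTS = {1: {"tank_level": 100, "pump_run": 0},
                 2: {"tank_level": 100, "pump_run": 0}}
REGISTER_MAP = {0: "tank_level", 1: "pump_run"}  # assumed register layout

def find_hmi_discrepancies(frames, hmi_snapshots, register_map):
    """Return (tid, tag, wire_value, hmi_value) wherever the HMI's reported
    value disagrees with what the PLC actually answered on the wire."""
    mismatches = []
    for frame in frames:
        resp = parse_modbus_tcp_response(frame)
        reported = hmi_snapshots.get(resp.transaction_id, {})
        for offset, value in enumerate(resp.registers):
            tag = register_map.get(offset)
            if tag is not None and reported.get(tag) != value:
                mismatches.append((resp.transaction_id, tag, value, reported.get(tag)))
    return mismatches
```

In a real deployment the HMI snapshots would come from the HMI's own logs or historian and the frames from the captured control traffic; the comparison itself is the same.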

Anyone who has spent time in the ICS space is aware that control system equipment speaks all manner of protocols, some of which are proprietary and not well documented. Gravwell is an extremely powerful analytics engine but we are not an exclusively ICS tool. What I mean is, identifying the make and model of a particular PLC isn't a problem we are attempting to solve. Understanding what a given Modbus coil address on a VFD does isn't our bag. For that, we turn to the experts.

Our first integration in the ICS space is with one such expert in this area, Nozomi Networks. The SCADAGuardian tool provides asset inventory, vulnerability assessment, dashboards and reporting, and threat and anomaly detection for ICS by watching network traffic. With this new Gravwell integration, customers of both products can create an OT SOC that provides unparalleled visibility into what's happening on their network AND the process. SCADAGuardian provides the specialized insights for the ICS system, which Gravwell ingests alongside the underlying "ground truth" records. Users can then fuse and correlate that data with other system logs such as Windows events, firewall output, or IT information such as phishing alerts.


The combined power of Gravwell and SCADAGuardian made it easy to detect and respond to Crossbow attacks launched against the process.


Our vision for ICS is to enable a unified SOC that provides COMPLETE visibility into the threats and problems facing an organization. This is on display in the new ICS Village. If you're going to be at one of the events, stop by and hack on some ICS gear to see the setup in action. According to a recent report published by Honeywell, only 37% of organizations continuously monitor plant systems and network activity. Optimistically however, 25% claim they intend to do so within the next year. If you're part of that progressive 25%, contact us to learn more about deploying Gravwell in ICS environments.