OT Security Technologies

The OT Security comprehensive solution comprises two core collection technologies:

  • Network DetectionOT Security network detection technology is a passive deep-packet inspection engine specifically designed to address the unique characteristics and requirements of industrial control systems. Network Detection provides in depth, real time visibility into all activities performed over the operational network, with a unique focus on engineering activities. This includes firmware downloads/uploads, code updates and configuration changes performed over proprietary, vendor specific communication protocols. Network detection alerts in real-time for suspicious/unauthorized activities and produces a comprehensive event log with forensic data. Network Detection generates three types of alerts:

    • Policy Based – You can activate predefined policies or create custom policies which whitelist and/or blacklist specific granular activities indicative of cyber threats or operational mistakes to trigger alerts. Policies can also be set to trigger Active Query checks for predefined situations.

    • Behavioral Anomalies – The system detects deviations from a network traffic baseline, which was established based on traffic patterns during a specified time range. It also detects suspicious scans that are indicative of malware and reconnaissance behaviors.

    • Signature Detection Policies – these policies use signature-based OT and IT threat detection to identify network traffic that is indicative of intrusion threats. The detection is based on rules that have been catalogued in Suricata's Threats engine.

  • Active QueryOT Security’s patented querying technology monitors devices that are on the network by periodically surveying the metadata of control devices in the ICS network. This capability enhances OT Security’s ability to automatically discover and classify all the ICS assets, including lower-level devices such as PLCs and RTUs, even when they aren't active in the network. It also identifies locally implemented changes in the device’s metadata (e.g. firmware version, configuration details and state) as well as changes in each code/function block of the device’s logic. Since it uses read only queries in the native controller communication protocols, it is completely safe and has no impact on the devices. Queries can be run periodically based on a predefined schedule or on-demand by the user.