Policy-based Detection

With policy-based detection, you configure specific conditions that define which events in the system trigger event notifications. OT Security raises a policy-based event only when an observed event meets the policy's conditions exactly. Because every alert corresponds to an event that actually occurred in the ICS network and matched a condition you defined, the detection itself produces no false positives; how actionable an alert is therefore depends on how precisely the policy conditions describe the unauthorized activity. Each event carries the 'who', 'what', 'when', 'where' and 'how'. Policies are built from event types and descriptors.

The following are examples of possible policy configurations:

  • Anomalous or unauthorized ICS control-plane activity (engineering): A Human Machine Interface (HMI) should not query the firmware version of a controller (this may indicate reconnaissance), and a controller should not run during non-working hours (this may indicate unauthorized or potentially malicious activity).

  • Change to controller code: A change to the controller logic was identified (snapshot mismatch).

  • Anomalous or unauthorized network communications: A blocked communication protocol was used between two network assets, or communication took place between two assets that have never communicated before.

  • Anomalous or unauthorized changes to the asset inventory: A new asset was discovered, or an asset stopped communicating on the network.

  • Anomalous or unauthorized changes in asset properties: The asset's firmware or state changed.

  • Abnormal writes of setpoints: Events generated for changes to specific parameters. You define the allowed range for a parameter, and writes that deviate from that range generate events.
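The following is an added illustration of how the policy types listed above behave as precise predicates over observed events; it is example code written for this page, not OT Security's own engine or data model. The event fields, asset names (HMI-1, EWS-2, PLC-7, LAPTOP-X), protocol names, working-hours window, setpoint range and logic-snapshot hashes are all constructed for the example, and the non-working-hours policy is implemented on the assumption that the relevant "run" activity is an engineering command (logic download or mode change) sent to the controller. Each policy returns a description only when all of its conditions hold, so an alert is raised only for an event that actually matched, and carries the who/what/when/where/how.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed event model: every field here is an assumption for the example.
@dataclass
class Event:
    time: datetime
    src: str                 # who
    dst: str                 # where
    protocol: str            # how
    kind: str                # what: read_firmware_version, write_setpoint, program_download, ...
    details: dict = field(default_factory=dict)

@dataclass
class Alert:
    policy: str
    who: str
    what: str
    when: str
    where: str
    how: str

@dataclass
class Baseline:
    """State learned or configured beforehand (constructed for the example)."""
    asset_types: Dict[str, str]                       # asset -> "HMI" | "PLC" | "EWS"
    known_conversations: Set[Tuple[str, str]]         # (src, dst) pairs seen during learning
    blocked_protocols: Set[str]
    setpoint_ranges: Dict[Tuple[str, str], Tuple[float, float]]  # (plc, tag) -> (lo, hi)
    code_snapshots: Dict[str, str]                    # plc -> hash of the approved logic
    working_hours: Tuple[int, int] = (7, 19)          # [start, end) hour, local time

# A policy is a precise predicate: it returns a description only when the event
# satisfies all of its conditions, otherwise None (no alert).
Policy = Callable[[Event, Baseline], Optional[str]]

def hmi_firmware_query(ev: Event, bl: Baseline) -> Optional[str]:
    if ev.kind == "read_firmware_version" and bl.asset_types.get(ev.src) == "HMI":
        return "HMI queried controller firmware version (possible reconnaissance)"
    return None

def engineering_outside_hours(ev: Event, bl: Baseline) -> Optional[str]:
    # Assumed reading of the non-working-hours policy: engineering commands
    # (logic download, run/stop mode change) outside the configured window.
    lo, hi = bl.working_hours
    if ev.kind in {"program_download", "mode_change"} and not (lo <= ev.time.hour < hi):
        return f"{ev.kind} outside working hours {lo:02d}:00-{hi:02d}:00"
    return None

def controller_code_change(ev: Event, bl: Baseline) -> Optional[str]:
    if ev.kind == "program_download":
        approved, new = bl.code_snapshots.get(ev.dst), ev.details.get("logic_hash")
        if approved is not None and new != approved:
            return f"controller logic changed (snapshot mismatch {approved} -> {new})"
    return None

def blocked_protocol(ev: Event, bl: Baseline) -> Optional[str]:
    return f"blocked protocol {ev.protocol} used" if ev.protocol in bl.blocked_protocols else None

def new_conversation(ev: Event, bl: Baseline) -> Optional[str]:
    if (ev.src, ev.dst) not in bl.known_conversations:
        return "communication between assets that never communicated before"
    return None

def new_asset(ev: Event, bl: Baseline) -> Optional[str]:
    unknown = [a for a in (ev.src, ev.dst) if a not in bl.asset_types]
    return f"new asset discovered: {', '.join(unknown)}" if unknown else None

def setpoint_out_of_range(ev: Event, bl: Baseline) -> Optional[str]:
    if ev.kind == "write_setpoint":
        tag, value = ev.details["tag"], ev.details["value"]
        rng = bl.setpoint_ranges.get((ev.dst, tag))
        if rng is not None and not (rng[0] <= value <= rng[1]):
            return f"setpoint {tag}={value} outside allowed range {rng[0]}..{rng[1]}"
    return None

POLICIES: Dict[str, Policy] = {
    "hmi_firmware_query": hmi_firmware_query,
    "engineering_outside_hours": engineering_outside_hours,
    "controller_code_change": controller_code_change,
    "blocked_protocol": blocked_protocol,
    "new_conversation": new_conversation,
    "new_asset": new_asset,
    "setpoint_out_of_range": setpoint_out_of_range,
}

def evaluate(events: List[Event], bl: Baseline) -> List[Alert]:
    """Run every policy over every event; one alert per (event, matching policy)."""
    alerts: List[Alert] = []
    for ev in events:
        for name, policy in POLICIES.items():
            what = policy(ev, bl)
            if what is not None:
                alerts.append(Alert(name, ev.src, what, ev.time.isoformat(timespec="minutes"),
                                    ev.dst, ev.protocol))
    return alerts

# Constructed baseline and traffic for a hypothetical cell with one PLC.
BASELINE = Baseline(
    asset_types={"HMI-1": "HMI", "EWS-2": "EWS", "PLC-7": "PLC"},
    known_conversations={("HMI-1", "PLC-7"), ("EWS-2", "PLC-7")},
    blocked_protocols={"telnet"},
    setpoint_ranges={("PLC-7", "TIC101.SP"): (40.0, 90.0)},
    code_snapshots={"PLC-7": "sha256:a41f"},
)

SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 5, 10, 15), "HMI-1", "PLC-7", "s7comm", "read_firmware_version"),
    Event(datetime(2024, 3, 5, 10, 16), "HMI-1", "PLC-7", "s7comm", "write_setpoint",
          {"tag": "TIC101.SP", "value": 85.0}),      # in range: no alert
    Event(datetime(2024, 3, 5, 10, 17), "HMI-1", "PLC-7", "s7comm", "write_setpoint",
          {"tag": "TIC101.SP", "value": 140.0}),     # out of range
    Event(datetime(2024, 3, 5, 2, 40), "EWS-2", "PLC-7", "s7comm", "program_download",
          {"logic_hash": "sha256:b7e2"}),            # off-hours and snapshot mismatch
    Event(datetime(2024, 3, 5, 11, 2), "LAPTOP-X", "PLC-7", "telnet", "session"),
]

def demo_alerts() -> List[Alert]:
    return evaluate(SAMPLE_EVENTS, BASELINE)

if __name__ == "__main__":
    for a in demo_alerts():
        print(f"[{a.policy}] who={a.who} where={a.where} when={a.when} how={a.how}: {a.what}")
```

Running the block raises seven alerts for the five constructed events: the in-range setpoint write produces none, the off-hours download produces two (one per matching policy), and the unknown laptop on a blocked protocol produces three. Two points carry over to a real deployment: the quality of each alert is exactly the quality of the condition behind it (the setpoint policy is only as good as the configured range), and the "asset stopped communicating" policy from the list above is deliberately absent here because it needs stateful last-seen tracking across time rather than a predicate on a single event.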