Claroty Platform in an agrochemical plant

Additional information

Source: Web-site of vendor

The project has been delivered on schedule

The budget has not been exceeded

Functionality complies with the task

Description

Chemical Cyber Threat Landscape – Overview

The cyber threat landscape for OT networks is changing rapidly. The classic nation-state actors targeting critical infrastructure have been joined by multiple groups that leverage newly disclosed attack tools (such as those leaked from the NSA trove by the ShadowBrokers group). New threats include cyber criminals running impactful ransomware campaigns as well as the rising potential for jihadists or other terrorists to use widely available and very sophisticated tools and techniques to cause harm. Unmonitored remote connections, combined with the production sites’ internal connectivity, create additional security blind spots that often go unnoticed and unattended, both because the process control and IT networking teams lack a working culture of cooperation and because there is no technology providing visibility into OT network configuration and traffic. The resulting lack of coordination and visibility expands the attack surface of chemical plants and makes them increasingly vulnerable to attack.

Cyber Threat

The plant’s security team expressed the following concerns:
  • Non-targeted attack
    Description: non-OT malware shutting down or degrading the performance of OT Windows machines (HMI, batch server, historian, etc.).
    Vector: an internal or third-party technician using an infected computer to perform maintenance activities.
    Impact: A dysfunctional HMI means loss of view, which would probably lead to an initiated shutdown until the HMI becomes functional again, through either malware removal or machine reimaging. A dysfunctional batch server means compromise of data and system integrity: various regulations require detailed documentation of all process stages, and failing to comply with these requirements could result in disqualifying the entire batch. Here too, production would be halted until the batch server is restored to operational routine.
  • Targeted attack
    Description: a purpose-built attack on the plant’s OT network, leveraging its built-in security weaknesses. Threat actors would aim at causing high-profile physical damage to equipment or the environment or, in extreme cases, loss of human life.
    Vector: Physical: the site’s large size enables attackers (insider or external) to approach the controllers unnoticed and change the logic via a USB drive. Network: the OT network architecture introduces various attack surfaces for both initial compromise and prolonged presence. In the plant’s standard routine, configuration downloads are carried out from the EWS in the central control room, while minor parameter adjustments are owned by each site’s control team, which uses Online Edits from a single Windows machine that contains both HMI and EWS software. An attacker who compromises one of these local site machines could easily leverage its EWS software to download a rogue configuration to the controller, changing the process values.
    Impact: Release of toxic materials inside the plant, endangering human lives, with site shutdown until the whole plant is cleaned. Release of toxic materials to the environment, causing considerable environmental damage, heavy cleaning and restoration costs, and exposure to legal claims; presumably this is much less likely.

Deployment Plan

Claroty provides a fully integrated cybersecurity platform purpose-built for OT:
  1. Continuous Threat Detection: passive monitoring and DPI product for real-time detection of malicious presence and activity.
  2. Secure Remote Access: access policy enforcement and control product to safeguard networks from the threats introduced by unmonitored third-party and employee network access.
  3. Enterprise Management Console: centralized management interface that aggregates the data from Claroty products at multiple sites and displays a unified view of their assets, activities, alerts and access control.
1. Continuous Threat Detection gathers and analyzes network data, basically listening to all communications, to discover control and other assets (e.g., controllers, HMIs, remote I/O, engineering stations and networking gear) and to build a detailed “baseline” model of normal network operations. Different assets generate network traffic at varying intervals, depending on the specific function of the asset and the environment. The common timeframe required for the entire set of OT assets to generate their routine traffic is approximately 2-3 weeks. Once training mode is complete, Continuous Threat Detection shifts to operational mode, where the system provides real-time monitoring and raises an alert upon detection of deviations from the baseline. The entire OT network is now visible and monitored through a single console, enabling the customer to track changes and to rapidly detect, investigate and respond to security incidents and potential operational issues.

2. Claroty Secure Remote Access is software designed to minimize the risk that remote users, including employees and contractors, introduce to industrial networks. The system provides a single, manageable interface through which all remote users connect and authenticate before performing software upgrades, periodic maintenance and other system support activities. Network administrators use the system to control which users are granted access to industrial control assets and for what purpose. The system enforces password management and access control policies, governs remote connections, and monitors and records remote access sessions:
  • Proactively – through granular user and asset policies governing which assets authorized users can see and access, when they can log into each asset and the authentication level required for access.
  • In real time – through manual access permissions and “over-the-shoulder” real-time video visibility into all of the user’s activity, including a “red button” ability to terminate an ongoing session.
  • Retroactively – by generating activity reports filtered by user, asset or session and providing video recordings of all remote sessions.

3. Enterprise Management Console is a centralized management interface that aggregates the data from Claroty products at multiple sites and displays a unified view of their assets, activities, alerts and access control (SRA/CTD integration).
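As an added illustration of the learn-a-baseline-then-alert model described for Continuous Threat Detection above, the following Python is example code written for this page, not Claroty’s implementation. It learns which assets, conversations and protocol operations appear during a training window and then raises alerts on anything outside that baseline. The asset names, protocol labels and the traffic itself are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a passive DPI sensor would summarise it."""
    ts: int     # seconds since the start of capture
    src: str    # source asset (hostname or IP), constructed
    dst: str    # destination asset, constructed
    proto: str  # protocol identified by DPI, e.g. "s7comm", "smb" (labels are assumptions)
    func: str   # protocol operation, e.g. "read", "write", "download"


DAY = 24 * 3600
TRAINING_SECONDS = 21 * DAY   # the 2-3 week learning window the page describes


class Baseline:
    """Learns normal traffic during training, then alerts on deviations.

    Once operational it deliberately stops learning, so a new operation such as a
    logic download from an HMI is reported rather than silently absorbed.
    """

    def __init__(self, training_seconds: int = TRAINING_SECONDS) -> None:
        self.training_seconds = training_seconds
        self.assets: set[str] = set()
        self.conversations: set[tuple[str, str, str]] = set()        # (src, dst, proto)
        self.operations: set[tuple[str, str, str, str]] = set()      # (src, dst, proto, func)
        self.training = True

    def _learn(self, f: Flow) -> None:
        self.assets.update((f.src, f.dst))
        self.conversations.add((f.src, f.dst, f.proto))
        self.operations.add((f.src, f.dst, f.proto, f.func))

    def _check(self, f: Flow) -> list[str]:
        # Most specific finding first: an unknown asset implies an unknown conversation,
        # so report only the asset to avoid duplicate alerts for one flow.
        new_assets = [a for a in (f.src, f.dst) if a not in self.assets]
        if new_assets:
            return [f"new asset {a}" for a in new_assets]
        if (f.src, f.dst, f.proto) not in self.conversations:
            return [f"new conversation {f.src}->{f.dst} over {f.proto}"]
        if (f.src, f.dst, f.proto, f.func) not in self.operations:
            return [f"new operation {f.func} from {f.src} to {f.dst} over {f.proto}"]
        return []

    def observe(self, f: Flow) -> list[str]:
        """Feed one flow; returns alert strings (empty while training or when the flow is baseline)."""
        if self.training and f.ts < self.training_seconds:
            self._learn(f)
            return []
        self.training = False
        return self._check(f)


def constructed_capture() -> list[Flow]:
    """Constructed sample traffic for the example; not real plant data."""
    hmi, ews, plc, hist = "hmi-01", "ews-ccr", "plc-reactor-1", "historian"
    flows = []
    for day in range(21):                                   # routine polling during training
        flows.append(Flow(day * DAY + 60, hmi, plc, "s7comm", "read"))
        flows.append(Flow(day * DAY + 120, hist, plc, "s7comm", "read"))
    flows.append(Flow(10 * DAY + 3600, ews, plc, "s7comm", "download"))  # one legitimate download from the central EWS
    flows += [
        Flow(22 * DAY + 60, hmi, plc, "s7comm", "read"),          # routine, no alert
        Flow(22 * DAY + 900, hmi, plc, "s7comm", "download"),     # HMI acting as an EWS: the targeted-attack scenario
        Flow(22 * DAY + 1800, "10.0.5.77", hmi, "smb", "write"),  # unknown host touching the HMI
        Flow(23 * DAY + 60, ews, plc, "s7comm", "download"),      # seen in training, so silent here
    ]
    return flows


def run(flows: list[Flow]) -> list[str]:
    """Replay flows in time order through a fresh baseline and collect the alerts."""
    baseline = Baseline()
    alerts: list[str] = []
    for f in sorted(flows, key=lambda x: x.ts):
        alerts.extend(baseline.observe(f))
    return alerts


if __name__ == "__main__":
    for alert in run(constructed_capture()):
        print(alert)
```

Two caveats follow directly from the model: anything that talks during the training window, including an attacker already present, becomes “normal”, so the capture should be reviewed before switching to operational mode; and an asset whose routine traffic is rarer than the window (say, a yearly maintenance laptop) will alert the first time it appears, which is why the page insists on letting the whole asset set generate its routine traffic before training ends.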
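The proactive policy controls listed for Secure Remote Access (which assets a user may see and reach, when, and at what authentication level) can be expressed as a deny-by-default check. The Python below is an added example written for this page, not Claroty’s product code; the policy fields, user names, asset names and the two-level authentication scale are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

PASSWORD, PASSWORD_PLUS_2FA = 1, 2   # assumed authentication levels, lowest to highest


@dataclass(frozen=True)
class AccessPolicy:
    """Which assets a remote user may reach, during which hours, and how strongly they must authenticate."""
    assets: frozenset[str]
    weekdays: frozenset[int]   # 0 = Monday ... 6 = Sunday, plant local time
    start_hour: int            # inclusive
    end_hour: int              # exclusive
    min_auth_level: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str
    when: datetime
    auth_level: int            # level the user actually completed at login


def evaluate(policies: dict[str, AccessPolicy], req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: allow only if every policy condition holds.

    The reason string is returned so it can be written to the session audit record
    alongside the retroactive reports the page describes.
    """
    policy = policies.get(req.user)
    if policy is None:
        return False, "no policy for user"
    if req.asset not in policy.assets:
        return False, "asset not in user's policy"
    in_window = req.when.weekday() in policy.weekdays and policy.start_hour <= req.when.hour < policy.end_hour
    if not in_window:
        return False, "outside permitted access window"
    if req.auth_level < policy.min_auth_level:
        return False, "authentication level too low"
    return True, "allowed"


def visible_assets(policies: dict[str, AccessPolicy], user: str) -> frozenset[str]:
    """What the portal shows the user: only the assets their policy names, nothing else."""
    policy = policies.get(user)
    return policy.assets if policy else frozenset()


def demo_decisions() -> list[tuple[bool, str]]:
    """Constructed scenario: a vendor technician allowed on two assets, weekdays 08:00-17:00, with a second factor."""
    policies = {
        "vendor-tech": AccessPolicy(
            assets=frozenset({"plc-reactor-1", "hmi-01"}),
            weekdays=frozenset(range(5)),
            start_hour=8,
            end_hour=17,
            min_auth_level=PASSWORD_PLUS_2FA,
        ),
    }
    tue = datetime(2024, 1, 16, 10, 0)   # a Tuesday
    sat = datetime(2024, 1, 20, 10, 0)   # a Saturday
    requests = [
        AccessRequest("vendor-tech", "plc-reactor-1", tue, PASSWORD_PLUS_2FA),  # allowed
        AccessRequest("vendor-tech", "plc-reactor-1", tue, PASSWORD),           # password only
        AccessRequest("vendor-tech", "plc-reactor-1", sat, PASSWORD_PLUS_2FA),  # weekend
        AccessRequest("vendor-tech", "batch-server", tue, PASSWORD_PLUS_2FA),   # asset outside scope
        AccessRequest("former-staff", "hmi-01", tue, PASSWORD_PLUS_2FA),        # no policy at all
    ]
    return [evaluate(policies, r) for r in requests]


if __name__ == "__main__":
    for allowed, reason in demo_decisions():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of the checks matters for what ends up in the audit trail: a request is refused for the first failing condition, so a user with no policy is never told which assets exist, and an asset outside the user’s scope is refused before the time window or authentication strength is even considered.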

Details

Business tasks

Ensure Security and Business Continuity

Centralize management

Problems

Unauthorized access to corporate IT systems and data

No centralized control over IT systems

IT infrastructure downtimes

Risk of attacks by hackers

Risk of lost access to data and IT systems
