Positive Technologies has released a new version of PT Industrial Security Incident Manager (PT ISIM), its deep analysis system for industrial network traffic. The main changes are automated construction of the incident graph (the chain along which an attack develops), the ability to manage the built-in rules and fine-tune the product to a company's infrastructure, and improved performance.
According to Positive Technologies, industrial enterprises remain one of the main targets of hacker groups. At the same time, its security assessment projects show that in 91% of industrial organizations an external attacker can penetrate the corporate network, and in 56% of cases can go on to reach process control systems. Stopping and neutralizing intruders in time is difficult because of the shortage of specialists who understand the specifics of protecting technological (OT) networks, and because enterprises are slow to adopt modern security measures. Under these conditions, deep monitoring systems for technological traffic (industrial NTA and NDR systems), which can be deployed quickly to raise the security of the technological network, come to the fore.
“PT ISIM 4 allows you to identify the sequence of an intruder's actions in the network and record the attack at each stage, rather than just tracking individual alerts, as ordinary IDS do, for example. This lets information security specialists answer the key questions faster: is there an attacker in the automated control system network right now? Where has he got to? And so solve the main problem: how to stop him,” says Ilya Kosynkin, Product Manager for PT ISIM at Positive Technologies.
PT ISIM 4 includes an incident management mechanism based on ranking the assets of the technological network by criticality, where the criticality levels are defined by each company for itself. Combined with automated construction of the incident graph, this makes it possible to quickly determine the direction and current stage of an attack and to assess its consequences proactively.
In addition, the new version of PT ISIM expands the options for configuring the product and adapting it to the infrastructure it monitors.
“Deploying a traffic analysis product always involves fine-tuning that must take into account the enterprise's security policies as well as the technological features of the systems whose traffic it analyzes. Despite extensive capabilities for automatic learning, there is always a possibility of false positives in a technological environment, and they need to be handled correctly without reducing the level of security. PT ISIM 4 has additional features for managing the built-in rules that allow this tuning to be done quickly and granularly. As a result, an information security specialist receives only the necessary information about what is happening on the network, cleared of ‘noise’ as far as possible, and can focus on finding the real traces of the attacker,” comments Roman Krasnov, Head of Industrial Enterprise Information Security at Positive Technologies.
The new version of the product also includes a major update of the PT ISTI industrial threat indicator database and adds support for new industrial protocols, including Alpha.Server Configurator, ANSL (B&R), Bachmann RPCTCP, DICOM, FINS (Omron), INA2 (B&R), INA2000 (B&R), Phoenix, Siemens DIGSI 4, SLMP (Mitsubishi Electric), “DC Course-2” and “ELNA”. Parsing of the ADS, CIP and OPC UA protocols has also been improved.
As in previous versions, PT ISIM 4 uses a passive monitoring architecture: it analyzes a copy of the network traffic and sends nothing into the technological network, so it cannot have any undesirable impact on the technological process. The product is designed to satisfy regulatory requirements (Federal Law No. 187-FZ, FSTEC Orders No. 31 and 239, and the GosSOPKA requirements).