
Solution Brief

SIEM
Advanced ICS Threat Detection
Visibility, Security and Control Across Your IT and OT Environment

Indegy and RSA together help identify and protect against sophisticated attacks that impact both the Information Technology (IT) and Operational Technology (OT) environments in industrial organizations.

Indegy is certified as

Solution Components
• Indegy Industrial Cyber Security Suite v2.5
• RSA NetWitness Platform 11.2
Challenges
• Single "pane of glass" visibility of potential threats in and across the IT and OT environments
• Detection and mitigation of threats to the safety, reliability and continuity of industrial processes
• Snapshotting of network device elements for ease of backup and recovery to the last known "good state"
• Full and instant inventory management down to firmware and patch level on each and every device
• Audit trail and paper trail of who made what changes, and when
• Full forensic capabilities that provide context when an incident occurs

The Challenge
Industrial Control Systems (ICS) quite literally control our lives. While they were once isolated from every other part of the organization or network and considered static systems, this is no longer the case. ICS devices on the OT network are connected to enterprise and IT systems, which leaves them vulnerable to malware, cyber-attacks, insider threats, misconfigurations and even failed maintenance.

Today's attacks are significantly more sophisticated and include zero-day and targeted attacks, social engineering, and spear phishing, all designed to establish a beachhead and then modify or destroy critical industrial operations. The key to a successful breach is to keep the malicious activity undetected for as long as possible.

Unlike IT networks, Industrial Control Systems lack a proper foundation of visibility and security controls. Most devices don't require authentication, making it difficult to prevent unauthorized access or changes to critical devices. In addition, controllers typically keep no event logs or historical data to help with event detection and response. Without this foundation of visibility and control, further challenges emerge in managing assets, detecting threats, and managing system configurations in OT environments.

RSA and Indegy Joint Solution

Some of the most effective tools for fighting these attacks are security information and event management (SIEM) solutions. A SIEM monitors both real-time events and a mountain of long-term data to find anomalous patterns of usage, qualify possible security and compliance threats to reduce false positives, and alert the organization when needed. The interoperability between Indegy and RSA NetWitness gives customers a single solution to collect, analyze and report on all activity, reducing the time it takes to identify security-related issues across the IT and OT network infrastructure: industrial controller and device activity, who is accessing files, what privileged-user activity is taking place, and what potential threats exist on devices and in the network.

[Architecture diagram: an Indegy Security Platform with Indegy Sensors attached to the network switches, monitoring a SCADA workstation, historian DB and mail server on one side and PLCs, an RTU, a panel and an HMI on the other.]

The RSA NetWitness Platform provides pervasive visibility across a modern IT infrastructure,
enabling better and faster detection of security incidents, with full automation and orchestration
capabilities to investigate and respond efficiently. RSA NetWitness Platform takes security
“beyond SIEM,” extending the traditional log-centric, compliance-focused approach to security
to include state-of-the-art threat analytics, including user and entity behavior analytics (UEBA),
and visibility into cloud, network and endpoints. Organizations are experiencing a rapidly
changing threat environment, and they need tools and services that can keep up with the
changes. RSA NetWitness Platform is designed to offer the maximum amount of visibility, with
automated analysis and prioritization, and in context of the real business risk of a threat.

Indegy provides situational awareness and real-time security for industrial control networks to ensure operational continuity and reliability. The Indegy Security Suite delivers comprehensive visibility and oversight into all OT activities, whether they are network based, device based or on industrial controllers. These include changes to controller logic, configuration and state across devices from all vendors, network communication patterns, rogue devices, malware propagation, and more. This is done by combining a Deep Packet Inspection engine for proprietary control communications with Device Integrity technology that queries devices safely in their native communication protocols without ever affecting them. This allows validation of PLC and PC firmware/OS, code/software and configuration. Indegy provides a critical feed into the RSA NetWitness Platform and delivers visibility, security and control for your operational environment. This, combined with the native capabilities of the NetWitness Platform, delivers the intelligence required across both the OT and IT environments.
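The device-integrity validation and the "recover to last known good state" snapshotting described above both rest on the same mechanic: record a known-good snapshot of each controller, then diff a fresh snapshot against it. The following is an added example written for this page, not Indegy's or RSA's own code. It assumes the snapshot (firmware version, installed modules, code blocks) has already been read from the device; how that read happens over the controller's native protocol is outside the example, and the PLC data, block names and field names are constructed for illustration.

```python
"""Baseline snapshot comparison for industrial controllers.

Added example, not Indegy's or RSA's own code. Keep a known-good snapshot of
each controller (firmware version, hardware modules, code blocks), take a
fresh one later, and report every difference so the change can be
investigated or the baseline restored. All controller data and field names
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ControllerSnapshot:
    asset: str
    firmware: str
    modules: tuple[str, ...]
    code_blocks: dict[str, bytes]      # block name -> raw logic bytes as read from the device

    def digests(self) -> dict[str, str]:
        """SHA-256 per code block: enough to detect a change without storing the logic itself."""
        return {name: hashlib.sha256(data).hexdigest()
                for name, data in sorted(self.code_blocks.items())}

    def to_baseline(self) -> str:
        """Serialise the known-good state; this is what gets backed up and diffed against later."""
        return json.dumps({"asset": self.asset, "firmware": self.firmware,
                           "modules": list(self.modules), "code_blocks": self.digests()},
                          sort_keys=True)


def compare(baseline_json: str, current: ControllerSnapshot) -> list[str]:
    """Return one human-readable line per drift between the stored baseline and a fresh snapshot."""
    base = json.loads(baseline_json)
    drifts: list[str] = []
    if base["firmware"] != current.firmware:
        drifts.append(f"firmware changed {base['firmware']} -> {current.firmware}")
    old_mods, new_mods = set(base["modules"]), set(current.modules)
    drifts += [f"module removed: {m}" for m in sorted(old_mods - new_mods)]
    drifts += [f"module added: {m}" for m in sorted(new_mods - old_mods)]
    old_blocks, new_blocks = base["code_blocks"], current.digests()
    for name in sorted(set(old_blocks) | set(new_blocks)):
        if name not in new_blocks:
            drifts.append(f"code block deleted: {name}")
        elif name not in old_blocks:
            drifts.append(f"code block added: {name}")
        elif old_blocks[name] != new_blocks[name]:
            drifts.append(f"code block modified: {name}")
    return drifts


def run_example() -> list[str]:
    """Constructed data: a PLC baselined at commissioning, then re-snapshotted after
    an unscheduled change (one I/O module pulled, safety logic edited, a debug block added)."""
    baseline = ControllerSnapshot(
        asset="PLC-01", firmware="4.2.1", modules=("CPU", "DI-16", "AO-8"),
        code_blocks={"MAIN": b"LD I0.0\nST Q0.0\n",
                     "SAFETY": b"LD I1.0\nANDN I1.1\nST Q1.0\n"},
    )
    stored = baseline.to_baseline()          # what a backup of the "good state" holds
    current = ControllerSnapshot(
        asset="PLC-01", firmware="4.2.1", modules=("CPU", "DI-16"),
        code_blocks={"MAIN": b"LD I0.0\nST Q0.0\n",
                     "SAFETY": b"LD I1.0\nST Q1.0\n",
                     "DEBUG": b"NOP\n"},
    )
    return compare(stored, current)


if __name__ == "__main__":
    for line in run_example():
        print("PLC-01:", line)
```

Storing only digests in the baseline keeps the audit record small and lets an unchanged block be confirmed without re-reading the logic, while the module and firmware fields give the inventory-level drift (hardware removed, firmware replaced) that an engineering change ticket should account for.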

Results
The interoperability between Indegy® and the RSA NetWitness solution offers visibility, security and control for industrial networks, enabling security professionals to effectively detect and mitigate threats to the safety, reliability and continuity of industrial processes. As part of the joint solution, monitoring occurs across the IT and OT environments to ensure early and comprehensive threat detection and mitigation that other point products can easily miss.

• Improved security automation, sensing and visibility
• Increased control over distributed operations
• Better compliance with regulatory requirements and tracking
• Higher responsiveness when incidents occur and improved organizational performance
• Better decision making based on more detailed information
• Proactive maintenance and reduced response times to unforeseen disruptions
• Improved flow of information to stakeholders

Available Policies With The Interoperability


Indegy enables ICS engineering and security professionals to configure their own Policies
to alert for specific unauthorized/important activities as well as for various anomalies in the
ICS network. The system offers the ability to edit pre-defined policies or define new custom
policies. Each policy includes the conditions by which an alert will be triggered as well as the
actions taken following such alert. The policies are organized by the following categories:

Activity Policies relate to the activities in the network (that is, the engineering commands that impact controllers' state and configuration). It is possible to define specific activities that always generate alerts, or to designate a set of criteria for generating alerts, for example when certain activities are performed at certain times and/or on certain controllers. Both blacklisting and whitelisting of assets, activities and schedules are supported.

Controller Policies relate to changes that take place in the controllers in the network. This can involve changes in the state of a controller as well as changes to the firmware, asset properties, hardware/module configuration or code blocks (made over the network or locally on the device). The policies can be limited to specific schedules (for example, a firmware upgrade during the working day) and/or to specific controllers.

Network Policies relate to the network assets and the communication streams between assets. This includes assets that were added to or removed from the network, and traffic patterns that are anomalous for the network or that have been flagged as a cause for concern, for example an engineering station communicating with a controller using a protocol that is not part of a pre-configured set of protocols. These policies can be limited to specific schedules and/or specific assets.

Data Plane Policies detect changes in set-point values which can harm the industrial process.
These changes may result from a cyber attack or human error.
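The activity, network and data-plane categories above are each a predicate over an observed OT event. The following added example, written for this page and not Indegy's or RSA's own policy engine, implements one policy of each kind and runs them over a constructed event stream: an always-alert activity (blacklist), an allowlist of engineering stations per controller combined with a maintenance-window schedule, a known-asset inventory with an expected-protocol set per source/destination pair, and a set-point check with both a safe range and a maximum step. Every asset name, protocol name, tag, schedule, threshold and event record is an assumption made for illustration; the alert dict is simply the shape a SIEM feed could carry, not any vendor's format. Controller policies are left out because they compare device state rather than classify a single event.

```python
"""Policy evaluation over OT events, following the activity, network and
data-plane policy categories described above.

Added example, not Indegy's or RSA's own policy engine. Each policy is a
function that takes one event record and returns an alert (a dict a SIEM
feed could carry) or None. Event records, asset names, protocols, schedules
and thresholds are constructed for illustration.
"""
from datetime import datetime, time


def _alert(ev, category, reason):
    return {"category": category, "reason": reason, "time": ev["time"],
            "src": ev.get("src"), "dst": ev.get("dst")}


def activity_policy(always_alert, allowed_sources, workdays, start, end):
    """Engineering commands: some always alert (blacklist); the rest alert
    only from a station not allowlisted for that controller or outside the
    maintenance window (whitelist of assets and schedule)."""
    def check(ev):
        if ev["kind"] != "activity":
            return None
        if ev["activity"] in always_alert:
            return _alert(ev, "activity", f"{ev['activity']} always alerts")
        if ev["src"] not in allowed_sources.get(ev["dst"], set()):
            return _alert(ev, "activity", f"{ev['src']} not allowlisted for {ev['dst']}")
        ts = datetime.fromisoformat(ev["time"])
        if ts.weekday() not in workdays or not start <= ts.time() <= end:
            return _alert(ev, "activity", f"{ev['activity']} outside maintenance window")
        return None
    return check


def network_policy(known_assets, allowed_protocols):
    """Communication streams: alert on an asset not in the inventory, or on a
    protocol not in the pre-configured set for that source/destination pair."""
    def check(ev):
        if ev["kind"] != "network":
            return None
        if ev["src"] not in known_assets or ev["dst"] not in known_assets:
            return _alert(ev, "network", f"unknown asset in {ev['src']} -> {ev['dst']}")
        if ev["protocol"] not in allowed_protocols.get((ev["src"], ev["dst"]), set()):
            return _alert(ev, "network", f"{ev['protocol']} not expected {ev['src']} -> {ev['dst']}")
        return None
    return check


def data_plane_policy(safe_ranges, max_step):
    """Set-point writes: alert when the value leaves the tag's safe range or
    jumps by more than max_step from the previously seen value."""
    last = {}  # per-tag previous value, kept across events
    def check(ev):
        if ev["kind"] != "data_plane":
            return None
        tag, value = ev["tag"], ev["value"]
        lo, hi = safe_ranges.get(tag, (float("-inf"), float("inf")))
        prev, last[tag] = last.get(tag), value
        if not lo <= value <= hi:
            return _alert(ev, "data_plane", f"{tag}={value} outside safe range [{lo}, {hi}]")
        if prev is not None and abs(value - prev) > max_step:
            return _alert(ev, "data_plane", f"{tag} jumped {prev} -> {value}")
        return None
    return check


def evaluate(events, policies):
    """Run every policy over every event in order and collect the alerts."""
    return [a for ev in events for p in policies if (a := p(ev)) is not None]


def run_example():
    """Constructed event stream: one Tuesday (2019-03-05) on a small cell with a single PLC."""
    policies = [
        activity_policy({"firmware download"}, {"PLC-01": {"ENG-01"}},
                        workdays={0, 1, 2, 3, 4}, start=time(8), end=time(17)),
        network_policy({"ENG-01", "HMI-01", "HIST-01", "PLC-01"},
                       {("ENG-01", "PLC-01"): {"S7comm"}, ("HMI-01", "PLC-01"): {"Modbus/TCP"}}),
        data_plane_policy({"TANK1_LEVEL_SP": (0.0, 100.0)}, max_step=10.0),
    ]
    events = [  # benign events first in each category, then one per violation
        {"time": "2019-03-05T10:15:00", "kind": "activity", "src": "ENG-01", "dst": "PLC-01", "activity": "logic download"},
        {"time": "2019-03-05T10:20:00", "kind": "activity", "src": "ENG-01", "dst": "PLC-01", "activity": "firmware download"},
        {"time": "2019-03-05T10:30:00", "kind": "activity", "src": "HIST-01", "dst": "PLC-01", "activity": "logic download"},
        {"time": "2019-03-05T23:40:00", "kind": "activity", "src": "ENG-01", "dst": "PLC-01", "activity": "logic download"},
        {"time": "2019-03-05T11:00:00", "kind": "network", "src": "ENG-01", "dst": "PLC-01", "protocol": "S7comm"},
        {"time": "2019-03-05T11:02:00", "kind": "network", "src": "MAIL-01", "dst": "PLC-01", "protocol": "S7comm"},
        {"time": "2019-03-05T11:05:00", "kind": "network", "src": "HMI-01", "dst": "PLC-01", "protocol": "HTTP"},
        {"time": "2019-03-05T12:00:00", "kind": "data_plane", "src": "HMI-01", "dst": "PLC-01", "tag": "TANK1_LEVEL_SP", "value": 60.0},
        {"time": "2019-03-05T12:11:00", "kind": "data_plane", "src": "HMI-01", "dst": "PLC-01", "tag": "TANK1_LEVEL_SP", "value": 95.0},
        {"time": "2019-03-05T12:12:00", "kind": "data_plane", "src": "HMI-01", "dst": "PLC-01", "tag": "TANK1_LEVEL_SP", "value": 130.0},
    ]
    return evaluate(events, policies)
```

Running run_example() yields seven alerts: the firmware download (always), the historian issuing a logic download (not allowlisted), the late-night logic download (outside the window), the mail server talking S7comm to the PLC (unknown asset on the OT segment), HTTP from the HMI (unexpected protocol), and two set-point writes (a 35-unit jump, then a value outside the safe range). The first activity, the first network event and the first set-point write produce nothing, which is the point of allowlisting by asset and schedule rather than alerting on every engineering command.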

About Indegy
Indegy, a leader in industrial cyber security, protects industrial control system (ICS) networks
from cyber threats, malicious insiders and human error. The Indegy Industrial Cyber Security
Suite arms security and operations teams with full visibility, security and control of ICS activity
and threats by combining hybrid, policy-based monitoring and network anomaly detection with
unique device integrity checks. Indegy solutions are installed in manufacturing, pharmaceutical,
energy, water and other industrial organizations around the world.

Like this solution brief?


Visit us at Indegy.com for more content like this.
