Achieving ICS Network Security Monitoring and Visibility with Flow Data

  • Wednesday, 27 May 2015 3:00PM EDT (27 May 2015 19:00 UTC)
  • Speakers: Robert M. Lee, Chris Sanders

As organizations responsible for Industrial Control System (ICS) networks continue to acknowledge the current threat landscape, they are rapidly looking to instrument their networks for visibility. This visibility is key to helping identify nefarious activity and to investigate potential breaches. ICS and SCADA networks are often characterized by very rigid change control policies and diverse vendor-dependent systems. Often times installing agents on endpoint devices is not an option and the cost to implement a full packet capture solution puts it out of reach. This can put system and security administrators in a position that leaves them feeling helpless. Fortunately, there are options. In this presentation, Robert M. Lee and Chris Sanders will discuss solutions for instrumenting ICS networks for security visibility. This will begin with a high level discussion of network security monitoring (NSM) and asset identification, followed by an overview of network architecture and chokepoints relevant to capturing data. Next, we will introduce flow data and how it can be collected and analyzed to provide visibility in ICS networks with a minimal storage footprint. Finally, we will demonstrate SiLK, a flow collection and analysis suite, and FlowBAT, a graphical flow analysis tool that leverages SiLK.