Case Study

Better Together: Operationalizing OT Security with Malisko and Cisco Cyber Vision

BACKGROUND

Malisko was engaged by a leading global beverage manufacturer’s IT department to conduct a proof-of-concept installation of Cisco’s Cyber Vision at a pilot site. This initiative, enabled through Cisco’s Digital Solution Integrator (DSI) program, aimed to standardize an Operational Technology (OT) cyber security solution across the organization, thereby improving the communication and coordination between IT and OT personnel to secure their critical production systems. The selected pilot site comprised a large, flat OT network where OT servers communicated with each Programmable Logic Controller (PLC) across different areas of the plant including utilities, processing, packaging, and warehouse.

OBJECTIVES

The main goal of the proof-of-concept project was to detect any traffic flows between the OT systems and Enterprise IT systems. Moreover, the customer wanted to uncover any industrial devices directly connected to the internet as well as document device vulnerabilities. Leveraging the extensive visibility and robust asset identification features of Cisco’s Cyber Vision, the project sought to gain valuable insights into the OT network and expedite the solution adoption process across the organization.

CHALLENGES

The project faced some challenges, primarily driven by the traditionally siloed roles of the IT and OT departments. During project initiation, Malisko had neither access to local plant controls personnel nor any OT system topology documentation. While the proof-of-concept was to focus on north-south traffic, understanding the topology ahead of time would have helped identify blind spots where ICS traffic cannot be inspected by a passive sensor (for example, traffic that stays on a private I/O network behind a PLC). Involving OT personnel ahead of time would also have provided an understanding of the application layer structure and therefore of the expected communication patterns against which anomalies could be judged.

SOLUTIONS

The Cyber Vision Center application was installed remotely onto a virtual host provided at the site. It was confirmed that this machine was also hosting ICS virtual machines which were communicating with factory floor PLCs. Because of the co-location of these servers, Malisko leveraged the Cyber Vision Center DPI virtual sensor for the north-south traffic inspection. This approach passively captured and decoded industrial application flows between the servers and most of the critical industrial equipment, thus identifying assets, their characteristics, and communication patterns without injecting any traffic into the control network. Once on site, Malisko worked closely with the local control systems engineer to verify asset discovery, map the OT system topology, and build a thorough understanding of the application layer structure. At this time, it was determined that additional Cyber Vision sensors would need to be deployed to capture east-west traffic, especially in the case of PLCs with private I/O networks, which the virtual sensor on the server host cannot see.

RESULTS

The passive inspection of the traffic accurately identified all PLCs in the environment as well as engineering workstations, standalone HMIs, and OT servers. The analysis quantified communications such as ARP requests, EtherNet/IP read and write variables, NetBIOS, SMB, ICMP, and DCE-RPC traffic. Several critical- and high-severity CVEs (Common Vulnerabilities and Exposures) were identified within the OT infrastructure. Other notable findings included several DNS requests sent from OT assets to external IP addresses, and cleartext passwords being used within the OT environment. To cover the blind spots, a preliminary design was provided to replace several in-panel switches with Cisco's IE3400, which acts as both a switch and a native Cyber Vision sensor, one of the key features of Cisco's holistic OT security solution.
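The objectives above (OT-to-enterprise flows, OT devices talking to the internet, external DNS lookups, cleartext protocols) boil down to a set of rules applied to the flow records a passive sensor produces. The following is an added example, not Cisco Cyber Vision code and not its export format: it runs those rules over a handful of constructed flow records. The address plan (10.20.0.0/16 for the plant, 10.1.0.0/16 for corporate IT), the application labels, and the flow record layout are all assumptions made for the example.

```python
"""Flag north-south, internet-bound, external-DNS and cleartext flows in
passive OT flow records.

Added example; NOT Cisco Cyber Vision code or its export format. The record
layout, subnets, application labels and sample flows below are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumed (hypothetical) address plan: plant OT network and corporate IT network.
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
ENTERPRISE_SUBNETS = [ipaddress.ip_network("10.1.0.0/16")]

# Applications that carry credentials or session data in cleartext.
CLEARTEXT_APPS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" / "udp" / "icmp"
    dport: int  # destination port (0 for icmp)
    app: str    # decoded application label, e.g. "enip", "dns", "smb"


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def is_public(addr: str) -> bool:
    """True for globally routable addresses (i.e. 'the internet')."""
    return ipaddress.ip_address(addr).is_global


def classify(flow: Flow) -> Set[str]:
    """Return the set of findings raised by one flow record."""
    tags: Set[str] = set()
    ends = (flow.src, flow.dst)
    ot_side = any(_in_any(a, OT_SUBNETS) for a in ends)
    ent_side = any(_in_any(a, ENTERPRISE_SUBNETS) for a in ends)
    if ot_side and ent_side:
        tags.add("north-south")            # OT <-> enterprise IT crossing
    if ot_side and any(is_public(a) for a in ends):
        tags.add("internet-exposed")       # OT asset talking to a public IP
    if flow.app == "dns" and is_public(flow.dst):
        tags.add("external-dns")           # DNS not answered by a plant resolver
    if flow.app in CLEARTEXT_APPS:
        tags.add("cleartext-protocol")     # credentials likely visible on the wire
    return tags


def summarize(flows: Iterable[Flow]) -> Counter:
    """Count flows per decoded application, as a passive sensor would report them."""
    return Counter(f.app for f in flows)


def report(flows: Iterable[Flow]) -> Dict[str, List[Flow]]:
    """Group flows by finding so each category can be reviewed with OT staff."""
    findings: Dict[str, List[Flow]] = {}
    for f in flows:
        for tag in classify(f):
            findings.setdefault(tag, []).append(f)
    return findings


# Constructed sample records (hypothetical addresses and labels).
SAMPLE_FLOWS = [
    Flow("10.20.5.10", "10.20.5.21", "tcp", 44818, "enip"),  # OT server -> PLC, expected
    Flow("10.20.5.10", "10.1.3.4", "tcp", 445, "smb"),       # OT server -> corporate share
    Flow("10.20.5.10", "8.8.8.8", "udp", 53, "dns"),         # DNS straight to an external resolver
    Flow("10.20.7.3", "10.20.5.21", "tcp", 23, "telnet"),    # workstation -> PLC over telnet
    Flow("10.20.5.10", "10.20.5.21", "icmp", 0, "icmp"),     # plant-internal ping
]

if __name__ == "__main__":
    print("flows per application:", dict(summarize(SAMPLE_FLOWS)))
    for tag, flows in sorted(report(SAMPLE_FLOWS).items()):
        print(tag)
        for f in flows:
            print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.app})")
```

In practice the `north-south` bucket is the one to walk through with the plant engineer first: a flow from an OT server to a corporate file share may be a sanctioned historian export or it may be the exact path an attacker would use, and only someone who knows the application layer can tell the two apart. The `internet-exposed` and `external-dns` buckets rarely have a legitimate explanation on a plant floor and are the quickest wins for firewall rules at the IT/OT boundary.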

The success of the pilot project underscored the value of Cyber Vision and the role it plays in OT network analysis and vulnerability assessments. The customer also saw firsthand the importance of having a knowledgeable partner like Malisko to help them navigate the complexities of IT/OT convergence. As a result, the corporate IT team recognized the value of Cyber Vision as a critical tool in designing, monitoring, and securing their OT network, marking a significant stride towards a standardized OT cyber security solution. As a next step, Malisko began helping the customer define the rollout of Cyber Vision to the rest of the facilities as well as started the design for the Global Cyber Vision Center deployment to tie all sites together for integration into their SIEM.



Malisko Engineering, Inc. © Copyright 2022. All rights reserved