Developer: Positive Technologies
First release date: 2022/04/20
Last release date: 2024/07/05
Technology: Information Security - Fraud Detection System (Fraud), Information Security - Security Information and Event Management (SIEM)
PT Industrial Cybersecurity Suite (PT ICS) is a comprehensive platform for protecting industrial enterprises from cyber threats. It detects attackers at every stage of an attack in industrial environments and lets security teams respond in time. PT ICS provides comprehensive protection of a company's industrial segment, from network nodes to process equipment.
Structure
As of April 2022, the PT ICS includes:
- MaxPatrol SIEM for industry. Monitors user and software activity on endpoints, detects attacks on the IT infrastructure and manages information security incidents across the enterprise. Supports foreign and Russian automated process control system (APCS, i.e. ICS/SCADA) components out of the box.
- MaxPatrol VM for industry. Automates asset management and makes it possible to correctly assess and prioritize information security events. MaxPatrol VM integrates closely with MaxPatrol SIEM and lets you build a vulnerability management process in a single interface. Supports foreign and Russian APCS (SCADA) components.
- PT ISIM. Performs in-depth traffic analysis of process systems. Provides tools for proactive threat hunting, automatically builds an attack vector, and provides retrospective traffic analysis. Supports more than 100 network protocols.
- PT Sandbox for industry. Detects unknown malware targeting APCS (SCADA) components from foreign and Russian manufacturers in files and links. Performs static and dynamic analysis of objects received from endpoints and other sources. Allows customizing the emulation environment, "decoys" and installed software to match the specifics of the company.
- PT XDR for industry. PT XDR EDR agents collect and analyze data from endpoints, help proactively hunt for threats and block cyber threats. Supports popular operating systems out of the box. The agents are adapted to industrial enterprises.
2024
Threat detection package for the AstraRegul process automation suite added
An expertise package has been added to MaxPatrol SIEM, the information security event monitoring and incident management system that is part of the PT Industrial Cybersecurity Suite (PT ICS) solution. It includes rules for detecting threats in the AstraRegul process automation software suite. Positive Technologies announced this on July 5, 2024.
The AstraRegul software and hardware complex is used by industrial enterprises to build distributed process control systems. PT ICS now identifies actions that can threaten the operation of APCS running under AstraRegul, in particular password brute-forcing, file substitution, suspicious actions with configurations and process mimic diagrams, and starting or stopping critical services and applications. PT ICS also registers information security events from REGUL RX00 PLCs, such as user login and logout, changes to user rights, dangerous manipulation of the PLC firmware and changes to protection system parameters.
"According to our research, Russian industrial and energy companies remain an attractive target for targeted attacks. To keep production safety at a high level, we are developing cooperation with automation vendors and regularly adding new expertise packages to the PT ICS platform," said Andrey Kuderov, Head of the Technology Partners Department at Positive Technologies. "The implementation of a secure system allows companies to avoid cyber incidents at work and to pass inspections for compliance with FSTEC requirements."
The expertise package is already available for installation through technical support in the latest version of MaxPatrol SIEM.
Expertise package for detecting cyber attacks on Alpha Platform APCS
An expertise package for detecting cyber attacks on APCS based on the Alpha Platform has been added to PT ICS. Positive Technologies announced this on June 17, 2024.
Users will be able to detect shutdown of critical services, unauthorized changes and file substitution.
Atomik Soft's Alpha Platform software is used in the power, transport, fertilizer production, oil and gas and other industries. The rules are designed for the MaxPatrol SIEM system, which is part of the PT Industrial Cybersecurity Suite (PT ICS) solution for protecting industry from cyber threats.
"Cyber attacks are increasingly becoming the cause of disruptions and accidents at industrial facilities. Attackers can penetrate production systems from outside, for example from the Internet or the corporate network. An internal violator who has legitimate access to critical infrastructure is also a serious threat. Therefore, it is crucial for businesses to have cybersecurity threat detection and prevention solutions such as PT ICS in their arsenal. They take into account the specifics of industrial systems and increase expertise. This allows us to combat cyber threats in industrial infrastructures most effectively," said Andrey Kuderov, Head of the Technology Partners Department at Positive Technologies.
In 2023, industrial enterprises were among the six most attacked targets. In 95% of cases, attacks were aimed at a specific enterprise, and every second attack disrupted the company's operations.
"The tests confirmed that the expertise package is fully compatible with all Alpha Platform components. The PT ICS products can now be used to monitor security events in systems built on the Alpha Platform," commented Kirill Silkin, Technical Director of Atomik Soft.
The added expertise package detects manipulation of SCADA system data and attempts to compromise the control system's core files by both external and internal intruders. The rules in the package are aimed at detecting the following intruder techniques:
- Changing information on the screen. Attackers can try to falsify the data that the system presents to operators, for example by changing HMI project files, in the expectation that operators will not notice problems in the operation of the equipment or will act on incorrect information.
- Unauthorized modification of APCS server parameters. Attackers can try to edit the Alpha.Server configuration file, which contains the process plan and data exchange parameters. In this way, hackers can intervene in the production process, with serious consequences for the enterprise.
- Service shutdown. Hackers may try to stop the Alpha.Server data server. This can also lead to accidents, including environmental hazards.
- Masking malicious activity. Attackers can try to spoof information about the location, name or metadata of an object to pass off their actions as allowed. In the case of Alpha Platform, this event is the substitution of files with other files modified by attackers or with older versions containing vulnerabilities or bugs.
The expertise package is already available for installation through technical support in the latest version of MaxPatrol SIEM, which is part of the PT ICS platform.
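The four techniques above can be illustrated with endpoint-level detection logic. The block below is an added example and is not Positive Technologies' rule content or any PT ICS code: the file paths, process names, service name, file hashes and the MITRE ATT&CK for ICS mapping are assumptions made for the illustration, and the events it runs over are constructed.

```python
"""Added example (not PT ICS rules): flags the four Alpha Platform intruder
techniques by running simple detection logic over constructed endpoint events.
Paths, process names, hashes and the ATT&CK for ICS mapping are assumptions."""
import json
from fnmatch import fnmatch

# Assumed locations of the Alpha Platform artefacts that the rules watch.
CRITICAL_PATHS = {
    "C:/AlphaPlatform/Server/Alpha.Server.config":
        ("unauthorized_server_config_change", "T0831 Manipulation of Control"),
    "C:/AlphaPlatform/HMI/*.hmi":
        ("screen_information_change", "T0832 Manipulation of View"),
}
CRITICAL_SERVICES = {"Alpha.Server": ("service_shutdown", "T0881 Service Stop")}
# Processes allowed to write the files above (e.g. the vendor updater) -- assumed.
TRUSTED_WRITERS = {"AlphaUpdater.exe"}
# SHA-256 prefixes of known old/vulnerable file versions -- constructed values.
KNOWN_OLD_VERSIONS = {"hmi_main.hmi": {"3f2a9c10"}}


def classify(ev):
    """Return (technique, attack_ref, detail) for one event, or None if benign."""
    if ev["type"] == "file_write":
        path, proc = ev["path"], ev["process"]
        if proc in TRUSTED_WRITERS:
            return None
        name = path.rsplit("/", 1)[-1]
        # Restoring a known old version is a downgrade used to mask activity
        # (file substitution); it wins over the plain path-pattern match.
        if ev.get("sha256", "")[:8] in KNOWN_OLD_VERSIONS.get(name, set()):
            return ("masking_malicious_activity", "T0849 Masquerading",
                    f"{proc} replaced {path} with a known old version")
        for pattern, (technique, ref) in CRITICAL_PATHS.items():
            if fnmatch(path, pattern):
                return technique, ref, f"{proc} wrote {path}"
        return None
    if ev["type"] == "service_stop":
        hit = CRITICAL_SERVICES.get(ev["service"])
        if hit:
            return hit[0], hit[1], f"{ev['user']} stopped {ev['service']}"
    return None


def detect(jsonl):
    """Run classify() over newline-delimited JSON events; return findings in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        hit = classify(ev)
        if hit:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "technique": hit[0], "attack": hit[1], "detail": hit[2]})
    return findings


# Constructed sample events from an operator workstation and the data server.
SAMPLE_EVENTS = """\
{"ts":"2024-06-17T08:00:01Z","type":"file_write","host":"alpha-srv","user":"svc_alpha","process":"AlphaUpdater.exe","path":"C:/AlphaPlatform/Server/Alpha.Server.config","sha256":"9a1b0000"}
{"ts":"2024-06-17T08:12:44Z","type":"file_write","host":"alpha-srv","user":"contractor","process":"powershell.exe","path":"C:/AlphaPlatform/Server/Alpha.Server.config","sha256":"c0ffee12"}
{"ts":"2024-06-17T08:13:02Z","type":"file_write","host":"hmi-01","user":"operator","process":"explorer.exe","path":"C:/AlphaPlatform/HMI/hmi_main.hmi","sha256":"3f2a9c10ab"}
{"ts":"2024-06-17T08:13:30Z","type":"file_write","host":"hmi-01","user":"operator","process":"notepad.exe","path":"C:/AlphaPlatform/HMI/overview.hmi","sha256":"77777777"}
{"ts":"2024-06-17T08:15:00Z","type":"service_stop","host":"alpha-srv","user":"contractor","service":"Alpha.Server"}
{"ts":"2024-06-17T08:15:05Z","type":"service_stop","host":"alpha-srv","user":"svc_alpha","service":"Spooler"}
{"ts":"2024-06-17T08:16:00Z","type":"file_write","host":"hmi-01","user":"operator","process":"notepad.exe","path":"C:/Temp/notes.txt","sha256":"00000000"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:10} {f['technique']:34} {f['attack']:28} {f['detail']}")
```

The sample produces four findings (config change, downgrade of an HMI file, HMI screen change, data-server stop) and ignores the vendor updater, a non-critical service and an unrelated file. In a real deployment the writer allow-list and the hash catalogue of old versions are the parts that need maintenance, and the hash comparison should use the full digest rather than a prefix.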
Package for detecting attacks on industrial automation systems added
PT Industrial Cybersecurity Suite (PT ICS) has received an additional expertise package. The platform developer announced this on March 7, 2024. MaxPatrol VM as part of PT ICS now identifies vulnerabilities in industrial automation systems made by Yokogawa Electric Corporation, AVEVA and Siemens, which are common in companies' technology segments.
Yokogawa Electric Corporation's CENTUM VP distributed control system is used by more than 10,000 enterprises in the chemical, power, oil and gas, food and other industries. AVEVA InTouch HMI is used in every third plant in the world. The Siemens Simatic PCS 7 and Siemens Simatic WinCC supervisory control systems are also in demand in various areas of industrial production. Building a vulnerability management process is important for production cyber resilience, since it protects industrial systems that have vendor-confirmed vulnerabilities and publicly available exploits.
Positive Technologies has supplemented the MaxPatrol VM vulnerability management system, which is part of PT ICS, with an expertise package. With the new rules, known security flaws in Yokogawa, AVEVA and Siemens industrial automation systems can be identified quickly, and potential attack scenarios pointed out. The update will help information security specialists detect vulnerabilities in APCS components in time and plan measures to eliminate them or apply compensating measures. This minimizes the possibility of attackers exploiting the gaps and reduces the risk of unacceptable events in production.
"It is important for industrial organizations to regularly scan APCS components for vulnerabilities and fix them before attackers use them and disrupt the technological process. Updates and security patches for some foreign APCS systems have become unavailable to Russian companies, so it is necessary to have a complete picture of the software versions used at the enterprise and their vulnerabilities. Building a full-fledged vulnerability management process is also useful for the inventory of technological network assets, in order to keep up-to-date information about all nodes in a single database and not scan the network every time vendors report new vulnerabilities," said Yevgeny Orlov, Head of Industrial Systems Information Security at Positive Technologies. "We will continue to supplement PT ICS with expertise for identifying threats in industrial automation systems, PLCs and network equipment of Russian and foreign manufacturers."
To install the expertise package, update MaxPatrol VM as part of PT ICS to the latest version and contact technical support.
2023
Compatibility with the ARBITER complex
Positive Technologies and SPIK SZMA have tested the compatibility of the PT Industrial Cybersecurity Suite platform for protecting industry from cyber threats with the ARBITER integrated control and safety system. Positive Technologies announced this on December 7, 2023.
Developed by SPIK SZMA, the ARBITER software and hardware complex is designed for building distributed process control systems and emergency shutdown systems for the power, chemical and petrochemical industries, oil and gas production, oil refining, and pulp and paper production.
Based on the test results, experts from Positive Technologies and SPIK SZMA confirmed the correct joint operation of the systems for building a secure technological process at industrial enterprises.
"Reliability and speed are critical for industrial enterprises. Tests have shown that the performance and operability of the ARBITER system and the PT ICS platform are not impaired when operating together. The successful test result allows using PT ICS to ensure the security of significant critical information infrastructure facilities of the Russian Federation on which the ARBITER system will be installed," said Yuri Indyk, Technical Director of SPIK SZMA.
"The joint use of the ARBITER system and PT ICS allows ensuring a high level of security and cyber resilience of APCS at critical industrial enterprises, as well as compliance with the legal requirements for the protection of critical information infrastructure facilities in the country," said Andrey Kuderov, Head of the Technology Partners Department at Positive Technologies.
Detection of cyber threats in industrial automation systems built on MPS Soft software
The expertise package for the integrated PT ICS platform allows identifying cyber threats in industrial automation systems built on MPS Soft software. The update is compatible with the full-featured MasterSCADA 4D platform, designed for developing automation and process dispatching tools, and supports MasterSCADA 3.X. It also detects attacks on the OPC servers that collect data from controllers and transmit it to other systems: Modbus Universal MasterOPC Server and Multi-Protocol MasterOPC Server. Positive Technologies announced this on July 7, 2023.
With the expertise package, suspicious actions that can negatively affect the technological process can be detected. For example, PT ICS will inform the operator if the MasterOPC configuration file changes, and will warn about unauthorized disabling of security mechanisms or the setting of incorrect operating parameters. In addition, the platform now detects illegitimate substitution of executable files, stopping of processes and services important for the production cycle (such as MasterOPC Server), manipulation of MasterSCADA files, erasing of logs and other dangerous actions.
The MasterSCADA system is included in the register of Russian software, has over 100,000 installations, is used in more than 30 industries and is designed for industrial automation projects of any scale and complexity, from small production sites to large, geographically distributed complexes.
"In 2022, almost every tenth attack on organizations targeted industrial enterprises, and the number of incidents over the year increased by 7%. In these conditions, it is necessary to increase the level of security of SCADA systems and other process automation software, especially since many organizations are quickly switching to other domestic products. PT ICS expertise packages summarize the data obtained during penetration tests and the experience of the PT Expert Security Center (PT ESC), allow detecting an attacker at all stages of an attack in industrial environments and making timely management decisions," noted Evgeny Orlov, Head of Industrial Systems Information Security at Positive Technologies.
The expertise package is available for installation with the latest version of MaxPatrol SIEM, which is part of the PT ICS platform. Earlier, Positive Technologies released expertise packages for identifying cyber attacks on Yokogawa and TRACE MODE systems.
Expertise package for identifying cyber attacks on Yokogawa systems added
On May 23, 2023, Positive Technologies announced that it had developed an expertise package for the PT ICS integrated platform that supports Yokogawa Electric Corporation systems. Platform users will be able to detect attacks on the CENTUM VP distributed control system (DCS), which is used by 10,000 enterprises in the chemical, energy, oil and gas, food, water treatment, pharmaceutical and other industries, as well as on the ProSafe-RS emergency shutdown system, used in more than 2,400 projects.
In 2022, almost every tenth attack on organizations targeted industrial enterprises. Together with government agencies, they became the main target of ransomware. Yokogawa APCS components are common at Russian enterprises, so it is important to regularly update the systems involved in running and protecting the technological process.
This expertise package allows detecting the most common attack vectors on the DCS: network malfunctions and anomalies (changing a node address to one already in use, or redundancy problems), unauthorized access attempts (password manipulation and authentication anomalies in the system), and the use of default passwords.
While working on the expertise package, Denis Alimov, an expert at Positive Technologies, found the vulnerability CVE-2023-26593 (BDU:2022-05068), rated 6.5 on the CVSS v3 scale. It affects DCS of different generations, for example CENTUM CS 1000, produced since the 1990s. The list of vulnerable products also includes CENTUM CS 3000 and CENTUM VP R4 to R6. The vulnerability also affects Exaopc OPC servers, designed to connect Yokogawa Electric Corporation's APCS with third-party software. The manufacturer was notified of the vulnerability and took risk mitigation measures in the latest software versions by offering users an alternative authentication method.
"With the help of the vulnerability, an attacker could gain access to the APCS with a high level of privileges. This would allow, for example, controlling the process plan, enabling or disabling its interlocks, and loading and running process configurations. It would also be possible to trigger an emergency stop of the PLC and change equipment parameter thresholds and development environment settings (alarms, sound indicators, etc.). In addition, a hacker could block users from accessing the development environment and, accordingly, from process control. Such an attack belongs to the denial of control type according to the MITRE [2] classification and can lead to serious consequences," said Denis Alimov, senior specialist in the industrial control systems information security group at Positive Technologies.
It should be noted that some DCS (e.g. CENTUM CS 1000, CENTUM CS 3000, CENTUM VP R4 to R5) are no longer supported by the manufacturer, no updates are issued for them, and any open vulnerability like CVE-2023-26593 (BDU:2022-05068) reduces the security of the industrial facility.
To reduce the risk of such vulnerabilities being exploited, PT ICS with the updated package monitors changes to the project: downloads into it, abnormal startup options, blocking of components and work with specialized software in dangerous modes. With the added package, PT ICS automatically checks the integrity of critical files (for example, firmware) and gives a verdict on whether cybercriminals have tampered with them. Physical security violations are also recorded by the platform, for example attempts to bypass special industrial keyboards in which the access level is controlled by a mechanical key. All this allows implementing comprehensive protection of infrastructure built on Yokogawa Electric Corporation systems.
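The integrity check for critical files mentioned above reduces to comparing a tree of firmware images and project files against a baseline of digests taken at commissioning time. The block below is an added example of that check and is not PT ICS code; the directory layout, file names and contents are constructed for the demo, and it reports three classes of deviation: modified, missing and unexpected (planted) files.

```python
"""Added example (not PT ICS code): a SHA-256 baseline check for critical APCS
files such as firmware images and project files. The directory layout and file
contents below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Digest a file in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree with the baseline; any non-empty list is a finding."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "unexpected": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Golden state, then three constructed tamper actions, then re-verification."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "firmware").mkdir()
        (root / "project").mkdir()
        (root / "firmware" / "fcs01.bin").write_bytes(b"\x7fFCS firmware r6.01")
        (root / "project" / "main.prj").write_bytes(b"plant=unit1\nscan=100ms\n")
        (root / "project" / "alarms.cfg").write_bytes(b"TIC101 HI=85 HH=95\n")
        baseline = build_baseline(root)  # would be taken at commissioning time

        # Simulated attacker actions (constructed for the demo):
        (root / "firmware" / "fcs01.bin").write_bytes(b"\x7fFCS firmware r6.01-patched")
        (root / "project" / "alarms.cfg").unlink()              # alarm thresholds removed
        (root / "project" / "helper.dll").write_bytes(b"MZ...")  # planted binary
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10}: {files}")
```

The baseline only has value if it is stored off the monitored host (or signed) so that an intruder who can rewrite the firmware cannot also rewrite the digests, and legitimate project downloads must refresh it through a change-management step rather than silently.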
2022
Third expertise package released to detect attacks on the integrated AVEVA System Platform
On December 19, 2022, Positive Technologies announced the release of the third expertise package for PT Industrial Cybersecurity Suite (PT ICS), a platform for protecting industry from cyber threats.
It allows identifying attacks on the integrated AVEVA System Platform and detecting unauthorized launches of the TRACE MODE integrated development environment for controlling the SCADA system, which violate the information security regulations of industrial enterprises. The "decoys" added to PT Sandbox help PT ICS detect malware targeting Honeywell's Experion PKS distributed control system and the ARBITER and KingIOServer SCADA systems.
Honeywell solutions are used at oil and gas enterprises and as part of BMS-class systems for the automation and management of building engineering infrastructure: at airports, shopping centers, data centers and sports arenas. The ARBITER SCADA system is considered by industrial enterprises as a replacement for similar foreign-made systems.
The PT ICS platform includes Positive Technologies products: MaxPatrol SIEM, MaxPatrol VM, PT ISIM, PT Sandbox, and PT XDR agents. They regularly receive expertise for identifying cyber threats aimed at equipment and software in a company's industrial segment.
The expertise package includes correlation rules for the MaxPatrol SIEM information security event monitoring system, which allow detecting suspicious attacker actions in the AVEVA System Platform software complex and its components, ArchestrA IDE and InTouch HMI. This comprehensive industrial platform for supervisory control, SCADA, operator panels and industrial internet of things applications is used in various industries around the world (from food production to the fuel and energy sector).
"One of the main threats to any SCADA system is the manipulation of project files. It gives attackers the opportunity to confuse the operator or redirect his commands into illegitimate and dangerous actions. PT ICS allows tracking the launch of the IDE and configurator at various levels, as well as changes in project files or screen forms," comments Andrey Petrikov, head of the industrial systems research group at Positive Technologies. "The integrity of the data sources is monitored by tracking the running of debug software and restarts of the data servers. Unauthorized login is checked at the level of access to the running system and during copying of project files. And monitoring the integrity of log files will not allow cybercriminals to hide traces of malicious influence."
Support for TRACE MODE by the Russian developer AdAstra has been expanded. The MaxPatrol VM vulnerability management system as part of the PT ICS platform now detects the launch of illegitimate programs for this SCADA system on nodes in APCS networks. This allows the operator to monitor the installation of the real-time monitor and the TRACE MODE IDE. Cybercriminals and internal violators (employees who use the company's resources for their own benefit) can use such software to edit PLC projects. This can lead to an accident, property damage or a shutdown of the company's business. Therefore, information security departments need to identify cases of its use before a cyber incident occurs.
PT Industrial Security Incident Manager (PT ISIM), which is part of PT ICS, has been supplemented with a third expertise package. The update expands support for the Mitsubishi Electric family of protocols.
Second expertise package loaded to detect attacks on SCADA TRACE MODE
The second expertise package has been loaded into the PT Industrial Cybersecurity Suite (PT ICS) platform for protecting industry from cyber threats. It detects attacks on SCADA TRACE MODE by the developer AdAstra, a SCADA system common in the industrial segment (it has the largest number of installations in Russia). Positive Technologies announced this on October 3, 2022. Using the detection rules, PT ICS finds substitution of SCADA project files, attempts to manipulate PLC access, and illegitimate actions in applications monitored by SCADA TRACE MODE. This helps to stop the development of attacks on APCS and emergency shutdown systems at an early stage.
17 correlation rules have been added in the PT ICS update package for MaxPatrol SIEM, a system for monitoring events and detecting information security incidents in real time. MaxPatrol SIEM is part of PT ICS, and with the correlation rules the platform can now detect suspicious activity in SCADA TRACE MODE software installed on Windows or Linux.
The updated PT ICS expertise package will help Russian companies meet regulatory requirements: from 2025, state organizations and state-owned companies are obliged to use only Russian software at critical information infrastructure (CII) facilities.
"According to a study by Positive Technologies, the number of attacks on industry in the second quarter of 2022 increased by 53%, and the attackers' goal is not only extortion but also the disruption of enterprises, up to the physical destruction of production. To prevent possible attacks, enterprises need to monitor suspicious network activity and destructive user activity in production technological systems. MaxPatrol SIEM, which is part of the PT ICS platform, allows detecting security events in specialized software that cannot be detected by other information security tools," noted Dmitry Darensky, Head of Industrial Cybersecurity Products Development at Positive Technologies.
Using these rules, PT ICS detects information security events that can disrupt the operation of the SCADA system, built-in APCS applications (leading to loss of process control) and emergency shutdown systems at an industrial enterprise. In addition, the platform detects illegitimate actions that may indicate attempts by attackers to:
- bypass security tools and run a malicious file;
- start the SCADA TRACE MODE engineering or runtime environment without permission;
- display incorrect process control parameters on mimic diagrams, etc.
Capabilities added to detect attacks on Siemens PLCs and malware targeting APCS
The PT Industrial Cybersecurity Suite (PT ICS) platform for protecting industry from cyber threats has received its first expertise package, for detecting attacks on automated control systems based on programmable logic controllers (PLCs) of the Siemens Simatic S7 family. The expertise package also includes rules for detecting Energetic Bear, Industroyer, Triton and other malware, including previously unknown malware, aimed at industrial systems. The updated package is available to Positive Technologies product users within the licenses for protecting the industrial segment. Positive Technologies announced this on July 5, 2022.
According to a study by Positive Technologies, in the first quarter of 2022 industrial enterprises ranked third among the most attacked Russian organizations, ahead of the media, the service sector, IT, science and education. The trend has persisted for several years. To radically change the level of security of industrial enterprises, approaches are needed that provide comprehensive protection of the infrastructure of companies in the industrial segment, from network nodes to process devices.
The PT ICS platform integrates Positive Technologies products (MaxPatrol SIEM, MaxPatrol VM, PT ISIM, PT Sandbox and PT XDR agents), complemented by the expertise needed to identify cyber threats specific to the technology segment: through the new capabilities and agents, the platform detects hacker actions and provides comprehensive protection for the entire enterprise.
24 rules help identify malicious activity in the Totally Integrated Automation Portal (TIA Portal) development environment for automation systems, in the Simatic Step 7 software for creating and maintaining automation systems, and in the Simatic WinCC human-machine interface software (SCADA system). For example, the rules detect:
- Changes to PLC network settings. With this, an attacker can interrupt the connection between controllers and the devices and workstations on the network, which can disrupt the technological process and lead to false triggering of emergency protection or an accident.
- Changes to the TIA Portal system directory. In this way an attacker can disrupt the software or inject malicious code into it, which will be transferred to the PLC when the hardware configuration is downloaded. The technological process may be disrupted and an accident may occur.
- Remote control of a workstation or engineering station (server). This information security event usually indicates attacker activity in the APCS infrastructure.
MaxPatrol SIEM correlates each malicious action with techniques from the MITRE ATT&CK matrix, which are used by attackers for initial access, impact, and command and control.
Positive Technologies has developed detection rules that help the sandbox statically detect attempts to scan the ports used by industrial PLCs from more than 50 foreign and Russian manufacturers (CIP, ELCOM, IOSYS, Modbus and PhoenixHW). Such activity may indicate that malware is probing the infrastructure to find PLCs or SCADA systems and carry out destructive actions on them. Specialized detection rules in the expertise package make it possible to detect, among other things, previously unknown malware tailored to the APCS segment.
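The sandbox rules above look for port-scanning code in samples; the same behaviour can be recognized from the network side once a sample runs. The block below is an added example of that network-side check and is not PT Sandbox's or PT ISIM's rule content. It uses the well-known port assignments of a subset of ICS protocols (ports for ELCOM, IOSYS and PhoenixHW are not included, since the page does not give them), the thresholds are assumptions, and the connection records are constructed. The edge case it handles is a legitimate SCADA server that polls many PLCs on a single protocol, which must not be reported as a sweep.

```python
"""Added example (not PT Sandbox/PT ISIM rules): flags a host sweeping ports
used by industrial controllers, from constructed connection records. Port
numbers are well-known assignments for a subset of ICS protocols; thresholds
are assumptions."""
from collections import defaultdict

ICS_PORTS = {  # well-known TCP/UDP port -> protocol
    102: "S7comm (ISO-TSAP)", 502: "Modbus/TCP", 2222: "EtherNet/IP (CIP I/O)",
    4840: "OPC UA", 20000: "DNP3", 44818: "EtherNet/IP (CIP)", 47808: "BACnet/IP",
}
MIN_TARGETS = 4          # distinct (dst, port) ICS attempts before a source is considered
MIN_PROTOCOLS = 2        # a sweep usually touches several protocols ...
MAX_SUCCESS_RATIO = 0.5  # ... and most probes of absent services fail


def detect_sweeps(flows):
    """flows: iterable of dicts with src, dst, dport and ok (handshake completed).
    Returns one alert per source whose ICS connection pattern looks like a sweep."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "ok": 0, "n": 0})
    for f in flows:
        if f["dport"] not in ICS_PORTS:
            continue                      # non-ICS traffic is out of scope here
        s = per_src[f["src"]]
        s["targets"].add((f["dst"], f["dport"]))
        s["ports"].add(f["dport"])
        s["n"] += 1
        s["ok"] += int(f["ok"])
    alerts = []
    for src, s in sorted(per_src.items()):
        ratio = s["ok"] / s["n"]
        # A poller that talks one protocol to many PLCs and always succeeds is
        # normal; a host probing several protocols, or mostly failing, is not.
        if (len(s["targets"]) >= MIN_TARGETS and
                (len(s["ports"]) >= MIN_PROTOCOLS or ratio <= MAX_SUCCESS_RATIO)):
            alerts.append({"src": src,
                           "hosts": len({d for d, _ in s["targets"]}),
                           "protocols": sorted(ICS_PORTS[p] for p in s["ports"]),
                           "success_ratio": round(ratio, 2)})
    return alerts


def sample_flows():
    """Constructed traffic: a SCADA server polling PLCs plus an infected workstation."""
    flows = [{"src": "10.0.1.10", "dst": f"10.0.2.{i}", "dport": 502, "ok": True}
             for i in range(1, 13)]       # legitimate Modbus polling, all succeed
    probe_ports = [102, 502, 44818, 20000]
    for i in range(20, 24):
        for p in probe_ports:             # only one probed host actually speaks Modbus
            flows.append({"src": "10.0.5.23", "dst": f"10.0.2.{i}", "dport": p,
                          "ok": (i == 21 and p == 502)})
    flows.append({"src": "10.0.5.23", "dst": "10.0.2.50", "dport": 443, "ok": True})
    return flows


if __name__ == "__main__":
    for a in detect_sweeps(sample_flows()):
        print(a)
```

Only the workstation is reported (four hosts, four protocols, a success ratio near zero). The caveat is the failure-ratio branch: a legitimate poller whose PLCs are offline during maintenance will also mostly fail, so in practice known engineering and SCADA hosts should be allow-listed or the rule tied to a time window.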
"By expanding the existing licenses to support the industrial segment, information security specialists will continue to work with familiar and understandable tools, supplemented by technological expertise. This will allow companies to reduce the cost of introducing new cybersecurity systems and integrating third-party solutions, as well as increase the efficiency of information security services," said Roman Krasnov, head of industrial enterprise cybersecurity at Positive Technologies. "PT ICS will regularly receive expertise packages and will be enriched with new capabilities, correlation rules, transports to special devices and application software found only in the technological segments of industrial enterprises. Thus, companies have the opportunity to build a single SOC on one platform and in a single product portfolio, working equally with both corporate and technological infrastructure."
Announcement of PT Industrial Cybersecurity Suite
On April 20, 2022, Positive Technologies announced PT Industrial Cybersecurity Suite (PT ICS), a platform for protecting industry from cyber threats. The platform combines various APCS security capabilities: it detects targeted attacks at all levels of the industrial IT infrastructure and blocks intruders' actions at endpoints in industrial environments.
According to the company, the IT infrastructure of a modern enterprise consists of two segments: corporate and technological. Positive Technologies' research on the security of industrial organizations shows that, as of April 2022, the level of security of the APCS segment is low. The main cyber threats to industrial companies today are attacks by APT groups and hacktivists.
"Most of the efforts of industrial enterprises to optimize their security focus on corporate infrastructures. At the same time, stories regularly appearing in the media about cyber attacks on APCS speak of the low security of technological systems, and of the fact that their security largely determines the overall level of information security of enterprises. Ensuring the security of production facilities requires a single, end-to-end approach. It is necessary to organize protection from the perimeter of the corporate network to the end devices of automation systems, and to apply a single arsenal of modern protection and monitoring tools," said Roman Krasnov, Head of Industrial Cybersecurity at Positive Technologies.
PT ICS platform components are located both inside the APCS and outside it. All of them carry the expertise needed to identify cyber threats specific to the industrial segment. PT ICS combines key Positive Technologies products and their components responsible for the security of technological systems, in particular:
- MaxPatrol SIEM industrial agents collect information from the nodes of the technological network, and specialized event normalization and correlation rules for popular APCS of various manufacturers are available out of the box;
- PT ISIM sensors adapted for APCS perform deep analysis of technological network traffic, detect anomalies in it and help carry out proactive threat hunting;
- MaxPatrol VM industrial agents allow safely scanning the technological network and auditing software and hardware from foreign and Russian manufacturers;
- The specialized capabilities of PT Sandbox help dynamically identify malware targeting technology systems from various manufacturers.
With updated capabilities that take into account the peculiarities of automated control systems, the Positive Technologies products that form the basis of the PT ICS platform detect hacker actions in industrial segments and provide end-to-end protection of the entire technological infrastructure, including data networks, endpoints and specialized devices.
The platform helps:
- monitor the integrity of the process infrastructure;
- analyze the security status of APCS network nodes;
- analyze traffic in APCS process networks;
- detect malware aimed at APCS components;
- respond to and block cyber threats in a timely manner.
Companies that already use Positive Technologies products such as MaxPatrol SIEM, MaxPatrol VM or PT Sandbox can extend protection to the technology segment through PT ICS.