ICS Security Suite

Resilient and Scalable Industrial Control System Security Appliance

Power Conversion provides a comprehensive cybersecurity management suite that can be deployed in a virtual environment or on its cybersecurity appliance, built with a CIS-compliant Windows 10 installation.

This enables customers to meet industry standards and regulations such as ISA/IEC 62443 security level 3, or regional regulations such as the US DODI 8510-01 risk management framework or the French government's ANSSI.

General Electric

This comprehensive security list might include:

Standard Power Conversion Security software

ICSArmor - A dedicated Security Appliance, enabling defence-in-depth across the Power Conversion control system. Enabling system compliance with IEC 62443 4-2 and IEC 62351-8, ICSArmor gives owners and operators easy access to Power Conversion’s security toolchain. ICSArmor provides an intuitive and secure interface to host and utilize Power Conversion’s security toolchain and optional, embedded third party software.

ICS Security Management Suite with SYSLOG - ICS Security Management Suite provides a central system authentication server to manage users across the Power Conversion OT network, in accordance with IEC 62351-8. ICS Security Management Suite deploys and manages system trust certificates using a PKI with a customer-provided root CA. ICS SYSLOG, in accordance with RFC 5424, collates and stores OT network SYSLOGs with the ability to integrate with a third party SIEM.

ICSGuard - ICSGuard is a unique, patented and integrated health and security monitor for your controller, equipped with machine learning capabilities. ICSGuard serves as a Host Intrusion Detection System (HIDS) Controller when NIST 800-94 is required. ICSGuard utilizes the various HPCi diagnostic pointers and virtual sensors for monitoring controller behavior during operation. For HMI workstations, the MITRE ATT&CK framework is used in combination with Windows OS security event logs to detect threats and anomalies. Upon detection of abnormal events, ICSGuard alerts the operators.

Customer challenges

Secure host platform for both GE Vernova and non-GE Vernova security tools. ICSArmor provides a consolidated dashboard with optional RAID 1 or VM hosting for resiliency to quickly assess OT network health and provision user accounts as a system SecAdmin.

System security orchestrator, enabling user account provisioning in accordance with RBAC and ensuring no single username or password is re-used. Provisions and manages PKI and facilitates machine-to-machine trust, with embedded SYSLOG.

What is the added customer value?

Control system compliance to IEC 62443 3-3 and asset compliance to IEC 62443 4-2.

Contributes to defence-in-depth by adding protection on the user and machine communication layers, featuring security monitoring of HPCi and HMI devices.

Features

ICSArmor is a secure host that can be deployed either on a GE Vernova industrialized RXi2 controller with optional RAID 1 disk configuration or in a virtual machine. During installation, ICSArmor is hardened using the CIS Benchmark L1 or L2 plus high STIG compliance, with Windows Defender activated by default. ICS Security Management Suite with SYSLOG and ICSGuard are hosted within the ICSArmor container.

Benefits

ICSArmor

  • Host for Power Conversion’s security toolchain
  • Hardware-agnostic, able to be deployed on virtual machine
  • Multiple deployment architectures including RAID 1 for data resilience and backup
  • Simple setup process with optional CIS benchmark compliant OS configuration
  • Optional High Windows STIG compliance during installation
  • Secure host for third party applications supporting full control system security compliance
  • Patching options available, including WSUS
  • Optional firewall to provide network segmentation
  • Full service and support package available

ICS Security Management Suite

  • Role-based access control
  • Account profile administration
  • Password strength definition
  • FIPS 140-2 compliant encryption algorithms
  • Windows HMI credential management
  • Option to integrate other applications and devices
  • 2-Factor authentication
  • Microsoft Active Directory LDAP proxy

ICS SYSLOG

  • User log-in events to control system devices
  • Incorrect password or failed login attempts
  • User profile creation/updates
  • Device configuration or re-configuration logs
  • Device security status
  • Windows event log import/extraction (security events only)
  • ICSGuard security events
  • Integration with third party SIEM

ICSGuard

  • A network-based intrusion detection system (NIDS) detects malicious traffic on a network. 
  • As per the MITRE ATT&CK framework shown above, several tactics and techniques are used to attack a control system. 
  • Typically, NIDS are able to detect attacks early in the attack chain. Once the attacker has reached the "inhibit response state" it is almost impossible for a NIDS to detect them. 
  • ICSGuard is designed to fill this gap in the detection chain. ICSGuard is an important part of a defence-in-depth architecture, protecting the heart of the control system.
  • ICSGuard performs prediction and detection of attacks and faults based on behavioural analysis of the controllers and workstations, using a patented machine learning algorithm.

Technical data

  • Meets the seven foundational requirements of ISA/IEC 62443
  • Developed following ISA/IEC 62443-4-1 SDLC/SDLA
  • RBAC to IEC 62351-8
  • Built on CIS Benchmark or High STIG compliance
  • Assists with NIS2 & NERC CIP compliance
  • SYSLOG in accordance with RFC 5424
  • HIDS in accordance with NIST 800-94 using Sigma rules and MITRE ATT&CK framework along with patented machine learning