Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/13/2016
03:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Startup Focuses On Real-Time Security Monitoring Of Plant Networks

With $32 million in venture capital funding and co-founders from Siemens and Israeli Defense Force research teams, Claroty emerges from stealth.

An industrial control systems (ICS) security startup with roots in the renowned Team8 incubator emerged today from stealth with executives from Siemens, FireEye iSIGHT Partners, and key players in the ICS/SCADA realm - as well as $32 million in venture capital.

Claroty - which has venture backing from Bessemer Venture Partners, Eric Schmidt’s Innovation Endeavors, Marker LLC, ICV, Red Dot Capital Partners, and Mitsui & Co. Ltd. - also officially rolled out a network security monitoring platform for ICS networks, a method of continuously monitoring activity in an ICS/SCADA environment in real-time.

ICS/SCADA security experts long have been calling for network security monitoring as a best practice, but its use remains rare in industrial networks. In the case of the Ukraine power grid attack in late 2015, experts say if the power companies in Ukraine had employed network security monitoring, they would have spotted the attackers before they shut off power. "If they had used network security monitoring practices, they could identify any reconnaissance ... and multiple VPN connections at times that were not normal,” Robert Lee, a SANS instructor and an ICS/SCADA expert, concluded after an in-depth postmortem study of the Ukraine blackout.

Anomalies in data flows are actually relatively easy to detect in ICS networks, which tend to have predictable and static data flows, according to Lee's assessment earlier this year.

ICS operators traditionally have been gun shy about adding security layers to their networks: operations, physical safety, and uptime are priority one in power plants, manufacturing floors, and other industrial sites. But the post-Stuxnet era has served as a wakeup call for the industrial world, serving as a stark example of how hackers can do harm to seemingly isolated industrial networks and operations.

Galina Antova, co-founder and chief business developer of Claroty, is the former global head of industrial security services at Siemens. Antova says during her tenure at Siemens' services business, it was difficult to find security products for ICS/SCADA networks: they were either a point product or not quite a fit for the industrial network. Traditional IT security products often aren't useful in industrial environment because they aren't built for the performance demands of the plant floor, and ICS security startups weren't as well-versed in the industrial space. "We needed more of a platform approach," she says.

Meantime, there's a security shift under way in the ICS sector, she says. "The majority of CISOs at large companies with industrial site components have been tasked with … responsibility for industrial cybersecurity" as well, she says. "We're seeing this push from Boards [of Directors], who are asking, what are you doing about production facilities? How are you securing those?"

According to an executive at a Fortune 100 consumer products company running Claroty's platform and who requested anonymity, network security monitoring is more of "an insurance policy" right now, in advance of threats on the horizon.

"I'm worried about everything" threat-wise, this C-level executive says, but mostly the "inadvertent" threat from an internal users just doing his or her job. "I'm mostly worried about the inadvertent [event], a guy walks onto the plant floor … and helps with equipment, plugs in a USB" and accidentally infects the network with malware that shuts down the network, the executive says.

Network security monitoring also is helping the organization map out its ICS network, including the devices and firmware versions, for example, the Fortune 100 exec says.

Claroty Platform, which includes deep-packet inspection and anomaly detection engines in a virtual machine or virtual appliance format, has actually been in quiet production for about 10 months, at oil & gas, manufacturing, chemical, and food & beverage sites.

The monitoring system stops short of blocking a threat or responding to one: that's up to the plant network security operations team. It employs passive monitoring so it doesn't disrupt plant operations, and includes an enterprise console.

"You can think of it as an IDS [intrusion detection system] for OT, but that's underplaying" its features, says Patrick McBride, CMO at Claroty, and a former vice president at iSIGHT Partners.

It monitors several proprietary and open ICS protocols and products, including Siemens, Rockwell Automation/Allen Bradley, Yokogawa, Emerson, GE, Schneider Electric, Mitsubishi, ABB, and Honeywell.

Claroty was co-founded by former Israeli Defense Force researcher and developer Amir Zilberstein, who also co-founded ICS firewall firm Waterfall Security Solutions; Antova; and Benny Porat, former Israeli Defense Force researcher and researcher at NorthBit.

“We have been keenly interested in the critical infrastructure security sector for the last few years,” David Cowan, partner at Bessemer Venture Partners, said in a statement. “We looked at several companies in the space and were not impressed until we found Claroty. They have the best vision for addressing this unique sector, a very impressive management team and serious depth in both OT and cybersecurity.”

Claroty isn't the first ICS network security monitoring vendor. There's also SecurityMatters' SilentDefense, for example, as well as multiple open-source tools.  

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32823
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
CVE-2021-35041
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.