Purpose-built security solution for industrial and process control environments
Traditional industry, as we know it, has become digital industry. More devices are connected than ever before—PLCs, RTUs, and a wide variety of embedded devices all underpin critical infrastructure. These connections are driving new levels of productivity and value.
But these connections also introduce cyber risk.
In fact, with all these connections in operational technology (OT) environments, any vestige of an air gap has faded. Industrial control system (ICS) environments, including SCADA and DCS, have become easy targets for attackers and other adversaries. The threat landscape continues to evolve and expand.
This has left us with a new reality: if it’s connected, it needs to be protected.
OpShield is designed to help protect your critical infrastructure and controls network by defending the processes, communications, and assets that underpin your control strategy. Simply stated, OpShield:
Although OpShield provides NAT, routing, IPS and other firewall features, OpShield is designed to see what firewalls can’t: commands on a process control network.
Next-generation firewalls are designed to defend traditional IT traffic at the enterprise edge, but not in the OT environment itself. OpShield is different. It defends north/south (vertical) traffic and east/west (lateral) traffic within the process control environment, all the way down to the application command and parameter level. Although some firewalls can recognize OT protocols, they lack the command and parameter inspection capabilities required to secure critical infrastructure.
In OT, a deep protocol inspection engine is critical: unless you can see and validate each OT command and parameter in the intended context, there is simply too much risk for error or misuse.
That’s why OpShield offers an optimized protocol inspection engine, which can parse and inspect OT packets and data flows, resulting in more control and confidence for operational availability.
Traditional IPS/IDS systems are signature- and rule-based only, which means they are limited to blacklisting of known threats. OpShield inspection begins with identifying basic header information—typically found in an IPS/IDS solution—but then reaches into the protocol syntax and grammatical structure to parse and inspect the commands in the context of the impact the commands will have on the protected device. This provides a unique view into:
With OpShield, you can protect your system from potentially harmful commands to keep your operations running, which helps keep your people, operations, and physical assets safe. The OpShield Protocol Inspection Engine enables OpShield’s next innovative defense system: network communications whitelisting.
Segmentation further helps reduce the attack surface.
Unlike traditional IT VLANs or other segmentation techniques, OpShield’s drag-and-drop interface allows an operator to quickly segment an OT network, without the need to reconfigure or reengineer.
It takes just a few minutes, yet can save hours, days or weeks that would otherwise be spent trying to contain malware or halt suspicious activity. Zone-specific whitelist policies also help minimize unexpected downtime by preventing lateral movement of ICS infections.
Operators can easily apply fine-grained controls by associating whitelist policy with specific zones, or even zones within zones (nested zones).
OpShield is fortified with an extensive set of ICS-specific vulnerability protection packs that are designed to thwart exploits that target OT vulnerabilities.
Wurldtech’s OT threat research targets root vulnerabilities, not just exploit symptoms. Wurldtech researchers write vulnerability signatures that are long-lasting and can defend against exploit variants. This nuance is critically important. Traditional threat signatures are short-lived because variants easily bypass them. But vulnerability signatures can defend against new attacks, including zero-day attacks, that leverage the same root vulnerability.
Combining this capability with well-researched OT protocol and device vulnerabilities delivers greater accuracy and broader protection.