OpShield

Purpose-built security solution for industrial and process control environments

If it’s connected, it needs to be protected.

Traditional industry, as we know it, has become digital industry. More devices are connected than ever before—PLCs, RTUs, and a wide variety of embedded devices all underpin critical infrastructure. These connections are driving new levels of productivity and value.

But, these connections also introduce cyber risk.

In fact, with all these connections in operational technology (OT) environments, any vestige of an air gap has faded. Industrial control system (ICS) environments, including SCADA and DCS, have become easy targets for attackers and other adversaries. The threat landscape continues to evolve and expand.

This has left us with a new reality: if it’s connected, it needs to be protected.

OpShield is designed to help protect your critical infrastructure and controls network by defending the processes, communications, and assets that underpin your control strategy. Simply stated, OpShield:

  • Inspects OT network communications
  • Creates and enforces policy for OT-based processes
  • Alerts on (or blocks) unauthorized traffic

This is not a firewall, or a next-gen firewall.

Although OpShield provides NAT, routing, IPS and other firewall features, OpShield is designed to see what firewalls can’t: commands on a process control network.

Next-generation firewalls are designed to defend traditional IT traffic at the enterprise edge, but not in the OT environment itself. OpShield is different. It defends north/south (vertical) traffic and east/west (lateral) traffic within the process control environment, all the way down to the application command and parameter level. Although some firewalls can recognize OT protocols, they lack the command and parameter inspection capabilities required to secure critical infrastructure.

Gain visibility through deep protocol inspection

You can’t protect what you can’t see.

In OT, a deep protocol inspection engine is critical: unless you can see and validate each OT command and parameter in its intended context, there is simply too much risk of error or misuse.

That’s why OpShield offers an optimized protocol inspection engine, which can parse and inspect OT packets and data flows, resulting in more control and confidence for operational availability.

IPS/IDS systems don’t go far enough

Traditional IPS/IDS systems are signature- and rule-based only, which means they are limited to blacklisting known threats. OpShield inspection begins with identifying basic header information, as a typical IPS/IDS solution does, but then reaches into the protocol syntax and grammatical structure to parse and inspect the commands in the context of the impact those commands will have on the protected device. This provides a unique view into:

  • Which source and destination IP addresses (and devices) are communicating
  • What protocols they are using
  • What commands are executed within the protocols
  • The impact on the protected device

With OpShield, you can protect your system from potentially harmful commands to keep your operations running, which helps keep your people, operations, and physical assets safe. The OpShield Protocol Inspection Engine enables OpShield’s next innovative defense system: network communications whitelisting.

Reduce your OT attack surface

Baseline network communications

Upon installation, OpShield observes and records all OT communications to establish traffic patterns, allowing you to establish “what’s normal.” This becomes the baseline for network communications whitelisting, the strongest form of cyber security policy creation. Asset owners or system integrators then review and edit the policies, knowing that the majority of the work is already done by OpShield.

These baseline and automated policy creation capabilities allow system operators to make informed decisions about the communications that transpire across their controls networks.

Network communications whitelist

Building on the baseline, network communications whitelisting allows operators to block, allow, or simply alert on all traffic that doesn’t match an established policy. Operators gain more control and reduce complexity associated with unnecessary traffic.

This approach to network communication control prevents attackers from misusing protocol commands, such as “shutdown,” “scan,” and “factory reset,” as well as parameters, such as “set point.” These commands and parameters exist in industrial protocols for good reason. But they can be dangerous when executed outside of the intended context.

Whether for power generation, manufacturing, clinical healthcare or other critical infrastructure sectors, OpShield helps ensure that only the right commands for the right devices are executed.
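The two ideas above, recording a baseline of which hosts issue which commands to which devices and then enforcing that baseline as a whitelist that allows, alerts on, or blocks everything else, can be modelled in a few dozen lines. The following is an added example, not OpShield's or Wurldtech's code: it parses Modbus/TCP frames down to the function code, classifies each command's impact on the device, learns a baseline from constructed traffic, and then evaluates new frames against it. The host addresses, frames, impact labels and verdict rules are all assumptions made for the illustration.

```python
"""Added example (not OpShield code): learn a communications baseline from
Modbus/TCP traffic, then enforce it as a whitelist that allows, alerts on,
or blocks traffic. All hosts, frames and policies below are constructed."""
import struct
from dataclasses import dataclass

# Function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
    6: "Write Single Register", 8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
RESTART_COMMS_SUBFUNCTION = 0x0001  # Diagnostics sub-function "Restart Communications Option"


@dataclass(frozen=True)
class Flow:
    """One whitelist entry: who talks to whom, to which unit, with which command."""
    src: str
    dst: str
    unit: int
    function: int


def parse_modbus_tcp(frame: bytes) -> tuple[int, int, bytes]:
    """Parse an MBAP header plus PDU; return (unit id, function code, data).

    MBAP: transaction id (2), protocol id (2, must be 0), length (2) = number
    of bytes following the length field, unit id (1). The PDU then starts
    with the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7], frame[8:]


def modbus_frame(unit: int, function: int, data: bytes, txn: int = 1) -> bytes:
    """Build a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu


def impact(function: int, data: bytes) -> str:
    """Classify what the command would do to the protected device (assumed labels)."""
    if function in WRITE_FUNCTIONS:
        return "changes process values"
    if function == 8 and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == RESTART_COMMS_SUBFUNCTION:
        return "restarts device communications"
    return "read-only"


class WhitelistPolicy:
    """Baseline first (learn), then enforce: allow, alert, or block."""

    def __init__(self) -> None:
        self.allowed: set[Flow] = set()

    def learn(self, src: str, dst: str, frame: bytes) -> None:
        unit, function, _ = parse_modbus_tcp(frame)
        self.allowed.add(Flow(src, dst, unit, function))

    def evaluate(self, src: str, dst: str, frame: bytes, mode: str = "alert") -> dict:
        """Return a verdict record for one frame. `mode` ("alert" or "block")
        is what happens to traffic that matches no whitelist entry."""
        try:
            unit, function, data = parse_modbus_tcp(frame)
        except ValueError as exc:
            # A malformed frame can never match a policy; treat it as unknown traffic.
            return {"src": src, "dst": dst, "verdict": mode, "reason": f"malformed: {exc}"}
        record = {
            "src": src, "dst": dst, "unit": unit,
            "command": FUNCTION_NAMES.get(function, f"function {function}"),
            "impact": impact(function, data),
        }
        record["verdict"] = "allow" if Flow(src, dst, unit, function) in self.allowed else mode
        return record


def demo() -> list[dict]:
    """Constructed baseline: an HMI polls a PLC; an engineering workstation writes one setpoint."""
    hmi, ews, plc, unknown = "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99"
    read_regs = modbus_frame(1, 3, struct.pack(">HH", 0, 10))          # read 10 holding registers at 0
    write_setpoint = modbus_frame(1, 6, struct.pack(">HH", 100, 750))  # register 100 := 750
    policy = WhitelistPolicy()
    policy.learn(hmi, plc, read_regs)
    policy.learn(ews, plc, write_setpoint)

    # Live traffic: the two baselined flows, an unknown host writing registers,
    # and a known host issuing a diagnostics restart it never sent during baselining.
    write_many = modbus_frame(1, 16, struct.pack(">HHB", 100, 1, 2) + struct.pack(">H", 0))
    restart = modbus_frame(1, 8, struct.pack(">HH", RESTART_COMMS_SUBFUNCTION, 0))
    return [
        policy.evaluate(hmi, plc, read_regs, mode="block"),
        policy.evaluate(ews, plc, write_setpoint, mode="block"),
        policy.evaluate(unknown, plc, write_many, mode="block"),
        policy.evaluate(ews, plc, restart, mode="alert"),
    ]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of keying the whitelist on the function code rather than just on addresses and ports is visible in the last case: the engineering workstation is a legitimate talker to the PLC, yet its restart command falls outside the baseline and is surfaced with its device impact, which is exactly what a port-level rule would miss.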

Easy OT Network Segmentation

Segmentation further helps reduce the attack surface.

Unlike traditional IT VLANs or other segmentation techniques, OpShield’s drag-and-drop interface allows an operator to quickly segment an OT network, without the need to reconfigure or reengineer.

It takes just a few minutes, yet can save hours, days or weeks in otherwise trying to contain malware or halt suspicious activity. Zone-specific whitelist policies also help minimize unexpected downtime by preventing lateral movement of ICS infections.

Operators can easily apply fine-grained controls by associating whitelist policy with specific zones, or even zones within zones (nested zones).

Defend against ICS vulnerabilities

OpShield is fortified with an extensive set of ICS-specific vulnerability protection packs that are designed to thwart exploits that target OT vulnerabilities.

Wurldtech’s OT threat research targets root vulnerabilities, not just exploit symptoms. Wurldtech researchers write vulnerability signatures that are long-lasting and can defend against exploit variants. This nuance is critically important. Traditional threat signatures are short-lived because variants easily bypass them. But vulnerability signatures can defend against new attacks, including zero-day attacks, that leverage the same root vulnerability.

Combining this capability with well-researched OT protocol and device vulnerabilities delivers greater accuracy and broader protection.