Israeli startup Indegy monitors devices on industrial control networks to detect when their configurations have changed as a way to know when the machines are compromised, an attack vector exploited by the Stuxnet worm that took down Iranian nuclear centrifuges.
The company makes an appliance that attaches to span ports on the switches that industrial control devices are connected to. It monitors the control layers of the devices and traffic they send over the network in order to discover changes.
These changes to the underlying programmable logic controllers (PLC) could be to the controller logic, device configurations, firmware downloads and variations in state. Violations of policies about these parameters trigger alerts.
A key element of the platform is that it addresses the problem that the four major makers of industrial control devices – GE, Honeywell, Rockwell and Siemens – have implemented different flavors of a communications protocol, says Christian Renaud, an analyst with 451 Research. The Indegy platform can understand them all.
These protocols can be used to alter configurations of the controllers, so it is important to understand the commands the controllers are receiving in order to determine whether malicious activity is going on, says Barak Perelman, a company founder and CEO. Without visibility into these parameters, network security pros can't tell whether malicious changes have been made.
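As an added illustration, not Indegy's code or data format, the Python below applies the kind of policy check described above to constructed PLC change events of the sort a span-port monitor would derive from decoded traffic: logic downloads, firmware loads and run-mode changes are compared against a per-controller baseline and an approved-change policy. The baseline values, the policy (engineering-host allowlist and maintenance window), the host addresses and the event fields are all assumptions.

```python
# Added example (not Indegy's code): minimal policy check over constructed
# PLC change events, modelled on what a span-port ICS monitor would decode.
from collections import namedtuple

Event = namedtuple("Event", "ts plc kind value src")

# Constructed baseline: expected logic hash, firmware and run mode per PLC.
BASELINE = {
    "plc-line1": {"logic": "sha256:1111", "firmware": "20.11", "mode": "RUN"},
    "plc-line2": {"logic": "sha256:2222", "firmware": "20.11", "mode": "RUN"},
}
# Constructed policy: only the engineering workstation may push logic or
# firmware, and only inside the approved maintenance window (epoch seconds).
POLICY = {"engineering_hosts": {"10.0.0.5"}, "window": (1000, 2000)}


def check_event(ev, state):
    """Return an alert string if ev violates policy, else None.

    state tracks the configuration currently observed on each controller
    (even after unauthorized changes) so the monitor always knows what
    is actually loaded; authorized changes also become the new baseline.
    """
    cur = state.setdefault(ev.plc, dict(BASELINE[ev.plc]))
    if ev.kind in ("logic", "firmware"):
        lo, hi = POLICY["window"]
        authorized = ev.src in POLICY["engineering_hosts"] and lo <= ev.ts <= hi
        cur[ev.kind] = ev.value
        if authorized:
            BASELINE[ev.plc][ev.kind] = ev.value
            return None
        return f"{ev.plc}: unauthorized {ev.kind} change from {ev.src}"
    if ev.kind == "mode":
        cur["mode"] = ev.value
        if ev.value != BASELINE[ev.plc]["mode"]:
            return f"{ev.plc}: mode changed to {ev.value}"
        return None
    return f"{ev.plc}: unknown event kind {ev.kind}"


def run(events):
    """Evaluate a stream of events; return (alerts, observed state)."""
    state = {}
    alerts = [a for a in (check_event(e, state) for e in events) if a]
    return alerts, state


# Constructed stream: an in-window firmware load from the engineering host,
# then an out-of-window logic download from another host, then a STOP.
EVENTS = [
    Event(1500, "plc-line1", "firmware", "20.11", "10.0.0.5"),
    Event(2500, "plc-line2", "logic", "sha256:9999", "10.0.0.77"),
    Event(2600, "plc-line2", "mode", "STOP", "10.0.0.77"),
]

if __name__ == "__main__":
    for alert in run(EVENTS)[0]:
        print("ALERT", alert)
```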
These types of device are used to control valves, sensors and other equipment in manufacturing and public utility networks known as supervisory control and data acquisition (SCADA) systems.
In the Stuxnet case, alterations to industrial controllers produced false readouts about the speed at which centrifuges were spinning, indicating they were going slower than they actually were, and the centrifuges burned out. Without a way to monitor the controllers, the attack went undetected until the damage was done.
The Indegy appliances replicate the traffic and can replicate proper configurations, and the platform includes applications for asset management, configuration control, backup and recovery, he says. Data gathered by the appliances can be exported to SIEMs or other security dashboards.
The company, with offices in Tel Aviv and Dallas, is a year and a half old and has raised $6 million. Shlomo Kramer, a founder of Check Point and Imperva, sits on its board.
Perelman and his cofounder Milles Gandelsman have backgrounds in cybersecurity in the Israeli military and intelligence forces.