Intelligent CISO Issue 66 | Page 52

industry unlocked

PROTECTING WIND FARMS USING THE DRAGOS PLATFORM

A wind farm operator has successfully implemented the Dragos Platform. Here we consider the specific challenges faced by renewable energies – specifically wind – and examine how the Dragos Platform provides visibility and facilitates triage, detection and response across the operator's network.
Dragos focuses on arming organisations with the resources required for comprehensive network security. Threat behavioural analytics and playbooks are deployed and routinely updated, along with a built-in case management system, to help organisations optimise resources and operate as though each had a senior, dedicated network security team.

The operator implemented the Dragos Platform, which consisted of nodes at each wind farm and a central monitoring node at its corporate headquarters. The Dragos Platform now monitors all wind farm networks and Energy Management System (EMS) networks.
Challenges and solutions
Industrial Control System (ICS) networks are unique in topology, design and workflow. Each ICS sector has specific requirements producing unique security implications. Visibility of network and host behaviours is critical to identifying what protections are required and to detecting intrusions. These challenges are not unique to renewable energy, or even to ICS networks, and deserve consideration by others looking to improve their security posture.
Large geographical footprint
The wind farm operator, like other ICS organisations, has subnets across multiple geographic locations, potentially hundreds of miles from one another. This physical footprint makes continuous monitoring a direct challenge, as data needs centralised aggregation for analysis.
The operator deployed the Dragos Platform to each US subnet, including all EMS, wind farm (SCADA) and production networks. Traffic from each subnet was aggregated to a centralised data store. This data store facilitates data correlation for analysis between sites, as well as triage and incident response, if the Dragos Platform detects a compromise. Analysts can now review traffic across the operator's ICS and business enterprises through a single platform.
Sparse monitoring timeframes
Some subnets do not have sustained connections and may only generate network traffic periodically. Triage and analysis of these networks is time-consuming, due to collection of samples over a longer period.
This challenge is mitigated through continuous monitoring at strategic capture points across the operator's domain. While comparing baselines can be an effective way to isolate changes within the environment, there is a risk of the baseline including existing adversary communications and data.
The Dragos Platform enables the analyst to combine changes to baseline with threat behaviour analytics, ensuring that even 'low and slow' attacks are detected.
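The point made above, that a baseline captured while an adversary is already present will quietly whitelist that adversary's traffic, is easiest to see with two detection passes run over the same flow records. The following is an added illustration written for this page, not Dragos Platform code: it builds a baseline of (source, destination, port) tuples from a learning window, reports deviations in a later window, and separately runs a baseline-independent behaviour analytic that looks for a plant host contacting an external address at near-constant intervals. All addresses, subnets and timestamps are constructed (10.20.0.0/16 stands in for the operator's SCADA/EMS range, 203.0.113.7 for an external host) and the "beacon" analytic is a deliberately simple stand-in for a real threat behaviour analytic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flow records (not from the article). Each tuple is
# (source IP, destination IP, destination port, timestamp in seconds).
# Hypothetical layout: 10.20.1.0/24 is a wind-farm SCADA subnet, 10.20.2.10
# the EMS server, 203.0.113.7 an external address outside the plant range.
INTERNAL_NETS = [ip_network("10.20.0.0/16")]

BASELINE_WINDOW = [
    ("10.20.1.5", "10.20.2.10", 502, 0),
    ("10.20.1.5", "10.20.2.10", 502, 60),
    ("10.20.1.6", "10.20.2.10", 502, 30),
    # an adversary beacon that was already running while the baseline was learned
    ("10.20.1.5", "203.0.113.7", 443, 10),
    ("10.20.1.5", "203.0.113.7", 443, 3610),
    ("10.20.1.5", "203.0.113.7", 443, 7210),
]
NEW_WINDOW = [
    ("10.20.1.5", "10.20.2.10", 502, 10800),
    ("10.20.1.6", "10.20.2.10", 502, 10830),
    ("10.20.1.5", "203.0.113.7", 443, 10810),
    ("10.20.1.5", "203.0.113.7", 443, 14410),
    ("10.20.1.7", "10.20.2.10", 22, 10900),  # new SSH session, absent from baseline
]


def is_internal(ip):
    """True if the address falls inside one of the constructed plant ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Set of (src, dst, dport) tuples observed during the learning window."""
    return {(s, d, p) for s, d, p, _ in flows}


def baseline_deviations(baseline, flows):
    """Flows in a later window whose (src, dst, dport) never appeared in the baseline."""
    return sorted({(s, d, p) for s, d, p, _ in flows if (s, d, p) not in baseline})


def periodic_external_beacons(flows, min_count=3, max_jitter=0.1):
    """Baseline-independent analytic: an internal host contacting an external
    address at near-constant intervals (coefficient of variation <= max_jitter).
    Returns [((src, dst, dport), mean_interval_seconds), ...]."""
    times = defaultdict(list)
    for s, d, p, t in flows:
        if is_internal(s) and not is_internal(d):
            times[(s, d, p)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, round(avg)))
    return sorted(hits)


def analyse(baseline_flows, new_flows):
    """Run both passes: baseline deviation and the periodicity analytic."""
    baseline = build_baseline(baseline_flows)
    return {
        "baseline_deviations": baseline_deviations(baseline, new_flows),
        "beacons": periodic_external_beacons(baseline_flows + new_flows),
    }


if __name__ == "__main__":
    result = analyse(BASELINE_WINDOW, NEW_WINDOW)
    print("Deviations from baseline:", result["baseline_deviations"])
    print("Periodic external beacons:", result["beacons"])
```

Run as written, the baseline pass reports only the new SSH session; the hourly connection to 203.0.113.7 is silent because it was part of the learning window. The periodicity pass flags it anyway, which is the effect the passage describes: behaviour analytics catch what a poisoned baseline has already normalised, and the two views are only useful in combination.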
Management of vendor devices
Vendor devices, specifically those used for wind assets, are used to monitor and perform actions (such as turbine resets). These devices interact with company assets in the ICS network as a part of their warranty services. This workflow presents two significant challenges:
1. The endpoints are poorly managed for user authentication and verification (generic logins, repudiation or non-attributable actions by individuals who have access). This vulnerability results in
52 www.intelligentciso.com