Release 4.5.7.5
This controlled document is the property of Radiflow Ltd. This document contains proprietary
information. Any duplication, reproduction or transmission to unauthorized parties without
prior permission of Radiflow is strictly prohibited. All rights are protected by Radiflow Ltd.
RADIFLOW ISID INDUSTRIAL INTRUSION DETECTION USER GUIDE 4.5.7.5 i
REVISION HISTORY
Date       Rev.  Description
1/1/2017   1     Initial release of 4.0
1/2/2017   2     Interfaces management update
7/3/2017   3     Probes management update
3/4/2017   4     1. Browser based management update
                 2. Section 2.4.5 removed - not supported in version 4.4.3.X and above
19/4/2017  5     Installation guide update
29/4/2017  6     General editing
11/5/2017  7     General editing
1/7/2018   8     Update to 4.5.7.5
CONTENTS
CONTENTS ......................................................................................................... II
1 OVERVIEW .................................................................................................... 1
1.1 THE ISID SOLUTION .................................................................................. 1
1.2 MODES OF OPERATION .............................................................................. 2
1.2.1 CREATING THE NETWORK TOPOLOGY (LEARNING STAGE) ................................. 2
1.2.2 TRAFFIC MONITORING (DETECTION STAGE) ................................................. 4
1.3 ISID ENGINES ............................................................................................. 5
2 GETTING STARTED ........................................................................................ 6
2.1 ISID INSTALLATION ................................................................................... 6
2.1.1 MINIMAL HARDWARE REQUIREMENTS ......................................................... 6
2.1.2 PRE-INSTALLATION .............................................................................. 6
2.1.3 INSTALLING ISID ................................................................................ 6
2.2 LOGGING IN TO THE ISID WEB APPLICATION ......................................................... 8
2.3 BASIC CONFIGURATION ........................................................................... 10
2.3.1 GENERAL CONFIGURATION ................................................................... 10
2.3.2 EDITING PROTOCOLS.......................................................................... 19
2.3.3 DEFINING PROCEDURES ...................................................................... 21
2.3.4 DEFINING INTERFACES ........................................................................ 22
2.4 LEARNING MODE PHASE ................................................................................ 27
2.5 USING ISID .............................................................................................. 28
2.5.1 THE ISID GUI ................................................................................ 28
2.5.2 ISID BASIC FEATURES ....................................................................... 29
2.5.3 THE NETWORK MAP ........................................................................... 31
2.5.4 MANAGING EVENTS ........................................................................... 35
2.5.5 MANAGING REPORTS .......................................................................... 38
3 THE NETWORK VISIBILITY ENGINE ............................................................ 41
3.1 ENGINE SETTINGS ....................................................................................... 41
3.2 MANAGING THE NETWORK ELEMENTS ................................................................. 42
3.2.1 MANAGING LINKS ............................................................................. 42
3.2.2 MANAGING DEVICES .......................................................................... 43
3.2.3 MONITORING TRAFFIC TRACES .............................................................. 48
4 THE ASSET MANAGEMENT ENGINE .............................................................. 50
4.1.1 MANAGING DEVICES .......................................................................... 50
4.2 OPERATIONS LOG........................................................................................ 51
4.2.1 ASSET MANAGEMENT - CONFIGURATION ................................................... 52
5 THE CYBER ATTACK ENGINE ........................................................................ 53
5.1 MANAGING CYBER ATTACK RULES .................................................................... 53
5.1.1 ADDING A CYBER ATTACK RULE ............................................................. 54
6 THE POLICY MONITORING ENGINE ............................................................. 57
6.1 OVERVIEW ................................................................................................ 57
6.1.1 METHOD OF OPERATION ...................................................................... 57
6.1.2 FEATURES AND ADVANTAGES ................................................................ 58
6.1.3 LABELS .......................................................................................... 58
6.2 MANAGING POLICY RULES .............................................................................. 59
6.2.1 VIEWING POLICIES ............................................................................ 60
6.2.2 EDITING POLICIES ............................................................................. 61
6.2.3 CREATING NEW POLICIES .................................................................... 62
6.3 MANAGING LEARNED POLICIES (SUGGESTED RULES) ............................................... 64
6.3.1 VIEWING SUGGESTED RULES ................................................................ 66
6.3.2 EDITING AND APPROVING SUGGESTED RULES ............................................. 67
6.3.3 DUPLICATING A SUGGESTED RULE .......................................................... 67
6.4 POLICY MONITOR ENGINE STATUS .................................................................... 69
7 THE OPERATIONAL ROUTINE ENGINE ......................................................... 70
7.1 SCHEDULES............................................................................................... 70
7.1.1 ADDING A USER-DEFINED SCHEDULE ...................................................... 73
7.1.2 EDITING SCHEDULES .......................................................................... 74
7.1.3 VIEWING SCHEDULES ......................................................................... 75
7.2 PROFILES ................................................................................................. 75
7.2.1 MANAGING PROFILES ......................................................................... 76
7.3 OPERATIONAL ROUTINE STATUS ....................................................................... 80
8 SYSTEM MAINTENANCE ............................................................................... 81
8.1 USER ACTIVITY: MONITORING ISID ................................................................... 81
8.2 ISID MAINTENANCE ..................................................................................... 81
8.2.1 SERVER RESET ................................................................................. 82
8.2.2 PASSWORD RESET ............................................................................. 83
8.2.3 UPDATE CYBER ATTACK RULES CONFIGURATION FILE .................................... 83
1 OVERVIEW
Deploying the iSID (Industrial Security Intrusion Detection) system in ICS/SCADA
networks enables securing operational technology networks through the monitoring of
distributed networks and detection of topology changes, SCADA information integrity
breaches, known threats and anomalous behavior in operational networks.
iSID is a low-maintenance and low-false alarm solution, designed specifically for the
needs of ICS/SCADA network security.
1.1 THE iSID SOLUTION
The key features of iSID include:
• Automatic network topology learning
• Creation of a baseline SCADA behavioral model
• Passive network scanning
• DPI-based policies for industrial protocols
• Signature-based detection of known vulnerabilities
• Operational routines management
• Integration with third-party security systems (e.g. SIEM)
• NERC CIP-compatible reports
The iSID system combines two distinct capabilities:
• Modeling of SCADA/ICS network communications through passive network listening
and machine learning: The iSID receives mirrored streams of all network traffic
(directly or through remote RF-2120/80 smart probes) and analyzes them to both
generate and display a network topology model, and to maintain the model as the
baseline for detecting exceptions indicating unauthorized traffic.
• Deep Packet Inspection (DPI) and machine learning-based detection of anomalies,
including known threats.
The iSID simplifies the management of detected network threat events. Its web-based
graphical user interface (GUI) is designed to display the most critical information as an
overlay over the user’s familiar network topology.
The main user interface screen includes two types of views:
• The dashboard, which displays a security event summary as well as a set of
aggregating statistics, including the number of detected security breaches.
• The network map, which provides real-time visibility of the network topology, with
indications for detected risks on the ICS/SCADA networks.
The user interface provides notifications on detected security events, as well as event
management tools. In addition, the GUI provides easy access to data and configuration
of the engines, and to overall functionality information.
Figure 1. The iSID Dashboard.
1.2 MODES OF OPERATION
iSID can operate in one of three modes:
• Idle Mode: iSID Engines remain passive, allowing the user to define configuration
parameters and review existing data.
• Learning Mode: iSID collects network information, which is used to build a complete
network and industrial communication model. The network topology is presented as a
graphical map allowing the investigation of processes and gaining an understanding
of the network’s inner workings.
• Detection Mode: at the conclusion of the learning stage you can transition the iSID
to Detection mode. In this mode, the iSID provides constant network monitoring
based on the data gathered and analyzed during the Learning mode. In Detection
mode iSID uses analytical engines to detect unauthorized traffic or cyber threats on
the SCADA network.
1.2.1 Creating The Network Topology (Learning Stage)
After first installation, iSID starts in the Idle state; the user can manually switch
it to the Learning stage, in which iSID passively collects information about the
network. During this stage a copy of the network traffic is streamed to iSID with no
intervention in the network, i.e. the network is learned passively.
iSID’s DPI (Deep Packet Inspection) capability is used to extract valuable data such as
MAC addresses (L2), IP Addresses (L3), Transport protocol (L4), Industrial protocol
specific information (L5-7), which are all necessary to understand the overall behavior of
the network.
All iSID engines take part in the Learning stage, as it is imperative for each engine to
define the predictable behavior of the network.
The data collected is used to build a complete network model, which in effect assigns a
virtual fingerprint to each session between any two devices on the OT network.
Depending on the configurable storage size, iSID "Traffic Capture" saves traffic
permanently in PCAP file format, which can be easily downloaded and analyzed for
further inspection.
1.2.1.1 Network Learning Stages
Network Learning consists of several stages that are performed in the background:
1. Identify network devices by: MAC address, IP Address, Unit ID / ASDU, Router’s
Vendor, device type.
2. Learn the protocol used by the device, and its role in this protocol (Master/Slave).
3. Identify network connections by: source device and destination device, protocol used,
function codes on the link, exception responses and errors in parsing.
4. A logical graphical map is created, including a table with all connection types.
5. Creation of rules. The learned information is presented as "Suggested rules",
auto-generated from the learned network, which later allow the user to better control
the network behavior.
6. Concluding the Learning stage. Learning is concluded when requested by the user.
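The learn-then-detect cycle described by these stages, as an added illustration that is not Radiflow code: a baseline of devices, protocol roles and per-link function codes is built from constructed Modbus traffic records, the learned links are emitted as suggested rules, and flows seen afterwards are checked against the baseline. The Flow record, the rule shape and all addresses are constructed for the example; the alert classes (topology, policy, operational) follow the alert types the guide lists for the Detection stage.

```python
"""Learn-then-detect baseline modelled on the iSID Learning/Detection stages.

Added illustration, not Radiflow code: the Flow record, the rule shape and the
sample traffic below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One request as DPI would summarise it (constructed record format)."""
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str
    proto: str               # industrial protocol, e.g. "modbus" or "dnp3"
    unit_id: int             # Modbus unit id / DNP3 address ("Unit ID / ASDU")
    func_code: int           # protocol function code carried on the link
    exception: bool = False  # True if the slave answered with an exception


class Baseline:
    """Network model built during the Learning stage."""

    def __init__(self):
        self.devices = set()            # learned (mac, ip) pairs
        self.roles = defaultdict(set)   # (ip, proto) -> {"master", "slave"}
        self.links = defaultdict(set)   # (src_ip, dst_ip, proto, unit_id) -> {function codes}

    def learn(self, flow):
        """Stages 1-3: devices, protocol roles, connections with their function codes."""
        self.devices.add((flow.src_mac, flow.src_ip))
        self.devices.add((flow.dst_mac, flow.dst_ip))
        self.roles[(flow.src_ip, flow.proto)].add("master")  # the requester is the master
        self.roles[(flow.dst_ip, flow.proto)].add("slave")
        self.links[(flow.src_ip, flow.dst_ip, flow.proto, flow.unit_id)].add(flow.func_code)

    def suggested_rules(self):
        """Stage 5: one allow-rule per learned link listing its permitted function codes."""
        return sorted((src, dst, proto, uid, tuple(sorted(codes)))
                      for (src, dst, proto, uid), codes in self.links.items())


def learn_baseline(flows):
    """Run the Learning stage over a batch of flows and return the baseline."""
    base = Baseline()
    for f in flows:
        base.learn(f)
    return base


def detect(base, flow):
    """Detection stage: (alert_type, message) tuples for one flow.

    Alert types follow the guide's classes: topology changes, policy violations
    and operational behaviour (signature-based cyber rules are not modelled).
    """
    events = []
    peer = f"{flow.src_ip}->{flow.dst_ip} {flow.proto}"
    for mac, ip in ((flow.src_mac, flow.src_ip), (flow.dst_mac, flow.dst_ip)):
        if (mac, ip) not in base.devices:
            events.append(("topology", f"new device {ip} ({mac})"))
    link = (flow.src_ip, flow.dst_ip, flow.proto, flow.unit_id)
    if link not in base.links:
        events.append(("topology", f"new session {peer} unit {flow.unit_id}"))
    elif flow.func_code not in base.links[link]:
        events.append(("policy", f"function code {flow.func_code} not learned on {peer}"))
    learned_roles = base.roles.get((flow.src_ip, flow.proto))
    if learned_roles and "master" not in learned_roles:
        events.append(("operational", f"{flow.src_ip} learned as {flow.proto} slave now issues requests"))
    if flow.exception:
        events.append(("operational", f"exception response on {peer}"))
    return events


def run_detection(base, flows):
    """Events log for a batch of flows, as a list of (alert_type, message)."""
    return [e for f in flows for e in detect(base, f)]


# Constructed learning traffic: an HMI polling a PLC over Modbus/TCP (unit 1)
# with read function codes 3 and 4 only.
HMI = ("00:11:22:33:44:10", "10.0.0.10")
PLC = ("00:11:22:33:44:20", "10.0.0.20")
LEARNING_TRAFFIC = [Flow(*HMI, *PLC, "modbus", 1, fc) for fc in (3, 4, 3)]

# Constructed detection traffic: a write (function code 16) on the learned link,
# then a read from a host never seen during learning.
DETECTION_TRAFFIC = [
    Flow(*HMI, *PLC, "modbus", 1, 16),
    Flow("00:11:22:33:44:99", "10.0.0.99", *PLC, "modbus", 1, 3),
]

if __name__ == "__main__":
    for kind, msg in run_detection(learn_baseline(LEARNING_TRAFFIC), DETECTION_TRAFFIC):
        print(f"[{kind}] {msg}")
```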
Figure 2. Network Topology Learning Stage
1.2.2 Traffic Monitoring (Detection Stage)
After the Learning stage is complete, it is time to transition to the Detection stage. In this
stage iSID performs real-time monitoring of the traffic based on the network topology
created in the Learning phase.
During this stage iSID will raise an event for every possible attack, anomaly or change in
network behavior.
1.2.2.1 Event Handling
During Detection Mode, each engine sends alerts according to its traffic analysis results.
The new events appear in the Events log.
Each event is accompanied by an indicative message describing the violation,
arranged in a dynamic table. When configured, iSID also sends syslog messages with the
same data to a predefined syslog server.
Overall there are four types of alerts:
1. Cyber alerts – for known Rules (e.g. DoS, injection, scanning)
2. Policy violations – for specific, predefined policies on each link
3. Operational – Behavior (retransmit, under-sampling, exceptions)
4. Topology changes (e.g. new devices, new sessions)
[Figure 2 diagram: Identifying Network Devices → Learning Communication → Identifying Network Connections → Creating Logical Map → Creating Policy Rules → Finishing Learning Stage]
Figure 3. New Events Log Table
1.3 ISID ENGINES
iSID provides six engines:
1. The Network Visibility Engine
2. The Asset Management Engine
3. The Cyber Attack Engine
4. The Policy Monitoring Engine
5. The Operational Routine Engine
6. Behavior Analysis
Each engine allows configuration of its operational parameters and performs its part of
detecting network intrusions, topology changes and known threats, and of maintenance management.
For more information on each engine, please refer to the respective chapter in this
document.
2 GETTING STARTED
This chapter provides instructions for:
• iSID Installation
• Accessing the iSID web application
• Basic Configuration
• The Learning Phase
• Using iSID
2.1 ISID INSTALLATION
2.1.1 Minimal Hardware Requirements
• CPU: Intel i7 Quad-Core
• RAM: 32GB DDR4
• HDD: 2x1TB HDD RAID 0,1 (additional storage may be required based on retention needs)
• Network: 3 x Network Interface Cards (NIC)
• Operating System: CentOS 7 Minimal, build 1611 required
2.1.2 Pre-Installation
• The machine must have CentOS 7 minimal installation before iSID installation begins.
• Make sure that user root has admin-privileges
• Obtain the RPM installation file and place it on a USB drive.
2.1.3 Installing iSID
1. Move the RPM file to the machine (e.g. via WinSCP or USB).
2. Change to the directory containing the downloaded file:
cd <path to downloaded TAR file>
3. Extract the files from the TAR file:
tar -xvf <TAR-file-name>
4. Run the installation script:
sudo python install.py
5. Type the Management IP address.
6. Type the subnet address.
7. Type the management interface name from the presented list of NICs.
8. Type the gateway address.
9. At the end of the installation, the management URL is displayed.
Use the https://A.B.C.D/ address shown to access iSID.
2.2 LOGGING IN TO THE iSID WEB APPLICATION
iSID is operated and managed via a web browser-based Graphical User Interface (GUI).
Requirements:
• Google Chrome browser, version 55.0.2883.87 or higher
• Computer with at least one active network interface, with an assigned IP address
To access the iSID web application:
Launch Google Chrome and go to: https://A.B.C.D/, where A.B.C.D represents the
Management IPv4 Address defined during the server installation.
Note: This Management IP Address can be changed via the iSID Configuration screen.
The following login screen will appear.
• User name: radiflow
• Password: ******* (Please Contact Radiflow)
Figure 4: iSID Login Screen
Upon successful login the main iSID screen will appear.
2.3 BASIC CONFIGURATION
There are a few basic configuration steps that are required before running iSID:
• General configuration: Check such parameters as the syslog server configuration,
timeout interval, and SSH mode.
• Defining procedures: Define the procedure to be followed when a specified event
occurs.
• Defining interfaces: the iSID system must have a minimum of one defined
management interface and one other interface for listening to network traffic.
2.3.1 General Configuration
The Configuration window gives you access to these general system configurations.
Figure 5. Configuration Window
2.3.1.1 System Mode
Selects the system state:
• Learning: the initial system state.
• Detection: the operational system state.
1. Go to Configuration>General
Figure 6. System Mode
2. In the System State section, use the sliders to turn the desired mode On.
2.3.1.2 SSH Mode
Enable or Disable SSH connectivity to provide a secure channel over the network.
To set the SSH mode:
1. Go to Configuration>General
Figure 7. SSH Mode
2.3.1.3 Auto Logout
Connected users can configure the timeout interval, i.e. the period of inactivity after
which the user is automatically logged out of iSID.
To set the timeout interval:
1. Go to Configuration>General
Figure 8. Auto Logout
2. In the Auto Logout section, select the timeout period from the dropdown list.
2.3.1.4 Syslog Server
For each Event, iSID will send a CEF-format syslog message to the syslog server that you
specify.
Format:
<date> iSID CEF:0|radiflow|isid|<isid_version>|<event_id>|<event_message>|<event_severity>|<extensions>
In addition, you can set the syslog server mode:
• Verbose mode ON: when a repeating abnormal behavior is detected, iSID will send a
syslog message for each instance.
• Verbose mode OFF: iSID will send a syslog message only once per abnormal
behavior.
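An added, receiver-side example (not Radiflow code) of what a SIEM collector does with the CEF line quoted above: it splits the header fields while honouring the CEF escapes for `|` and `\`, parses the key=value extension, and collapses repeated instances of the same behaviour the way Verbose mode OFF does at the sender. The sample lines, the EXAMPLE-* event ids and the extension keys (standard CEF dictionary keys) are constructed here; the guide does not state which extension keys iSID actually emits.

```python
"""SIEM-side parser for the CEF syslog line iSID emits per event.

Added example, not Radiflow code. The header layout is the one quoted in the
guide; the sample lines, EXAMPLE-* event ids and extension keys are constructed.
"""
import re
from collections import Counter

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "event_id", "event_message", "event_severity")
# whitespace that starts a new key=value pair in the extension part
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z][\w.]*=)")


def _split_cef(cef):
    """Split 'CEF:0|...' into its 7 header fields and the raw extension string.

    In header fields '|' is escaped as '\\|' and a backslash as '\\\\'; the
    extension (8th field) runs verbatim to the end of the line.
    """
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # escaped character: keep it literally
            buf.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, cef[i:]


def _unescape_ext(value):
    """Undo the CEF extension escapes: '\\=', '\\n', '\\r' and '\\\\'."""
    return (value.replace("\\=", "=").replace("\\n", "\n")
                 .replace("\\r", "\r").replace("\\\\", "\\"))


def parse_extension(ext):
    """'src=10.0.0.1 msg=hello world' -> {'src': '10.0.0.1', 'msg': 'hello world'}."""
    pairs = {}
    for item in _EXT_SPLIT.split(ext.strip()):
        if item:
            key, _, value = item.partition("=")
            pairs[key] = _unescape_ext(value)
    return pairs


def parse_isid_cef(line):
    """Parse one '<date> iSID CEF:0|radiflow|isid|...' line into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_cef(line[idx:])
    event = dict(zip(HEADER_FIELDS, fields))
    event["cef_version"] = event["cef_version"].partition(":")[2]   # "CEF:0" -> "0"
    event["event_severity"] = int(event["event_severity"])
    event["syslog_prefix"] = line[:idx].rstrip()                    # "<date> iSID"
    event["extension"] = parse_extension(ext)
    return event


def collapse_repeats(events):
    """Instances per abnormal behaviour, keyed on event id and endpoints: the
    receiver-side equivalent of Verbose mode OFF (one record plus a hit count)."""
    return dict(Counter((e["event_id"], e["extension"].get("src"), e["extension"].get("dst"))
                        for e in events))


# Constructed sample feed (Verbose mode ON, so the policy event repeats).
SAMPLE_LINES = [
    "Jul 1 10:15:02 iSID CEF:0|radiflow|isid|4.5.7.5|EXAMPLE-1001|New device detected|5|"
    "src=10.0.0.99 smac=00:11:22:33:44:99 msg=rule\\=auto-1 matched",
    "Jul 1 10:15:09 iSID CEF:0|radiflow|isid|4.5.7.5|EXAMPLE-2002|Unlearned function code|8|"
    "src=10.0.0.10 dst=10.0.0.20 proto=modbus cs1Label=FunctionCode cs1=16",
    "Jul 1 10:15:10 iSID CEF:0|radiflow|isid|4.5.7.5|EXAMPLE-2002|Unlearned function code|8|"
    "src=10.0.0.10 dst=10.0.0.20 proto=modbus cs1Label=FunctionCode cs1=16",
    "Jul 1 10:15:12 iSID CEF:0|radiflow|isid|4.5.7.5|EXAMPLE-3003|Link a\\|b changed|3|"
    "src=10.0.0.1",
]

if __name__ == "__main__":
    events = [parse_isid_cef(l) for l in SAMPLE_LINES]
    for e in events:
        print(e["event_id"], e["event_severity"], e["event_message"], e["extension"])
    print(collapse_repeats(events))
```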
To configure the syslog server:
1. Go to Configuration>Syslog Server
Figure 9. Syslog Server
2. In the Syslog Servers Settings section, use the slider to enable or disable Verbose
Mode.
3. In the Syslog Servers section, click to add a server.
Figure 10. New Syslog Server
4. In the New Syslog Server window, enter the server name
5. Enter the syslog server IP address.
6. Click Create.
2.3.1.5 Global Device Inactivity Interval
By default, iSID detects silent entities: a device or link that was once active and then
became silent, i.e. stopped transmitting any traffic. Once the entity is active again, iSID
re-detects it and sends an Event notification.
Note: Multiple syslog servers can be set.
You can also configure specific inactivity intervals for specific links (see Managing Links).
These intervals will override the global configuration for those links so that the
device/link inactivity state will be set by the new manually set parameters.
To configure the global device inactive interval:
1. Go to Configuration>Server Actions
Figure 11. Global Device Inactive Interval
2. In the Inactive Time section, click to edit.
Figure 12. Edit Inactive Time
3. In the Edit Inactive Time window, configure the desired interval and click Apply.
2.3.1.6 Enabling Traffic Usage Threshold Events
Connected users can configure iSID to trigger an event when the device traffic, both
received and transmitted, reaches either a maximum or minimum threshold.
The traffic thresholds are configured and updated per device when in Learning Stage (see
Editing the Device Traffic Usage Settings).
To enable traffic usage threshold events:
1. Go to Configuration>Traffic Usage Detector
Figure 13. Traffic Usage Detector
2. Check the checkboxes as desired to enable minimum and/or maximum traffic events.
2.3.1.7 SCADA Servers
To make iSID manageable using DNP3 and/or Modbus, the user must define the relevant
masters.
Note: Using this feature requires an integration with the customer HMI system.
To define a DNP3 master:
1. Go to Configuration>SCADA Servers
Figure 14. SCADA Servers
2. Click to add the DNP3 master.
Figure 15. Add DNP3 Master
3. In the Add DNP3 Master window fill in the fields as described in the table below and
click Apply.
Table 1: Add DNP3 Master
Field                Description
Master Name          User-defined master name
Master IP            IP address of the DNP3 master
Enabled Master       Enable/disable the DNP3 master connection
Outstation Port      TCP port number
Master Link          Number of the master link
Outstation Link      Number of the outstation link
Minimum Severity     Minimum event severity level
Keep Alive Interval  Interval (seconds) between DNP3 keep-alive messages sent by one device to the other to check that the link between them is operating
2.3.1.7.1 Modbus Master
To define a Modbus master:
1. Go to Configuration>SCADA Servers
Figure 16. SCADA Servers
2. Click to add a Modbus server.
Figure 17. Add Modbus Server
3. In the Add Modbus Server window fill in the fields as described in the table below and
click Apply.
Table 2: Add Modbus Server
Field            Description
Server Name      User-defined name
Server Port      Port that iSID will listen on for Modbus commands (default = 502)
Activate Server  Use the slider to activate the server
4. In the selected Modbus server card, click to add a Modbus master; iSID accepts Modbus
commands only from the masters defined here.
Figure 18. Modbus Server
5. In the Add Modbus Master window fill in the fields as described in the table below and
click Apply.
Figure 19. Add Modbus Master
Table 3: Add Modbus Master
Field        Description
Master Name  User-defined Modbus master name
Master IP    IP address of the Modbus master
2.3.1.9 Communicating with the iSID in Modbus protocol
From your Modbus master, which resides in the same management network as the iSID and
has the IP address you entered in Step 5 above (Add Modbus Master), you can try to
connect to the iSID.
The iSID listens for Modbus connections on its management IP address and on the server
port you defined above (Add Modbus Server).
By communicating with the iSID, the Modbus master receives the syslog event data through
Modbus registers.
2.3.2 Editing Protocols
The iSID system lists 65K TCP and 65K UDP ports whose protocol definitions the user can modify.
Users can modify only the following parameters:
• Protocol name - the way the protocol is presented throughout the iSID screens
• DPI type - the method/structure with which iSID inspects the packets
To edit protocol definitions:
1. Go to Configuration>Protocols
Figure 20. Protocols
2. In the Modify Protocol Information window fill in the fields as described in the table
below and click Apply.
Figure 21. Modify Protocol Information
Modifying Protocol Information
Field     Description
Name      User-defined protocol name
DPI type  Select the Deep Packet Inspection type
2.3.3 Defining Procedures
For each event type, the user may define a Standard Operating Procedure (SOP). Each
procedure is limited to 2,000 characters of free text.
Once an event pops up, the user can easily read and follow the SOP by clicking
Procedure in the action options for the event (see Event Action Options).
To define procedures:
1. Go to Configuration>Procedures
Figure 22. Procedures Tab
2. Click to edit the procedure text.
3. In Edit Procedure enter the procedure (up to 2,000 characters of free text) and click
Apply.
Figure 23. Edit Procedure
2.3.4 Defining Interfaces
iSID requires 2 mandatory NICs (Network Interface Cards).
Each network interface must have a unique identifier name.
The iSID utilizes interfaces for:
• Management interface - web client management (Modbus/DNP3 can be configured as well)
• Monitored interface - direct passive listening to network traffic (no IP address)
• Smart Probes interface - listening to multiple remote networks using Radiflow iSAP
devices
The Management interface is mandatory. One other interface, either monitored or Smart
Probe, is also mandatory.
2.3.4.1 Creating a new Interface
To create a new interface:
1. Go to Configuration>Interfaces
Figure 24. Physical Interfaces
Note: the green LED indicates that the interface is active and that traffic is arriving.
2. In the Physical Interfaces section, click to open the interface options.
3. Select the desired interface.
4. In the Add Interface window, fill in the fields as described in the relevant table below
and click Apply:
▪ For a management interface: see Table 4
▪ For a monitoring interface: see Table 5
▪ For a Smart Probe interface: see Table 6
Figure 25. Add Management Interface
Note: Prior to changing the management IP, the user should verify network connectivity
to the new IP address. Once entered, you will be requested to Apply & Reload;
the web page will reload using the newly-set IP address.
Table 4: Add Management Interface
Field           Description
Interface Name  Select the physical interface name
IP              Enter the IP address
Subnetwork      Select the subnet mask (CIDR notation, e.g. /24)
Gateway         Default gateway IP address
Figure 26. Add Monitoring Interface
Note: This port doesn't transmit any packets; it only receives traffic and has no IP
address.
Table 5: Add Monitoring Interface
Field                   Description
Interface Name          Select the physical interface name
Event on traffic stop   Use the slider to enable/disable raising an event when traffic stops on the interface
Event on traffic start  Use the slider to enable/disable raising an event when traffic starts on the interface
Inactive after          Time interval of traffic absence after which the device is recognized as inactive
Figure 27. Add Smart Probe Interface
Table 6: Add Smart Probe Interface
Field                   Description
Interface Name          Select the physical interface name
IP                      IP address
Subnetwork              Select the subnet mask
Event on traffic stop   Use the slider to enable/disable raising an event when traffic stops on the interface
Event on traffic start  Use the slider to enable/disable raising an event when traffic starts on the interface
Inactive after          Time interval of traffic absence after which the device is recognized as inactive
2.3.4.2 Creating Smart Probe Connections
In addition to analyzing the traffic received from the Monitored Network Interface, iSID
can receive and analyze traffic coming from multiple remote sites and network segments.
To do this, the RF-2180 iSAP is installed at each remote site as the destination of a
port-mirroring session. The iSAP compresses the received traffic and transfers it to the
iSID over a GRE tunnel.
In order for the iSID to communicate with the Smart Probe, you must:
1. Define the Smart Probe Physical interface.
2. For each Remote site, define the remote iSAP properties:
User Defined Name, GRE Key and iSAP IP Address.
To create Smart Probe connection:
1. Go to Configuration>Interfaces
Figure 28. Smart Probe Connections
2. In the Smart Probe Connections section, click to open the interface options.
3. In the Add Smart Probe Connection window, fill in the fields as described in the table
below and click Apply.
Figure 29. New Smart Probe Connection
Table 7: Add Smart Probe Connection
Field                   Description
Connection Name         User-defined name to identify the connection
Remote IP               IP address of the iSAP device
Key                     GRE key to be used by the iSAP device
Event on traffic stop   Raise an event when traffic received from the iSAP device stops (for the Inactive-after interval that was set)
Event on traffic start  Raise an event when traffic received from the iSAP device starts again
Inactive after          Time interval of traffic absence after which the device is recognized as inactive
Note: iSID can communicate with multiple Smart Probes; each should be added separately to the
Smart Probe list.
2.4 LEARNING MODE PHASE
As soon as all physical connections are set and basic configurations defined, iSID is ready
to start learning the network behavior. You should set the system mode to "Learning"
(see System Mode).
After a few moments of processing, iSID starts displaying the learned network behavior
in its various screens:
• The Dashboard screen offers a quick visual and graphical indication of the learned
network.
• The network map updates dynamically and shows a visual indication of the devices
and the logical connections between them.
• Textual and visual indications of the learned data collected by the various engines
are displayed in the corresponding engine windows of the web application.
The longer the Learning Phase runs, the more comprehensive the knowledge of the network,
which leads to better detection results and analysis.
Radiflow recommends allocating one full week for Learning Phase.
Once you are confident that all entities have been learned by the system, it is
recommended to transition iSID to Detection state (see System Mode). iSID will now
begin looking for suspicious behaviors.
2.5 USING ISID
2.5.1 THE ISID GUI
Figure 30. iSID Dashboard
Table 8: Dashboard Components
#  Name              Description
1  Title Bar         Quick navigation icons
2  Navigation Panel  Navigation to all Engine windows, plus Events and Reports
3  Main Window       Display area
2.5.2 iSID Basic Features
The following basic features are available on most windows of the application.
• Title bar:
▪ Navigation icons
▪ Hide navigation panel
• Main window, engine windows
▪ Date Range
▪ Filter
▪ Toggle list/card view
▪ Download to csv file
▪ Reload
▪ Add new item
• Listings
▪ Select columns
▪ Sorting the list
2.5.2.1 Title Bar Tools
• You can jump to several locations using the icons at the right of the title bar.
• You can hide the navigation panel
Figure 31. Title Bar Navigation Icons
Table 9: Title Bar Navigation Icons
# Icon What it does
1
Hover: Shows the current system mode
Click: Link to the System mode configuration
2
Link to the main dashboard page
3
Link to the map
4
Link to Reports
5
Hides/shows the navigation panel
2.5.2.2 Main Window Tools
Figure 32. Main Window Tools
Table 10: Main Window Tools
# Icon What it does
1 Date Range Selects a range of dates to filter by
2 Filter Multiple-choice filters for the data to be displayed
3
Download the content of the web page to a CSV file
4
Reload page
5
Show listing view
6
Show cards view
2.5.2.3 Listing Tools
In listing displays you can:
• Select columns to be displayed
• Sort columns in ascending/descending order
Figure 33. Listing Tools
Table 11: Listing Tools
# Icon What it does
1
Column selection. Opens the Select columns to display window.
2
Column sort indicator. Click on the column heading to sort.
Icon indicates whether it is sorted in ascending or descending order and the order of the sorted columns.
2.5.3 The Network Map
The network map is a graphical representation of the network that lets you easily see the
relationships between devices and subnets. The network map is
dynamically updated as additional entities (devices, links) are detected. The network
topology map helps you understand the inner workings of the network.
The Network Map is built according to several rules:
• Structural view of the network – the iSID passively detects all network devices.
▪ Logical Connections view of the network does not include passive networking
devices such as switches, routers, etc.
▪ Inactive devices will be shown, as well as devices that never transmitted (shown
with transparency).
▪ The map is a powerful tool; you can zoom in and out of the network map, search
for a device, re-arrange the map with different layouts and filter by device,
vendor, link and many other options.
You can also edit the following device information via the map:
▪ Device Name
▪ Device Type
Device Severity
In the Device Summary for each device (see #7 in Figure 35) a “Severity” value is
assigned, which represents the highest risk among all new events related to that device
or its links. If the device has no New/Open events the Severity value will revert to
Normal state (value = 1).
Figure 34. Network Map
2.5.3.1 Working with the Network Map
Figure 35. Working with the Network Map
Table 12: Working with the Network Map
# What it does
1 Search: IP address/Device Name search. Matching Searches are displayed in green.
2 Layout:
• Click to save and name your current map layout.
• Click to select a layout from your list of saved layouts.
3 Mini Map: Enable/Disable small navigational map display.
4 Zoom control: In, Out, and Zoom to fit
5 Screenshot: Download a screenshot of the map in .PNG format.
6 Filters: Opens the Filter options (see Filtering the Network Map).
7 • Hover over device to see device summary.
• One Click on Device will highlight all the neighbor devices with a link to the chosen device.
• Double Click on device to open the Device Details window (see Viewing Device Details).
2.5.3.2 Filtering the Network Map
• Checked elements are displayed
• Unchecked elements are not displayed
• Click to display the filters of all individual elements sorted by category
• Click to display the Map Display Options.
Figure 36. Map Filter Options
2.5.3.3 Map Display Options
Check desired options.
Figure 37. Map Display Options
2.5.4 Managing Events
In Detection mode, whenever iSID identifies a threat or a risk, it is registered as an
event in the Event Bar. In addition, a Syslog message is sent to the pre-defined
syslog servers.
Note: Since the iSID detection engines are independent of one another, each may
trigger events separately.
Figure 38. The Events Listing
Table 13: Managing Events
# What it does
1 Displays the number of events per engine.
Click the engine button to display only the events from that engine.
Click the engine again to display events from all engines.
2 Bulk action selection.
Select the desired events (see #5) and click the desired action button to apply to all selected events.
Action options:
• Learn and Archive
• Archive
• Delete
3 Cause
Click to reveal the root cause of the Event (will display in the relevant engine screen).
4 Action selection.
Click to display the action options. Action will be applied to the specific event only,
See Event Action Options.
5 Bulk selection
Check all the events to which you want to apply a selected action from #2.
Check/uncheck the checkbox in the heading to select/unselect all events.
6 Archive selector
Move button to right to display only archived events.
2.5.4.1 Event Action Options
For each event, there are several available actions:
• Learn and Archive: Acknowledge the threat and instruct iSID to learn this threat
as normal behavior and not to issue future notifications, as if it had been detected during
the Learning phase.
• Archive: Acknowledge the threat. Whenever the threat is repeated, iSID pops
up the same Event and increases the count of identical detections in the
“Count” column.
To do this, iSID removes the newly learned threat from its model of the
network together with any dependent entity.
Example:
When a new device is detected, it normally starts communicating with some other
device; therefore, a new Link is also detected. The new Device and new Link appear
on the map in red, indicating that new events were issued for each.
Since the newly connected device is not a user-approved device, you can identify
the device, disconnect it physically from the network and archive the “New Device
Detected” event.
The new device is then removed from the map together with any link it may have. In
addition, every New event on this device or any of its links is moved
automatically to Archive.
• Display the exact timestamp (In Epoch Format) of the suspicious packet within
the downloaded PCAP file
• View the pre-defined procedure for this Event Type
• Add a comment
• Delete the event
• Download a PCAP file of the traffic surrounding (before and after) the root cause
packet, for investigation purposes
• Display the root cause of the Event (will display in the relevant engine screen).
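The device Severity rule (section 2.5.3) and the Archive versus Learn and Archive semantics above, modelled as an added example that is not Radiflow code: the entity id scheme, the severity values and the sample detections are constructed for illustration.

```python
from dataclasses import dataclass

NORMAL_SEVERITY = 1  # page: severity reverts to Normal (value = 1) when no New events remain


@dataclass
class Event:
    event_id: int
    entity: str          # "dev:<ip>" or "link:<src ip>-><dst ip>" (constructed id scheme)
    kind: str            # e.g. "New Device Detected", "New Link Detected"
    severity: int        # 1..5
    state: str = "New"   # "New" or "Archived"
    count: int = 1       # the "Count" column: repeats of the same detection


class NetworkModel:
    """iSID-style model: devices, unidirectional links, and the events raised on them."""

    def __init__(self):
        self.devices = set()
        self.links = set()       # A->B and B->A are distinct entries
        self.events = []
        self.learned = set()     # (entity, kind) pairs accepted as normal behaviour

    @staticmethod
    def _endpoints(link_id):
        return link_id.split(":", 1)[1].split("->")

    def _links_of(self, dev_id):
        ip = dev_id.split(":", 1)[1]
        return {l for l in self.links if ip in self._endpoints(l)}

    def device_severity(self, dev_id):
        """Highest severity among New events on the device or any of its links."""
        scope = {dev_id} | self._links_of(dev_id)
        open_sev = [e.severity for e in self.events
                    if e.state == "New" and e.entity in scope]
        return max(open_sev) if open_sev else NORMAL_SEVERITY

    def _raise(self, entity, kind, severity):
        if (entity, kind) in self.learned:
            return None          # learned as normal: no notification, as in the Learning phase
        for e in self.events:    # repeat of a known event: re-open it and bump Count
            if e.entity == entity and e.kind == kind:
                e.count += 1
                e.state = "New"
                return e
        ev = Event(len(self.events) + 1, entity, kind, severity)
        self.events.append(ev)
        return ev

    def detect_device(self, ip, severity=3):
        dev_id = f"dev:{ip}"
        self.devices.add(dev_id)
        return self._raise(dev_id, "New Device Detected", severity)

    def detect_link(self, src_ip, dst_ip, severity=3):
        link_id = f"link:{src_ip}->{dst_ip}"
        self.links.add(link_id)
        return self._raise(link_id, "New Link Detected", severity)

    def _find(self, event_id):
        return next(e for e in self.events if e.event_id == event_id)

    def archive(self, event_id):
        """Archive: acknowledge and forget the entity (plus dependents), so a repeat re-opens it."""
        ev = self._find(event_id)
        ev.state = "Archived"
        if ev.entity.startswith("dev:"):
            dependents = self._links_of(ev.entity)
            self.devices.discard(ev.entity)
            self.links -= dependents
            for e in self.events:   # New events on the device or its links move to Archive
                if e.state == "New" and (e.entity == ev.entity or e.entity in dependents):
                    e.state = "Archived"
        else:
            self.links.discard(ev.entity)
        return ev

    def learn_and_archive(self, event_id):
        """Learn and Archive: acknowledge and accept; the entity stays, no future notifications."""
        ev = self._find(event_id)
        ev.state = "Archived"
        self.learned.add((ev.entity, ev.kind))
        return ev
```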
2.5.5 Managing Reports
iSID provides 2 types of reports:
• iSID Security Report
This report summarizes the findings of all the iSID engines. The report is an Excel file
containing information about the system (devices, links, protocols, IPs, etc.) and
events.
Figure 39. Security Report
The report is created upon request and can be downloaded. Only the current report is
available; previous reports are not saved.
• User-defined Reports
You can also manually create a report with specified information. The report is
created and displayed immediately and can be saved for future display. Individual
pages of the report can be saved as csv files.
Figure 40. User-defined Report (Example)
Figure 41. Reports Window
Table 14: Managing Reports
# What it does
1 Open Reports listing
Double-click on a report to display it.
2 Hover over the report name to display the Close icon.
Click to close the selected report.
3 All reports listing. Lists all the user-defined reports.
Double-click on a report to display it.
4 Hover over the report name to display the Delete icon.
Click to delete the selected report.
5 Click to prepare an iSID Security Report.
When the report is ready the 'Ready for Download' message appears.
6 Click to download the iSID Security Report excel file.
7 Add Report
Click to create a new User-Defined report.
2.5.5.1 Working with User-Defined Reports
Figure 42. User Reports Window (Tab)
Table 15: Managing User Reports (Tab)
# What it does
1 Report tabs
Click on a tab to display the page.
2 Add Report
Click to create a new report.
3 Click to download the page to a .csv file.
3 THE NETWORK VISIBILITY ENGINE
The iSID Network Visibility engine is a passive, self-learning SCADA network utility used
to automatically construct the OT network topology model during the learning stage.
iSID automatically learns the traffic within the Operational Technology (OT)
network by using passive learning.
To learn the network structure, iSID receives a copy of the traffic from the entire network
using port mirroring.
During the learning stage the data is used to construct a network model of all devices,
protocols and sessions, which is displayed in the main screen during the learning stage. The
network model is represented both visually (map) and textually (Network Visibility
screen), which helps users understand the processes that take place across the OT
network.
Figure 43: The Network Visibility Engine
3.1 ENGINE SETTINGS
There are two global settings for the network visibility engine:
• Layer 2 Security
• Device Inactivity
Figure 44: The Network Visibility Engine Settings
Table 16: Managing Network Visibility Engine Settings
# What it does
1 Layer 2 Security
Provides an alert if a change between the IP address and the corresponding MAC address of a network entity is detected (as a sign of an ARP poisoning attack).
2 Device Inactivity
Enable/Disable the device inactivity alert (see Device Inactivity).
3.2 MANAGING THE NETWORK ELEMENTS
The Network Visibility engine provides a detailed listing of the following network
elements:
• Links
• Devices
• Traffic Trace
Click on a tab to display the page.
3.2.1 Managing Links
Links are unidirectional, meaning A→B is listed separately from B→A. Each
line in the Links table lets you view the state of the link, the end devices, port and protocol,
etc.
In addition to the usual application window features, the Links listing lets you configure a
specific inactive interval for a selected link. This interval overrides the global inactive
interval for the selected link.
Figure 45: Network Visibility: Links
Table 17: Managing Links
# What it does
1 Edit link
Click to display "Edit Inactive Time" message
2 Edit Inactive Time
Click to open the Edit Link Inactive Time window.
Set the Day/Hour/Minute/Second fields and click Apply.
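The detection logic behind the two engine settings in Table 16 and the per-link inactive interval in 3.2.1, as an added example that is not Radiflow code: a Layer 2 Security check that alerts when a learned IP-to-MAC binding changes (with a per-device override), and unidirectional link inactivity where a per-link interval overrides the global one. The packet trace, intervals and alert tuples are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since epoch (constructed)
    src_mac: str
    src_ip: str
    dst_ip: str


class VisibilityMonitor:
    def __init__(self, l2_security=True, global_inactive_s=3600.0):
        self.l2_security = l2_security              # global Layer 2 Security setting
        self.l2_override = {}                       # per-device override: ip -> bool
        self.global_inactive_s = global_inactive_s  # global inactive interval (seconds)
        self.link_inactive_s = {}                   # per-link override: (src, dst) -> seconds
        self.bindings = {}                          # learned ip -> mac (kept once learned)
        self.last_seen = {}                         # unidirectional link (src, dst) -> last ts
        self.inactive_links = set()

    def _l2_enabled(self, ip):
        return self.l2_override.get(ip, self.l2_security)

    def observe(self, pkt):
        """Feed one packet; return the alerts it raises."""
        alerts = []
        known = self.bindings.get(pkt.src_ip)
        if known is None:
            self.bindings[pkt.src_ip] = pkt.src_mac   # first sighting: learn the binding
        elif known != pkt.src_mac and self._l2_enabled(pkt.src_ip):
            alerts.append(("L2_SECURITY", pkt.src_ip, known, pkt.src_mac))
        link = (pkt.src_ip, pkt.dst_ip)               # A->B and B->A are tracked separately
        self.last_seen[link] = pkt.ts
        self.inactive_links.discard(link)             # traffic resumed: link active again
        return alerts

    def check_inactivity(self, now):
        """Return links whose silence exceeds their interval (reported once per lapse)."""
        alerts = []
        for link, ts in self.last_seen.items():
            limit = self.link_inactive_s.get(link, self.global_inactive_s)
            if now - ts > limit and link not in self.inactive_links:
                self.inactive_links.add(link)
                alerts.append(("LINK_INACTIVE", link, now - ts))
        return alerts


# Constructed trace: an HMI (.5) polling a PLC (.20); the PLC's IP then appears with a new MAC.
TRACE = [
    Packet(0.0,  "00:11:22:aa:bb:01", "192.168.10.5",  "192.168.10.20"),
    Packet(0.5,  "00:11:22:aa:bb:02", "192.168.10.20", "192.168.10.5"),
    Packet(60.0, "00:11:22:aa:bb:01", "192.168.10.5",  "192.168.10.20"),
    Packet(60.5, "00:11:22:aa:bb:99", "192.168.10.20", "192.168.10.5"),  # same IP, other MAC
]


def run_trace(trace, now=1000.0):
    mon = VisibilityMonitor(l2_security=True, global_inactive_s=3600.0)
    mon.link_inactive_s[("192.168.10.5", "192.168.10.20")] = 300.0   # per-link override
    alerts = []
    for p in trace:
        alerts += mon.observe(p)
    alerts += mon.check_inactivity(now)
    return alerts
```

With the constructed trace, the HMI-to-PLC link trips its 300 s override at `now=1000` while the reverse link stays within the 3600 s global interval.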
3.2.2 Managing Devices
The Devices listing lets you view device details, events, links and traffic usage
configuration. You can also edit device name and type.
You can also display only a selected device type. Device types are listed in the following
table.
Table 18: Device Types
Icon Device Type
PLC
Server
HMI
Engineering Station
Broadcast
Multicast
Router
Figure 46: Network Visibility: Devices (List View)
Figure 47: Network Visibility: Devices (Card View)
Table 19: Managing Devices
# What it does
1 Device Type Selector
Click on a device type icon to display only devices of the selected type.
2 Display action options.
3 Click to select an action.
View device details
Edit device
3.2.2.1 Editing a Device
To edit the device information:
1. Enter a device name (maximum 30 characters).
2. Select the device type.
3. Click Apply.
Figure 48: Network Visibility: Edit Device
3.2.2.2 Viewing Device Details
To view device details:
1. Click on a tab to view the page:
▪ Details: Displays a summary of the device: name, type, IP, state and MAC
address.
▪ New Events: New events on the selected device
▪ Units: Links to other IP addresses
▪ Traffic Usage: Current minimum and maximum traffic thresholds.
You can also edit the traffic usage thresholds for this device (see Editing the
Device Traffic Usage Settings).
2. Click to open the action options.
▪ Edit Device (see Editing a Device)
▪ L2 Security: Edit the L2 security setting for this device. This setting will override
the global L2 Security setting for this specific device.
If L2 Security is ON, an alert is provided if a change between the IP address and
the corresponding MAC address of a network entity is detected.
Figure 49: Network Visibility: View Device
Figure 50: Network Visibility: View Device Action Options
3.2.2.3 Editing the Device Traffic Usage Settings
You can edit the traffic usage setting for this device. This setting will only raise an event
if traffic usage threshold events are enabled (see Enabling Traffic Usage Threshold
Events).
To edit the device Traffic Usage settings:
1. In the Device Details, click the Traffic Usage tab.
2. In the Traffic Usage tab, click Edit .
3. In the Edit Traffic Usage Restrictions window, set the maximum and minimum traffic
threshold margin (Set in %) and click Save.
Figure 51: Network Visibility: Editing the Device Traffic Usage Settings
3.2.3 Monitoring Traffic Traces
The Traffic Trace listing lets you see the network traffic in chronological order,
similar to a normal sniffer (e.g. Wireshark).
Figure 52: Network Visibility: Traffic Trace
Table 20: Managing Traffic Traces
# What it does
1 Action options
Click to display action (View)
2 View details
Click to open the Packet Info window.
Figure 53: Viewing Packet Info
4 THE ASSET MANAGEMENT ENGINE
The iSID Asset Management engine lets you manage the operations of all devices in the
monitored network.
This engine monitors dedicated SCADA device operations such as read/write, download,
or CPU start/stop. A complete log of these operations is available. In addition, you can
configure the action to be carried out in response to each operation.
Figure 54: Assets Management Engine
4.1.1 Managing Devices
The Devices listing lets you view device details, events, links and traffic usage
configuration. You can also edit device name and type.
You can also display only a selected device type. Device types are listed in the following
table. (See Device Management)
4.2 OPERATIONS LOG
The Operations Log tab provides a tabular representation of all the operational actions
between the configured SCADA devices on the network (see Asset
Management/Configuration for the list of supported devices).
Figure 55: Assets Management: Operations Log
Table 21: Managing Operations
# What it does
1 Action options
Click to display action (View)
2 View details
Click to open the Dates Info window.
Figure 56: Dates Info Window
4.2.1 Asset Management - Configuration
The Asset Management engine lists several supported vendors (e.g. Schneider Electric, Siemens,
Allen Bradley) with all possible operations for each. The user can choose what iSID
does when a specific operation is identified.
The action operations are:
• None: No action will be triggered by iSID.
• Log: Send a syslog message in CEF format, but do not trigger an Event.
• Alert and Log: Send syslog message in CEF format and trigger an Event in the
system.
Figure 57: Assets Management: Operation Configuration
Table 22: Managing Operations
# What it does
1 Display operations
Click to expand to display all management operations for the selected vendor.
2 Actions
Click to display action options.
3 Action options
Select the desired Action to be triggered upon identifying such a management operation.
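How the three Asset Management actions (None, Log, Alert and Log) translate into an Event and a CEF-format syslog line, as an added example that is not Radiflow code: the per-vendor operation table, the signature id and the choice of CEF extension keys are constructed; only the vendor, product and version strings come from this guide, and the escaping rules are the standard CEF ones.

```python
# Constructed per-vendor table of management operation -> configured action
# (the page names these vendors; the operations and choices here are illustrative).
OPERATION_ACTIONS = {
    "Siemens": {"CPU Start": "Log", "CPU Stop": "Alert and Log", "Download": "Alert and Log"},
    "Schneider Electric": {"Read": "None", "Write": "Log", "Download": "Alert and Log"},
}


def _cef_header(value):
    """CEF header fields escape backslash and the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    """CEF extension values escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_message(vendor, operation, src_ip, dst_ip, severity, sig_id):
    """Build a CEF:0 line; vendor/product/version are the page's, the rest is constructed."""
    header = "|".join(_cef_header(v) for v in
                      ("Radiflow", "iSID", "4.5.7.5", sig_id, f"{vendor} {operation}", severity))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in
                   (("src", src_ip), ("dst", dst_ip), ("cs1Label", "vendor"), ("cs1", vendor),
                    ("cs2Label", "operation"), ("cs2", operation)))
    return f"CEF:0|{header}|{ext}"


def handle_operation(vendor, operation, src_ip, dst_ip, severity=5, sig_id=2001):
    """Apply the configured action: returns (event or None, syslog line or None)."""
    action = OPERATION_ACTIONS.get(vendor, {}).get(operation, "None")
    if action == "None":
        return None, None                      # None: nothing is triggered
    line = cef_message(vendor, operation, src_ip, dst_ip, severity, sig_id)
    event = None
    if action == "Alert and Log":              # Log alone sends syslog but raises no Event
        event = {"vendor": vendor, "operation": operation, "src": src_ip,
                 "dst": dst_ip, "severity": severity}
    return event, line
```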
5 THE CYBER ATTACK ENGINE
The Cyber Attack engine monitors for known threats designed to exploit vulnerabilities in
the SCADA network, including threats to PLCs, RTUs, and industrial protocols. The
signature database is updated periodically so that it can respond to emerging threats.
The database is a comprehensive collection of the most up-to-date publicly available
cyber-attack rules as well as rules developed by Radiflow specifically for SCADA
networks.
Users may also create their own rules, which must be written in SNORT rule syntax.
By default, the cyber attack engine is not active in learning mode. It is activated
during the detection phase.
Figure 58: Cyber Attack Engine
5.1 MANAGING CYBER ATTACK RULES
The Cyber Attack engine lets you manage cyber attack rules. You can:
• Add new rules
• Delete rules
• Edit the message that will appear in the Events Bar once the event is triggered.
• Activate and Deactivate a rule.
Figure 59: Cyber Attack: Rules
Table 23: Managing Cyber Attack Rules
# What it does
1 Bulk selection
Check all the rules to which you want to apply a selected action.
• Check or uncheck the checkbox in the heading to select or unselect all rules.
2 Bulk action selection.
Select the desired rules and click the desired action button to apply to all selected rules.
Action options:
• Enable
• Disable
• Delete
3 Activate / Deactivate Cyber Attack rule.
4 Actions
Click to display the action options.
5 Action options
Select the desired action. Action will be applied to the specific rule only.
5.1.1 Adding a Cyber Attack Rule
To create a new cyber attack rule:
1. In the Cyber Attack rules listing click .
Figure 60. Cyber Attack: New Rules
2. Enter the SID - a unique ID of the rule.
3. Enter the rule. Use SNORT rule syntax.
4. Enable or Disable the rule.
5. (Optional) Click to create additional rules in one form.
6. (Optional) Click to delete a rule from the form.
7. Click Create.
5.1.1.1 Editing a Rule Message
1. The user can add a textual description representing the message that will be shown if
the rule is activated.
Figure 61. Cyber Attack: Edit Rule Message
2. Click Update.
5.1.1.2 Viewing Cyber Attack Rules
In the Cyber Attack rules listing, select View for the desired rule.
The complete rule definition is displayed.
Figure 62. Cyber Attack: View Rule
6 THE POLICY MONITORING ENGINE
6.1 OVERVIEW
The Policy Monitoring engine allows you to define rules for a variety of behaviors; the rules can be
enforced and generate a set of possible actions.
This engine uses Deep Packet Inspection (DPI) capabilities: when a match between a
defined Rule and the inspected traffic occurs, the system generates an alert.
A Rule may combine a variety of parameters from Ethernet L2-L7 fields.
In addition to user-defined Rules, the Policy Monitor engine generates Rules automatically
from the incoming traffic; these rules can be edited and adjusted so that they can be
enforced too.
Figure 63. Policy Monitoring Engine
6.1.1 Method of Operation
During the learning stage, the Policy Monitor engine analyzes the traffic within the OT
network and creates policies based on the network behavior on each link.
These policies can be treated as blacklist/whitelist-style behavior, where the user
defines which kinds of network activity should be alerted on.
Note: It is important to understand that the Policy Monitor package is passive. It
provides alerts for violated rules, but does not block or actively prevent actions. The
barrier between the trusted, secure SCADA network and other outside networks,
therefore, is merely virtual. Policy enforcement is possible through Integration with
Radiflow’s Security Gateway.
6.1.2 Features and Advantages
• Definition of policies on each link
• Upon violation, an alert is generated; however, the Policy Monitor package does
not block the network traffic
• Users can edit policies suggested by iSID
• Label creation makes it easier to manage the enforced rules
• Suggested rules are created automatically from the traffic flow
• Option to create scheduled Policy Monitor rules for specific time periods (e.g. from
8AM, November 3rd to 10AM, November 3rd). (See The Operational Routine Engine)
• Optional policy enforcement via integration with Radiflow’s secure gateways.
6.1.3 Labels
Labels provide a convenient method for delineating categories of policies.
A label can be used as a keyword for filtering and tagging policies and profiles.
6.1.3.1 Pre-defined System Labels
There are four pre-defined system labels:
• Learning – represents the Suggested rules created in the Learning Phase.
• Detection – represents the Suggested rules created in the Detection Phase.
• Enforce in Learning – rules tagged with this label are enforced in the Learning
Phase.
• Enforce in Detection – rules tagged with this label are enforced in the Detection
Phase.
iSID Pre-defined Labels
6.1.3.2 User-Defined Labels
A user can create their own labels to categorize policy rules. These labels can be used for
filtering and associated with user-defined Profiles for easy management of policies in the
system.
To add a user-defined label:
When creating a new policy (see Creating New Policies), enter a new label
name; the label is saved and assigned to the policy.
6.2 MANAGING POLICY RULES
The Policy Manager window allows the user to manage the policy rules. The user can
perform actions on a selected rule or a group of rules filtered by selected parameters.
Some Definitions:
• Approve: A suggested rule becomes part of the active rule set.
• Enable/ON | Disable/OFF: A rule can be enabled or disabled, which determines whether the rule
is enforced. When disabled, iSID does not alert on the underlying event.
• Delete: The rule definition no longer exists in the system.
When a policy is deleted, iSID does not alert on the underlying event. To restore a
deleted policy, the user can either instruct iSID to relearn the network or enter the
policy manually.
Figure 64. Policy Monitor: Rules
Table 24: Managing Policy Rules
# What it does
1 Tabs
Click on tab to display page.
2 Bulk action selection.
Select the desired rules (see #3) and click the desired action button to apply to all selected policy rules.
Rule action options:
• Delete
• Disable
• Enable
• Edit Labels
• Change Action
3 Bulk selection
Check all the rules to which you want to apply a selected action from #2.
Check or uncheck the checkbox in the heading to select or unselect all rules.
4 Actions
Click to display the action options.
5 Select the desired action:
Action options:
• View
• Delete
• Edit
• Clone
6.2.1 Viewing Policies
To view a policy definition:
In the Policy Monitor rules listing select View for the desired rule.
The complete policy definition is displayed, including metadata as well as the full
L2-L7 networking configuration.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
Figure 65. Viewing Policy Monitor: View Rule
6.2.2 Editing Policies
To edit a policy definition:
1. In the Policy Monitor rules listing select Edit for the desired rule.
Figure 66. Policy Monitor: Edit Rule
2. Expand each relevant section to display the parameters in that section.
3. Fill in the parameters needed; fields that are left empty are disregarded by the
engine.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
4. Click Apply.
6.2.3 Creating New Policies
There are two methods for creating a new policy:
• Create a completely new policy
• Duplicate and edit an existing policy
To create a new policy rule:
1. In the Policy Monitor rules listing click .
Figure 67. Policy Monitor: Create Rule
2. Expand each relevant section to display the parameters in that section.
3. Edit the parameters as needed for all sections.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
4. Click Apply.
To create a policy by duplicating and editing an existing policy:
1. In the Policy Monitor rules listing select Clone for the desired rule.
The Create Rule window opens with all relevant fields filled in (similar to Edit Rule,
but the result is saved as a new rule rather than editing the existing one).
Figure 68. Policy Monitor: Create Rule (Clone)
2. Expand each relevant section to display the parameters in that section.
3. Edit the parameters as needed for all sections.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
4. Click Apply.
Table 25: Policy Rules Fields (View, Edit, Create)
Field Description
Basic Parameters
Severity Severity level of the event created when rule is violated (1-5)
(See Managing Events).
Enabled Disable or enable the policy.
Action Select the desired action when rule conditions are detected:
• Ignore: the system will not take any action and ignore the packet.
• Alert: add a new event to the Event listing.
• Log: Sends a Syslog message to a pre-defined syslog server. (See configuration→syslog)
Labels Select the labels that apply to the rule (see Labels).
Message Define the message that would be displayed in case of an event.
Procedure Define the procedure to be followed in case of an event.
Layer 2
VLAN Enter the VLAN ID number in the range 1-4096.
EtherType Select the EtherType:
• 0x0800
• 0x8100
• 0x0806
• 0x86DD
Source MAC Enter MAC address of the source device.
(AA:BB:CC:DD:EE:FF)
Destination MAC Enter MAC address of the destination device.
(AA:BB:CC:DD:EE:FF)
Layer 3
Transport Select transport type:
• TCP
• UDP
• ICMP
Source IP Enter the source IP (A.B.C.D)
Destination IP Enter the destination IP (A.B.C.D)
Layer 4
Protocol Ports Enter the protocol ports either by port number or protocol
Layer 7
DPI Select the DPI type matching the unique industrial protocol.
Function code Select the function code.
DPI-dependent
parameters
Other parameters may appear, depending on the DPI type
selected.
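Table 25 as executable logic, an added example that is not Radiflow code: a rule carries the Basic Parameters and optional Layer 2-7 conditions, every field left empty is disregarded by the matcher, the pre-defined "Enforce in Learning" / "Enforce in Detection" labels from 6.1.3.1 decide whether the rule is enforced in the current system mode, and the Action decides whether a match produces an Event, a syslog line, or nothing. The rules, packet records and the syslog line format are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# EtherType choices listed in Table 25
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x8100, 0x86DD


@dataclass
class PolicyRule:
    name: str
    severity: int = 1                  # 1-5
    enabled: bool = True
    action: str = "Alert"              # Ignore | Alert | Log
    labels: set = field(default_factory=set)
    message: str = ""
    # Layer 2-7 conditions; None models an empty field, which the engine disregards
    vlan: Optional[int] = None
    ethertype: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    transport: Optional[str] = None    # TCP | UDP | ICMP
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    dpi: Optional[str] = None          # industrial protocol selected for DPI
    function_code: Optional[int] = None

    def enforced_in(self, mode):
        """Pre-defined labels decide enforcement per system mode (Learning / Detection)."""
        return self.enabled and f"Enforce in {mode}" in self.labels

    def matches(self, pkt):
        """Every non-empty field must equal the packet's value; empty fields are skipped."""
        wanted = {
            "vlan": self.vlan, "ethertype": self.ethertype, "src_mac": self.src_mac,
            "dst_mac": self.dst_mac, "transport": self.transport, "src_ip": self.src_ip,
            "dst_ip": self.dst_ip, "dst_port": self.dst_port, "dpi": self.dpi,
            "function_code": self.function_code,
        }
        return all(v is None or v == pkt.get(k) for k, v in wanted.items())


def evaluate(rules, pkt, mode="Detection"):
    """Return (events, logs): Alert adds an Event, Log emits a syslog line, Ignore does nothing."""
    events, logs = [], []
    for r in rules:
        if not r.enforced_in(mode) or not r.matches(pkt):
            continue
        if r.action == "Alert":
            events.append({"rule": r.name, "severity": r.severity, "message": r.message})
        elif r.action == "Log":   # constructed line layout; the page only says "Syslog message"
            logs.append(f"policy={r.name} sev={r.severity} src={pkt.get('src_ip')} "
                        f"dst={pkt.get('dst_ip')} msg={r.message}")
    return events, logs


# Constructed rules: a Detection-only alert on a Modbus write to a PLC, and a log-only
# rule on ARP from a known engineering-station MAC that is enforced in both modes.
RULES = [
    PolicyRule("hmi-to-plc-write", severity=4, action="Alert",
               labels={"Enforce in Detection"}, message="Modbus write to PLC",
               transport="TCP", dst_ip="192.168.10.20", dst_port=502,
               dpi="Modbus", function_code=16),
    PolicyRule("eng-station-arp", severity=2, action="Log",
               labels={"Enforce in Learning", "Enforce in Detection"},
               message="ARP from engineering station",
               ethertype=ETHERTYPE_ARP, src_mac="00:11:22:aa:bb:03"),
]

# Constructed packet records (only the fields the matcher looks at)
PKT_WRITE = {"ethertype": ETHERTYPE_IPV4, "transport": "TCP", "src_ip": "192.168.10.5",
             "dst_ip": "192.168.10.20", "dst_port": 502, "dpi": "Modbus", "function_code": 16}
PKT_ARP = {"ethertype": ETHERTYPE_ARP, "src_mac": "00:11:22:aa:bb:03", "src_ip": "192.168.10.7"}
```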
6.3 MANAGING LEARNED POLICIES (SUGGESTED RULES)
In the course of the learning stage, iSID creates policies based on the learned traffic.
These policies can be based on regular IT protocols as well as industrial protocols such as
Modbus, CIP, DNP3 and IEC 104.
Policies created and suggested by iSID are not enabled until you approve them.
As with approved rules, you can view, delete, and clone suggested rules. You can also
Edit and Approve them, which gives you a chance to edit the rule
before approval. Once a suggested rule is approved, it is removed from the Suggested
Rules and added to the Rules listing.
Figure 69. Policy Monitor: Suggested Rules
Table 26: Managing Policy Rules
# What it does
1 Bulk selection
Check all the rules to which you want to apply a selected action.
Check or uncheck the checkbox in the heading to select or unselect all rules.
2 Bulk action selection.
Select the desired rules and click the desired action button to apply to all selected
suggested rules.
Rule action options:
• Approve
• Delete
3 Actions
Click to display the action options.
4 Select the desired action:
Action options:
• View
• Delete
• Edit & Approve
• Clone
6.3.1 Viewing Suggested Rules
To view a suggested rule definition:
In the Policy Monitor suggested rules listing select View for the desired rule.
The complete rule definition is displayed including meta data as well as all layer
configuration.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
Figure 70. Viewing Suggested Rules
6.3.2 Editing and Approving Suggested Rules
To edit and approve a suggested rule:
1. In the Policy Monitor rules listing select Edit & Approve for the desired rule.
Figure 71. Policy Monitor: Edit Rule
2. Expand each relevant section to display the parameters in that section.
3. Edit the parameters as needed for all sections.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
4. Click Approve. The rule is removed from the Suggested Rules and appears in the Rules listing.
6.3.3 Duplicating a Suggested Rule
You can clone a suggested rule just as you can clone an approved rule. The clone
appears in the listing of the suggested rules and can be edited and approved just like any
suggested rule.
To create a rule by duplicating and editing an existing suggested rule:
1. In the Policy Monitor rules listing select Clone for the desired rule.
The Create Rule window opens with all relevant fields filled in (similar to Edit Rule,
but the result is saved as a new rule rather than editing the existing one).
Figure 72. Policy Monitor: Create Rule (Clone)
2. Expand each relevant section to display the parameters in that section.
3. Edit the parameters as needed for all sections.
See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.
4. Click Apply.
6.4 POLICY MONITOR ENGINE STATUS
You can see the overall status of the Policy Monitor engine in the Status tab.
The status settings are determined by the Profile that is currently active.
Figure 73. Policy Monitor Status
Note: The status screen is intended for expert/administrator users; for additional information please contact
the Radiflow support team – [email protected]
7 THE OPERATIONAL ROUTINE ENGINE
The Operational Routine engine allows you to define special schedules for dedicated
operations; for example, a visit from an authorized technician to perform scheduled
maintenance and a PLC firmware upgrade. You can use this engine to configure iSID to
recognize the technician's activities during a pre-defined operations time window for
specific devices, so that the technician's activity does not raise false alarms.
Note: You must first create a profile with the desired rule behavior and then assign that
profile to a schedule.
Figure 74. Operational Routine Engine
7.1 SCHEDULES
Schedules let you apply a selected profile to a specific time period.
The time period frequency can be defined as follows:
Note: You must first define a profile that determines the rule set, then define the
schedule and attach the profile to it.
There are two types of schedules:
• User-defined schedules
• Default iSID schedules: there are three pre-defined schedules, one for each system
mode:
▪ Learning schedule
▪ Idle schedule
▪ Detection schedule
Default schedules only show which schedule is currently active; they cannot be edited or
deleted.
Figure 75. Operational Routine: User Defined Schedules
Figure 76. Operational Routine: Default Schedules
Table 27: Managing Schedules
# What it does
1 Display action options.
2 Click to select an action.
• View
• Edit (User defined schedules only)
• Delete (User defined schedules only)
7.1.1 Adding a User-Defined Schedule
To create a new schedule:
1. In the User-Defined Schedules listing click .
Figure 77. Operational Routine: Add Schedule (When)
Figure 78. Operational Routine: Add Schedule (Action)
2. Enter a name for the schedule
3. Expand each relevant section to display the parameters in that section.
4. Enter the parameters as needed for all sections.
See the table below for a description of the fields.
5. Click Apply.
Table 28: Schedule Fields (View, Edit, Add)
Field: Description
Enable: Use the slider to enable/disable this scheduled time window.
When
Frequency: Set the time window in which the desired action is active (see Schedules).
Action
Profile: Select the profile to attach to the schedule.
Merge Behavior: When enabled, this schedule overrides all other schedules; it is treated as the top-priority schedule.
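The relationship between schedules and profiles is easiest to see as a small model. The following is an added example, not iSID code: a user-defined schedule attaches a profile to a weekday/time window, the Merge Behavior flag (called `override` here) gives that schedule top priority over any other active schedule, and when no user-defined schedule is active the default profile of the current system mode applies. The profile fields modelled (`enforce_rules`, `alert_on_unknown`) are the "Enable" and "Send alert on unknown traffic" settings of Table 30; the tie-break between several active non-override schedules (first one defined wins) and the sample dates are assumptions made for the example.

```python
"""Toy model of schedule/profile resolution in an operational-routine engine.

Added example, not product code. Assumptions: weekday/time windows, first
defined schedule wins ties between non-override schedules, and a profile
only carries the two policy-monitor switches modelled below.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Profile:
    name: str
    enforce_rules: bool       # Table 30 "Enable" (policy monitor enforcement)
    alert_on_unknown: bool    # Table 30 "Send alert on unknown traffic"


@dataclass(frozen=True)
class Schedule:
    name: str
    profile: Profile
    enabled: bool             # Table 28 "Enable" slider
    weekdays: frozenset       # Table 28 "Frequency": 0 = Monday ... 6 = Sunday
    start: time
    end: time
    override: bool = False    # Table 28 "Merge Behavior"


def schedule_is_active(s: Schedule, now: datetime) -> bool:
    """A schedule applies only when enabled and `now` falls inside its window."""
    return s.enabled and now.weekday() in s.weekdays and s.start <= now.time() < s.end


def resolve_profile(schedules, default_profile: Profile, now: datetime):
    """Return (profile, schedule_name) governing `now`.

    An overriding schedule beats every other active schedule; with no active
    user-defined schedule the default profile of the system mode applies.
    """
    active = [s for s in schedules if schedule_is_active(s, now)]
    if not active:
        return default_profile, None
    overriding = [s for s in active if s.override]
    chosen = overriding[0] if overriding else active[0]  # assumption: first defined wins ties
    return chosen.profile, chosen.name


def raises_alert(profile: Profile, traffic_known: bool) -> bool:
    """Would the policy monitor alert on a flow under `profile`?

    Traffic matching a rule is allowed; unknown traffic alerts only when the
    profile enforces rules and has 'Send alert on unknown traffic' switched on.
    """
    if not profile.enforce_rules:
        return False
    return (not traffic_known) and profile.alert_on_unknown


# --- constructed sample configuration --------------------------------------
DETECTION = Profile("Detection (default)", enforce_rules=True, alert_on_unknown=True)
MAINTENANCE = Profile("Technician maintenance", enforce_rules=True, alert_on_unknown=False)
HOLIDAY = Profile("Holiday", enforce_rules=True, alert_on_unknown=True)

SCHEDULES = [
    # Non-override schedule covering all of Tuesday.
    Schedule("Holiday", HOLIDAY, enabled=True, weekdays=frozenset({1}),
             start=time(0, 0), end=time(23, 59)),
    # Technician window, Tuesday 08:00-17:00, Merge Behavior enabled.
    Schedule("PLC firmware upgrade", MAINTENANCE, enabled=True, weekdays=frozenset({1}),
             start=time(8, 0), end=time(17, 0), override=True),
    # Disabled schedule: never applies even though its window always matches.
    Schedule("Old window", MAINTENANCE, enabled=False, weekdays=frozenset(range(7)),
             start=time(0, 0), end=time(23, 59), override=True),
]


def profile_at(when_iso: str) -> Tuple[str, Optional[str], bool]:
    """(profile name, schedule name, alert on unknown traffic?) for an ISO timestamp."""
    profile, sched = resolve_profile(SCHEDULES, DETECTION, datetime.fromisoformat(when_iso))
    return profile.name, sched, raises_alert(profile, traffic_known=False)


if __name__ == "__main__":
    # 2018-07-03 is a Tuesday, 2018-07-04 a Wednesday (constructed sample dates).
    for stamp in ("2018-07-03T10:00", "2018-07-03T18:00", "2018-07-04T10:00"):
        print(stamp, "->", profile_at(stamp))
```

During the technician window both the Holiday and the PLC firmware upgrade schedules are active, and the override flag decides; outside it the Holiday schedule governs, and on Wednesday the default Detection profile is back, so unknown traffic alerts again.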
7.1.2 Editing Schedules
To edit a selected schedule:
1. Expand each relevant section to display the parameters in that section.
Figure 79. Operational Routine: Edit Schedule
2. Edit the parameters as needed for all sections.
See Table 28 for a description of the fields.
3. Click Apply.
7.1.3 Viewing Schedules
To view a schedule:
In the Schedule listing, select View for the desired schedule.
The complete profile definition is displayed.
See Table 28 for a description of the fields.
Figure 80. Operational Routine: View Schedule
7.2 PROFILES
A profile lets you define specific behavior of the system for special cases, such as
holidays or system maintenance.
There are two types of profiles:
• User-defined profiles
• Default iSID profiles: there are three default profiles, one for each system mode:
▪ Learning profile
▪ Idle profile
▪ Detection profile
Default profiles can be edited, but not deleted.
7.2.1 Managing Profiles
Figure 81. Operational Routine: User Defined Profiles
Table 29: Managing Profiles
# What it does
1 Display action options.
2 Click to select an action.
• View
• Edit
• Delete (User defined profiles only)
7.2.1.1 Adding a User-Defined Profile
To create a new profile:
1. In the User-Defined Profiles listing click .
Figure 90. Operational Routine: Add User-Defined Profile (Policy Monitor Configuration)
2. Expand each relevant section to display the parameters in that section.
3. Enter the parameters as needed for all sections.
4. See the table below for a description of the fields.
5. Click Apply.
Table 30: Profile Fields (View, Edit, Add)
Field: Description
Policy Monitor Configuration Fields
Enable: Use the slider to enable/disable policy monitor enforcement of user rules.
Send alert on unknown traffic: Use the slider to enable/disable sending an alert on unknown traffic.
Active Labels: Select the labels that the profile applies to (see Labels).
Rule Manager
Configure automatic policy monitor rule generation: Check to display the Rule Generation Configuration; enable it to display the Rule Generation Options.
Configure Policy Monitor rules enforcement: Check to display the Policy Monitor Configuration, where you enable the profile to configure Active Labels and use the slider to enable/disable sending an alert on unknown traffic.
Rule Generation Options
Rule Action: Select the action to take.
Severity: Select the rule severity.
Rule Message: Enter the message to appear in the log.
Label: Select a label or enter a new label name.
Cyber Attack
Configure Cyber Attack rules: Check to display the Cyber Attack Rules Configuration; use the slider to enable/disable enforcing Cyber Attack rules.
Parser
Configure Parser: Check to display the Parser Configuration; use the slider to enable/disable parsing network traffic.
7.2.1.2 Editing Profiles
To edit a selected profile:
1. Expand each relevant section to display the parameters in that section.
Figure 82. Operational Routine: Edit Profile
2. Edit the parameters as needed for all sections.
See Table 30 for a description of the fields.
3. Click Apply.
7.2.1.3 Viewing Profiles
To view a profile:
In the Profiles listing, select View for the desired profile.
The complete profile definition is displayed.
See Table 30 for a description of the fields.
Figure 83. Operational Routine: View Profile
7.3 OPERATIONAL ROUTINE STATUS
You can see the overall status of the Operational Routine engine in the Status tab.
The status settings are determined by the profile that is currently active.
Figure 84. Operational Routine Status
8 SYSTEM MAINTENANCE
Use the following tools to manage and monitor the iSID system itself.
8.1 USER ACTIVITY: MONITORING ISID
Every action a user performs in the iSID GUI is logged to the User Activity screen with the
Action Time, Username, User IP Address and a description of the action.
Use it to track configuration changes and their source when needed.
Figure 85. User Activity
8.2 iSID MAINTENANCE
The iSID system supports the following maintenance procedures:
• Server Reset: complete reset of all the engines in the system.
• Password Reset: it is recommended to change the password periodically.
• Update of the cyber attack rules configuration file.
In addition, see the configuration tasks explained in General Configuration.
8.2.1 Server Reset
To perform a server reset:
1. Go to Configuration>Server Actions
Figure 86. Server Reset
2. In the Server Reset section, select the reset type:
▪ Clear Data: completely deletes the data records collected by the system while
preserving the user's configuration.
▪ Factory Reset: total reset to factory defaults. All user configuration is lost; only
the User Activity log and the system's management IP address are retained.
8.2.2 Password Reset
To change your iSID logon password:
1. Go to Configuration>Server Actions.
Figure 87. Password Reset
Click Change Password.
2. Enter the old password.
3. Enter the new password.
4. Retype the new password to confirm it.
5. Click Change.
8.2.3 Update Cyber Attack Rules Configuration File
Radiflow provides an updated Cyber Attack rules configuration file from time to time as
required. When provided, it updates the rule configuration with new cyber-attack rules.
Note: The file is encrypted and signed by Radiflow, so the system does not accept any
other update file.
To update the Cyber Attack rules configuration file:
1. Copy the file to the client PC from which you are connected to iSID.
2. Go to Configuration>Cyber Attack Rules
Figure 88. Cyber Attack Rules Configuration File
3. Click Update Configuration.
4. Browse to the file path and select the file.
5. The system starts the rule-update process, preserving any rules that were changed
by the user.
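The two properties of this procedure worth understanding are that an update file is accepted only after its signature verifies (the note above) and that the update does not discard rules the user has edited (step 5). The following is an added example, not iSID code and not Radiflow's file format, that shows both gates in one place. Assumptions made here: the update is a JSON document of `{rule_id: rule}` carrying an HMAC-SHA256 tag on its first line (a stand-in for the vendor's encrypted and signed format, which this page does not describe; the encryption layer is omitted), and a user-changed rule is identified by its id in `user_changed`. The rule ids and messages are constructed sample data.

```python
"""Verify-then-merge handling of a signed rules update (added example).

Not product code. The HMAC tag stands in for the vendor signature, the
shared key is a constructed demo value, and rule ids/messages are samples.
"""
import hashlib
import hmac
import json

# Stand-in for the signing secret; constructed for this example only.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_update(rules: dict, key: bytes = DEMO_KEY) -> bytes:
    """Produce b'tag\\npayload' where tag = HMAC-SHA256(key, payload)."""
    payload = json.dumps(rules, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + payload


def verify_update(blob: bytes, key: bytes = DEMO_KEY) -> dict:
    """Return the rules only if the tag matches; refuse anything else.

    The payload is parsed only after the tag check, so a forged or corrupted
    file never reaches the rule loader; compare_digest avoids timing leaks.
    """
    tag, sep, payload = blob.partition(b"\n")
    if not sep:
        raise ValueError("rejected: malformed update file")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("rejected: signature mismatch")
    return json.loads(payload)


def merge_rules(current: dict, user_changed: set, update: dict) -> dict:
    """Apply the vendor update but keep every rule the user edited (step 5)."""
    merged = dict(update)            # new and refreshed vendor rules
    for rid in user_changed:
        if rid in current:           # the user's version wins over the vendor's
            merged[rid] = current[rid]
    return merged


def apply_update(blob: bytes, current: dict, user_changed: set) -> dict:
    """The only path by which a file may change the rule set: verify, then merge."""
    return merge_rules(current, user_changed, verify_update(blob))


# --- constructed sample data ------------------------------------------------
CURRENT_RULES = {
    "CA-001": {"msg": "Unauthorized write to controller", "severity": "high"},
    "CA-002": {"msg": "Controller stop command", "severity": "medium"},  # user lowered it
}
USER_CHANGED = {"CA-002"}
VENDOR_UPDATE = {
    "CA-001": {"msg": "Unauthorized write to controller", "severity": "high"},
    "CA-002": {"msg": "Controller stop command", "severity": "critical"},
    "CA-003": {"msg": "Controller cold restart", "severity": "high"},   # new rule
}


def demo() -> dict:
    """Sign the vendor update, apply it, and confirm a tampered copy is refused."""
    good = sign_update(VENDOR_UPDATE)
    merged = apply_update(good, CURRENT_RULES, USER_CHANGED)
    tampered = good.replace(b'"critical"', b'"low"')   # payload edited, tag unchanged
    try:
        apply_update(tampered, CURRENT_RULES, USER_CHANGED)
        raise AssertionError("tampered file was accepted")
    except ValueError:
        pass
    return merged


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

After the update, CA-003 is added and CA-001 refreshed from the vendor file, while CA-002 keeps the severity the user set; the tampered copy fails the tag check before any of its contents are parsed.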