Release 4.5.7.5

This controlled document is the property of Radiflow Ltd. This document contains proprietary information. Any duplication, reproduction or transmission to unauthorized parties without prior permission of Radiflow is strictly prohibited. All rights are protected by Radiflow Ltd.

RADIFLOW ISID INDUSTRIAL INTRUSION DETECTION USER GUIDE 4.5.7.5

REVISION HISTORY

Date        Rev   Description
1/1/2017    1     Initial release of 4.0
1/2/2017    2     Interfaces management update
7/3/2017    3     Probes management update
3/4/2017    4     1. Browser based management update
                  2. Section 2.4.5 removed - not supported in version 4.4.3.X and above
19/4/2017   5     Installation guide update
29/4/2017   6     General editing
11/5/2017   7     General editing
1/7/2018    8     Update to 4.5.7.5

CONTENTS

1 OVERVIEW .................................................................................................... 1

1.1 THE ISID SOLUTION .................................................................................. 1

1.2 MODES OF OPERATION .............................................................................. 2

1.2.1 CREATING THE NETWORK TOPOLOGY (LEARNING STAGE) ................................. 2

1.2.2 TRAFFIC MONITORING (DETECTION STAGE) ................................................. 4

1.3 ISID ENGINES ............................................................................................. 5

2 GETTING STARTED ........................................................................................ 6

2.1 ISID INSTALLATION ................................................................................... 6

2.1.1 MINIMAL HARDWARE REQUIREMENTS ......................................................... 6

2.1.2 PRE-INSTALLATION .............................................................................. 6

2.1.3 INSTALLING ISID ................................................................................ 6

2.2 LOGGING IN TO THE ISID WEB APPLICATION ......................................................... 8

2.3 BASIC CONFIGURATION ........................................................................... 10

2.3.1 GENERAL CONFIGURATION ................................................................... 10

2.3.2 EDITING PROTOCOLS.......................................................................... 19

2.3.3 DEFINING PROCEDURES ...................................................................... 21

2.3.4 DEFINING INTERFACES ........................................................................ 22

2.4 LEARNING MODE PHASE ................................................................................ 27

2.5 USING ISID .............................................................................................. 28

2.5.1 THE ISID GUI ................................................................................ 28

2.5.2 ISID BASIC FEATURES ....................................................................... 29

2.5.3 THE NETWORK MAP ........................................................................... 31

2.5.4 MANAGING EVENTS ........................................................................... 35

2.5.5 MANAGING REPORTS .......................................................................... 38

3 THE NETWORK VISIBILITY ENGINE ............................................................ 41

3.1 ENGINE SETTINGS ....................................................................................... 41

3.2 MANAGING THE NETWORK ELEMENTS ................................................................. 42

3.2.1 MANAGING LINKS ............................................................................. 42

3.2.2 MANAGING DEVICES .......................................................................... 43

3.2.3 MONITORING TRAFFIC TRACES .............................................................. 48

4 THE ASSET MANAGEMENT ENGINE .............................................................. 50


4.1.1 MANAGING DEVICES .......................................................................... 50

4.2 OPERATIONS LOG........................................................................................ 51

4.2.1 ASSET MANAGEMENT - CONFIGURATION ................................................... 52

5 THE CYBER ATTACK ENGINE ........................................................................ 53

5.1 MANAGING CYBER ATTACK RULES .................................................................... 53

5.1.1 ADDING A CYBER ATTACK RULE ............................................................. 54

6 THE POLICY MONITORING ENGINE ............................................................. 57

6.1 OVERVIEW ................................................................................................ 57

6.1.1 METHOD OF OPERATION ...................................................................... 57

6.1.2 FEATURES AND ADVANTAGES ................................................................ 58

6.1.3 LABELS .......................................................................................... 58

6.2 MANAGING POLICY RULES .............................................................................. 59

6.2.1 VIEWING POLICIES ............................................................................ 60

6.2.2 EDITING POLICIES ............................................................................. 61

6.2.3 CREATING NEW POLICIES .................................................................... 62

6.3 MANAGING LEARNED POLICIES (SUGGESTED RULES) ............................................... 64

6.3.1 VIEWING SUGGESTED RULES ................................................................ 66

6.3.2 EDITING AND APPROVING SUGGESTED RULES ............................................. 67

6.3.3 DUPLICATING A SUGGESTED RULE .......................................................... 67

6.4 POLICY MONITOR ENGINE STATUS .................................................................... 69

7 THE OPERATIONAL ROUTINE ENGINE ......................................................... 70

7.1 SCHEDULES............................................................................................... 70

7.1.1 ADDING A USER-DEFINED SCHEDULE ...................................................... 73

7.1.2 EDITING SCHEDULES .......................................................................... 74

7.1.3 VIEWING SCHEDULES ......................................................................... 75

7.2 PROFILES ................................................................................................. 75

7.2.1 MANAGING PROFILES ......................................................................... 76

7.3 OPERATIONAL ROUTINE STATUS ....................................................................... 80

8 SYSTEM MAINTENANCE ............................................................................... 81

8.1 USER ACTIVITY: MONITORING ISID ................................................................... 81

8.2 ISID MAINTENANCE ..................................................................................... 81

8.2.1 SERVER RESET ................................................................................. 82

8.2.2 PASSWORD RESET ............................................................................. 83

8.2.3 UPDATE CYBER ATTACK RULES CONFIGURATION FILE .................................... 83

1 OVERVIEW

Deploying the iSID (Industrial Security Intrusion Detection) system in ICS/SCADA networks enables securing operational technology networks through the monitoring of distributed networks and the detection of topology changes, SCADA information integrity breaches, known threats and anomalous behavior in operational networks.

iSID is a low-maintenance and low-false-alarm solution, designed specifically for the needs of ICS/SCADA network security.

1.1 THE iSID SOLUTION

The key features of iSID include:

• Automatic network topology learning
• Creation of a baseline SCADA behavioral model
• Passive network scanning
• DPI-based policies for industrial protocols
• Signature-based detection of known vulnerabilities
• Operational routines management
• Integration with third-party security systems (e.g. SIEM)
• NERC CIP-compatible reports

The iSID system combines two distinct capabilities:

• Modeling of SCADA/ICS network communications through passive network listening and machine learning: the iSID receives mirrored streams of all network traffic (directly or through remote RF-2120/80 smart probes) and analyzes them both to generate and display a network topology model, and to maintain the model as the baseline for detecting exceptions indicating unauthorized traffic.
• Deep Packet Inspection (DPI) and machine learning-based detection of anomalies, including known threats.

The iSID simplifies the management of detected network threat events. Its web-based graphical user interface (GUI) is designed to display the most critical information as an overlay over the user's familiar network topology.

The main user interface screen includes two types of views:

• The dashboard, which displays a security event summary as well as a set of aggregating statistics, including the number of detected security breaches.
• The network map, which provides real-time visibility of the network topology, with indications for detected risks on the ICS/SCADA networks.

The user interface provides notifications on detected security events, as well as event management tools. In addition, the GUI provides easy access to data and configuration of the engines, and to overall functionality information.

Figure 1. The iSID Dashboard.

1.2 MODES OF OPERATION

iSID can operate in one of three modes:

• Idle Mode: iSID engines remain passive, allowing the user to define configuration parameters and review existing data.
• Learning Mode: iSID collects network information, which is used to build a complete network and industrial communication model. The network topology is presented as a graphical map, allowing the investigation of processes and gaining an understanding of the network's inner workings.
• Detection Mode: at the conclusion of the learning stage you can transition the iSID to Detection mode. In this mode, the iSID provides constant network monitoring based on the data gathered and analyzed during the Learning mode. In Detection mode iSID uses analytical engines to detect unauthorized traffic or cyber threats on the SCADA network.

1.2.1 Creating The Network Topology (Learning Stage)

When initiated after first installation, iSID starts in the Idle state; the user can manually switch to the Learning stage. iSID then starts to passively collect information about the network. During this stage, a copy of the network traffic is streamed with no network intervention, i.e. passive learning of the network.

iSID's DPI (Deep Packet Inspection) capability is used to extract valuable data such as MAC addresses (L2), IP addresses (L3), transport protocol (L4) and industrial-protocol-specific information (L5-7), all of which are necessary to understand the overall behavior of the network.

All iSID engines take part in the Learning stage, as it is imperative for each engine to define the predictable behavior of the network.

The data collected is used to build a complete network model, which in effect assigns a virtual fingerprint to each session between any two devices on the OT network.

Depending on the configurable storage size, iSID "Traffic Capture" saves traffic permanently in PCAP file format, which can be easily downloaded and analyzed for further inspection.

1.2.1.1 Network Learning Stages

Network Learning consists of several stages that are performed in the background:

1. Identify network devices by: MAC address, IP address, Unit ID / ASDU, router's vendor, device type.
2. Learn the protocol used by the device, and its role in this protocol (Master/Slave).
3. Identify network connections by: source device and destination device, protocol used, function codes on the link, exception responses and errors in parsing.
4. Create the logical graphical map, including a table with all the types of connection.
5. Create rules. The information learned is generated and presented in the "Suggested rules", including auto-generated rules based on the learned network, that will later allow the user to better control the network behavior.
6. Conclude the Learning stage. Learning is concluded when requested by the user.


Figure 2. Network Topology Learning Stage
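The following is an added example, not Radiflow's code, of how the learning stages listed above can be carried out over parsed traffic records: it identifies devices by MAC/IP, derives each device's protocol role from who issues requests, builds the link table with the function codes and exception responses seen on each link, and turns the result into suggested allow-rules (stages 1 to 5). The record layout, field names and sample records are constructed for illustration and are not the product's internal format.

```python
"""Passive learning-stage baseline builder (added example, not Radiflow's code)."""

# Constructed sample of parsed request/response records, in the shape a DPI stage
# might emit: (src_mac, src_ip, dst_mac, dst_ip, protocol, unit_id, function_code, kind).
# Not captured from a real network.
SAMPLE_RECORDS = [
    ("00:1a:2b:00:00:01", "10.0.0.10", "00:1a:2b:00:00:20", "10.0.0.20", "modbus", 1, 3, "request"),
    ("00:1a:2b:00:00:20", "10.0.0.20", "00:1a:2b:00:00:01", "10.0.0.10", "modbus", 1, 3, "response"),
    ("00:1a:2b:00:00:01", "10.0.0.10", "00:1a:2b:00:00:20", "10.0.0.20", "modbus", 1, 16, "request"),
    ("00:1a:2b:00:00:20", "10.0.0.20", "00:1a:2b:00:00:01", "10.0.0.10", "modbus", 1, 16, "exception"),
    ("00:1a:2b:00:00:01", "10.0.0.10", "00:1a:2b:00:00:21", "10.0.0.21", "dnp3", 4, 1, "request"),
    ("00:1a:2b:00:00:21", "10.0.0.21", "00:1a:2b:00:00:01", "10.0.0.10", "dnp3", 4, 129, "response"),
]


def learn_baseline(records):
    """Stages 1-3: device table keyed by (MAC, IP), link table keyed by (master, slave, protocol)."""
    devices = {}  # (mac, ip) -> {"protocols": set, "roles": set, "unit_ids": set}
    links = {}    # (master_ip, slave_ip, proto) -> {"function_codes": set, "exceptions": int}
    for smac, sip, dmac, dip, proto, unit_id, fc, kind in records:
        for key in ((smac, sip), (dmac, dip)):
            devices.setdefault(key, {"protocols": set(), "roles": set(), "unit_ids": set()})
            devices[key]["protocols"].add(proto)
        if kind == "request":
            # The side issuing requests is the master; the addressed side is the slave.
            devices[(smac, sip)]["roles"].add("master")
            devices[(dmac, dip)]["roles"].add("slave")
            devices[(dmac, dip)]["unit_ids"].add(unit_id)
            link = links.setdefault((sip, dip, proto), {"function_codes": set(), "exceptions": 0})
            link["function_codes"].add(fc)
        else:
            # Responses and exception responses are attributed to the master->slave link.
            link = links.setdefault((dip, sip, proto), {"function_codes": set(), "exceptions": 0})
            if kind == "exception":
                link["exceptions"] += 1
    return devices, links


def suggest_rules(links):
    """Stage 5: one allow-rule per learned link, restricted to the function codes observed."""
    rules = []
    for (master, slave, proto), info in sorted(links.items()):
        rules.append({
            "action": "allow",
            "source": master,
            "destination": slave,
            "protocol": proto,
            "function_codes": sorted(info["function_codes"]),
            "note": f"{info['exceptions']} exception response(s) seen during learning",
        })
    return rules


def role_of(devices, ip):
    """Return the learned role(s) of the device with the given IP, e.g. 'master' or 'slave'."""
    for (_mac, dev_ip), info in devices.items():
        if dev_ip == ip:
            return "/".join(sorted(info["roles"])) or "unknown"
    return "unknown"


if __name__ == "__main__":
    devs, lnks = learn_baseline(SAMPLE_RECORDS)
    for (mac, ip), info in devs.items():
        print(ip, mac, role_of(devs, ip), sorted(info["protocols"]), sorted(info["unit_ids"]))
    for rule in suggest_rules(lnks):
        print(rule)
```

A rule derived this way is only as good as the learning window: a function code that was never observed during learning is absent from the suggested rule and will be flagged in Detection mode, which is why the guide has the user review and approve suggested rules before concluding the Learning stage.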

1.2.2 Traffic Monitoring (Detection Stage)

After the Learning stage is complete, it is time to transition to the Detection stage. In this stage iSID performs real-time monitoring of the traffic based on the network topology created in the learning phase.

During this stage iSID will raise an event for every possible attack, anomaly or change in network behavior.

1.2.2.1 Event Handling

During Detection Mode, each engine sends alerts according to its traffic analysis results. The new events appear in the Events log.

Each event is accompanied by an indicative message with a description of the violation, arranged in a dynamic table. When configured, the iSID will also send syslog messages with the same data to a predefined syslog server.

Overall there are four types of alerts:

1. Cyber alerts – for known rules (e.g. DoS, injection, scanning)
2. Policy violations – for specific, predefined policies on each link
3. Operational – behavior (retransmit, under-sampling, exceptions)
4. Topology changes (e.g. new devices, new sessions)

[Figure 2 stage labels: Identifying Network Devices; Learning Communication; Identifying Network Connections; Creating Logical Map; Creating Policy Rules; Finishing Learning Stage]

Figure 3. New Events Log Table

1.3 ISID ENGINES

iSID provides six engines:

1. The Network Visibility Engine
2. The Asset Management Engine
3. The Cyber Attack Engine
4. The Policy Monitoring Engine
5. The Operational Routine Engine
6. Behavior Analysis

Each engine allows the configuration of operational parameters and the detection of network intrusion, topology changes and known threats, as well as maintenance management. For more information on each engine, please refer to the respective chapter in this document.

2 GETTING STARTED

This chapter provides instructions for:

• iSID Installation
• Accessing the iSID web application
• Basic Configuration
• The Learning Phase
• Using iSID

2.1 ISID INSTALLATION

2.1.1 Minimal Hardware Requirements

• CPU: Intel i7 Quad-Core
• RAM: 32GB DDR4
• HDD: 2x1TB HDD RAID 0,1 (additional storage may be required based on retention needs)
• Network: 3 x Network Interface Cards (NIC)
• Operating System: CentOS 7 Minimal - build 1611 required

CentOS 7 Minimal Download

2.1.2 Pre-Installation

• The machine must have a CentOS 7 minimal installation before iSID installation begins.
• Make sure that user root has admin privileges.
• Obtain the RPM version installation file and place it on a USB drive.

2.1.3 Installing iSID

1. Move the RPM file to the machine (e.g. via WinSCP or USB).
2. Access the downloaded directory using the following command:

   cd <path to downloaded TAR file>

3. Extract the files from the TAR file using the following command:

   tar -xvf <TAR-file-name>

4. Run the installation script using the following command:

   sudo python install.py

5. Type the Management IP address.
6. Select (type in) the subnet address.
7. Type in the management interface name from the presented list of NICs.
8. Type in the gateway address.
9. At the end of the execution the following will appear. Use the https://A.B.C.D/ displayed to access iSID.

2.2 LOGGING IN TO THE iSID WEB APPLICATION

iSID is operated and managed via a web browser-based Graphical User Interface (GUI).

Requirements:

• Google Chrome browser, version 55.0.2883.87 or higher
• Computer with at least one active network interface, with an assigned IP address

To access the iSID web application:

Launch Google Chrome and go to https://A.B.C.D/, where A.B.C.D represents the Management IPv4 address defined during the server installation.

Note: This Management IP address can be changed via the iSID Configuration screen.

The following login screen will appear.

• User name: radiflow
• Password: ******* (please contact Radiflow)

Figure 4: iSID Login Screen

Upon successful login the main iSID screen will appear.

2.3 BASIC CONFIGURATION

There are a few basic configuration steps that are required before running iSID:

• General configuration: check such parameters as the syslog server configuration, timeout interval, and SSH mode.
• Defining procedures: define the procedure to be followed when a specified event occurs.
• Defining interfaces: the iSID system must have a minimum of one defined management interface and one other interface for listening to network traffic.

2.3.1 General Configuration

The Configuration window gives you access to these general system configurations.

Figure 5. Configuration Window

2.3.1.1 System Mode

Selects the system state:

• Learning: the initial system state.
• Detection: the operational system state.

1. Go to Configuration>General

Figure 6. System Mode

2. In the System State section, use the sliders to turn the desired mode On.

2.3.1.2 SSH Mode

Enable or disable SSH connectivity to provide a secure channel over the network.

To set the SSH mode:

1. Go to Configuration>General

Figure 7. SSH Mode

2.3.1.3 Auto Logout

When connected, users can configure the timeout interval, the specified period of inactivity after which the user will be automatically logged out of iSID.

To set the timeout interval:

1. Go to Configuration>General

Figure 8. Auto Logout

2. In the Auto Logout section, select the timeout period from the dropdown list.

2.3.1.4 Syslog Server

For each event, iSID will send a CEF-format syslog message to the syslog server that you specify.

Format:

<date> iSID CEF:0|radiflow|isid|<isid_version>|<event_id>|<event_message>|<event_severity>|<extensions>

In addition, you can set the syslog server mode:

• Verbose mode ON: when a repeating abnormal behavior is detected, iSID will send a syslog message for each instance.
• Verbose mode OFF: iSID will send a syslog message only once per abnormal behavior.
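As an added example (not Radiflow's code), the parser below reads lines in the CEF layout documented above and models the two verbose modes: with verbose ON every instance is forwarded, with verbose OFF only the first message per abnormal behavior. The sample lines, event ids, message texts and extension keys are constructed placeholders that follow the documented field order, not values taken from a real iSID, and the key used to decide that two messages describe the same behavior (event id plus extensions) is an assumption of this example.

```python
"""Parser and verbose ON/OFF emitter for the documented iSID CEF syslog format.
Added example, not Radiflow's code; sample data is constructed."""
import re

# Constructed lines following the documented layout; ids and extension keys are placeholders.
SAMPLE_LINES = [
    "Jul 1 12:00:01 iSID CEF:0|radiflow|isid|4.5.7.5|1001|New device detected|5|src=10.0.0.31 smac=00:1a:2b:00:00:31",
    "Jul 1 12:00:07 iSID CEF:0|radiflow|isid|4.5.7.5|2002|Policy violation: unexpected function code|8|src=10.0.0.10 dst=10.0.0.20 proto=modbus",
    "Jul 1 12:00:09 iSID CEF:0|radiflow|isid|4.5.7.5|2002|Policy violation: unexpected function code|8|src=10.0.0.10 dst=10.0.0.20 proto=modbus",
]

# <date> is everything before the fixed "iSID CEF:0|" marker.
CEF_RE = re.compile(r"^(?P<date>.+?) iSID CEF:0\|(?P<rest>.*)$")


def _split_cef(body):
    """Split on unescaped '|'; CEF writes a literal pipe inside a header field as '\\|'."""
    fields, current, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_cef(line):
    """Return the documented fields as a dict; raise ValueError on anything malformed."""
    m = CEF_RE.match(line)
    if not m:
        raise ValueError("not an iSID CEF line")
    fields = _split_cef(m.group("rest"))
    if len(fields) != 7:
        raise ValueError(f"expected 7 pipe-separated fields after CEF:0, got {len(fields)}")
    vendor, product, version, event_id, message, severity, ext = fields
    # Extensions are space-separated key=value pairs; values here never contain spaces.
    extensions = dict(kv.split("=", 1) for kv in ext.split() if "=" in kv)
    return {
        "date": m.group("date"), "vendor": vendor, "product": product,
        "isid_version": version, "event_id": event_id, "event_message": message,
        "event_severity": int(severity), "extensions": extensions,
    }


def events_to_send(lines, verbose):
    """Verbose ON: one message per instance. Verbose OFF: first message per behavior only.
    A behavior is identified by (event_id, extensions) - an assumption of this example."""
    seen, out = set(), []
    for line in lines:
        ev = parse_cef(line)
        key = (ev["event_id"], tuple(sorted(ev["extensions"].items())))
        if verbose or key not in seen:
            seen.add(key)
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in events_to_send(SAMPLE_LINES, verbose=False):
        print(ev["event_id"], ev["event_severity"], ev["event_message"], ev["extensions"])
```

When writing a SIEM parser for these messages, split on unescaped pipes rather than on every `|`, since CEF permits an escaped pipe inside the message text; and note that with verbose mode OFF a repeating violation produces a single message, so a count of syslog lines is not a count of instances.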

To configure the syslog server:

1. Go to Configuration>Syslog Server

Figure 9. Syslog Server

2. In the Syslog Servers Settings section, use the slider to enable or disable Verbose Mode.
3. In the Syslog Servers section, click to add a server.

Figure 10. New Syslog Server

4. In the New Syslog Server window, enter the server name.
5. Enter the syslog server IP address.
6. Click Create. (Multiple syslog servers can be set.)

2.3.1.5 Global Device Inactivity Interval

By default, iSID will detect silent entities: a device/link that was once active and became silent, meaning it stopped transmitting any traffic. Once the entity is active again, iSID will re-detect it and send an Event notification.

You can also configure specific inactivity intervals for specific links (see Managing Links). These intervals override the global configuration for those links, so that the device/link inactivity state is set by the manually set parameters.

To configure the global device inactive interval:

1. Go to Configuration>Server Actions

Figure 11. Global Device Inactive Interval

2. In the Inactive Time section, click to edit.

Figure 12. Edit Inactive Time

3. In the Edit Inactive Time window, configure the desired interval and click Apply.

2.3.1.6 Enabling Traffic Usage Threshold Events

Connected users can configure iSID to trigger an event when the device traffic, both received and transmitted, reaches either a maximum or minimum threshold.

The traffic thresholds are configured and updated per device when in the Learning stage (see Editing the Device Traffic Usage Settings).

To enable traffic usage threshold events:

1. Go to Configuration>Traffic Usage Detector

Figure 13. Traffic Usage Detector

2. Check the checkboxes as desired to enable minimum and/or maximum traffic events.
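The following added example (not Radiflow's code) shows the detection logic described in the two sections above in one monitor: a global inactivity interval with per-link overrides, an inactive event when a link goes silent, a re-detection event when it becomes active again, and per-device minimum/maximum traffic events that fire only when the corresponding checkbox is enabled. The configuration fields, the link/byte-count record format and the timeline are constructed assumptions used to illustrate the behavior.

```python
"""Inactivity and traffic-threshold monitor (added example, not Radiflow's code)."""
from dataclasses import dataclass, field


@dataclass
class MonitorConfig:
    global_inactive_secs: int                                # Configuration>Server Actions, Inactive Time
    link_inactive_secs: dict = field(default_factory=dict)   # per-link overrides (see Managing Links)
    min_events_enabled: bool = False                         # Traffic Usage Detector: minimum checkbox
    max_events_enabled: bool = False                         # Traffic Usage Detector: maximum checkbox
    thresholds: dict = field(default_factory=dict)           # device ip -> (min_bytes, max_bytes)


class TrafficMonitor:
    def __init__(self, cfg):
        self.cfg = cfg
        self.last_seen = {}   # link (src_ip, dst_ip) -> last timestamp traffic was seen
        self.silent = set()   # links currently flagged as inactive

    def _interval(self, link):
        """A per-link interval, where configured, overrides the global value."""
        return self.cfg.link_inactive_secs.get(link, self.cfg.global_inactive_secs)

    def observe(self, now, link, bytes_rx, bytes_tx):
        """Record traffic on a link; returns re-detection and threshold events."""
        events = []
        if link in self.silent:
            self.silent.discard(link)
            events.append(("link_active_again", link, now))
        self.last_seen[link] = now
        # bytes_tx is attributed to the sending device, bytes_rx to the receiving one.
        for dev, amount in ((link[0], bytes_tx), (link[1], bytes_rx)):
            if dev in self.cfg.thresholds:
                lo, hi = self.cfg.thresholds[dev]
                if self.cfg.min_events_enabled and amount <= lo:
                    events.append(("traffic_below_min", dev, amount))
                if self.cfg.max_events_enabled and amount >= hi:
                    events.append(("traffic_above_max", dev, amount))
        return events

    def tick(self, now):
        """Periodic check: flag links whose silence exceeds their interval (once per silence)."""
        events = []
        for link, seen in self.last_seen.items():
            if link not in self.silent and now - seen > self._interval(link):
                self.silent.add(link)
                events.append(("link_inactive", link, now))
        return events


def run_scenario():
    """Constructed timeline: link A is overridden to 30 s, link B uses the 120 s global value."""
    link_a, link_b = ("10.0.0.10", "10.0.0.20"), ("10.0.0.10", "10.0.0.21")
    cfg = MonitorConfig(global_inactive_secs=120,
                        link_inactive_secs={link_a: 30},
                        min_events_enabled=True, max_events_enabled=True,
                        thresholds={"10.0.0.20": (100, 50_000)})
    mon = TrafficMonitor(cfg)
    log = []
    log += mon.observe(0, link_a, bytes_rx=500, bytes_tx=400)
    log += mon.observe(0, link_b, bytes_rx=500, bytes_tx=400)
    log += mon.tick(60)     # only the overridden 30 s link has gone silent
    log += mon.tick(200)    # the 120 s global interval has now elapsed for link B
    log += mon.observe(210, link_a, bytes_rx=60_000, bytes_tx=10)  # A is back, and over its maximum
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Setting a per-link override shorter than the global interval is the right tool for a polling link with a known cycle time: a silence of a few cycles is already significant there, whereas the global value has to tolerate the slowest talker on the network.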

2.3.1.7 SCADA Servers

To make the iSID manageable using DNP3 and/or Modbus, the user must define the relevant masters.

Note: Using this feature requires an integration with the customer HMI system.

To define a DNP3 master:

1. Go to Configuration>SCADA Servers

Figure 14. SCADA Servers

2. Click to add the DNP3 master.

Figure 15. Add DNP3 Master

3. In the Add DNP3 Master window fill in the fields as described in the table below and click Apply.

Table 1: Add DNP3 Master

Field                Description
Master Name          User-defined master name
Master IP            IP of the DNP3 Master
Enabled Master       Enable/Disable DNP3 Master connection
Outstation Port      Set TCP port number
Master Link          Number of the master link
Outstation Link      Number of the outstation link
Minimum Severity     Minimum event severity level
Keep Alive Interval  DNP3 Master keep-alive interval: set the interval (seconds) of the message sent by one device to another to check that the link between the two is operating

2.3.1.7.1 Modbus Master

To define a Modbus master:

1. Go to Configuration>SCADA Servers

Figure 16. SCADA Servers

2. Click to add a Modbus server.

Figure 17. Add Modbus Server

3. In the Add Modbus Server window fill in the fields as described in the table below and click Apply.

Table 2: Add Modbus Server

Field            Description
Server Name      User-defined name
Server Port      Port that iSID will listen to for Modbus commands (default = 502)
Activate Server  Use slider to activate server

4. In the selected Modbus server card, click to add a Modbus master from which iSID is willing to accept Modbus commands.

Figure 18. Modbus Server

5. In the Add Modbus Master window fill in the fields as described in the table below and click Apply.

Figure 19. Add Modbus Master

Table 3: Add Modbus Master

Field        Description
Master Name  User-defined Modbus Master name
Master IP    IP Address of the Modbus Master

2.3.1.9 Communicating with the iSID in Modbus protocol

From your Modbus master, which resides within the same management network as the iSID and has the IP address you entered in Step 5 above in Modbus Master, you can try to connect to the iSID.

The iSID listens for Modbus connections on the management IP address of the iSID and on the server port you defined in Step 5 above in Modbus Master.

By communicating with the iSID, the Modbus master will receive the syslog events through the Modbus registers.
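The defining point of the Modbus server configuration above is that iSID answers only masters that have been explicitly listed (Table 3) on the configured server port (Table 2). The following added example, not Radiflow's code, shows what such a gate looks like: a Modbus/TCP MBAP header and function code are parsed only after the source has been checked against the configured masters, so that unlisted or malformed requests are refused with a reason suitable for logging. The `ModbusServerConfig` fields mirror the two tables but are assumptions of this example, and the request frame is constructed.

```python
"""Modbus/TCP request gate keyed on configured masters (added example, not Radiflow's code)."""
import struct


class ModbusServerConfig:
    """Assumed configuration object modelled on Tables 2 and 3 above."""

    def __init__(self, server_port=502, activate_server=True, masters=()):
        self.server_port = server_port           # Table 2: Server Port (default = 502)
        self.activate_server = activate_server   # Table 2: Activate Server
        self.masters = dict(masters)             # Table 3: Master Name -> Master IP


def parse_mbap(frame):
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id) plus PDU.
    The length field counts the unit id and the PDU, i.e. everything after the first 6 bytes."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "function_code": frame[7], "data": frame[8:]}


def gate_request(cfg, src_ip, dst_port, frame):
    """Return (accepted, reason). Unlisted masters and inactive servers are refused before parsing,
    so no attacker-controlled bytes are interpreted unless the source is a configured master."""
    if not cfg.activate_server:
        return False, "server not activated"
    if dst_port != cfg.server_port:
        return False, f"unexpected port {dst_port}"
    if src_ip not in cfg.masters.values():
        return False, f"{src_ip} is not a configured Modbus master"
    try:
        pdu = parse_mbap(frame)
    except ValueError as exc:
        return False, f"malformed frame: {exc}"
    return True, f"fc={pdu['function_code']} unit={pdu['unit_id']} tid={pdu['transaction_id']}"


# Constructed request: Read Holding Registers (function code 3), unit 1, start address 0, 2 registers.
READ_HR = struct.pack(">HHHB", 0x0001, 0, 6, 1) + bytes([3]) + struct.pack(">HH", 0, 2)

# Constructed configuration: one HMI master on the management network.
EXAMPLE_CFG = ModbusServerConfig(masters=[("HMI-1", "10.0.0.5")])


if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.99"):
        print(src, gate_request(EXAMPLE_CFG, src, 502, READ_HR))
```

Because Modbus/TCP carries no authentication, the master allow-list is the only access control this interface has; it is worth pairing it with a network-level rule that limits reachability of the server port to the same addresses, so that an unlisted host cannot even complete the TCP handshake.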

2.3.2 Editing Protocols

The iSID system lists 65K TCP and 65K UDP ports that the user can modify.

Users can modify only the following parameters:

• Protocol name: the way the protocol is presented throughout the iSID screens
• DPI type: the method/structure with which the iSID inspects the packets

To edit protocol definitions:

1. Go to Configuration>Protocols

Figure 20. Protocols

2. In the Modify Protocol Information window fill in the fields as described in the table below and click Apply.

Figure 21. Modify Protocol Information

Modifying Protocol Information

Field     Description
Name      User-defined protocol name
DPI type  Select the Deep Packet Inspection type

2.3.3 Defining Procedures

For each event type, the user may define a Standard Operating Procedure (SOP). Each procedure is limited to 2,000 characters of free text.

Once an event pops up, the user can easily read and follow the SOP by clicking Procedure in the action options for the event (see Event Action Options).

To define procedures:

1. Go to Configuration>Procedures

Figure 22. Procedures Tab

2. Click to edit the procedure text.
3. In Edit Procedure enter the procedure (up to 2,000 characters of free text) and click Apply.

Figure 23. Edit Procedure

Page 26: Release 4.5.7...i Release 4.5.7.5 This controlled document is the property of Radiflow Ltd. This document contains proprietary information. Any duplication, reproduction or transmission

GETTING STARTED

RADIFLOW ISID INDUSTRIAL THREAT DETECTION USER GUIDE 4.5.7.5 22

2.3.4 Defining Interfaces

iSID requires 2 mandatory NICs (Network Interface Cards). Each network interface must have a unique identifier name.

iSID utilizes interfaces for:

• Management interface - Web client management (Modbus/DNP3 can be configured as well)

• Monitored interface - Direct passive listening to network traffic (no IP address)

• Smart Probes interface - Listening to multiple remote networks using Radiflow iSAP devices

The Management interface is mandatory. One other interface, either Monitored or Smart Probe, is also mandatory.

2.3.4.1 Creating a new Interface

To create a new interface:

1. Go to Configuration>Interfaces

Figure 24. Physical Interfaces

Note: the green LED indicates that the interface is active and that traffic arrives.

2. In the Physical Interfaces section, click the add icon to open the interface options.

3. Select the desired interface.

4. In the Add Interface window, fill in the fields as described in the relevant table below and click Apply.

5. Refer to the table for the selected interface type:

▪ For a management interface: see Table 4

▪ For a monitoring interface: see Table 5

▪ For a Smart Probe interface: see Table 6

Figure 25. Add Management Interface

Note: Prior to changing the management IP, the user should verify network connectivity to the new IP address. Once entered, you will be requested to Apply & Reload; the web page will reload using the newly-set IP address.

Table 4: Add Management Interface

Field            Description
Interface Name   Select the physical interface name
IP               Enter the IP address
Subnetwork       Select the subnet mask (CIDR notation, e.g. /24)
Gateway          Default gateway IP address

Figure 26. Add Monitoring Interface


Note: This port doesn't transmit any packets; it only receives traffic and has no IP address.

Table 5: Add Monitoring Interface

Field                   Description
Interface Name          Select the physical interface name
Event on traffic stop   Use the slider to enable/disable raising an event when traffic stops on the interface
Event on traffic start  Use the slider to enable/disable raising an event when traffic starts on the interface
Inactive after          Set the time interval of traffic absence after which the device is recognized as inactive.

Figure 27. Add Smart Probe Interface

Table 6: Add Smart Probe Interface

Field                   Description
Interface Name          Select the physical interface name
IP                      IP address
Subnetwork              Select the subnet mask
Event on traffic stop   Use the slider to enable/disable raising an event when traffic stops on the interface
Event on traffic start  Use the slider to enable/disable raising an event when traffic starts on the interface
Inactive after          Set the time interval of traffic absence after which the device is recognized as inactive.


2.3.4.2 Creating Smart Probe Connections

In addition to analyzing the traffic received from the Monitored network interface, iSID can receive and analyze traffic coming from multiple remote sites and network segments. To do this, an RF-2180 iSAP is installed at each remote site as the destination of a port mirroring. The iSAP compresses the received traffic and transfers it to the iSID using a GRE tunnel.

In order for the iSID to communicate with the Smart Probe, you must:

1. Define the Smart Probe physical interface.

2. For each remote site, define the remote iSAP properties: user-defined name, GRE key and iSAP IP address.

To create a Smart Probe connection:

1. Go to Configuration>Interfaces

Figure 28. Smart Probe Connections

2. In the Smart Probe Connections section, click the add icon to open the interface options.

3. In the Add Smart Probe Connection window, fill in the fields as described in the table below and click Apply.


Figure 29. New Smart Probe Connection

Table 7: Add Smart Probe Connection

Field                   Description
Connection Name         User-defined name to identify the connection
Remote IP               IP address of the iSAP device
Key                     Enter the GRE key to be used by the iSAP device
Event on traffic stop   Raise an event when traffic received from the iSAP device stops (for the Inactivity Time interval that was set)
Event on traffic start  Raise an event when traffic received from the iSAP device starts
Inactive after          Time interval for receiving traffic: after this time without traffic, the device is recognized as inactive

Note: iSID can communicate with multiple Smart Probes; each should be added separately to the Smart Probe list.
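As an added example (not Radiflow's code, and not a description of the iSAP's proprietary compression), the following Python matches GRE tunnel packets to the Smart Probe connections of Table 7 by remote IP and GRE key, and drops anything that does not match. The connection values, packets and the use of the standard GRE header with a key field are assumptions constructed for the example.

```python
"""Added example (not Radiflow's code): match GRE tunnel packets arriving on the
Smart Probe interface to the Smart Probe connections of Table 7 (Connection
Name, Remote IP, GRE Key). Assumptions: only the standard GRE header (RFC 2784
and RFC 2890) is parsed, the iSAP's compressed payload is treated as opaque,
and all addresses, keys and packets are constructed for this example."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GRE_FLAG_CHECKSUM = 0x8000   # C bit: checksum + reserved1 words follow
GRE_FLAG_KEY = 0x2000        # K bit: 32-bit key follows
GRE_FLAG_SEQ = 0x1000        # S bit: 32-bit sequence number follows


@dataclass
class GreHeader:
    proto: int               # EtherType of the encapsulated payload
    key: Optional[int]
    seq: Optional[int]
    payload: bytes


@dataclass
class SmartProbeConnection:
    name: str                # Connection Name
    remote_ip: str           # Remote IP (the iSAP device)
    key: int                 # GRE Key configured on the iSAP
    packets: int = 0         # accepted tunnel packets


def _u32(data: bytes, off: int) -> int:
    if len(data) < off + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", data[off:off + 4])[0]


def parse_gre(data: bytes) -> GreHeader:
    """Decode flags, protocol type and the optional checksum/key/sequence words."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4                           # checksum + reserved1 (not verified here)
    key = seq = None
    if flags & GRE_FLAG_KEY:
        key, off = _u32(data, off), off + 4
    if flags & GRE_FLAG_SEQ:
        seq, off = _u32(data, off), off + 4
    if len(data) < off:
        raise ValueError("truncated GRE header")
    return GreHeader(proto, key, seq, data[off:])


def build_gre(proto: int, payload: bytes, key: Optional[int] = None,
              seq: Optional[int] = None) -> bytes:
    """Encode a GRE header; used only to construct sample probe traffic."""
    flags = (GRE_FLAG_KEY if key is not None else 0) | (GRE_FLAG_SEQ if seq is not None else 0)
    out = struct.pack("!HH", flags, proto)
    if key is not None:
        out += struct.pack("!I", key)
    if seq is not None:
        out += struct.pack("!I", seq)
    return out + payload


class SmartProbeDispatcher:
    """Accept a tunnel packet only when the source IP and the GRE key together
    match a configured connection; anything else is dropped with a reason."""

    def __init__(self, connections: List[SmartProbeConnection]):
        self.by_endpoint: Dict[Tuple[str, int], SmartProbeConnection] = {
            (c.remote_ip, c.key): c for c in connections}

    def dispatch(self, src_ip: str, data: bytes) -> Tuple[Optional[SmartProbeConnection], str]:
        try:
            hdr = parse_gre(data)
        except ValueError as exc:
            return None, f"malformed: {exc}"
        if hdr.key is None:
            return None, "no GRE key"
        conn = self.by_endpoint.get((src_ip, hdr.key))
        if conn is None:
            return None, "unknown probe"       # wrong key or unexpected source address
        conn.packets += 1
        return conn, "ok"


def demo() -> Tuple[int, List[str]]:
    """Constructed probe and traffic; returns the accepted count and per-packet verdicts."""
    site_a = SmartProbeConnection("Site-A", "203.0.113.10", key=0x1234)
    disp = SmartProbeDispatcher([site_a])
    frame = b"\x01\x02\x03"   # stands in for the mirrored, compressed frame
    proto = 0x6558            # Transparent Ethernet Bridging (assumed for mirrored frames)
    verdicts = [
        disp.dispatch("203.0.113.10", build_gre(proto, frame, key=0x1234, seq=1))[1],
        disp.dispatch("203.0.113.10", build_gre(proto, frame, key=0x9999, seq=2))[1],
        disp.dispatch("198.51.100.7", build_gre(proto, frame, key=0x1234, seq=3))[1],
        disp.dispatch("203.0.113.10", build_gre(proto, frame))[1],
    ]
    return site_a.packets, verdicts
```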


2.4 LEARNING MODE PHASE

As soon as all physical connections are set and basic configurations defined, iSID is ready to start learning the network behavior. You should set the system mode to "Learning" (see System Mode).

After a few moments of processing, iSID will start displaying the learned network behavior in its various screens:

• The Dashboard screen offers a quick visual and graphical indication representing the learned network.

• The network map dynamically updates and shows a visual indication of the devices and the logical connections between them.

• Textual and visual indications of the learned data collected from the various engines are displayed in the corresponding engine windows of the web application.

The longer the Learning Phase, the more comprehensive the knowledge of the network, which leads to better results and analysis. Radiflow recommends allocating one full week for the Learning Phase.

Once you are confident that all entities have been learned by the system, it is recommended to transition iSID to Detection state (see System Mode). iSID will now begin looking for suspicious behaviors.


2.5 USING ISID

2.5.1 THE ISID GUI

Figure 30. iSID Dashboard

Table 8: Dashboard Components

#  Name              Description
1  Title Bar         Quick navigation icons
2  Navigation Panel  Navigation to all Engine windows, plus Events and Reports
3  Main Window       Display area


2.5.2 iSID Basic Features

The following basic features are available on most windows of the application.

• Title bar:

▪ Navigation icons

▪ Hide navigation panel

• Main window, engine windows

▪ Date Range

▪ Filter

▪ Toggle list/card view

▪ Download to csv file

▪ Reload

▪ Add new item

• Listings

▪ Select columns

▪ Sorting the list

2.5.2.1 Title Bar Tools

• You can jump to several locations using the icons at the right of the title bar.

• You can hide the navigation panel.

Figure 31. Title Bar Navigation Icons

Table 9: Title Bar Navigation Icons

#  What it does
1  Hover: shows the current system mode. Click: link to the System Mode configuration.
2  Link to the main dashboard page
3  Link to the map
4  Link to Reports
5  Hides/shows the navigation panel

2.5.2.2 Main Window Tools

Figure 32. Main Window Tools

Table 10: Main Window Tools

#  Tool        What it does
1  Date Range  Selects a range of dates to filter by
2  Filter      Multiple-choice filters for the data to be displayed
3  Download    Downloads the content of the web page to a CSV file
4  Reload      Reloads the page
5  List view   Shows the listing view
6  Card view   Shows the cards view

2.5.2.3 Listing Tools

In listing displays you can:

• Select columns to be displayed

• Sort columns in ascending/descending order


Figure 33. Listing Tools

Table 11: Listing Tools

#  What it does
1  Column selection. Opens the Select Columns to Display window.
2  Column sort indicator. Click on the column heading to sort. The icon indicates whether the column is sorted in ascending or descending order and the order of the sorted columns.

2.5.3 The Network Map

The network map is a graphical representation of the network that lets you easily see the relationships between various devices and various subnets. The network map is dynamically updated as additional entities (devices, links) are detected. The network topology map allows you to understand the inner workings of the network.

The Network Map is built according to several rules:

• Structural view of the network: the iSID passively detects all network devices.

▪ The Logical Connections view of the network does not include passive networking devices such as switches, routers, etc.

▪ Inactive devices are shown, as well as devices that never transmitted (shown with transparency).

▪ The map is a powerful tool; you can zoom in and out of the network map, search for a device, re-arrange the map with different layouts and filter by device, vendor, link and many other options.

You can also edit the following device information via the map:

▪ Device Name

▪ Device Type

Device Severity

In the Device Summary for each device (see #7 in Figure 35) a "Severity" value is assigned, which represents the highest risk among all new events related to that device or its links. If the device has no New/Open events, the Severity value reverts to the Normal state (value = 1).

Figure 34. Network Map


2.5.3.1 Working with the Network Map

Figure 35. Working with the Network Map

Table 12: Working with the Network Map

#  What it does
1  Search: IP address/Device Name search. Matching entries are displayed in green.
2  Layout:
   • Click to save and name your current map layout.
   • Click to select a layout from your list of saved layouts.
3  Mini Map: Enable/disable the small navigational map display.
4  Zoom control: In, Out, and Zoom to Fit.
5  Screenshot: Download a screenshot of the map in .PNG format.
6  Filters: Opens the filter options (see Filtering the Network Map).
7  Devices:
   • Hover over a device to see the device summary.
   • One click on a device highlights all the neighbor devices with a link to the chosen device.
   • Double-click on a device to open the Device Details window (see Viewing Device Details).


2.5.3.2 Filtering the Network Map

• Checked elements are displayed

• Unchecked elements are not displayed

• Click to display the filters of all individual elements sorted by category

• Click to display the Map Display Options.

Figure 36. Map Filter Options

2.5.3.3 Map Display Options

Check desired options.


Figure 37. Map Display Options

2.5.4 Managing Events

In Detection mode, whenever iSID identifies a threat or a risk, it is registered as an event in the Event Bar. In addition, a Syslog message is sent to the pre-defined syslog servers.

Note that since the iSID detection engines are independent from one another, each may trigger events separately.

Figure 38. The Events Listing

Table 13: Managing Events

#  What it does
1  Displays the number of events per engine. Click the engine button to display only the events from that engine; click the engine again to display events from all engines.
2  Bulk action selection. Select the desired events (see #5) and click the desired action button to apply it to all selected events. Action options:
   • Learn and Archive
   • Archive
   • Delete
3  Cause. Click to reveal the root cause of the event (displayed in the relevant engine screen).
4  Action selection. Click to display the action options. The action is applied to the specific event only; see Event Action Options.
5  Bulk selection. Check all the events to which you want to apply a selected action from #2. Check/uncheck the checkbox in the heading to select/unselect all events.
6  Archive selector. Move the button to the right to display only archived events.

2.5.4.1 Event Action Options

For each event, there are several available actions:

• Learn and Archive: Acknowledge the threat and order the iSID to learn this threat as normal behavior and not to issue future notifications, as if it had been detected during the Learning phase.

• Archive: Acknowledge the threat. Whenever the threat is repeated, iSID pops up the same Event and increases the count of identical detected events in the "Count" column. To do this, iSID removes the newly-learned threat from its understanding of the network together with any dependent entity.

Example: When a new device is detected, it normally starts communicating with some other device; therefore, a new Link is also detected. The new Device and new Link appear on the map in red, indicating that new events were issued for each. Since the newly-connected device was not a user-approved device, you can identify the device, disconnect it physically from the network and archive the "New Device Detected" event. The new device is then removed from the map together with any link it may have. In addition, every New event on this device or any of its links is moved automatically to Archive.

• Display the exact timestamp (in Epoch format) of the suspicious packet within the downloaded PCAP file

• View the pre-defined procedure for this Event Type

• Add a comment

• Delete the event

• Download a PCAP file of the traffic surrounding (before and after) the root cause packet, for investigation purposes

• Display the root cause of the Event (displayed in the relevant engine screen).


2.5.5 Managing Reports

iSID provides 2 types of reports:

• iSID Security Report

This report summarizes the findings of all the iSID engines. The report is an Excel file containing information about the system (devices, links, protocols, IPs, etc.) and events.

Figure 39. Security Report

The report is created upon request and can be downloaded. Only the current report is available; previous reports are not saved.

• User-defined Reports

You can also manually create a report with specified information. The report is created and displayed immediately and can be saved for future display. Individual pages of the report can be saved as CSV files.

Figure 40. User-defined Report (Example)


Figure 41. Reports Window

Table 14: Managing Reports

#  What it does
1  Open Reports listing. Double-click on a report to display it.
2  Hover over the report name to display the Close icon. Click to close the selected report.
3  All Reports listing. Lists all the user-defined reports. Double-click on a report to display it.
4  Hover over the report name to display the Delete icon. Click to delete the selected report.
5  Click to prepare an iSID Security Report. When the report is ready, the 'Ready for Download' message appears.
6  Click to download the iSID Security Report Excel file.
7  Add Report. Click to create a new User-Defined report.


2.5.5.1 Working with User-Defined Reports

Figure 42. User Reports Window (Tab)

Table 15: Managing User Reports (Tab)

#  What it does
1  Report tabs. Click on a tab to display the page.
2  Add Report. Click to create a new report.
3  Click to download the page to a .csv file.


3 THE NETWORK VISIBILITY ENGINE

The iSID Network Visibility engine is a passive, self-learning SCADA network utility used to automatically construct the OT network topology model during the learning stage. iSID is able to automatically learn the traffic within the Operational Technology (OT) network by using passive learning.

To learn the network structure, iSID receives a copy of the traffic from the entire network, using port mirroring.

During the learning stage the data is used to construct a network model of all devices, protocols and sessions, which is displayed in the main screen at the learning stage. The network model is represented both visually (map) and textually (Network Visibility screen), which helps users understand the processes that take place across the OT network.

Figure 43: The Network Visibility Engine

3.1 ENGINE SETTINGS

There are two global settings for the network visibility engine:

• Layer 2 Security

• Device Inactivity


Figure 44: The Network Visibility Engine Settings

Table 16: Managing Network Visibility Engine Settings

#  What it does
1  Layer 2 Security. Provides an alert if a change between the IP address and the corresponding MAC address of a network entity is detected (as a sign of an ARP poisoning attack).
2  Device Inactivity. Enable/disable the device inactivity alert (see Device Inactivity).

3.2 MANAGING THE NETWORK ELEMENTS

The Network Visibility engine provides a detailed listing of the following network

elements:

• Links

• Devices

• Traffic Trace

Click on a tab to display the page.

3.2.1 Managing Links

Links are unidirectional, meaning A→B is listed separately from B→A. Each line in the Links table lets you view the state of the link, the end devices, port and protocol, etc.

In addition to the usual application window features, the Links listing lets you configure a specific inactive interval for a selected link. This interval overrides the global inactive interval for the selected link.

Figure 45: Network Visibility: Links


Table 17: Managing Links

#  What it does
1  Edit link. Click to display the "Edit Inactive Time" message.
2  Edit Inactive Time. Click to open the Edit Link Inactive Time window. Set the Day/Hour/Minute/Second fields and click Apply.
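The interface-level traffic stop/start events of Tables 5 to 7 and the per-link inactive interval override of Table 17, as an added Python example (not Radiflow's code); the addresses, timeline, seconds-based intervals and event names are assumptions.

```python
"""Added example (not Radiflow's code): the "Event on traffic stop", "Event on
traffic start" and "Inactive after" settings of Tables 5 to 7 together with the
per-link "Edit Inactive Time" override of Table 17, run over a constructed
packet timeline. Assumptions: times are seconds, a link is the unidirectional
(src, dst) pair of section 3.2.1, and the event names are illustrative."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Link = Tuple[str, str]          # (A, B) is listed separately from (B, A)
Event = Tuple[float, str, Link]


@dataclass
class LinkState:
    last_seen: float
    inactive: bool = False


@dataclass
class InactivityMonitor:
    global_inactive_after: float         # global "Inactive after" (seconds)
    event_on_stop: bool = True           # "Event on traffic stop" slider
    event_on_start: bool = True          # "Event on traffic start" slider
    overrides: Dict[Link, float] = field(default_factory=dict)   # per-link inactive time
    links: Dict[Link, LinkState] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)

    def set_link_inactive_time(self, link: Link, days: int = 0, hours: int = 0,
                               minutes: int = 0, seconds: int = 0) -> None:
        """Per-link value from the Day/Hour/Minute/Second fields; overrides the global one."""
        self.overrides[link] = ((days * 24 + hours) * 60 + minutes) * 60 + seconds

    def interval_for(self, link: Link) -> float:
        return self.overrides.get(link, self.global_inactive_after)

    def observe(self, ts: float, src: str, dst: str) -> None:
        """Record a packet on src->dst; traffic resuming on an inactive link raises a start event."""
        link = (src, dst)
        state = self.links.get(link)
        if state is None:
            self.links[link] = LinkState(last_seen=ts)
            return
        if state.inactive and self.event_on_start:
            self.events.append((ts, "Traffic started", link))
        state.inactive = False
        state.last_seen = ts

    def tick(self, now: float) -> None:
        """Periodic check: a link silent for at least its interval becomes inactive once."""
        for link, state in self.links.items():
            if not state.inactive and now - state.last_seen >= self.interval_for(link):
                state.inactive = True
                if self.event_on_stop:
                    self.events.append((now, "Traffic stopped", link))


def demo(event_on_stop: bool = True) -> List[Event]:
    """Constructed timeline: an HMI polls a PLC every 5 s, then goes quiet for about 2 minutes."""
    mon = InactivityMonitor(global_inactive_after=60, event_on_stop=event_on_stop)
    plc, hmi = "10.0.0.5", "10.0.0.20"                    # constructed addresses
    mon.set_link_inactive_time((hmi, plc), seconds=10)   # tight override for the polling link
    for ts in (0, 5, 10, 15):
        mon.observe(ts, hmi, plc)        # request
        mon.observe(ts + 1, plc, hmi)    # response
    for now in range(16, 121, 5):        # periodic checks while the link is silent
        mon.tick(now)
    mon.observe(125, hmi, plc)           # polling resumes
    mon.observe(126, plc, hmi)
    return mon.events
```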

3.2.2 Managing Devices

The Devices listing lets you view device details, events, links and traffic usage configuration. You can also edit the device name and type.

You can also display only a selected device type. Device types are listed in the following table.

Table 18: Device Types

Each device type has its own icon in the listing:

PLC
Server
HMI
Engineering Station
Broadcast
Multicast
Router


Figure 46: Network Visibility: Devices (List View)

Figure 47: Network Visibility: Devices (Card View)


Table 19: Managing Devices

#  What it does
1  Device Type Selector. Click on a device type icon to display only devices of the selected type.
2  Display action options.
3  Click to select an action: View device details, Edit device.

3.2.2.1 Editing a Device

To edit the device information:

1. Enter a device name (maximum 30 characters).

2. Select the device type.

3. Click Apply.

Figure 48: Network Visibility: Edit Device

3.2.2.2 Viewing Device Details

To view device details:

1. Click on a tab to view the page:

▪ Details: Displays a summary of the device: name, type, IP, state and MAC address.

▪ New Events: New events on the selected device.

▪ Units: Links to other IP addresses.

▪ Traffic Usage: Current minimum and maximum traffic thresholds. You can also edit the traffic usage thresholds for this device (see Editing the Device Traffic Usage Settings).

2. Click the actions icon to open the action options.

▪ Edit Device (see Editing a Device)

▪ L2 Security: Edit the L2 Security setting for this device. This setting overrides the global L2 Security setting for this specific device. If L2 Security is ON, an alert is provided if a change between the IP address and the corresponding MAC address of a network entity is detected.

Figure 49: Network Visibility: View Device
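The Layer 2 Security check of Table 16 and its per-device override above, as an added Python example (not Radiflow's code): bindings are learned from source IP/MAC pairs during learning, and a changed pair raises an alert only when L2 Security applies to that device. Addresses and the alert shape are assumptions.

```python
"""Added example (not Radiflow's code): the Layer 2 Security check of Table 16
(alert when the MAC address bound to an IP address changes) together with the
per-device override of section 3.2.2.2, run over constructed frames.
Assumptions: the IP-to-MAC binding is learned from the source addresses seen
during the Learning phase, and a device without an override follows the
global setting."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Alert = Tuple[str, str, str]   # (ip, learned_mac, new_mac)


@dataclass
class L2SecurityMonitor:
    global_enabled: bool = True                                     # engine-wide Layer 2 Security
    learning: bool = True                                           # Learning vs Detection mode
    device_override: Dict[str, bool] = field(default_factory=dict)  # per-device L2 Security ON/OFF
    bindings: Dict[str, str] = field(default_factory=dict)          # ip -> learned mac
    alerts: List[Alert] = field(default_factory=list)
    _seen: Set[Tuple[str, str]] = field(default_factory=set)        # (ip, mac) already alerted

    def enabled_for(self, ip: str) -> bool:
        """The per-device setting overrides the global one for that device only."""
        return self.device_override.get(ip, self.global_enabled)

    def observe(self, src_ip: str, src_mac: str) -> Optional[Alert]:
        """Feed the source IP/MAC of an ARP reply or IP frame; return an alert if the
        binding changed while L2 Security applies to this device."""
        mac = src_mac.lower()
        learned = self.bindings.get(src_ip)
        if learned is None or learned == mac:
            self.bindings[src_ip] = mac              # first sighting, or unchanged
            return None
        if self.learning or not self.enabled_for(src_ip):
            self.bindings[src_ip] = mac              # accepted silently as the new binding
            return None
        # Detection mode with L2 Security ON: keep the learned binding and alert once
        # per (ip, mac) pair. A legitimate re-addressing (e.g. DHCP) looks the same;
        # the operator resolves that case with Learn and Archive (section 2.5.4.1).
        if (src_ip, mac) in self._seen:
            return None
        self._seen.add((src_ip, mac))
        alert = (src_ip, learned, mac)
        self.alerts.append(alert)
        return alert


def demo() -> Tuple[List[Optional[Alert]], List[Alert]]:
    """Constructed devices: learn three bindings, then evaluate frames in Detection mode."""
    mon = L2SecurityMonitor()
    mon.observe("10.0.0.5", "00:11:22:33:44:55")      # PLC
    mon.observe("10.0.0.20", "00:11:22:33:44:66")     # HMI
    mon.observe("10.0.0.30", "00:11:22:33:44:77")     # station whose L2 Security is set OFF
    mon.learning = False
    mon.device_override["10.0.0.30"] = False
    results = [
        mon.observe("10.0.0.5", "DE:AD:BE:EF:00:01"),   # PLC's IP now claimed by another MAC
        mon.observe("10.0.0.5", "de:ad:be:ef:00:01"),   # same change again: not repeated
        mon.observe("10.0.0.30", "de:ad:be:ef:00:02"),  # override OFF: accepted, no alert
        mon.observe("10.0.0.20", "00:11:22:33:44:66"),  # unchanged binding
    ]
    return results, mon.alerts
```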


Figure 50: Network Visibility: View Device Action Options

3.2.2.3 Editing the Device Traffic Usage Settings

You can edit the traffic usage setting for this device. This setting only raises an event if traffic usage threshold events are enabled (see Enabling Traffic Usage Threshold Events).

To edit the device Traffic Usage settings:

1. In the Device Details, click the Traffic Usage tab.

2. In the Traffic Usage tab, click Edit.

3. In the Edit Traffic Usage Restrictions window, set the maximum and minimum traffic threshold margin (set in %) and click Save.
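As an added Python example (not Radiflow's code) of the margin settings above: a baseline learned per device, a maximum and minimum margin in %, and the global enable for threshold events. The baseline definition (mean bytes per interval) and the sample volumes are assumptions.

```python
"""Added example (not Radiflow's code): the per-device traffic usage thresholds
of section 3.2.2.3, expressed as a maximum and minimum margin in % around a
baseline learned during the Learning phase, and the "Enabling Traffic Usage
Threshold Events" switch. Assumptions: the baseline is the mean bytes per
interval seen while learning; sample volumes and addresses are constructed."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class TrafficUsageProfile:
    baseline: float                 # learned bytes per measurement interval
    max_margin_pct: float = 50.0    # "maximum traffic threshold margin (set in %)"
    min_margin_pct: float = 50.0    # "minimum traffic threshold margin (set in %)"

    def limits(self) -> Tuple[float, float]:
        """Allowed band: baseline minus the min margin up to baseline plus the max margin."""
        return (self.baseline * (1 - self.min_margin_pct / 100),
                self.baseline * (1 + self.max_margin_pct / 100))


@dataclass
class TrafficUsageEngine:
    threshold_events_enabled: bool = True        # global enable for threshold events
    profiles: Dict[str, TrafficUsageProfile] = field(default_factory=dict)
    events: List[Tuple[str, str, float]] = field(default_factory=list)

    def learn(self, device: str, samples: List[float]) -> TrafficUsageProfile:
        """Learning phase: derive the device's baseline from observed interval volumes."""
        profile = TrafficUsageProfile(baseline=mean(samples))
        self.profiles[device] = profile
        return profile

    def edit(self, device: str, max_margin_pct: float, min_margin_pct: float) -> None:
        """Edit Traffic Usage Restrictions: both margins are percentages; the minimum
        margin cannot exceed 100% (a negative lower limit could never trigger)."""
        if max_margin_pct < 0 or not 0 <= min_margin_pct <= 100:
            raise ValueError("margins must be >= 0 and the minimum margin <= 100")
        self.profiles[device].max_margin_pct = max_margin_pct
        self.profiles[device].min_margin_pct = min_margin_pct

    def check(self, device: str, observed: float) -> Optional[str]:
        """Detection phase: classify one interval's volume. The verdict is always
        returned; an event is recorded only when threshold events are enabled."""
        profile = self.profiles.get(device)
        if profile is None:
            return None                          # unknown device: nothing learned yet
        low, high = profile.limits()
        if observed > high:
            verdict = "Traffic usage above maximum"
        elif observed < low:
            verdict = "Traffic usage below minimum"
        else:
            return None
        if self.threshold_events_enabled:
            self.events.append((device, verdict, observed))
        return verdict


def demo() -> Tuple[Tuple[float, float], List[Optional[str]], int]:
    """Constructed PLC volumes: learn, tighten the margins, then evaluate intervals."""
    engine = TrafficUsageEngine()
    plc = "10.0.0.5"
    engine.learn(plc, [1000, 1200, 800, 1000])              # baseline 1000 bytes/interval
    engine.edit(plc, max_margin_pct=20, min_margin_pct=30)  # band 700 .. 1200
    verdicts = [engine.check(plc, v) for v in (1150, 1300, 650)]
    engine.threshold_events_enabled = False
    verdicts.append(engine.check(plc, 5000))                # classified, but no event
    return engine.profiles[plc].limits(), verdicts, len(engine.events)
```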


Figure 51: Network Visibility: Editing the Device Traffic Usage Settings

3.2.3 Monitoring Traffic Traces

The Traffic Trace listing allows you to see the network traffic in chronological order, in a similar way to a normal sniffer (e.g. Wireshark).

Figure 52: Network Visibility: Traffic Trace


Table 20: Managing Traffic Traces

#  What it does
1  Action options. Click to display the action (View).
2  View details. Click to open the Packet Info window.

Figure 53: Viewing Packet Info


4 THE ASSET MANAGEMENT ENGINE

The iSID Asset Management engine lets you manage the operations of all devices in the monitored network.

This engine monitors dedicated SCADA device operations such as read/write, download, or CPU start/stop. A complete log of these operations is available. In addition, you can configure the action to be carried out in response to each operation.

Figure 54: Assets Management Engine

4.1.1 Managing Devices

The Devices listing lets you view device details, events, links and traffic usage configuration. You can also edit the device name and type.

You can also display only a selected device type. Device types are listed in Table 18: Device Types (see Device Management).


4.2 OPERATIONS LOG

The Operations Log tab provides a tabular representation of all the operational actions between the configured SCADA devices on the network (see Asset Management - Configuration for the list of supported devices).

Figure 55: Assets Management: Operations Log

Table 21: Managing Operations

#  What it does
1  Action options. Click to display the action (View).
2  View details. Click to open the Dates Info window.


Figure 56: Dates Info Window

4.2.1 Asset Management - Configuration

The Asset Management engine lists several chosen vendors (e.g. Schneider Electric, Siemens, Allen Bradley) with all poss­ible operations for each. The user can choose what iSID will do when a specific operation is identified.

The action options are:

• None: No action will be triggered by iSID.

• Log: Send a syslog message in CEF format, but do not trigger an Event.

• Alert and Log: Send a syslog message in CEF format and trigger an Event in the system.

Figure 57: Assets Management: Operation Configuration

Table 22: Managing Operations

#  What it does
1  Display operations. Click to expand and display all management operations for the selected vendor.
2  Actions. Click to display the action options.
3  Action options. Select the desired action to be triggered upon identifying such a management operation.
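The three action options above, as an added Python example (not Radiflow's code) that builds the CEF syslog text and raises an event only for Alert and Log. The vendor/operation names, the CEF header values and the severities are assumptions.

```python
"""Added example (not Radiflow's code): the per-operation action setting of
section 4.2.1 (None / Log / Alert and Log) with the syslog text in CEF
format. Assumptions: vendor and operation names are illustrative, the CEF
header values stand in for whatever iSID really emits, and the iSID event is
modelled as a dict."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACTION_NONE, ACTION_LOG, ACTION_ALERT_AND_LOG = "None", "Log", "Alert and Log"
ACTIONS = {ACTION_NONE, ACTION_LOG, ACTION_ALERT_AND_LOG}


def _cef_header(value: str) -> str:
    """CEF header fields: escape backslash and the '|' separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def cef_message(signature_id: str, name: str, severity: int, ext: Dict[str, str]) -> str:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(_cef_header(v) for v in
                      ("0", "Radiflow", "iSID", "4.5.7.5", signature_id, name, str(severity)))
    return "CEF:" + header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


@dataclass
class AssetManagementConfig:
    """Table 22: the action chosen for each (vendor, operation); default is None."""
    actions: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set_action(self, vendor: str, operation: str, action: str) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.actions[(vendor, operation)] = action

    def action_for(self, vendor: str, operation: str) -> str:
        return self.actions.get((vendor, operation), ACTION_NONE)


@dataclass
class AssetManagementEngine:
    config: AssetManagementConfig
    syslog: List[str] = field(default_factory=list)   # messages sent to the syslog servers
    events: List[dict] = field(default_factory=list)  # events raised in the Event Bar

    def on_operation(self, vendor: str, operation: str, src_ip: str, dst_ip: str) -> str:
        """Apply the configured action to one identified SCADA operation."""
        action = self.config.action_for(vendor, operation)
        if action == ACTION_NONE:
            return action
        severity = 7 if action == ACTION_ALERT_AND_LOG else 3   # illustrative CEF severities
        self.syslog.append(cef_message(
            "asset-management-operation", f"{vendor} {operation}", severity,
            {"src": src_ip, "dst": dst_ip,
             "cs1Label": "vendor", "cs1": vendor, "cs2Label": "operation", "cs2": operation}))
        if action == ACTION_ALERT_AND_LOG:
            self.events.append({"engine": "Asset Management", "vendor": vendor,
                                "operation": operation, "src": src_ip, "dst": dst_ip})
        return action


def demo() -> Tuple[List[str], int, int]:
    """Constructed configuration: a CPU stop alerts, a program download is only logged,
    routine reads are ignored."""
    cfg = AssetManagementConfig()
    cfg.set_action("Siemens", "CPU Stop", ACTION_ALERT_AND_LOG)
    cfg.set_action("Schneider Electric", "Download", ACTION_LOG)
    cfg.set_action("Siemens", "Read", ACTION_NONE)
    engine = AssetManagementEngine(cfg)
    taken = [engine.on_operation("Siemens", "Read", "10.0.0.20", "10.0.0.5"),
             engine.on_operation("Schneider Electric", "Download", "10.0.0.21", "10.0.0.6"),
             engine.on_operation("Siemens", "CPU Stop", "10.0.0.99", "10.0.0.5")]
    return taken, len(engine.syslog), len(engine.events)
```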


5 THE CYBER ATTACK ENGINE

The Cyber Attack engine monitors for known threats designed to exploit vulnerabilities in the SCADA network, including threats to PLCs, RTUs, and industrial protocols. The signature database is updated periodically and is available to respond to emerging threats. The database is a comprehensive collection of the most up-to-date publicly available cyber-attack rules as well as rules developed by Radiflow specifically for SCADA networks.

Users may also create rules, which must be written using SNORT rule syntax.

By default, when in learning mode, the Cyber Attack engine is not active. It is activated during the detection phase.

Figure 58: Cyber Attack Engine

5.1 MANAGING CYBER ATTACK RULES

The Cyber Attack engine lets you manage cyber attack rules. You can:

• Add new rules

• Delete rules

• Edit the message that will appear in the Events Bar once the event is triggered.

• Activate and Deactivate a rule.


Figure 59: Cyber Attack: Rules

Table 23: Managing Cyber Attack Rules

#  What it does
1  Bulk selection. Check all the rules to which you want to apply a selected action. Check or uncheck the checkbox in the heading to select or unselect all rules.
2  Bulk action selection. Select the desired rules and click the desired action button to apply it to all selected rules. Action options:
   • Enable
   • Disable
   • Delete
3  Activate/deactivate the Cyber Attack rule.
4  Actions. Click to display the action options.
5  Action options. Select the desired action. The action is applied to the specific rule only.

5.1.1 Adding a Cyber Attack Rule

To create a new cyber attack rule:

1. In the Cyber Attack rules listing click .

Page 59: Release 4.5.7...i Release 4.5.7.5 This controlled document is the property of Radiflow Ltd. This document contains proprietary information. Any duplication, reproduction or transmission

THE CYBER ATTACK ENGINE

RADIFLOW ISID INDUSTRIAL THREAT DETECTION USER GUIDE 4.5.7.5 55

Figure 60. Cyber Attack: New Rules

2. Enter the SID, a unique numeric ID for the rule.

3. Enter the rule, using Snort rule syntax.

4. Enable or Disable the rule.

5. (Optional) Click to create additional rules in one form.

6. (Optional) Click to delete a rule from the form.

7. Click Create.
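Before pasting a rule into the form it is worth checking the header, the options and the SID offline. The following is an added example, not from the guide and not part of iSID: a constructed rule in Snort syntax that flags a Modbus/TCP Write Single Register request (function code 0x06) sent to the PLC subnet by any host other than two engineering stations, plus a small Python checker that parses the rule and rejects a duplicate or missing SID. The IP addresses, SID and message are assumptions, as is the 1,000,000 threshold (Snort's convention that locally written rules use SIDs of 1,000,000 and above); iSID itself only requires that the SID be unique.

```python
import re

# Constructed rule (not from the guide). In a Modbus/TCP payload bytes 2-3 are the
# protocol identifier (always 0x0000) and byte 7 is the function code; 0x06 is
# "Write Single Register". Addresses, SID and message are illustrative assumptions.
EXAMPLE_RULE = (
    'alert tcp ![10.1.1.10,10.1.1.11] any -> 10.1.2.0/24 502 '
    '(msg:"Modbus write single register from unauthorized host"; '
    'flow:to_server,established; '
    'content:"|00 00|"; offset:2; depth:2; '
    'content:"|06|"; offset:7; depth:1; '
    'sid:1000001; rev:1;)'
)

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$',
    re.S,
)

LOCAL_SID_MIN = 1000000   # Snort convention for local rules; assumed, not an iSID rule


def split_options(body: str) -> list:
    """Split the option body on ';', ignoring ';' inside double-quoted values."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == '\\' and i + 1 < len(body):   # keep escaped character
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(text: str) -> dict:
    """Return the header fields plus an ordered list of (option, value) pairs."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['options'] = []
    for opt in split_options(m.group('options')):
        name, _, value = opt.partition(':')
        rule['options'].append((name.strip(), value.strip()))
    return rule


def lint_rule(text: str, existing_sids: set) -> list:
    """Return the problems found; an empty list means the rule is ready to submit."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return [str(exc)]
    opts = dict(rule['options'])      # repeated options such as content collapse; fine here
    problems = []
    sid = opts.get('sid', '')
    if not sid.isdigit():
        problems.append("missing or non-numeric sid")
    else:
        if int(sid) < LOCAL_SID_MIN:
            problems.append("sid %s is below %d; Snort reserves lower SIDs for distributed rules" % (sid, LOCAL_SID_MIN))
        if int(sid) in existing_sids:
            problems.append("sid %s already exists in the rule set" % sid)
    if not opts.get('msg', '').startswith('"'):
        problems.append("missing quoted msg (this is what the Events Bar shows)")
    if 'rev' not in opts:
        problems.append("missing rev; bump it whenever the rule is edited")
    if rule['src'] == 'any' and rule['dst'] == 'any' and rule['dport'] == 'any':
        problems.append("rule matches all traffic; scope it to the SCADA segment")
    return problems
```

Feed `lint_rule` the set of SIDs already shown in the Cyber Attack rules listing; a non-empty result is a reason not to click Create yet.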

5.1.1.1 Editing a Rule Message

1. Enter a textual description; this is the message shown in the Events Bar when the rule

triggers.

Figure 61. Cyber Attack: Edit Rule Message


2. Click Update.

5.1.1.2 Viewing Cyber Attack Rules

In the Cyber Attack rules listing, select View for the desired rule.

The complete rule definition is displayed.

Figure 62. Cyber Attack: View Rule


6 THE POLICY MONITORING ENGINE

6.1 OVERVIEW

The Policy Monitoring engine lets you define rules for a variety of network behaviors; each

rule can be enforced and can trigger one of a set of possible actions.

The engine uses Deep Packet Inspection (DPI). When the inspected traffic matches a

defined rule, the system generates an alert.

A rule may combine parameters from any of the Ethernet L2-L7 fields.

In addition to user-defined rules, the Policy Monitor engine generates rules automatically

from the incoming traffic. These suggested rules can be edited and adjusted so that they,

too, can be enforced.

Figure 63. Policy Monitoring Engine

6.1.1 Method of Operation

During the learning stage, the Policy Monitor engine analyzes the traffic within the OT

network and creates policies based on the observed behavior on each link.

These policies can be used in either a blacklist or a whitelist fashion: the user defines

which kinds of network activity should raise an alert.

Note: It is important to understand that the Policy Monitor package is passive. It

raises alerts for violated rules but does not block or actively prevent any action. The

barrier between the trusted SCADA network and outside networks is therefore only

virtual. Policy enforcement is possible through integration with Radiflow's Security

Gateway.


6.1.2 Features and Advantages

• Definition of policies on each link

• Upon violation an alert is generated; the Policy Monitor package does not block the

network traffic

• Users can edit policies suggested by iSID

• Labels make it easier to manage the enforced rules

• Suggested rules are created automatically from the observed traffic flow

• Option to create scheduled Policy Monitor rules for specific time periods (e.g. from

8AM, November 3rd to 10AM, November 3rd). (See The Operational Routine Engine)

• Optional policy enforcement via integration with Radiflow’s secure gateways.

6.1.3 Labels

Labels provide a convenient method for delineating categories of policies.

A label can be used as a keyword for filtering and tagging policies and profiles.

6.1.3.1 Pre-defined System Labels

There are four pre-defined system labels:

• Learning – represents the suggested rules created in the Learning Phase.

• Detection – represents the suggested rules created in the Detection Phase.

• Enforce in Learning – rules tagged with this label are enforced in the Learning

Phase.

• Enforce in Detection – rules tagged with this label are enforced in the Detection

Phase.

iSID Pre-defined Labels


6.1.3.2 User-Defined Labels

A user can create his own labels to categorize policy rules. These labels can be used as

filters and can be associated with user-defined profiles for easy management of the

policies in the system.

To add a user-defined label:

When creating a new policy (see Creating New Policies), enter a new label name; the

label is saved and assigned to the policy.

6.2 MANAGING POLICY RULES

The Policy Manager window lets the user manage the policy rules. The user can

perform actions on a selected rule or on a group of rules filtered by selected parameters.

Some definitions:

• Approve: a suggested rule becomes part of the active rule set.

• Enable/ON | Disable/OFF: determines whether the rule is enforced. When a rule is

Disabled, iSID does not alert on the underlying event.

• Delete: the rule definition no longer exists in the system.

When a policy is deleted, iSID no longer alerts on the underlying event. To restore a

deleted policy, the user can either instruct iSID to relearn the network or enter the

policy manually.

Figure 64. Policy Monitor: Rules

Table 24: Managing Policy Rules

# What it does

1 Tabs


Click on tab to display page.

2 Bulk action selection.

Select the desired rules (see #3) and click the desired action button to apply to all selected policy rules.

Rule action options:

• Delete

• Disable

• Enable

• Edit Labels

• Change Action

3 Bulk selection

Check all the rules to which you want to apply a selected action from #2.

Check or uncheck the checkbox in the heading to select or unselect all rules.

4 Actions

Click to display the action options.

5 Select the desired action:

Action options:

• View

• Delete

• Edit

• Clone

6.2.1 Viewing Policies

To view a policy definition:

In the Policy Monitor rules listing select View for the desired rule.

The complete policy definition is displayed, including metadata as well as all networking

L2-L7 configuration.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.


Figure 65. Viewing Policy Monitor: View Rule

6.2.2 Editing Policies

To edit a policy definition:

1. In the Policy Monitor rules listing select Edit for the desired rule.

Figure 66. Policy Monitor: Edit Rule

2. Expand each relevant section to display the parameters in that section.


3. Fill in the parameters you need. Fields that are left empty are disregarded by the

engine, so an empty field matches any value; a rule that specifies only a few fields

therefore matches broadly.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

4. Click Apply.

6.2.3 Creating New Policies

There are two methods for creating a new policy:

• Create a completely new policy

• Duplicate and edit an existing policy

To create a new policy rule:

1. In the Policy Monitor rules listing click .

Figure 67. Policy Monitor: Create Rule

2. Expand each relevant section to display the parameters in that section.

3. Edit the parameters as needed for all sections.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

4. Click Apply.

To create a policy by duplicating and editing an existing policy:

1. In the Policy Monitor rules listing select Clone for the desired rule.


The Create Rule window opens with all relevant fields filled in (similar to Edit Rule,

but the result is saved as a new rule rather than overwriting the existing one).

Figure 68. Policy Monitor: Create Rule (Clone)

2. Expand each relevant section to display the parameters in that section.

3. Edit the parameters as needed for all sections.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

4. Click Apply.

Table 25: Policy Rules Fields (View, Edit, Create)

Field Description

Basic Parameters

Severity Severity level of the event created when rule is violated (1-5)

(See Managing Events).

Enabled Disable or enable the policy.

Action Select the desired action when rule conditions are detected:

• Ignore: the system takes no action on the matching packet.

• Alert: adds a new event to the Event listing.

• Log: sends a Syslog message to a pre-defined syslog server (see Configuration→Syslog).

Labels Select the labels that apply to the rule (see Labels).

Message Define the message that would be displayed in case of an event.

Procedure Define the procedure to be followed in case of an event.

Layer 2


VLAN Enter the VLAN ID number. The field accepts the range 1-4096; note that an 802.1Q tag carries only 12 bits, so IDs seen on the wire are 1-4094.

EtherType Select the EtherType:

• 0x0800 (IPv4)

• 0x8100 (802.1Q VLAN-tagged frame)

• 0x0806 (ARP)

• 0x86DD (IPv6)

Source MAC Enter MAC address of the source device.

(AA:BB:CC:DD:EE:FF)

Destination MAC Enter MAC address of the destination device.

(AA:BB:CC:DD:EE:FF)

Layer 3

Transport Select transport type:

• TCP

• UDP

• ICMP

Source IP Enter the source IP (A.B.C.D)

Destination IP Enter the destination IP (A.B.C.D)

Layer 4

Protocol Ports Enter the ports, either by port number or by protocol name.

Layer 7

DPI Select the DPI type matching the unique industrial protocol.

Function code Select the function code.

DPI-dependent parameters Other parameters may appear, depending on the DPI type selected.
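The wildcard semantics of the form (an empty field is disregarded) and the Ignore/Alert/Log actions are easier to reason about in code. The following is an added example, not part of the guide or of iSID itself: a small Python evaluator that applies a constructed rule set, laid out like the layers of Table 25, to constructed packet summaries. The addresses, labels, messages and the tie-break rule (the policy with the most specified fields wins) are assumptions; the guide does not say how iSID resolves overlapping policies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Summary of one observed packet, laid out like the Layer 2-7 fields of Table 25."""
    ethertype: int
    vlan: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    transport: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    dpi: Optional[str] = None
    function_code: Optional[int] = None


@dataclass
class Policy:
    message: str
    action: str                       # "Ignore", "Alert" or "Log", as in Table 25
    severity: int = 3                 # 1-5
    enabled: bool = True
    labels: List[str] = field(default_factory=list)
    match: Dict[str, object] = field(default_factory=dict)  # a field left empty is absent here


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    """Every field the policy specifies must equal the packet's value; fields left
    empty in the form are absent from `match` and therefore constrain nothing."""
    return all(getattr(pkt, name) == value for name, value in policy.match.items())


def evaluate(policies: List[Policy], pkt: Packet, alert_on_unknown: bool = True) -> Tuple[str, str, int]:
    """Return (action, message, severity) for one packet.
    Assumption (not stated in the guide): when several enabled policies match, the one
    with the most specified fields wins, then the higher severity. Disabled policies are
    skipped, so iSID does not alert on their event (section 6.2)."""
    live = [p for p in policies if p.enabled and policy_matches(p, pkt)]
    if not live:
        # Nothing learned or configured covers this traffic: the whitelist case.
        return ("Alert", "unknown traffic", 4) if alert_on_unknown else ("Ignore", "unknown traffic", 0)
    best = max(live, key=lambda p: (len(p.match), p.severity))
    return (best.action, best.message, best.severity)


# Constructed rule set; addresses, labels and messages are illustrative assumptions.
HMI, PLC = "10.1.1.10", "10.1.2.5"
MODBUS = dict(transport="TCP", dst_ip=PLC, dst_port=502, dpi="Modbus")
POLICIES = [
    # Learned in the learning phase: the HMI's normal reads and writes are expected.
    Policy("HMI reads PLC holding registers", "Ignore", 1, labels=["Learning"],
           match=dict(MODBUS, src_ip=HMI, function_code=3)),
    Policy("HMI writes PLC single register", "Ignore", 1, labels=["Learning"],
           match=dict(MODBUS, src_ip=HMI, function_code=6)),
    # User-defined blacklist rule: a write to the PLC from any other host is high severity.
    Policy("Modbus write to PLC", "Alert", 5, labels=["Enforce in Detection"],
           match=dict(MODBUS, function_code=6)),
    # Log-only rule: ARP in the PLC VLAN goes to syslog for later forensics.
    Policy("ARP in PLC VLAN", "Log", 1, match=dict(ethertype=0x0806, vlan=20)),
    # Disabled rule: present in the listing but never fires.
    Policy("SSH to PLC", "Alert", 5, enabled=False, match=dict(dst_ip=PLC, dst_port=22)),
]


def run_scenario() -> List[Tuple[str, str, int]]:
    """Evaluate five constructed packets against POLICIES and return the decisions."""
    ip = dict(ethertype=0x0800, vlan=20, transport="TCP", dst_ip=PLC)
    packets = [
        Packet(**ip, src_ip=HMI, dst_port=502, dpi="Modbus", function_code=3),          # expected read
        Packet(**ip, src_ip="10.1.1.50", dst_port=502, dpi="Modbus", function_code=6),  # rogue write
        Packet(**ip, src_ip=HMI, dst_port=502, dpi="Modbus", function_code=6),          # expected write
        Packet(**ip, src_ip="10.1.1.50", dst_port=22),                                  # SSH, rule disabled
        Packet(ethertype=0x0806, vlan=20, src_mac="00:11:22:33:44:55"),                  # ARP
    ]
    return [evaluate(POLICIES, p) for p in packets]
```

Note how the broad user rule (four fields) alerts on the rogue write, while the more specific learned rule for the HMI (six fields) keeps the HMI's own writes silent, and the disabled SSH rule leaves that packet to the unknown-traffic alert.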

6.3 MANAGING LEARNED POLICIES (SUGGESTED RULES)

In the course of the learning stage, iSID creates policies based on the learned traffic.

These policies can be based on regular IT protocols as well as industrial protocols such as

Modbus, CIP, DNP3 and IEC 104.

Policies created and suggested by iSID are not enabled until you approve them.

As with approved rules, you can view, delete, and clone suggested rules. You can also

Edit and Approve them, which lets you edit the rule before it is approved. Once a

suggested rule is approved, it is removed from the Suggested Rules and added to the

Rules listing.


Figure 69. Policy Monitor: Suggested Rules

Table 26: Managing Suggested Rules

# What it does

1 Bulk selection

Check all the rules to which you want to apply a selected action.

Check or uncheck the checkbox in the heading to select or unselect all rules.

2 Bulk action selection.

Select the desired rules and click the desired action button to apply to all selected

suggested rules.

Rule action options:

• Approve

• Delete

3 Actions

Click to display the action options.

4 Select the desired action:

Action options:

• View

• Delete

• Edit & Approve

• Clone


6.3.1 Viewing Suggested Rules

To view a suggested rule definition:

In the Policy Monitor suggested rules listing select View for the desired rule.

The complete rule definition is displayed including meta data as well as all layer

configuration.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

Figure 70. Viewing Suggested Rules


6.3.2 Editing and Approving Suggested Rules

To edit and approve a suggested rule:

1. In the Policy Monitor rules listing select Edit & Approve for the desired rule.

Figure 71. Policy Monitor: Edit Rule

2. Expand each relevant section to display the parameters in that section.

3. Edit the parameters as needed for all sections.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

4. Click Approve. The rule is removed from the Suggested Rules and appears in the Rules listing.

6.3.3 Duplicating a Suggested Rule

You can clone a suggested rule just as you can clone an approved rule. The clone

appears in the listing of the suggested rules and can be edited and approved just like any

suggested rule.

To create a rule by duplicating and editing an existing suggested rule:

1. In the Policy Monitor rules listing select Clone for the desired rule.

The Create Rule window opens with all relevant fields filled in (similar to Edit Rule,

but the result is saved as a new rule rather than overwriting the existing one).


Figure 72. Policy Monitor: Create Rule (Clone)

2. Expand each relevant section to display the parameters in that section.

3. Edit the parameters as needed for all sections.

See Table 25: Policy Rules Fields (View, Edit, Create) for a description of the fields.

4. Click Apply.


6.4 POLICY MONITOR ENGINE STATUS

You can see the overall status of the Policy Monitor engine in the Status tab.

The status settings are determined by the Profile that is currently active.

Figure 73. Policy Monitor Status

Note: The status screen is intended for expert/administrator users. For additional information,

please contact the Radiflow support team – [email protected]


7 THE OPERATIONAL ROUTINE ENGINE

The Operational Routine engine lets you define special schedules for dedicated

operations; for example, a visit from an authorized technician to perform scheduled

maintenance and a PLC firmware upgrade. You can use this engine to configure iSID to

recognize the technician's activities during a pre-defined operations time window for

specific devices, so that the technician's activity does not raise false alarms. Keep such

windows as narrow as possible (specific devices, specific hours): any activity that fits the

window is treated as expected and is not alerted on.

Note: You must first create a profile with the desired rule behavior and then assign that

profile to a schedule.

Figure 74. Operational Routine Engine

7.1 SCHEDULES

Schedules let you apply a selected profile to a specific time period.

The time period frequency can be defined as follows:


Note: The user must first define a profile that determines the rule set, and then define

the schedule and attach the profile.

There are two types of schedules:

• User-defined schedules

• Default iSID schedules: there are 3 Pre-defined schedules, one for each system

mode:

▪ Learning schedule

▪ Idle schedule

▪ Detection schedule

Default schedules only show which schedule is currently active; they cannot be edited or

deleted.

Figure 75. Operational Routine: User Defined Schedules


Figure 76. Operational Routine: Default Schedules

Table 27: Managing Schedules

# What it does

1 Display action options.

2 Click to select an action.

• View

• Edit (User defined schedules only)

• Delete (User defined schedules only)


7.1.1 Adding a User-Defined Schedule

To create a new schedule:

1. In the User-Defined Schedules listing click .

Figure 77. Operational Routine: Add Schedule (When)

Figure 78. Operational Routine: Add Schedule (Action)


2. Enter a name for the schedule

3. Expand each relevant section to display the parameters in that section.

4. Enter the parameters as needed for all sections.

See the table below for a description of the fields.

5. Click Apply.

Table 28: Schedule Fields (View, Edit, Add)

Field Description

Enable Use the slider to enable/disable this scheduled time window.

When

Frequency Set the time window during which the action is active (see Schedules).

Action

Profile Select the profile to attach to the schedule.

Merge Behavior When enabled, this schedule overrides all other schedules; it is treated as the top-priority schedule.
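As an added example, not from the guide and not iSID's own logic: a Python model of how user-defined schedules, the Merge Behavior flag and the default per-mode schedules resolve to one active profile at a given moment, plus a sanity check that flags long windows. The dates, profile names, the half-open window convention and the tie-break for overlapping windows without Merge Behavior (the most recently started window wins) are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List


@dataclass
class Schedule:
    """One user-defined schedule as in Table 28: a time window, the attached profile,
    the Enable slider and the Merge Behavior (override) flag."""
    name: str
    profile: str
    start: datetime
    end: datetime
    enabled: bool = True
    override: bool = False


# The three default schedules follow the system mode and cannot be edited (7.1).
DEFAULT_PROFILE = {
    "learning": "Learning profile",
    "idle": "Idle profile",
    "detection": "Detection profile",
}


def active_profile(schedules: List[Schedule], now: datetime, system_mode: str) -> str:
    """Return the profile in force at `now`.
    Assumptions not stated in the guide: a window is half-open [start, end); a window
    with Merge Behavior beats all others; among equals the latest start wins."""
    live = [s for s in schedules if s.enabled and s.start <= now < s.end]
    overriding = [s for s in live if s.override]
    pool = overriding or live
    if pool:
        return max(pool, key=lambda s: s.start).profile
    return DEFAULT_PROFILE[system_mode]


def oversized_windows(schedules: List[Schedule], max_hours: float = 8.0) -> List[str]:
    """Added sanity check: names of enabled windows longer than `max_hours`. A
    maintenance profile usually relaxes detection, so a long window is a blind spot."""
    limit = timedelta(hours=max_hours)
    return [s.name for s in schedules if s.enabled and s.end - s.start > limit]


# Constructed schedules; dates and profile names are illustrative assumptions.
SCHEDULES = [
    Schedule("PLC firmware upgrade", "Vendor maintenance",
             datetime(2018, 11, 3, 8, 0), datetime(2018, 11, 3, 10, 0)),
    Schedule("Plant holiday", "Holiday profile",
             datetime(2018, 11, 1, 0, 0), datetime(2018, 11, 5, 0, 0)),
]


def demo() -> dict:
    """Resolve the active profile at several instants with the system in detection mode."""
    t_upgrade = datetime(2018, 11, 3, 9, 0)
    holiday_with_override = replace(SCHEDULES[1], override=True)
    return {
        "during_upgrade": active_profile(SCHEDULES, t_upgrade, "detection"),
        "after_upgrade": active_profile(SCHEDULES, datetime(2018, 11, 3, 11, 0), "detection"),
        "normal_day": active_profile(SCHEDULES, datetime(2018, 11, 10, 9, 0), "detection"),
        "with_override": active_profile([SCHEDULES[0], holiday_with_override], t_upgrade, "detection"),
        "oversized": oversized_windows(SCHEDULES),
    }
```

With Merge Behavior off, the two-hour upgrade window takes precedence inside the longer holiday window; turning Merge Behavior on for the holiday schedule makes it win instead, which is the behavior Table 28 describes.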

7.1.2 Editing Schedules

To edit a selected schedule:

1. Expand each relevant section to display the parameters in that section.

Figure 79. Operational Routine: Edit Schedule

2. Edit the parameters as needed for all sections.


See Table 28 for a description of the fields.

3. Click Apply.

7.1.3 Viewing Schedules

To view a schedule:

In the Schedule listing, select View for the desired schedule.

The complete schedule definition is displayed.

See Table 28 for a description of the fields.

Figure 80. Operational Routine: View Schedule

7.2 PROFILES

A profile lets you define specific behavior of the system for special cases, such as

holidays or system maintenance.

There are two types of profiles:

• User-defined profiles

• Default iSID profiles: there are 3 default profiles, one for each system mode:

▪ Learning profile

▪ Idle profile


▪ Detection profile

Default profiles can be edited, but not deleted.

7.2.1 Managing Profiles

Figure 81. Operational Routine: User Defined Profiles

Table 29: Managing Profiles

# What it does

1 Display action options.

2 Click to select an action.

• View

• Edit

• Delete (User defined profiles only)

7.2.1.1 Adding a User-Defined Profile

To create a new profile:

1. In the User-Defined Profiles listing click .


Figure 90. Operational Routine: Add User-Defined Profile (Policy Monitor Configuration)

2. Expand each relevant section to display the parameters in that section.

3. Enter the parameters as needed for all sections.

4. See the table below for a description of the fields.

5. Click Apply.

Table 30: Profile Fields (View, Edit, Add)

Field Description

Policy Monitor Configuration Fields

Enable Use the slider to enable/disable Policy Monitor enforcement of user rules.

Send alert on unknown traffic Use the slider to enable/disable sending an alert on unknown traffic.

Active Labels Select the labels that the profile applies to (see Labels).

Rule Manager

Configure automatic policy monitor rule generation Check to display the Rule Generation Configuration section; enable it to display the Rule Generation Options.

Configure Policy Monitor rules enforcement Check to display the Policy Monitor Configuration section:

• Enable to configure Active Labels

• Use the slider to enable/disable sending an alert on unknown traffic

Rule Generation Options

Rule Action Select the action to take.

Severity Select the rule severity.

Rule Message Enter the message to appear in the log.

Label Select a label or enter a new label name.

Cyber Attack

Configure Cyber Attack rules Check to display the Cyber Attack Rules Configuration section. Use the slider to enable/disable enforcing Cyber Attack rules.

Parser

Configure Parser Check to display the Parser Configuration section. Use the slider to enable/disable parsing network traffic.

7.2.1.2 Editing Profiles

To edit a selected profile:

1. Expand each relevant section to display the parameters in that section.

Figure 82. Operational Routine: Edit Profile

2. Edit the parameters as needed for all sections.

See Table 30 for a description of the fields.

3. Click Apply.


7.2.1.3 Viewing Profiles

To view a profile:

In the Profiles listing, select View for the desired profile.

The complete profile definition is displayed.

See Table 30 for a description of the fields.

Figure 83. Operational Routine: View Profile


7.3 OPERATIONAL ROUTINE STATUS

You can see the overall status of the Operational Routine engine in the Status tab.

The status settings are determined by the profile that is currently active.

Figure 84. Operational Routine Status


8 SYSTEM MAINTENANCE

Use the following tools to manage and monitor the iSID system itself.

8.1 USER ACTIVITY: MONITORING ISID

Every action a user performs in the iSID GUI is logged to the User Activity screen with the

action time, username, user IP address and a description of the action.

This is used to track configuration changes and their source when needed.

Figure 85. User Activity

8.2 iSID MAINTENANCE

iSID system supports the following maintenance procedures:

• Server Reset – complete reset of all the engines in the system.

• Password Reset – it is recommended to change the password at regular intervals.

• Update of the cyber attack rules configuration file.

In addition, see the configuration tasks explained in General Configuration.


8.2.1 Server Reset

To perform a server reset:

1. Go to Configuration>Server Actions

Figure 86. Server Reset

2. In the Server Reset section, select the reset type:

▪ Clear Data: completely deletes the data records collected by the system while

preserving the user's configuration.

▪ Factory Reset: total reset to factory defaults. All user configuration is lost; only the

User Activity log and the system's management IP address are retained.


8.2.2 Password Reset

To change your iSID logon password:

1. Go to Configuration>Server Actions.

Figure 87. Password Reset

2. Click Change Password.

3. Enter the old password.

4. Enter the new password.

5. Retype the new password to confirm.

6. Click Change.

8.2.3 Update Cyber Attack Rules Configuration File

Radiflow provides an updated Cyber Attack rules configuration file from time to time, as

required. When applied, it updates the rule configuration with new cyber-attack rules.

Note: The file is encrypted and signed by Radiflow, so the system rejects any update file

that was not produced by Radiflow.

To update the Cyber Attack rules configuration file:

1. Copy the file to the client PC from which you are connected to iSID.


2. Go to Configuration>Cyber Attack Rules

Figure 88. Cyber Attack Rules Configuration File

3. Click Update Configuration.

4. Browse to the file path and select the file.

5. The system starts the rule-update process, preserving any rules that were changed

by the user.