BluArmour For ICS / AirGapped Networks

Page Archived

Malicious Attacks on Industrial Control Systems and Supervisory Control and Data Acquisition Systems are on the rise. Enterprises are struggling to protect the critical infrastructure environments as traditional defense strategies that rely on critical infrastructure being isolated or air-gapped is no longer feasible.

BLUARMOUR FEATURES

§ STOP ZERO-DAY MALWARE & RANSOMWARE from executing on the systems and prevent them from ever gaining a foothold.

§ PREVENT ADVANCED THREATS such as Memory injection, Memory hollowing, Doppel ganging, Malicious Document and Environment Aware attacks.

§ PROTECT LEGACY SYSTEMS using one install package for all windows versions.

§ NO PRE-REQUISITES or dependencies, resulting in quick deployment without restart. Zero interference with any legitimate application.

§ ZERO MAINTENANCE overhead as there are NO updates needed.

INTRODUCTION

Critical Infrastructure networks have increasingly started to adopt Industrial IOT. They have started to interact with IP networks and equipment that allows them to be easily managed reducing cost and improving efficiencies.

This trend has not come without its perils. They have increasingly become the target of malicious threats which are aimed at affecting these critical and vulnerable resources. These threats are no longer just theoretical possibilities. Attacks on Ukraine power grid, Mirai botnet and malware(s) such as BlackEnergy and Energetic Bear/ Dragonfly have showcased to the world how malicious actors target ICS/SCADA networks. These malware campaigns have shown that the world around us is changing and is ready for a paradigm shift in ICS/SCADA security.

Traditional Endpoint Security Tools have failed us.

TRADITIONAL ENDPOINT DEFENSES

Advanced threat actors targeting critical infrastructure are able to bypass existing security controls like traditional AV and Endpoint Security Tools including the next-gen EDR and AV tools that rely on known indicators, signatures and machine learning patterns. According to researchers there are hundreds and thousands of evasive techniques available to attackers, which enable them to bypass these tools with relative ease.

The risk of an attacker being detected is very small and in almost all cases too late. This could be devastating to ICS/SCADA infrastructure.

NETWORK LAYER DEFENSES

Most ICS/SCADA networks rely on network layer defenses to detect an attack. There are challenges with network layer detection as most of these devices use serial communication methods to control and signal communications which will be undetected at the network layer. At best, network layer security tools in ICS/SCADA network detect malicious IPs used to communicate, based on threat intel. This is akin to signature-based detection in the traditional AV world.

At best, these tools may detect malicious communication after the ICS/SCADA network has been compromised. And fail miserably in proactively protecting against compromise.

INFRASTRUCTURE CHALLENGES

Many ICS/SCADA systems run on a limited number of legacy operating system (OS) versions only. These environments often do not support patches security or otherwise. This poses a challenge to both Traditional and Next-Gen AV/EDR solutions that are very resource intensive in terms of CPU and memory and cannot be used on these ICS/SCADA systems. Additionally, Traditional or Next-Gen security tools usually have many 3rd party dependencies like .NET versions, C++, Redist etc., These dependencies often cannot be met on the ICS/SCADA systems rendering these tools useless.

A NEW APPROACH TO ENDPOINT SECURITY

BluSapphire Endpoint Agent - BLUARMOUR is a lightweight agent for windows endpoints that is independent of the AV engine installed. Its unique design philosophy allows it work on air-gapped network, ICS control system networks and traditional IT environments.

Given that today’s modern attacks specialize in evading basic defense and are targeted, BluArmour arms security teams with the tool needed to not just defend but protect against these advanced threats.

Apart from Behavior Monitoring BluArmour also provides:

- Process Blocking

- Intelligent Process Behavior Tracking and Blocking

- Exploit Prevention

- In-Memory only Process Execution Blocking

- File-less Malware Prevention

- Ransomware Prevention

- Malware Prevention

- Inoculation™

Inoculation™

Inoculation pro-actively protects your endpoints against malware and ransomware execution by creating a virtual armor that prevents active exploitation.

Borrowing from the worlds of virtual patching and real-world sleuths BluArmour alters the attackers’ perception of reality thereby inhibiting the attacker’s capability to carry out a successful attack on his victim.

Unique

The best part, BluArmour does not need any updates or patches and can still continue to protect endpoints. BluArmour also manages to be very lightweight (about 100KB in memory), quick to deploy without requiring a restart and has no management overhead.

Our patented behavior design system enables BluArmour to protect endpoints against current and future advanced threats, malware and ransomware without any constant updates.

With its unique ~100kb footprint, it easily scales to thousands of systems with zero performance impact

BLUARMOUR OPERATING ADVANTAGES

No Signature updates neede

No internet connectivity required

Endpoints are protected whether they are connected to organization network or not

No installation pre-requisites (.NET, C++, Redist, etc.,)

No reboot required during installation, uninstallation or upgrade

Very Lightweight on resources

Less than 100kb in memory

Less than <1% CPU utilization

Rapid installation with MSI packages for 32/64 bit Windows Desktop or Server

Supports legacy versions including older XP versions

BLUARMOUR USE CASE

A major defense organization wants to protect their air-gapped networks. They use a big-name AV vendor product to protect their air-gapped networks. But this presents a problem. Being air-gapped, none of their endpoints can connect to internet, hence they have not been updated in months, if not years. Neither have the Operating Systems been updated or patched in months/years.

This obviously represents a huge risk and the organization is aware of the problem but is helpless given the current state of the market. Additionally, the organization is also struggling with visibility across these systems. They are not aware if they have compromised systems on the network. Big Red Flag.

BluSapphires’ BluArmour is an ideal solution for these kinds of organizations. BluArmour does not need regular updates unlike the competition. It also means BluArmour can protect these air-gapped networks though the operating systems are vulnerable and not patched. This dramatically reduces the risk burden on the organizations security teams and improves their risk profile. Furthermore, it protects systems in air-gapped networks, without a need for any internet connection.

This provides a major differentiator and shall be game changing for the organizations’ air-gapped infrastructure. The CISO now has assurance of protection instead of an assumption of protection.