McAfee FOCUS’16 Security Conference – Cybersecurity Insights Applied to the Process Automation Industry

I’m the DeltaV Product Marketing Manager responsible for cybersecurity and networking at Emerson Automation Solutions, and recently I had the opportunity to participate in McAfee’s FOCUS’16 conference held in Las Vegas. It was a great show with several technical discussions about the current status of cybersecurity (including its relevance to industrial control systems), new McAfee solutions and concepts for the future.

 

Together is Power.™ - McAfee’s call to action against cyber warfare

It is known that there is a taskforce dedicated to releasing malware, including ways to exploit systems. Companies concerned with cybersecurity should likewise engage and work collaboratively to defeat these threats in a timely fashion. McAfee demonstrated a strong interest in becoming the #1 security partner, and the “Together is Power” message should really be read as two-way communication, where users, partners and vendors can use enhanced functions within their own environments to detect and share insights or protection methodologies with a much broader audience.

The Industrial Automation and Control System (IACS) environment still struggles to deal with the necessary connections to the Enterprise. Such connections are specifically limited to data sharing, patch management or remote access to control systems today, and the discussions about how to implement these connections are often very intense and convoluted. I can certainly see potential for new solutions to address such challenges; they should target simplicity of security solution implementation while still matching both IT and OT requirements.

I believe the whole discussion about antivirus being dead is no longer appropriate. Cybersecurity defenses are evolving, including antivirus, and it is still part of a cybersecurity ecosystem – processes that start to perform differently can be quarantined even if their process signature does not yet match a known malware or vulnerability, hence allowing users to determine if such processes should really be allowed to run.

 

Layered Approach

It was definitely good to see the improvements McAfee is working on for the endpoint security area, which address many questions about the future of antivirus protection given the number of zero-day threats that are discovered (5,000 new malware signatures issued per day and growing). Add to that the new ways hackers are finding to hide malware using multi-layer crypto algorithms, remote launchers, and other mechanisms, which further complicate the cyber protection landscape dramatically. Antivirus is evolving to monitor system heuristics: has the system’s behavior suddenly changed, or has a new executable run unexpectedly?

Antivirus and whitelisting are still very important protection mechanisms for endpoints, and McAfee’s roadmap includes the use of new technologies to enhance the protections and increase the ability to detect and mitigate zero-day threats more effectively:

  • McAfee Threat Intelligence Exchange (TIE) is a collaborative solution where threat detection is also based on information gathered from multiple interconnected systems.

  • Dynamic Application Containment (DAC) is an enhancement for whitelisting which can allow execution of files based on TIE, Global Threat Intelligence or even dynamic sandboxes.

  • Behavioral risk monitoring (Real Protect) enables zero-day malware detection in near real time. This solution is signature-less and based on a small client footprint which uses machine learning to automate the classification of files within a given endpoint.


McAfee® Endpoint Security 10 Threat Prevention

 

During FOCUS’16, McAfee also released support for the public version of their Data Exchange Layer (DXL) protocol. The newly named Open DXL is a messaging protocol for interoperability and monitoring that now allows everyone (users, vendors, partners, solution providers, etc.) to create custom applications that interface with McAfee security products for monitoring or integration in a more straightforward manner.

Open DXL will enable ways to better integrate security-related information from control systems, possibly including the DeltaV DCS, into McAfee’s broader solution portfolio using the now open messaging protocol. Users will also be able to collaborate by developing specific functions within their own systems to customize their applications if need be. As a rough example, a specific control system network behavior could trigger McAfee ePO to perform an on-demand malware scan on targeted endpoints, and an automated custom report could be generated on the fly, all based on an Open DXL script.

 

 

IIoT Relevance

It was clear to me that the main area of focus for the future security products McAfee is working on will be addressing the challenges of the Internet-of-Things, which can also be helpful for customers interconnecting control systems to the Enterprise.

The new version of the McAfee ePolicy Orchestrator (ePO) has been designed for cloud use, and it embeds data center services provided by McAfee out of Denver and Miami for the Americas region and soon in Germany for EMEA. With ePO Cloud, users can enable two-factor authentication (based on one-time passwords), run Open DXL scripts to wake up agents, integrate authentication mechanisms with local Active Directories, and provide single sign-on capabilities. McAfee’s ePO Cloud is also targeting big data for events and is therefore moving away from simple, local databases. That would apply to new cloud-based IIoT solutions; however, today’s control system user will still want the local ePO solution we offer, which McAfee continues to develop, enhance, and support.

 

 

The Layered Approach described above will be fundamental to improving the endpoint security mechanisms we currently consider for DeltaV systems, and the good news is that most of the new enhancements are still aligned with the current Industrial Automation and Control System deployment scheme. In other words, Behavioral Risk Monitoring using Real Protect, or Dynamic Application Containment / Threat Intelligence Exchange, will be able to be shared within a process control system environment that is segmented from the open internet by means of firewalls and other protections (updates can be loaded to these systems as patches).

The great challenge ahead of us now is to make sure most of the released security features and functions that pertain to our industry are customized to address our needs and provide additional answers for the problems our users are facing (or will be presented with in the near future).

 

I welcome thoughts from others on these important topics…

 

Alexandre Peixoto

3 Replies

  • Hi Alexandre. Thank you for this post. Our IT department is demanding that we install Mandiant FireEye Endpoint Security Agent on our DeltaV system. Do you have experience with this product? We are in the process of getting quotes from Emerson and our LBP for Cyber Assessment Services.

    Kathy Pate

    Toray Carbon Fibers America

    Decatur, AL 35601

    kathy.pate@toraycma.com

  • In reply to kathrynpate:

    Kathy,
    I am afraid that the Mandiant solution has not been tested on the DeltaV control system, therefore, we do not recommend that it be used on DeltaV. We have approved and can provide a McAfee-based solution or we have approved the use of Symantec Endpoint Protection on DeltaV as well. Due to the number of things that might affect the activities on DeltaV, without further testing, the Mandiant solution should not be used on DeltaV. For additional information please contact your local Emerson Service Representative.

    R.L. (Rick) Gorskie | Program Manager, DeltaV Cybersecurity Services
    Rick.Gorskie@Emerson.com

    Rick Gorskie

    Global Sales Manager - Cybersecurity

    Emerson Automation Solutions

  • In reply to Rick Gorskie:

    OK. Thank you, Rick. I am working with Control Southern as well.

    Kathy Pate

    Toray Carbon Fibers America

    Decatur, AL 35601

    kathy.pate@toraycma.com