Page 1: PALO ALTO NETWORKS AND CYBERX · Palo Alto Networks The Palo Alto Networks® Security Operating Platform prevents successful cyberattacks through intelligent automation. Our platform

Key Benefits of Integration

The CyberX platform uniquely combines a deep, embedded understanding of industrial devices, protocols, and applications with continuous monitoring and ICS-aware behavioral analytics, asset and network topology discovery, risk and vulnerability management, automated threat modeling, and threat intelligence.

Palo Alto Networks Next Generation Firewall for ICS provides highly granular visibility into traffic at the application and user levels, and can apply these parameters in policy.

The CyberX platform integrates with the Palo Alto Networks Next Generation Firewall through XML APIs.

The Challenge

Companies with critical industrial infrastructure are increasingly concerned about ICS/SCADA cyberattacks by nation-states and cybercriminals.

As IT and Operational Technology (OT) networks become increasingly connected to support digitalization and collection of real-time intelligence from production operations, this has increased the attack surface and hence the risk from both targeted attacks and malware.

While downtime in a traditional IT environment can result in the lack of business continuity, breaches in OT environments can have far more devastating impacts including costly production outages, catastrophic safety failures, environmental damage, and theft of corporate IP.

CyberX

The CyberX platform provides continuous monitoring with specialized behavioral analytics that were purpose-built for detecting unauthorized or suspicious ICS/SCADA traffic. The platform incorporates patented, ICS-aware self-learning engines that automatically inventory and profile assets, identify vulnerabilities, and detect a wide range of threats in real-time — without relying on rules or signatures, specialized skills, or prior knowledge of the environment. Plus, it uses passive monitoring to ensure zero impact on the ICS/SCADA network.

Palo Alto Networks

The Palo Alto Networks® Security Operating Platform prevents successful cyberattacks through intelligent automation. Our platform combines network and endpoint security with threat intelligence and accurate analytics to help streamline routine tasks, automate protection and prevent cyber breaches. Tight integrations across the platform and with ecosystem partners deliver consistent security across clouds, networks and mobile devices, natively providing the right capabilities at the right place across all stages of an attack lifecycle. Because our platform was built from the ground up with breach prevention in mind – with important threat information being shared across security functions system-wide – and architected to operate in modern networks with new technology initiatives like cloud and mobility, customers benefit from better security than legacy or point security products provide and realize better total cost of ownership.

PALO ALTO NETWORKS AND CYBERX

ICS/SCADA THREAT DETECTION AND PREVENTION

CyberX’s integration with Panorama™ enables joint customers to rapidly block sources of malicious traffic in ICS/SCADA networks.

Five Key Use Cases for Prevention

• Unauthorized PLC changes: An update to the ladder logic or firmware of a device. Can represent a legitimate activity or an attempt to compromise the device by inserting malicious code, such as a RAT or parameters causing the physical process — such as a spinning turbine — to operate in an unsafe manner.

• Protocol Violation: An unpermitted packet structure or field value that violates the protocol specification. Can represent a misconfigured application or a malicious attempt to compromise the device – for example, by causing a buffer overflow condition in the target device.

• PLC Stop: A command that causes the device to stop functioning, thereby risking the physical process that is being controlled by the PLC.

• Malware found in the ICS network: ICS-specific malware that manipulates ICS devices via their native protocols, such as TRITON and Industroyer. CyberX also detects IT malware that has moved laterally into the ICS/SCADA environment, such as Conficker, WannaCry, and NotPetya.

• Scanning malware: Reconnaissance tools that collect data about system configurations in a pre-attack phase. For example, the Havex Trojan scans industrial networks for devices using OPC (a standard protocol used by Windows-based SCADA systems to communicate with ICS devices).

Palo Alto Networks + CyberX

Joint customers of Palo Alto Networks® and CyberX are now looking for a way to rapidly block malicious traffic detected by the CyberX platform. Together, we’ve developed an off-the-shelf integration that automatically creates new policies in Palo Alto Networks next-generation firewalls, based on contextual information provided by the CyberX platform. A 1-click “confirmation mode” prompt ensures a human in the loop at all times.

Rapid Creation of Asset-Based Policies

CyberX has also developed an integration with the Palo Alto Networks Security Operating Platform that facilitates automatic creation of fine-grained, ICS-aware policy templates using tags, based on the type of asset.

Using passive Network Traffic Analysis (NTA), the CyberX platform automatically discovers all assets and their communication behavior, thereby fingerprinting the asset type and associated properties (protocol, vendor, firmware revision level, etc.).

By automatically tagging devices with their discovered properties — such as device type (HMI, PLC, etc.), and whether they are authorized devices or not — the CyberX application enables administrators to rapidly create asset-based policies. Administrators can also rapidly create Dynamic Access Groups (DAGs) using these asset-based tags.

Examples of ICS-aware policies include:

• “Unauthorized devices are not allowed to communicate between subnets”

• “HMIs can only communicate with PLCs using the MODBUS protocol”

• “Only engineering workstations are allowed to program PLCs”

Integration with the Palo Alto Networks Application Framework

Additionally, CyberX has developed an integration with Palo Alto Networks’ Application Framework that leverages Palo Alto Networks sensors that customers already have deployed.

The application maps Palo Alto SCADA App-IDs to CyberX’s automatically-generated baseline of all ICS/SCADA network behavior, providing extensive detection, visibility, monitoring, and analysis capabilities. This enables security teams to:

• Easily implement fine-grained policies to prevent malicious or unauthorized activities

• Accelerate detection and investigation of targeted ICS attacks via deep forensic, threat hunting, and ICS threat modeling capabilities

• Identify vulnerable or compromised OT devices, so they can be rapidly remediated or isolated

• Alert on suspicious or risky behaviors such as PLC programming changes and network scanning

About CyberX

Founded by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS/SCADA/OT risk.

Our ICS-aware self-learning engines deliver immediate insights about assets, vulnerabilities, and threats — in less than an hour — without relying on rules or signatures, specialized skills, or prior knowledge of the environment.

CyberX is a member of the Palo Alto Networks Application Framework Community and the IBM Security App Exchange Community, and has partnered with premier solution providers and MSSPs worldwide including Optiv Security, DXC Technology, Wipro, and Deutsche-Telekom/T-Systems.

About Palo Alto Networks

We are the global cybersecurity leader, known for always challenging the security status quo. Our mission is to protect our way of life in the digital age by preventing successful cyberattacks. This has given us the privilege of safely enabling tens of thousands of organizations and their customers. Our pioneering Security Operating Platform emboldens their digital transformation with continuous innovation that seizes the latest breakthroughs in security, automation, and analytics. By delivering a true platform and empowering a growing ecosystem of change-makers like us, we provide highly effective and innovative cybersecurity across clouds, networks, and mobile devices. Find out more at www.paloaltonetworks.com.
