4 Min Read
An Elevator Ride with Mission Secure
Written by Mission Secure
Every company has an elevator pitch. But what if your building doesn't have an elevator? What if you work from home? We wouldn't want you to miss out on our elevator pitch, especially now that we've launched our new Sentinel 5.0 platform.
And so we've put our pitch in writing. If you were on an elevator ride with us (let's assume it's a long ride to a high floor), here's how the conversation might go.
What does Mission Secure do?
Thanks for asking! Mission Secure protects operational technology (OT) networks and assets from cyber threats, using industry-first policy enforcement technology.
When we talk about policy enforcement, we mean active OT authorization and validation rules. For example, rules that permit an engineering workstation to send commands to a PLC only if the right user is logged in, or the workstation has the right applications installed, or it’s the right time of day, or it’s in the right part of the facility, or all of the above.
That type of enforcement is almost unheard-of today, but we believe that’s the direction the industry needs to move in the long term. And we’ve built our platform with that in mind, to create a path from square one—where you don’t know what assets you have or how they’re communicating—all the way to a fully mature Zero Trust environment, where nothing happens that hasn’t been defined and authorized in advance.
OK. How does this policy enforcement happen?
Our platform is built around a policy engine that lets administrators configure and deploy rules based on hundreds of different parameters. For example, you can set conditions based on an asset’s firmware version, patch status, IP address, CVSS score, or even the signal value coming from a level 0 device.
Once your rules are defined in our management console, they’re deployed to an appliance that sits in the OT network and acts as a policy enforcement point. Rules can be configured to block unauthorized activity, or to send alerts for human follow-up, which is how most organizations implement it at first.
What exactly is the process for implementing this type of protection?
The first step is gaining visibility. You need a complete picture of every asset in your environment and how the assets communicate with each other. We accomplish that by installing our appliance in passive mode on a SPAN port or network tap, and listening to the traffic on the network. We can do targeted scans to find assets that aren’t sending or receiving data but are still connected to the network. And we can also install agents on endpoints to determine their security posture—what’s installed on them, who’s using them, what exploits are they vulnerable to. Using that information, we create an interactive network map, along with an assessment of current cybersecurity risks and mitigation strategies.
The next step is monitoring and alerting. After a month or two in learn mode, we have a picture of what normal traffic looks like. Using that, we can start building rules to detect unexpected or unauthorized activity. Typically there will be rules to detect new devices that connect to the network, new connections between existing devices, sudden changes in the amount of data a device is sending or receiving, or anything else outside the profile of normal activity. We can also alert on new vulnerabilities or exploits, and identify which assets in the network are potentially at risk.
To move toward a mature Zero Trust architecture, we gradually start turning those alert rules into enforced policies. Segmentation is the simplest form of this—dividing the network into zones to restrict east-west and north-south traffic based on IP ranges or physical locations. As you get more confident in your definition of what should be happening, you can start turning on more rules to block things that shouldn’t happen. The end state, which understandably will take years to reach for most organizations, is that every aspect of expected activity is defined, and any exceptions to it are blocked and sent to the SOC for investigation.
How is this different from what other OT security companies do?
No one else provides the fine-grained, context-aware control that Mission Secure makes possible. Most OT security companies are focused strictly on visibility and passive alerting. Those are important first steps, but in the long term organizations will need the ability to actively enforce rules and take control over what happens in their OT networks. We believe many organizations have avoided taking action on OT security because visibility-only products don’t provide enough value to justify the effort and expense.
There are also OT firewall providers, but firewalls are blunt instruments—they block or allow traffic based on IP addresses or ports. The use cases we see for active protection require a much more sophisticated approach, which only our platform provides.
What types of threats do you defend against?
We believe our technology has the ability to detect and block virtually any type of attack against an OT network, because we’re monitoring so many different factors. In addition to watching for changes in network traffic, we also monitor OT assets for indications of trouble, and we maintain current data on patches and vulnerabilities that apply to the assets in your environment. We even have patented technology that detects anomalies in the electrical signals generated by level 0 devices, and can defend against sophisticated attacks that aim to create unsafe conditions while forcing PLCs to report normal values.
We like to call our approach “inspect what you expect,” meaning that you need to understand exactly what’s supposed to be happening in your environment, and continually validate that nothing else is taking place. In addition to defending against cyber attacks, this approach also prevents damage from misconfigurations or other human errors.
Where do your appliances sit in the network?
In a traditional Purdue Model architecture, we can sit at Level 1, 2, or 3, depending on whether we’re in passive mode or serving as an active policy enforcement point. Our Level 0 Sentinel takes in the digital or analog signal from actuators, pumps, or other physical assets, and compares that signal to the values being reported by the PLC or other controller at level 1. Our management console can be hosted on premises or in the cloud.
Who manages the platform?
Mission Secure has a managed services team who provide OT cyber assessments, implementation services, and ongoing 24/7 managed OT SOC support. For larger organizations who already have a dedicated OT security team, our platform can be managed by the internal team and integrated into the existing SOC.
Just out of curiosity, can Mission Secure protect elevator control systems?
We certainly can. Fortunately, this elevator is still in perfect working order, and now that we've reached our floor, we can all go about our business. But if you'd like to learn more about Mission Secure and our OT protection capabilities, please let us know!
Originally published November 13, 2022, updated November 14, 2022.