Armis Deployment Across 55 Midstream Operating Assets (USA)
Program Summary
A midstream operating company elected to deploy the Armis network monitoring system to 55 sites in the continental United States as part of a multi-year security improvement program. Deploying Armis was the first step toward creating a centralized management system and a Security Operations Center.
Integration Philosophy
By baselining existing network traffic and communication patterns, together with the common and consistent user access to the SCADA endpoints, an operating asset can dramatically improve its security posture through centralized endpoint management, real-time network alerting and effective incident response.
Work Stream A: Secure Architecture and Design
Field visits were conducted at all 55 operating locations. The control system networks were fully documented, including third-party vendor connections. This design method is called East to West: it covers traffic within an operating asset and how the various systems communicate with each other inside a particular network, or inside the site itself. Current best practice typically provides good firewall and perimeter control between the IT and OT networks (called North to South), but a critical blind spot is the network traffic the perimeter firewall cannot see because it stays within the East-West internal OT networks and never passes through the IT/OT firewalls.
Work Stream B: Baselining and Operationalization
Once the site walkdowns and network maps were completed, sensors were installed according to the secure architecture developed in Work Stream A. Network traffic was collected and analyzed, and, working with site personnel, a baseline of accepted and routine traffic was created. This per-asset baseline was treated as normal; any traffic that did not match it was immediately flagged for incident response.
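The per-asset baseline-and-deviation approach described above, as an added illustration that is not code from the original page or from Armis: a small allow-list baseline of East-West flows is learned from constructed flow records, and later flows are flagged when they fall outside it. Asset names, addresses and ports are assumptions made for the example.

```python
# Added example: per-asset allow-list baseline for East-West OT traffic.
# Not from the original page or the Armis product; addresses, asset names
# and ports below are constructed for illustration.
from collections import defaultdict

# Constructed flow records captured during the baselining window:
# (asset, src, dst, proto, dst_port)
BASELINE_FLOWS = [
    ("site-01", "10.1.1.10", "10.1.1.20", "tcp", 502),    # HMI -> PLC (Modbus)
    ("site-01", "10.1.1.10", "10.1.1.21", "tcp", 502),    # HMI -> second PLC
    ("site-01", "10.1.1.30", "10.1.1.10", "tcp", 3389),   # engineering ws -> HMI
    ("site-02", "10.2.1.10", "10.2.1.20", "udp", 20000),  # DNP3 master -> outstation
]

def build_baseline(flows):
    """Learn, per asset, the set of (src, dst, proto, port) tuples seen while
    baselining. Anything outside this set is treated as not routine."""
    baseline = defaultdict(set)
    for asset, src, dst, proto, port in flows:
        baseline[asset].add((src, dst, proto, port))
    return baseline

def classify(baseline, flows):
    """Return the flows that do not match their asset's baseline, each with a
    reason. A site with no baseline at all is itself reported as a deviation."""
    alerts = []
    for asset, src, dst, proto, port in flows:
        known = baseline.get(asset)
        if known is None:
            alerts.append((asset, src, dst, proto, port, "no baseline for asset"))
        elif (src, dst, proto, port) not in known:
            # Separate a never-seen host from a known host using a new path,
            # since the two usually get different playbooks.
            known_hosts = {h for pair in known for h in pair[:2]}
            reason = "new source host" if src not in known_hosts else "new East-West path"
            alerts.append((asset, src, dst, proto, port, reason))
    return alerts

# Constructed flows observed after the baseline was put into operation.
NEW_FLOWS = [
    ("site-01", "10.1.1.10", "10.1.1.20", "tcp", 502),    # routine, no alert
    ("site-01", "10.1.1.99", "10.1.1.20", "tcp", 502),    # unknown host talking Modbus to a PLC
    ("site-01", "10.1.1.30", "10.1.1.20", "tcp", 502),    # known ws, new direct path to a PLC
    ("site-03", "10.3.1.5", "10.3.1.6", "tcp", 445),      # site that was never baselined
]

if __name__ == "__main__":
    for alert in classify(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Every deviation here is East-West traffic that never crosses the IT/OT firewall, which is exactly the traffic the perimeter controls cannot see.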
Work Stream C: Incident Response
Playbooks and incident response strategies were created using incident cases. A particular case, such as ransomware being introduced from an infected USB device, detailed how the SOC would respond, how the site first responders would react during the incident, what steps the various security teams would take and how the incident would be contained.
Outcomes
Work Stream A: Secure Architecture and Design
Cause: No systems were in operation that allowed any level of network visibility or monitoring of network traffic.
Effect: The organization was flying blind and unable to react to a security incident on the network, which exposed the organization to major risk.
Solution: Creating a secure architecture that minimized risk to the operating networks but allowed full East to West visibility and alerting capabilities.
Outcome: By doing site walkdowns, documenting the existing network architecture and then applying a secure design to how Armis would collect and transmit process control data, the sites gained visibility into day-to-day network traffic.
Work Stream B: Baselining and Operationalization
Cause: Lack of documentation on existing network and endpoint systems created excessive risk to the organization.
Effect: There was no capability to react to a security incident, or to proactively avert one, by understanding routine vs. anomalous network traffic.
Solution: By baselining the traffic to understand what normal and routine looked like, the sites were operationalized, meaning they could effectively react during an incident.
Outcome:
Work Stream C: Incident Response
Cause: Inconsistent skill level, training and understanding of security incidents across 55 sites.
Effect: Realistically there would be almost no chance to stop or contain an incident before it took down an entire operating asset.
Solution: Creating detailed but practical and simple-to-follow incident response playbooks for the site and the SOC personnel, each with their designated responsibilities and actions during an incident.
Outcome: By working directly with specific site personnel, the SOC would be able to effectively mitigate and contain an incident because each member of the various teams would be able to follow the playbook and know their role and responsibility before an incident occurred.
Foundational Principle:
Operating facilities without network visibility and alerting is largely ineffective from a security perspective, and leads to reactionary and often critically late responses to security incidents. A modern process control network needs effective East to West visibility at the operating assets, not just North to South from corporate IT to the field sites.