About company The customer is one of the 10 busiest airports in the world; an important regional transshipment center and passener hub. With over 50,000 employees and flights by hundreds of operators to destinations around the world. The airport has dozens of SCADA systems and OT networks in place that cover every aspect of airport operations - from check-in and baggage handling to electricity generation and A/C.

The challenge As with many critical infrastructure organizations, the airport’s OT and IT networks were insecure by design as they were built primarily to ensure availability, rather than to be secure.
This means the architecture was flat, with minimal internal segregation, authentication controls were lacking, and patching was simply not a priority. Like all major airports, they have numerous OT assets and protocolsin place including:

• TIM luggage handling and security

• Siemens baggage handling

• TIBCO Fast Data technology stack

• TIBCO Enterprise Service Bus (ESB)

• StreamBase Complex Event Processing (CEP)

• Live Datamart business rules engines

• Inductive Automation’s Ignition SCADA

• SITA/ARINC (international protocol for information)

• Luggage carousels

• Electricity generation and control

• Climate control

• AirTrain (FMSS)

All major transportation hubs are high-value targets for cyber attackers motivated by financial gain or sponsored by nationstates. The most menacing threat is APT (advanced persistent threats) in which hackers gain network access and stay inside, undetected, for an extended period of time carrying out stealthy reconnaissance and data collection. In this case, the massively complex, highly-distributed and interconnected airport operational computing environment left numerous security blind spots open to potential attackers. These included switches and routers supplied by top-tier vendors frequently targeted by hackers, infrastructure running legacy operating systems, and OT systems left exposed to the Internet via VPN and other online maintenance channels.

The solution The airport chose Cyberbit’s SCADAShield platform to map, monitor and continuously protect its OT networks against cyberthreats. The first step was to leverage SCADAShield’s network mapping capabilities to create an up-to-date map of all network assets. This visualization helped network managers understand all the IT/OT touch points and identify vulnerabilities such as unpatched devices, insecure protocols, unidentified hosts and other configuration issues. The airport was able to quickly gain deeper visibility and granular insights into its OT assets – including vendors, models, software versions, OS, roles, and types. This mapping clearly demonstrated significant IT/OT touchpoints - meaning that any attack coming from an infected IT endpoint (like a workstation becoming infected via a phishing email sent to an employee) could immediately threaten mission-critical OT networks, too. The airport then used SCADAShield to conduct an extensive vulnerability audit. This process included identifying suspicious traffic, unencrypted protocols, unpatched systems and old system versions – as well as risk assessment and remediation prioritization. Cyberbit then remediated the issues discovered. Without interrupting operations, SCADAShield patched high-risk assets, strengthened vulnerable assets and protocols, upgraded outdated versions, and segregated the networks in accordance with the Purdue Model for Control Hierarchy.
Moreover, SCADAShield provides continuous scanning and automatically builds and enforces network and operation policies. It provide the airport with continuous security monitoring – detecting zero-day attacks, monitoring risk levels, and enabling ongoing OT network change management to maintain a high level of security

The benefits With SCADAShield, the airport is protected against cyberthreats and the OT network is monitored; creating alerts about potential security threats and additional non-security related operational malfunctioning. By providing visibility over the entire airport network – including assets, communications and processes – SCADAShield measurably improved the airport’s mass transportation management from routing, baggage handling, check-in and beyond.

The Utility A major energy utility of a European country, with dozens of geographically dispersed electrical substations. The utility holds two SCADA command and control centers for the transmission grid – a main site and a disaster recovery site, Using different SCADA protocols, standard and proprietary, and multiple vendors’ equipment.

The challenge The utility operates, amongst new equipment, old and unsecured legacy equipment, which leaves it exposed to cyber security attacks, unknown malfunctions, human errors and tampering attempts with insufficient detection capabilities and network visibility. This combination of varied risks and deficient network visibility and detection directly influences system downtime, resulting in financial, reputational and even legal implications. Moreover, the utility worries about network policy violation performed by both employees and system technicians, that don’t fully obey regulation restrictions and thus impose yet additional threats on the OT network. Using no inspection and monitoring solution, network visibility and security remain neglected and unnoticeable, leaving the network unreliable and unsafe. The utility had no capability of monitoring and tracking any action performed in the network, moreover its consequences. There was a crucial need to obtain visibility and see what actually occurred in the network in order to assure continuous network operability and full ongoing functionality.

The Solution The utility understood it needed to combine a tool that will allow it to gain full OT network safety and reliability and add End Point security to it. Cyberbit EDR is an end point detection and response solution. By using SCADAShield, the utility’s network operators gained visibility of their network for the first time – which included seeing and investigating network transmissions, mapping both SCADA and non SCADA network assets, and obtaining a real, updated, network map. By using automated whitelisting and blacklisting capabilities, EDR for SCADA detects anomalous network activity, generates alerts, and allows the SCADA operators to conduct forensic investigation by breaking down the protocol using deep packet inspection (DPI). All network transmissions can be then investigated in order to understand and analyze all the data. Cyberbit EDR seamlessly integrated to the organization’s existing HP ArcSight SIEM, reporting its alerts directly to it.

The Results The utility finally gained OT network visibility, reliability and security, and is now able to see, investigate and monitor all transmissions within the OT network. The utility’s network operators can now assure operational continuity and ascertain minimum downtime, by identifying policy violations and unauthorized communications and tracking anomalous network activity caused by security threats, system malfunctions and operational. “The ability to see what is going on in our network enables us to follow for the first time after problematic transmissions and understand their origins and their cause. Seeing a true network map of our network allows us to be more efficient and knowledgeable when analyzing operational and security risks, and to respond to them better and more adequately.”

About Bank Bank Leumi is Israel’s largest bank with US$300 billion in assets, 2.5 million customers, 14,000 employees, more than 300 branches worldwide and tens of thousands of assets to protect. The bank operates a 24/7 Cyber SOC, facing hundreds of security alerts per day.

The challenge Bank Leumi understood that with the growing complexity, frequency, consistency, and variety of cyber threats imposed on financial institutions, the amount of information needed to be handled to mitigate these threats is ever growing. The mitigation processes involve a myriad of people and teams, all need to be orchestrated and managed together to supply quick response and mitigation. Using the existing technologies – SIEM, CRM, Ticketing, Email – did not provide the automation, situational awareness, knowledge and process management capabilities required to effectively mitigate the threats and shorten the timeframes required for response. The bank also needed to integrate and collaborate its intelligence information with network- collected information, and provide reports and updates periodically to its management and internal audit teams.

The Solution After examining a few existing solutions, Bank Leumi chose to implement Cyberbit SOC 3D (SOC Management Platform). SOC 3D seamlessly integrated to the bank’s SIEM, automatically receiving alerts and relevant information.
Using Cyberbit SOC 3D, the SOC personnel can now focus on the core mission of protecting the bank’s assets and responding to cyber threats, using automated procedures, workflows, and reporting mechanisms that save time and allow the team to concentrate full attention on mitigating the threat. SOC 3D audit trail and documentation capabilities allow for post-incident investigation and drawing conclusions, leading to constant improvement of SOC procedures and incident management processes. Using the system, the bank is now able to maintain situational awareness of its cyber domain and of the SOC operations, and easily send general and incident reports to the management and bank audit teams. The system’s automatic capabilities link similar incidents automatically, allowing the bank to leverage the knowledge and experience gained in previous incidents easily. SOC 3D now serves as a single interface for all related cyber events and is the bank’s primary cyber management and control system. Cyberbit SOC 3D solution was chosen due to its automation capabilities, intuitive and easy-to use UI, easy implementation, and its advanced and efficient retrieval capabilities, which exceeded the competition. “Implementing SOC 3D allowed our team to be more effective decreasing response times by 30% - with out-of-the-box capabilities to interlink, document and follow up on any relevant data”

The Results Bank Leumi identifies that the most notable result is the time saved while handling each incident - allowing the team to focus on the threat and response measures rather than be distracted by procedural tasks and documentation. Using the reports and situational awareness modules, the SOC obtains an updated situational awareness picture, allowing its managers and decision makers to better manage their SOC resources, improve its operations and procedures to meet the ever changing needs and challenges in confronting cyber threats. “For the first time since our SOC was established, we have a capability to overview, investigate and examine our procedures and processes thoroughly and without effort, and constantly improve our operations and methodologies to meet real-world challenges”