Parallel Reference Monitoring

HMI’s Can be Fooled!
Detect anomalies before they damage your critical assets. SIGA’s Parallel Reference Monitor (PRM) provides multi-level real-time monitoring, revealing otherwise undetectable Level-0 attacks

BACKGROUND
Current security methods for industrial control systems are beginning to evolve and include network-level security, some use of firewalls, unidirectional diodes and protected gateways. This vulnerability and common operational constraints lead to very limited solutions, at best. Therefore, the SCADA’s controller level, or Level 1 as it is called in the Purdue Model (e.g., PLC, RTU, etc.) can be compromised in various scenarios.

An attacker has taken control of a critical process while a perfectly normal operational status is reflected on the HMI and other levels. The attack is allowed to continue undetected because the control system’s Level 1 (and above) monitoring devices are blind to what is happening at Level 0 (the physical layer).

THE SOLUTION: PRM

SIGA’s Parallel Reference Monitoring (PRM) product augments SIGA’s critical process monitoring solution by comparing on one screen what operators are seeing at the HMI and other layers with what’s actually happening at the end-device layer — and alerting the operators to any discrepancies.

Any inconsistency between the Level-0 status and that of the network levels is a red flag that a hacker may be spoofing the HMI and that an attack is already underway—unbeknownst to the operator.

How does PRM Work?

SIGA’s algorithmic engine continually compares SIGA’s Level-0 sensor/actuator measurements with the values transferred between the PLC and the HMI, while factoring in synchronization issues like delays in communication, differing sampling rates, etc. SIGA generates an alert when it detects any deviation between the two values for the same I/O at the same time.