Expansive Industrial Cybersecurity Protection
In a complex world of ever-evolving technologies, Nexus Controls, a Baker Hughes business, understands the importance of having an experienced industrial cybersecurity partner to help you safely secure your digital assets.
As a leading provider of operational technology cybersecurity solutions for more than a decade, Nexus Controls is well-equipped to enhance the security posture of your enterprise, achieve greater visibility to protect critical assets, and support internal and external compliance policies and requirements.
Nexus OTArmor Cybersecurity Platform
With the application whitelisting option, Windows®-based devices have an improved security posture by reducing the risk and cost of malware, improving network stability and reliability.
This feature automatically identifies trusted software that is authorized to run on control system HMIs and prevents unknown or unwanted software.
Continuous threat monitoring and advanced logging intelligence that gives you deep, granular ICS visibility. By analyzing network traffic through deep packet inspection and fluent in over 42 of the native industrial protocols commonly found in ICS security, a baseline is constructed of normal operations which is then used to detect anomalies.
- Identify and list the assets present on the networks monitored
- Identify information such as make, model, firmware, Operating System, installed software
Asset Configuration Change Detection
- Identify if a change has occurred over the network or to the devices on the network which may indicate a compromise
- Identify if a change has occurred to an industrial device which may be an indicator of a compromise
Methods of Discovery
- Active discovery
- Passive discovery
- Hybrid discovery
Backup and Recovery
Automatic, centralized backup and recovery of the process control domain saves time and cost by deploying a quick disaster recovery plan with minimal downtime.
All backup activities are logged and easily accessed for generating reports that conform with compliance reporting.
A hardware-based electronic device designed with two separate circuits - one send-only, and one receive-only - which physically constrain the transfer of data to one direction only and form an “air gap” between the source and destination networks.
A data diode is a physical piece of hardware that acts as a unidirectional network communication device that facilitates a secure, one-direction transfer of data between networks. Their design inherently creates a physical separation between the source and destination networks. Data diodes effectively eliminate any and all external points of entry to the sending system, thus preventing unauthorized users the ability to gain access to the protected network.
By securing a network's data outflow, data diodes make it impossible for any third party to inject malware, access your system, or make any harmful changes to your network.
Data diodes can be used to protect network segments of all sizes, from a single controller to an entire facility.
Network Intrusion Detection and Prevention Systems
This customizable network security option monitors and blocks malicious activity and attacks and provides continuous visibility of unusual activity and potential threats to the control system network.
Patch Management (Centralized)
Patching your systems is one of the essential first steps to take to protect your assets and assure the operating systems and programs running have updates to provide the latest security protection without risking your operation. Listed as two of the “First Five Quick Wins” by The SANS Institute, a well-respected authority on information security and cybersecurity training, patching of application and system software is critical to improving and maintaining a high-security posture.
The Cyber Asset Protection subscription provides monthly software and firmware updates for your HMI, historians, switches, firewalls, OSM and RSG, including essential security patches. With Nexus OTArmor, patches can be centrally deployed, eliminating an average of four hours per HMI of work hours, which can save up to $20,000 monthly per plant.
Role-Based Access Control (RBAC)
Provides centralized control and management specific to the controls environment, enabling you to manage access to the industrial control system based on permissions. Benefits of RBAC include:
Increased Oversight for Admins - RBAC gives admins and managers deeper visibility and greater oversight, while also controlling authorized users and guests on the system so that they are only given access to what they need for their respective roles.
Lower Risk - By implementing RBAC, you have inherently restricted access to sensitive information while simultaneously creating logs of access for those with proper permissions, thus greatly reducing your risk of a data breach.
Cost Reduction - By restricting a user's access to certain processes and applications, admins can effectively conserve their key system resources such as bandwidth, memory, and storage.
Enhanced Operational Efficiency - By employing an effective RBAC strategy, organizations can decrease the need for password changes when onboarding new hires or when a user has to switch their role within the organization. RBAC lets you quickly add and change user-defined roles, while greatly reducing the time and resources needed to implement these roles across platforms, operating systems, and applications. Additionally, RBAC allows organizations to easily integrate outside, third-party users into their networks by assigning them predefined roles specifically designed for contractors and the like.
Improved Compliance - Every industry has its own governmentally mandated standard for compliance. Most organizations prefer to implement RBAC systems to meet the regulatory and statutory requirements, thus allowing their IT departments to more effectively manage how their data is accessed and used. This is particularly important for power providers and their supporting plants/locations where unauthorized access to their networks represents a significant threat that manage sensitive data.
Security Information and Event Management (SIEM)
We provide a scalable solution with both real-time and historic dashboard views of cyber activity, such as changes to switch configurations, failed login attempts, unauthorized port access, and USB usage.
Operator Cybersecurity Dashboards
- Nexus Controls designed dashboards
- Data-rich Security Incidents & Events Management (SIEM)
- Ready for Security Operator Center (SOC) integration
Multi-factor authentication (2FA)
Adopting stronger employee and vendor authentication is an easy method to reduce risk.
Multifactor Authentication (MFA), sometimes referred to as two-factor authentication or 2FA, is a security protocol that requires a user to present two pieces of evidence when logging in to a given account or application. The most common example of multifactor authentication you'll typically encounter is when looking into your personal bank account. You will have one set of authenticators, your username and password for the site/app, and a second set of authenticators, usually by means of a separate device, i.e. your phone, where you will be sent a one-time code that must be entered into your banking site/app in order to proceed. This exponentially reduces the risks associated with brute force and stolen credential attacks as this 2FA protocol requires access to a separate device, and the window for authentication is typically pretty short.
Multi-factor authentication combines hardware-based authentication and public key cryptography to ensure strong authentication and eliminate account takeovers.
Next generation firewalls (NGFW)
Stateful tracking of network traffic to allow approved communications between connected devices and the “outside” network. In addition, Next Generation Firewalls can inspect certain network traffic types to identify ports that may change during communications to ensure traffic is permitted to flow (e.g. FTP, TFTP).
Next Gen Firewalls have the ability to perform additional checks on traffic including application-level inspection and filtering of network traffic with exception.
Secure remote access
A zero-trust solution that safeguards against cyber risks, including insider threats, through its unique, browser-based hardened platform. Secure remote access technology provides a simple and secure access mechanism to critical assets by utilizing protocol and system isolation, encrypted display, and multi-factor authentication.
- Multi-Factor Authentication encrypted remote access
- Secure gateway using Zero Trust secure access solution
- Video replay technology for maximum isolation between plant operation assets and external remote access users
- Granular access control mechanisms and mediated remote file transfer
- Protect against zero-day malware utilizing advanced malware detection
- Simultaneous user access, ideal for a work-from-home environment
Nexus OTArmor Cybersecurity Intelligence
Nexus Controls offers a control system agnostic cybersecurity risk assessment service to support compliance with industry standards such as ISA99/IEC 62443, NEI 08-09, and NERC-CIP and will help elevate your cybersecurity awareness and identify potential vulnerabilities. After the assessment is conducted, the final report provided enables the creation of an actionable roadmap of prioritized mitigations to improve your security posture.
IEC 62443-2-4 - IEC 62443-2-4 is a published international standard, defining cybersecurity capabilities that Industrial Automation and Control System (IACS) service providers may implement and offer. The standard can help asset owners consistently procure and manage control systems security expertise. IEC 62443-2-4 was developed by IEC technical committee 65, in collaboration with the International Instrumentation Users Association (previously WIB) and ISA 99 committee members. Nexus Controls hardens customer systems using a combination of technical and procedural measures (including patch management) that have been certified to meet IEC 62443-2-4 security standards. These standards specify a comprehensive set of security requirements for the installation and maintenance of IACS.
NEI 08-09 - US nuclear power companies are federally mandated to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber-attacks. As part of having a cybersecurity plan, operators are required to address known ICS security vulnerabilities and have solutions in place for operating system, application, and third-party software updates, Host Intrusion Detection (HID), and non-repudiation, among others.
NERC CIP - Many U.S. electric utilities are now federally mandated to comply with NERC CIP requirements that dictate industrial security and remediation technology, including required compliance. To be considered in adapting operations to these regulations is the difficulty of patching industrial controls and the frequent attacks on the equipment. In addition, customers need to address known ICS security vulnerabilities without disrupting operations. Because of these factors, electric utilities require a solution that is easy to implement and provides visibility into the industrial network and compliance.
Features of a Nexus Controls Cybersecurity Risk Assessment
Below is a list of some of the important items that are reviewed during the assessment:
- Control system application: Control system configuration review, network security configuration, control system integration methodologies, and technical support agreement status
- HMI server hardware configuration: Hardware warranty status, health, environmental conditions, and physical security
- HMI operating system configuration: Access control, account and password review, anti-virus configuration, patch management, logging, backup and recovery, server performance and resource snapshot, installed applications, TCP/IP network integration and architecture, performance, availability, and health monitoring
- Mark/EX/LSI protection system: Password strength, control system integration methodology, TCP/IP network integration architecture, environmental conditions, and physical security
- TCP/IP network infrastructure review: Review firewall, router, and switch configuration, firmware updates, and management process, access control and authorization, system performance and availability management, physical security, and environmental conditions
- Process review: Change management, IT incident management, patch management, system access authorization, and implementation, lost/forgotten password, key management, and governance documentation
Nexus OTArmor Cybersecurity Services
Managed Security Services (MSSP/MDR)
Nexus Controls’ team of cybersecurity analysts are experts in big data solutions like, Elastic Search, Splunk & Hadoop. These highly skilled forensic analysts review relevant logs to minimize false positives and maximize detection of threats.
Whether you already have a Security Operations Center (SOC) or not, our 24X7 managed security services are scalable to meet your unique needs.
- Industrial process control experienced
- Ingest relevant logs to minimize false positives to maximize detection and forensics
- Expert system assists analysts for human evaluation of most important threats
- 24x7 operations, geographically distributed
- Full integration with holistic threat intelligence (not just another feed)
- Human-Led, OT/IT technology accelerated
Cyber Asset Protection (CAP) is a key part of a defense-in-depth system for turbine, plant, and generator controls environments. The patching program includes operating system and application patches as well as anti-virus/ intrusion detection signatures to cover updates for HMIs, servers, switches, and network intrusion detection devices. Monthly updates can be applied to individual HMIs or via the Nexus OTArmor™ platform for network-wide deployment.
How it works:
The Cyber Asset Protection subscription provides monthly updates for your HMI, data historians, switches, firewalls, OSM and RSG. Software updates include:
- Microsoft Windows® operating system
- Nexus OnCore
- GE cimplicity (ICS-CERT-specific)
- Intrusion detection signatures
- Anti-virus signatures
- Switch firmware updates, when impacted by a security vulnerability
The CAP subscription service also provides a monthly report of patches that need to be installed and the areas of which are critical for attention. Only the necessary patches are provided. Installing unnecessary patches, such as those coming directly from Microsoft, can increase the risks to the plant.
- Provides tested updates to keep your legacy critical infrastructure current
- Reduces downtime by providing only the necessary validated patches which are tested in an environment to assure applicability and compatibility
- On a monthly basis, CAP keeps your risk profile updated and increasingly improves your security posture, by protecting your critical assets from known vulnerabilities
- Helps you meet regulatory requirements and avoid fines
- Improves safety and reliability by preventing loss of view
- Provides a dedicated service manager for cybersecurity issues