Intrusion Detection & Prevention Solution for Cyber-Securing Critical Utilities

TEL AVIV, Israel -- Radiflow issued an analysis of the December 2015 cyber-attack on a Ukrainian power provider. According to multiple accounts, multiple western-Ukrainian power utilities were attacked, disconnecting thirty substations, and leaving 80,000 customers without power for hours. Using compromised HMI software and remote access software, the attackers targeted specific servers on the utilities' operational networks and deleted their attack paths-which delayed the response to the attack.

Draft guidelines for preventing attacks of this type against critical infrastructures were already issued prior to the attack by the U.S. National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST).

These guidelines were developed in collaboration with a select group of industry leaders. Radiflow took part in two NCCoE projects focused on identity and access management, and situational awareness, in critical infrastructures.

Radiflow's IDPS (Intrusion Detection & Prevention Solution), designed specifically to protect ICS operational networks, meets and exceeds the NCCoE guidelines. It offers multiple layers of protection, including an IDS with network visibility and anomaly detection capabilities, an industrial DPI firewall, and user authentication and task-based permissions management for securing maintenance activities.

The NCCoE guidelines, and their implementation in Radiflow's IDPS, apply directly to multiple points along the Ukrainian outage "Kill-Chain":
•Penetration phase: segregation of the OT network would have enabled detecting penetration attempts (as already suggested by ICS-CERT in August 2014) by deploying firewall protection between sites (preferably a DPI Industrial Firewall), and implementing an extensive authentication mechanism.
•An Industrial IDS would detected opened SSH connections used for communication between networked substations and the attackers' Command-and-Control servers.
•Signature-based detection would have detected known malware (the Ukraine attackers used the Black-Energy malware as well as known SSH-Backdoors, which both have signatures).
•Analysis of the attackers' commands using an Industrial IDS during the attack, which would assist post attack forensic research.

Radiflow's new IDPS has already been successfully deployed at a renewable energy site operated by a large-scale European utility. This is in addition to a large number of Radiflow secure-gateways and standalone IDSs that are already installed in utilities around the world.

To read the complete analysis paper, and for more information, visit

Suggested Articles

While a number of semi makers saw their stock prices drop on Friday, the prior three days of market growth helped their outlook.

Purdue University researchers are creating technologies to help compress 3D camera files and automate focus and exposure settings.

A $2.2 trillion economic relief package is anticipated to give the struggling U.S. economy a shot in the arm.