Industrial Threat Hunter®
Cybersecurity for Industrial Networks

Industrial Threat Hunter® is an intrusion detection/prevention system designed specifically for the unique requirements of Industrial Control Systems and SCADA networks. Industrial Threat Hunter® identifies changes in the network like new devices, protocols, communication channels, applications and services.

Industrial Threat Hunter® can be run in stand-alone mode as an Intrusion Detection System. In this mode, Industrial Threat Hunter® can identify over 250 SCADA protocol violations. Additionally, Industrial Threat Hunter® can be run as a dynamic preprocessor attached to Snort®, providing additional IT-style detection and protection.

How It Works

Threat Hunter® is a software application that runs on a Linux operating system. After establishing a baseline of all devices communicating on the operational network, Threat Hunter® monitors for any changes: new devices, new communications ports, new protocols, etc. Additionally, Threat Hunter® monitors SCADA protocols including DNP3, Modbus, IEC 61850 and IEC 60870-5-104 for violations of the protocol. These violations could indicate something as simple as a programming error on the part of the manufacturer, or they could be more serious and indicate intentionally corrupted code, data leakage, or attempts to flood or hijack sessions.
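
The two checks described above, baseline deviation and protocol-rule violation, shown as an added illustration that is not Industrial Threat Hunter® code. The function names, addresses and frames are constructed for the example, and only basic Modbus/TCP header rules are checked.

```python
import struct

MODBUS_PORT = 502  # registered Modbus/TCP port

def modbus_violations(payload):
    """Check one Modbus/TCP ADU against basic MBAP framing rules."""
    if len(payload) < 8:
        return ["truncated ADU"]
    _tid, proto, length, _unit, func = struct.unpack(">HHHBB", payload[:8])
    found = []
    if proto != 0:
        found.append("protocol id is not 0")
    if not 2 <= length <= 254:
        found.append("length field out of range")
    if length != len(payload) - 6:
        found.append("length field does not match bytes present")
    if func & 0x7F == 0:
        found.append("function code 0")
    return found

def detect(baseline, packets):
    """Compare (src, dst, port, payload) tuples against a learned baseline."""
    devices = {ip for src, dst, _ in baseline for ip in (src, dst)}
    channels = set(baseline)
    alerts = []
    for src, dst, port, payload in packets:
        for ip in (src, dst):
            if ip not in devices:
                devices.add(ip)  # alert once per new device
                alerts.append(("new-device", ip))
        if (src, dst, port) not in channels:
            channels.add((src, dst, port))  # alert once per new channel
            alerts.append(("new-channel", f"{src}->{dst}:{port}"))
        if port == MODBUS_PORT:
            alerts += [("modbus-violation", v) for v in modbus_violations(payload)]
    return alerts

# Constructed sample data (not captured traffic).
BASELINE = [("10.0.0.5", "10.0.0.10", 502)]
READ_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 2)   # well-formed read
BAD_FRAME = struct.pack(">HHHBBHH", 2, 1, 20, 1, 3, 0, 2)  # proto=1, length lies
PACKETS = [
    ("10.0.0.5", "10.0.0.10", 502, READ_REGS),   # matches baseline
    ("10.0.0.99", "10.0.0.10", 502, READ_REGS),  # unknown source device
    ("10.0.0.5", "10.0.0.10", 502, BAD_FRAME),   # malformed MBAP header
    ("10.0.0.5", "10.0.0.10", 23, b""),          # known devices, new port
]

if __name__ == "__main__":
    for kind, detail in detect(BASELINE, PACKETS):
        print(kind, detail)
```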

Industrial Threat Hunter® Features & Benefits
Fast
Easy Setup
Flexible
Affordable
No Latency
Improve Stability
Integrates with your existing infrastructure
Industrial Threat Hunter® TECHNICAL REQUIREMENTS

INSTALLATION REQUIREMENTS

Operating System:
Ubuntu Linux 14.0.4 or newer (16.0.4 recommended)

Required Libraries:
libpcap

Minimum Required Hardware:
2 processor cores, 2GB RAM, 60GB disk space

Network Connection:
copper/fiber port, must be set to promiscuous mode; one port dedicated to management

INTEGRATED SYSTEMS

Cisco Firepower Intrusion Prevention Systems

Cisco ASA Firewalls with Firepower

Palo Alto Networks Next Generation Firewall

Splunk, ArcSight

Snort® (OpenSource solution)

SECURE YOUR NETWORK

Threat Hunter® adds network visibility and protection to your SCADA/ICS network. Proactively monitoring your industrial network makes it possible to identify and isolate unauthorized change before it becomes an issue.

01 Network ASSESSMENT

Thomason Technologies will review your current infrastructure, network architecture, and communications capabilities.

02 Identify MONITORING AND PROTECTION

Thomason Technologies will work with you to identify the appropriate points of monitoring and protection. Depending on your infrastructure design, Thomason Technologies will design the specific network monitoring and/or active blocking capabilities.

03 Plan MIGRATION

Thomason Technologies can work with you to build a seamless migration plan, with minimal downtime and a complete integration of your system with existing security infrastructure. Industrial Threat Hunter® will integrate with other IPS and firewall systems and virtually any SIEM.

04 Execute IMPLEMENTATION

Thomason Technologies has the resources to execute on your plan. Our team, upon request, can deliver your systems pre-configured to your network environment such that your installation is plug-and-play.
NERC CIP v5 SUPPORT

Because Industrial Threat Hunter® constantly watches the network for changes, events created by Industrial Threat Hunter® can be used to document changes to meet NERC CIP v5 requirements.

EVENT REPORTING

In stand-alone mode, Industrial Threat Hunter® does not actively block attacks or suspicious activity. It does provide information that is critical to knowing the source of an attack. None of these alerts are typical for IT-based network detection systems. Industrial Threat Hunter® supports the following protocols: DNP3, Modbus, IEC 61850, IEC 60870-5-104.

DEPLOYMENT OPTIONS

Industrial Threat Hunter® can be deployed as either a passive, stand-alone network monitoring tool, or it can be combined with Snort® and deployed in blocking or passive monitoring mode.

In stand-alone mode, Industrial Threat Hunter® cannot block operational traffic. Most often, a SPAN or mirror port on the network switch is used to send the needed traffic to Industrial Threat Hunter®. Network taps may also be used in this context. Industrial Threat Hunter® is a software application that runs on a Linux platform. Depending on the hardware used and the network infrastructure, Industrial Threat Hunter® can be deployed to monitor multiple networks with a single instance. Industrial Threat Hunter® requires no external communication. Your Administrator, or a Thomason Technologies consultant, will configure where Industrial Threat Hunter® will send alert data. No other data is sent out from Industrial Threat Hunter®.

Industrial Threat Hunter® can also be integrated with Snort® as a Dynamic Preprocessor. In this way, Industrial Threat Hunter® can sit on network segments and block unauthorized traffic. Additionally, in this mode, the combined system can monitor IT protocols that Industrial Threat Hunter® does not monitor on its own (e.g. HTTP, FTP, SNMP, ICMP).