Industrial Threat Hunter® is an intrusion detection/prevention system designed specifically for the unique requirements of Industrial Control Systems and SCADA networks. Industrial Threat Hunter® identifies changes in the network like new devices, protocols, communication channels, applications and services.
Industrial Threat Hunter® can be run in stand alone mode as an Intrusion Detection System. In this mode, Industrial Threat Hunter® can identify over 250 SCADA protocol violations. Additionally, Industrial Threat Hunter® can be run as a dynamic preprocessor attached to Snort® providing additional IT style Detection AND Protection.
Threat Hunter® is a software application that runs on a Linux operating system. After establishing a baseline of all devices communicating on the operational network, Threat Hunter® monitors for any changes: new devices, new communications ports, new protocols, etc. Additionally, Threat Hunter® monitors SCADA protocols including DNP3, Modbus, IEC 61850 and IEC 60870-104 for violations of the protocol. These violations could indicate something as simple as a programming error on the part of the manufacturer, or it could be more serious and indicate intentionally corrupted code, data leakage or it attempts to flood or hijack sessions.
Ubuntu Linux 14.0.4 or newer (16.0.4 recommended)
Minimum Required Hardware:
2 processor cores, 2GB RAM, 60GB disk space
copper/fiber port, must be set to promiscuous mode -one port dedicated to management
Cisco Firepower Intrusion Preventions Systems
Cisco ASA Firewalls with Firepower
Palo Alto Networks Next Generation Firewall
Snort® (OpenSource solution)
Threat Hunter® adds network visibility and protection to your SCADA/ICS network. Proactively monitoring your industrial network makes it possible to identify and isolate unauthorized change before it becomes an issue.
Thomason Technologies will review your current infrastructure, network architecture, communications capabilities.
Thomason Technologies will work with you to identify the appropriate points of monitoring and protection. Depending on your infrastructure design, Thomason Technologies will design the specific network monitoring and/or active blocking capabilities.
Thomason Technologies can work with you to build a seamless migration plan, with minimal downtime and a complete integration of your system with existing security infrastructure. Industrial Threat Hunter® will integrate with other IPS and Firewall systems and virtually any SEIM.
Thomason Technologies has the resources to execute on your plan. Our team, upon request, can deliver your systems pre-configured to your network environment such that your installation is plug-and-play.
Because Industrial Threat Hunter® constantly watches the network for changes, events created by Industrial Threat Hunter® can be used to document changes to meet NERC CIP V requirements.
In stand alone mode, Industrial Threat Hunter® does not actively block attacks or suspicious activity. It does provide information that is critical to knowing the source of an attack. None of these alerts are typical for IT-based network detection systems. Industrial Threat Hunter® supports the following protocols: DNP3, Modbus, IEC 61850, IEC 60870-5-104.
Industrial Threat Hunter® can be deployed as either a passive, stand-alone network monitoring tool, or it can be combined with Snort® and deployed in blocking or passive monitoring mode.
In stand-alone mode, Industrial Threat Hunter® cannot block operational traffic. Most often, a network SPAN or Mirror port on the network switch are used to send the needed traffic to Industrial Threat Hunter®. Network taps may also be used in this context. Industrial Threat Hunter® is a software application that runs on a Linux platform. Depending on the hardware used and the network infrastructure, Industrial Threat Hunter® can be deployed to monitor multiple networks with a single instance. Industrial Threat Hunter® requires no external communication. Your Administrator, or a Thomason Technologies consultant, will configure where Industrial Threat Hunter® will send alert data. No other data is sent out from Industrial Threat Hunter®.
Industrial Threat Hunter® can also be integrated with Snort as a Dynamic Preprocessor. In this way, Industrial Threat Hunter® can sit on network segments and block unauthorized traffic. Additionally, in this mode, Industrial Threat Hunter® can monitor other IT protocols not being monitored by Industrial Threat Hunter® (e.g. HTTP, FTP, SNMP, ICMP, etc.)