Defend Your SCADA Network from Zero Day Threats with the WildFire Appliance

Palo Alto Networks recently announced availability of PAN-OS 6.1, the newest version of our operating system.  As with all our operating system releases, there is an amazing list of new features to help our customers better secure their networks, respond more quickly to incidents and reduce operational overhead.  Given my focus on cybersecurity for Industrial Control Systems, the one feature I am particularly excited about is the capability of the WildFire appliance, the WF-500, to generate threat prevention signatures on premises.

WildFire is of course a service available in our security platform that isolates suspicious payloads (e.g. executables, MS-Office documents) at the network, detonates them in our Threat Intelligence Cloud, then sends a report back to the user about the nature of a payload.  Not only that, if the payload is malicious, the cloud sends threat prevention signatures (anti-virus, malicious URL, malicious DNS) back to the firewall, essentially converting the unknown threat into a known, stoppable threat.

Many of the critical infrastructure and manufacturing asset owners I work with have told me they like the idea of WildFire and the threat intelligence cloud, but faced constraints in sending files out to the public cloud. Many have general privacy concerns, some have regulatory constraints, and on occasion, they cite the unavailability of an internet connection (airgap).

We are excited to announce with the release of PAN-OS 6.1 that we can now address these concerns via the WF-500’s ability to generate on-premise malware signatures in as little as 5 minutes. This update will come in very handy in securing several perimeters and even internal zone traffic within the automation environment — assuming you have proper segmentation! – and here’s how:

• Corporate-to-SCADA perimeter: Some of the traffic which you may be allowing on a limited basis from the Enterprise IT side may be file-bearing. Use the WF-500 to inspect this for malicious content.
• Vendor/Partner-to-SCADA: Just because you are using a secure VPN to let your partner or vendor into your SCADA system doesn’t mean the content is secure. Implement a zero-trust model and inspect all traffic.
• Operator/Engineering to Server: Files may be introduced by removable media at HMIs and Engineering workstations or via mobile laptops connected in the LAN. Use WF-500 to detect and block zero days that originate from within.
• Inter-plant traffic: Yes other plants are behind the IT-OT firewall and considered trusted, but again, don’t assume anything and be vigilant of malware that may come from other sites within the organization.

Remember: one WF-500 supports multiple next-generation firewalls, essentially transforming each firewall into a sensor for detecting unknown threats in hundreds of file-bearing applications across standard and non-standard ports, with the ability to automatically prevent them as well.  This is a fundamental difference from other detection-only, point solutions which require one or more application-specific sandboxing appliances at each point of inspection in the network, resulting in partial, open-loop security at high costs to you.

WildFire is of course one element of our entire solution.  For more details on our complete security platform which spans network security (Next-Generation Firewall), endpoint (Traps Advanced Endpoint Protection) and the cloud (Threat Intelligence Cloud), please feel free to read our brief whitepaper on protecting critical infrastructure.

[Palo Alto Networks Blog]