What is Neighborhood Keeper?
A collective defense and community-wide visibility program designed for operational technology (OT) and industrial control system (ICS) networks developed by Dragos in collaboration with the Department of Energy. Idaho National Labs and the E-ISAC are advisers on its creation.
It is available to all Dragos Platform customers.
The novelty of Neighborhood Keeper is that in traditional information sharing programs participants are required to share their data to central groups such as ISACs or government agencies. This poses data sensitivity issues (such as NERC CIP BES information considerations), poses a security risk (if the entity collecting all the data is compromised the data is available to adversaries), and the participant’s identity is tied to the data meaning that discoveries cannot be done anonymously.
In Neighborhood Keeper the model is reversed. Instead of centralizing the data and then asking questions of it, the data stays at the participants’ sites and the questions are federated out. Because the Dragos Platform is operating in the participant network, all the data is stored there on-premises at the participant. Dragos and the E-ISAC can send their questions out to the participants to get “Yes” or “No” answers back. No sensitive data such as IP addresses, logs, packet captures, file names, are ever shared to Neighborhood Keeper or leave the customers’ site. Further, the participant’s identity is technologically irreversible from the insights thus always ensuring anonymity for the participants.
The Dragos Platform is a high-fidelity continuous monitoring software technology deployed into ICS/OT networks as a network appliance that passively and unobtrusively monitors the ICS/OT networks and their communications. It can perform deep packet inspection to analyze the content inside ICS protocols such as ICCP, DNP3, Emerson, SEL, etc. It does this to identify assets and provide network visibility while using the Dragos team’s cyber threat intelligence to identify ICS/OT-focused cyber threats.
In addition, it helps discover devices and vulnerabilities to support supply chain use-cases, provide response procedures to help incident response and investigation efforts, and support operational visibility and use-cases to achieve root cause analysis when there are mishaps that are not cyber attacks
Each participant can access a web portal to see all the threat detections firing across the community. As one company encounters a threat another will know in machine-speed without the need for human involvement. This enables a true collective defense approach at the ICS/OT layer.
Further, as Dragos and E-ISAC uncover new threats, supply chain risks, or vulnerabilities they can federate out those questions in the form of a detection, which runs automatically at the technology deployed in the participant networks in order to ascertain “Has anyone seen this new threat?” Through Neighborhood Keeper, they will find which anonymous participants have that issue. As an example, Utility 1, Utility 4, and Utility 32’s technology answer, “Yes, we have that issue.” Dragos/E-ISAC do not know the identity of those participants or have access to their data. However, they can now send an encrypted message directly to the participant to provide additional data, context, or offer of support. The participant can then determine how they wish to proceed or even activate mechanisms such as Cyber Mutual Assistance to get help from other utilities.