Patents by Inventor Eric D. Knapp

Eric D. Knapp is a named inventor on the patents and patent applications listed below. The listing includes published applications as well as patents granted by the United States Patent and Trademark Office (USPTO); several inventions appear twice, once under the publication number of the application and once under the number of the patent later granted on it.

  • Patent number: 11301548
    Abstract: A method includes detecting a connection attempt from a device, quarantining the device to prevent the device from substantially interacting with a host system, and determining whether the device requires verification while the device is quarantined. The method also includes, in response to determining that the device requires verification, presenting at least one authorization challenge to a user while the device is quarantined. The at least one authorization challenge requests that the user provide at least one specified response. The method further includes, in response to determining that the device requires verification, determining whether the user correctly provided the at least one specified response while the device is quarantined, granting access to the device in response to determining that the user correctly provided the at least one specified response, and continuing to quarantine the device in response to determining that the user did not correctly provide the at least one specified response.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: April 12, 2022
    Assignee: Honeywell International Inc.
    Inventors: Peter G. Viscarola, Scott J. Noone, Eric D. Knapp, Christopher W. Barr, David Young, Kevin McMurdie, Ganesh P. Gadhe
  • Patent number: 10826925
    Abstract: This disclosure provides an apparatus and method for a consolidated enterprise view of cybersecurity data from multiple sites, including but not limited to in industrial control systems and other systems. A method includes receiving, by a replicator system, cybersecurity data from a site risk manager (RM) database. The method includes transferring the cybersecurity data, by the replicator system, through a secure firewall to an enterprise RM database. The enterprise RM database consolidates data received from a plurality of replicator systems.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: November 3, 2020
    Assignee: Honeywell International Inc.
    Inventors: Thomas M. Mesic, Seth G. Carpenter, Scott Woods, Eric D. Knapp
  • Patent number: 10812517
    Abstract: A method includes detecting a storage device. The method also includes performing a check-in process so that the storage device is recognizable by one or more protected nodes within a protected system and not recognizable by nodes outside of the protected system while the storage device is checked-in. The method further includes storing data associated with one or more cyber-security threats on the storage device. The method may also include detecting the storage device a second time and retrieving audit data on the storage device, where the audit data identifies which of the one or more protected nodes accessed the data on the storage device. The method may further include performing a check-out process so that the storage device is recognizable by the nodes outside of the protected system and not recognizable by the one or more protected nodes within the protected system while the storage device is checked-out.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: October 20, 2020
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
  • Patent number: 10642988
    Abstract: A method of data transfer in a cyber-protected system includes inserting a removable media device into a removable media interface of a Secure Media Exchange (SMX) kiosk running a cyber-checking algorithm. The SMX kiosk includes a user interface, physical controls, input and output ports. An enclosure for physical protection prevents access to the physical controls and to the input and output ports, and is configured with openings revealing the removable media interface and user interface. The cyber-checking algorithm inspects the removable media device for threats and adds encryption to the removable media device only if it passes inspection. The cyber-protected system includes networked devices coupled to communicate over a communications network including at least one SMX protected machine at a protected system node having a SMX algorithm and an encryption key. The SMX algorithm allows reading information from the removable media device on the SMX protected machine only if the encryption is confirmed.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: May 5, 2020
    Assignee: Honeywell International Inc.
    Inventors: Brian Quintanilla, Eric T. Boice, Eric D. Knapp
  • Patent number: 10643007
    Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes storing data identifying file activity involving the storage device on the storage device. The data could identify all files copied to or from the storage device and all file activity that is blocked from occurring on the storage device. The method may also include copying one or more log files stored at the protected node onto the storage device, and storing the data identifying the file activity may include appending data identifying details of the file activity to the one or more log files.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: May 5, 2020
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
  • Patent number: 10614219
    Abstract: A method includes detecting a storage device and performing a check-in process for the storage device. The check-in process includes scanning the storage device to identify any malware contained on the storage device, digitally signing one or more clean files on the storage device, and modifying a file system of the storage device. The method may also include performing a check-out process for the storage device, where the check-out process includes restoring the file system of the storage device. The file system of the storage device can be modified during the check-in process so that one or more protected nodes within a protected system are able to recognize the modified file system of the storage device and nodes outside of the protected system cannot recognize the modified file system of the storage device.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: April 7, 2020
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
  • Patent number: 10402559
    Abstract: A system includes one or more protected nodes within a protected system, where each protected node is configured to be coupled to a storage device. The system also includes a server configured to perform a check-in process so that one or more files on the storage device are (i) accessible by the one or more protected nodes within the protected system and (ii) not accessible by nodes outside of the protected system while the storage device is checked-in. The server is also configured to perform a check-out process so that the one or more files on the storage device are (i) accessible by the nodes outside of the protected system and (ii) not accessible by the one or more protected nodes within the protected system while the storage device is checked-out. The server could be configured to modify a file system of the storage device during the check-in process.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: September 3, 2019
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
  • Patent number: 10402577
    Abstract: A method includes detecting a peripheral device at a protected node. The method also includes determining whether the peripheral device has been checked-in for use with at least the protected node and determining whether the peripheral device or a device type has been whitelisted or blacklisted. The method further includes granting access to the peripheral device in response to (i) determining that the peripheral device has been checked-in and has not been blacklisted or (ii) determining that the peripheral device or the device type has been whitelisted, even if the peripheral device has not been checked-in. In addition, the method includes blocking access to the peripheral device in response to (i) determining that the peripheral device has not been checked-in and has not been whitelisted or (ii) determining that the peripheral device or the device type has been blacklisted, even if the peripheral device has been checked-in.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: September 3, 2019
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
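The grant/block precedence described in this abstract (patent 10402577), together with the quarantine-then-challenge flow of patent 11301548 above, as one worked example. This is added illustration code written for this page, not Honeywell's implementation and not anything the patents disclose beyond their abstracts: the `Peripheral` and `Policy` records, the `vendor:product:serial` identifier format, the one-time-code challenge, the rule that a blacklist entry wins when a device is on both lists, and the sample policy are all assumptions made here.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Tuple


@dataclass(frozen=True)
class Peripheral:
    """What the host learns from the device descriptor (constructed format)."""
    device_id: str    # "vendor:product:serial"
    device_type: str  # "storage", "hid", "camera", ...


@dataclass
class Policy:
    checked_in: set = field(default_factory=set)       # device_ids checked in at the kiosk
    whitelist: set = field(default_factory=set)        # device_ids or device_types
    blacklist: set = field(default_factory=set)        # device_ids or device_types
    needs_challenge: set = field(default_factory=set)  # device_types the user must vouch for


def _listed(dev: Peripheral, names: set) -> bool:
    # A list entry may name a specific device or a whole device type.
    return dev.device_id in names or dev.device_type in names


def decide(dev: Peripheral, policy: Policy) -> Tuple[str, str]:
    """Grant or block in the precedence the abstract gives: a blacklist entry
    overrides a check-in, a whitelist entry overrides a missing check-in.
    The abstract does not say what wins when a device is on both lists;
    this example lets the blacklist win, the conservative choice."""
    if _listed(dev, policy.blacklist):
        return "block", "blacklisted"
    if _listed(dev, policy.whitelist):
        return "grant", "whitelisted"
    if dev.device_id in policy.checked_in:
        return "grant", "checked-in"
    return "block", "not checked-in"


def on_connect(dev: Peripheral, policy: Policy, expected: str,
               ask_user: Callable[[str], str]) -> str:
    """Quarantine-first handling: the device starts isolated, the policy is
    evaluated, and a device type that requires verification stays quarantined
    until the user answers the challenge correctly."""
    state = "quarantined"
    verdict, _reason = decide(dev, policy)
    if verdict == "block":
        return state
    if dev.device_type in policy.needs_challenge:
        answer = ask_user(f"Enter the one-time code issued for {dev.device_id}: ")
        # Constant-time comparison so the response check does not leak by timing.
        if not hmac.compare_digest(answer.encode(), expected.encode()):
            return state
    return "granted"


# Constructed sample policy for one protected node (identifiers are made up).
EXAMPLE_POLICY = Policy(
    checked_in={"0951:1666:SN01", "0781:5567:SN02"},
    whitelist={"hid"},                # keyboards and mice never need check-in
    blacklist={"0781:5567:SN02"},     # a drive revoked after it was checked in
    needs_challenge={"storage"},
)

if __name__ == "__main__":
    for p in (Peripheral("0951:1666:SN01", "storage"),
              Peripheral("0781:5567:SN02", "storage"),
              Peripheral("046d:c52b:SN03", "hid"),
              Peripheral("1a2b:0004:SN04", "storage")):
        print(p.device_id, decide(p, EXAMPLE_POLICY))
    print(on_connect(Peripheral("0951:1666:SN01", "storage"), EXAMPLE_POLICY,
                     "483920", lambda prompt: "483920"))
```

The four `decide` branches map one-to-one onto the two grant and two block conditions in the abstract; `on_connect` shows why the quarantine step matters: nothing about the device is trusted, including a correct check-in, until the policy and (where required) the user have both said yes.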
  • Patent number: 10298608
    Abstract: This disclosure provides systems and methods for tying cyber-security risk analysis to common risk methodologies and risk levels. A method includes identifying a plurality of connected devices that are vulnerable to cyber-security risks and identifying cyber-security risks in the connected devices. The method includes assigning a risk level to each of the risks and comparing the risk levels to a first threshold and to a second threshold. The method includes assigning each identified cyber-security risk to a risk classification and displaying a user interface that includes a notification according to the identified cyber-security risks and the corresponding assigned risk classifications.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: May 21, 2019
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Sinclair Koelemij
  • Patent number: 10205726
    Abstract: A method includes detecting a storage device at a protected node and determining whether the storage device has been checked-in for use with at least the protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node. The method may also include determining whether a file on the storage device has been checked-in for use with at least the protected node. Meaningful access to the file is granted or blocked in response to determining that the file has or has not been checked-in for use with at least the protected node.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: February 12, 2019
    Assignee: Honeywell International Inc.
    Inventors: Eric D. Knapp, Eric T. Boice
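The check-in / check-out life cycle that the storage-device abstracts above describe (scan, sign the clean files and relabel the file system in 10614219; mount only at protected nodes while checked in in 10402559; per-file check-in in 10205726; the access audit trail of 10643007 and 10812517), as one added worked example. This code is written for this page and is not Honeywell's SMX implementation: the in-memory `Device` model, the `FAT32`/`SMX` labels standing in for the file-system modification, HMAC-SHA256 standing in for the digital signature, the manifest path, the key and the sample files are all assumptions. The only non-constructed input is the EICAR test string, the industry-standard harmless pattern that scanners flag.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# The EICAR test string: a harmless pattern every scanner treats as malware.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD = [EICAR]              # constructed signature list for the scan step
MANIFEST = ".smx/manifest"       # hypothetical location of the check-in record
KEY = b"protected-system-key"    # constructed; a deployment would keep this in an HSM/TPM


@dataclass
class Device:
    """In-memory model of a removable drive: a file table plus a filesystem label."""
    serial: str
    files: dict                  # path -> bytes
    fs_type: str = "FAT32"       # what an ordinary host recognises
    audit: list = field(default_factory=list)


def scan(data: bytes) -> bool:
    """True when the content matches no known-bad pattern."""
    return not any(sig in data for sig in KNOWN_BAD)


def _tag(key: bytes, serial: str, path: str, data: bytes) -> str:
    # Binding the drive serial and path into the tag stops a tag being replayed
    # onto another file or another drive.
    msg = serial.encode() + b"\0" + path.encode() + b"\0" + hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_in(dev: Device, key: bytes) -> dict:
    """Scan every file, tag the clean ones, record the tags on the drive and
    relabel the filesystem so that only protected nodes mount it."""
    manifest = {}
    for path, data in list(dev.files.items()):
        if path == MANIFEST:
            continue
        if scan(data):
            manifest[path] = _tag(key, dev.serial, path, data)
        else:
            dev.audit.append(("kiosk", "not-checked-in", path))   # file stays untagged
    dev.files[MANIFEST] = "\n".join(f"{p}\t{t}" for p, t in sorted(manifest.items())).encode()
    dev.fs_type = "SMX"
    return manifest


def _manifest(dev: Device) -> dict:
    raw = dev.files.get(MANIFEST, b"")
    return dict(line.split("\t") for line in raw.decode().splitlines() if line)


def open_on_protected_node(dev: Device, path: str, key: bytes, node: str) -> Optional[bytes]:
    """A protected node reads a file only if the drive is checked in and the file's
    tag still verifies; every decision is appended to the audit log on the drive."""
    if dev.fs_type != "SMX":
        dev.audit.append((node, "blocked", path, "drive not checked in"))
        return None
    tag = _manifest(dev).get(path)
    data = dev.files.get(path)
    if data is None or tag is None or not hmac.compare_digest(tag, _tag(key, dev.serial, path, data)):
        dev.audit.append((node, "blocked", path, "file not checked in or modified"))
        return None
    dev.audit.append((node, "read", path))
    return data


def open_on_outside_node(dev: Device, path: str) -> Optional[bytes]:
    """An ordinary host only mounts the standard filesystem label."""
    return dev.files.get(path) if dev.fs_type == "FAT32" else None


def check_out(dev: Device) -> list:
    """Restore the filesystem label, drop the manifest and hand back the audit trail."""
    dev.files.pop(MANIFEST, None)
    dev.fs_type = "FAT32"
    return list(dev.audit)


def make_sample() -> Device:
    # Constructed drive: one clean firmware image and one file carrying the EICAR pattern.
    return Device("SN-0001", {
        "firmware/update.bin": b"\x7fELF constructed firmware image",
        "setup.exe": EICAR + b"\r\n",
    })
```

Two points the flow makes visible: a file that is modified after check-in fails the tag check at the protected node even though the drive as a whole is still checked in, and a file that failed the scan is never tagged, so it is simply not readable inside the protected system while remaining on the drive for the outside world after check-out.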
  • Patent number: 10181038
    Abstract: This disclosure provides an apparatus and method for deployment assurance checks for monitoring industrial control systems and other systems. A method includes identifying, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes determining devices to be monitored from the plurality of connected devices. The method includes evaluating system resource usage, by the risk manager system, on each device to be monitored. The method includes providing recommendations to a user as to whether or not the user should proceed with the monitoring, based on the evaluation.
    Type: Grant
    Filed: November 17, 2015
    Date of Patent: January 15, 2019
    Assignee: Honeywell International Inc.
    Inventors: Seth G. Carpenter, Eric D. Knapp
  • Patent number: 10162969
    Abstract: A system and method for analyzing cyber-security risk inter-dependencies in a control system having networked devices. The system includes a central server that has a processor and a memory device in communication with the processor. The memory device stores inter-device dependencies and quantified individual risks for each of the networked devices. The memory device also stores a dynamic quantification of risk (DQR) program. The central server is programmed to implement the DQR program. Responsive to observed cyber behavior, the central server changes one or more of the quantified individual risks to generate at least one modified quantified individual risk. The inter-device dependencies for a first of the networked devices and the quantified individual risk for at least one other of the networked devices reflecting the modified quantified individual risk are used to dynamically modify the quantified individual risk for the first device to generate an inter-device modified quantified individual risk.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: December 25, 2018
    Assignee: Honeywell International Inc.
    Inventor: Eric D. Knapp
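The dynamic quantification of risk in this abstract (patent 10162969) and the two-threshold risk classification of patent 10298608 above, carried through as one added worked example. This is illustration code written for this page, not Honeywell's Risk Manager: the abstracts do not define how an inter-device dependency changes a risk value, so the rule used here (a device is at least as risky as the weighted risk of anything it depends on, iterated to a fixed point) is an assumption, as are the 0 to 100 scale, the thresholds of 30 and 70, and the sample plant.

```python
from dataclasses import dataclass, field


@dataclass
class RiskModel:
    """Per-device risk (0-100) plus weighted dependencies: deps[a] = {b: w} means
    device a depends on b, and a fraction w of b's risk carries over to a."""
    risk: dict
    deps: dict = field(default_factory=dict)


def observe(model: RiskModel, device: str, delta: float) -> float:
    """Raise (or lower) one device's own quantified risk in response to observed behaviour."""
    model.risk[device] = max(0.0, min(100.0, model.risk[device] + delta))
    return model.risk[device]


def propagate(model: RiskModel, rounds: int = 10) -> dict:
    """Inter-device modified risk. Iterating to a fixed point handles chains
    (historian -> hmi -> ews) and cycles, since every weight is <= 1 and the
    value can only grow up to the highest weighted source."""
    modified = dict(model.risk)
    for _ in range(rounds):
        nxt = {}
        for dev, own in model.risk.items():
            inherited = [w * modified[dep] for dep, w in model.deps.get(dev, {}).items()]
            nxt[dev] = max([own] + inherited)
        if nxt == modified:
            break
        modified = nxt
    return modified


def classify(score: float, low: float = 30.0, high: float = 70.0) -> str:
    """Two-threshold mapping from numeric risk level to the class shown to the user."""
    if score >= high:
        return "high"
    if score >= low:
        return "medium"
    return "low"


def report(model: RiskModel) -> dict:
    """Inter-device modified risk and classification for every device."""
    scores = propagate(model)
    return {dev: (round(scores[dev], 1), classify(scores[dev])) for dev in sorted(scores)}


def make_sample() -> RiskModel:
    # Constructed plant: the HMI depends on the engineering workstation that holds
    # its configuration and on a PLC; the historian depends on the HMI.
    return RiskModel(
        risk={"ews": 20.0, "plc": 10.0, "hmi": 25.0, "historian": 15.0},
        deps={"hmi": {"ews": 0.8, "plc": 0.5}, "historian": {"hmi": 0.6}},
    )


if __name__ == "__main__":
    model = make_sample()
    print("baseline:", report(model))
    observe(model, "ews", 60.0)          # e.g. a failed-logon burst seen on the workstation
    print("after observation:", report(model))
```

Raising only the workstation's own risk moves the HMI and, through it, the historian into the medium class without any event being observed on either of them, which is the inter-dependency effect the abstract describes; the thresholds then turn those numbers into the notification classes a user sees.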
  • Publication number: 20180365397
    Abstract: A method includes detecting a connection attempt from a device, quarantining the device to prevent the device from substantially interacting with a host system, and determining whether the device requires verification while the device is quarantined. The method also includes, in response to determining that the device requires verification, presenting at least one authorization challenge to a user while the device is quarantined. The at least one authorization challenge requests that the user provide at least one specified response. The method further includes, in response to determining that the device requires verification, determining whether the user correctly provided the at least one specified response while the device is quarantined, granting access to the device in response to determining that the user correctly provided the at least one specified response, and continuing to quarantine the device in response to determining that the user did not correctly provide the at least one specified response.
    Type: Application
    Filed: March 22, 2018
    Publication date: December 20, 2018
    Inventors: Peter G. Viscarola, Scott J. Noone, Eric D. Knapp, Christopher W. Barr, David Young, Kevin McMurdie
  • Patent number: 10135855
    Abstract: This disclosure provides an apparatus and method for near-real-time export of cyber-security risk information, including but not limited to in industrial control systems and other systems. A method includes monitoring, by a risk manager system, a plurality of connected devices that are vulnerable to cyber-security risks. The method includes detecting a cyber-security risk to one or more of the devices being monitored. The method includes identifying an external system to be notified of the detected cyber-security risk. The method includes sending cyber-security risk data to the external system according to the detected cyber-security risk and at least one filtering option.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: November 20, 2018
    Assignee: Honeywell International Inc.
    Inventors: Seth G. Carpenter, Eric D. Knapp
  • Publication number: 20180316703
    Abstract: This disclosure provides an apparatus and method for a consolidated enterprise view of cybersecurity data from multiple sites, including but not limited to in industrial control systems and other systems. A method includes receiving, by a replicator system, cybersecurity data from a site risk manager (RM) database. The method includes transferring the cybersecurity data, by the replicator system, through a secure firewall to an enterprise RM database. The enterprise RM database consolidates data received from a plurality of replicator systems.
    Type: Application
    Filed: April 28, 2017
    Publication date: November 1, 2018
    Inventors: Thomas M. Mesic, Seth G. Carpenter, Scott Woods, Eric D. Knapp
  • Patent number: 9930058
    Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: March 27, 2018
    Assignee: Honeywell International Inc.
    Inventors: Seth G. Carpenter, Eric T. Boice, Andrew Kowalczyk, Ken Dietrich, Ganesh P. Gadhe, Eric D. Knapp
  • Publication number: 20180039780
    Abstract: A method of data transfer in a cyber-protected system includes inserting a removable media device into a removable media interface of a Secure Media Exchange (SMX) kiosk running a cyber-checking algorithm. The SMX kiosk includes a user interface, physical controls, input and output ports. An enclosure for physical protection prevents access to the physical controls and to the input and output ports, and is configured with openings revealing the removable media interface and user interface. The cyber-checking algorithm inspects the removable media device for threats and adds encryption to the removable media device only if it passes inspection. The cyber-protected system includes networked devices coupled to communicate over a communications network including at least one SMX protected machine at a protected system node having a SMX algorithm and an encryption key. The SMX algorithm allows reading information from the removable media device on the SMX protected machine only if the encryption is confirmed.
    Type: Application
    Filed: August 4, 2017
    Publication date: February 8, 2018
    Inventors: Brian Quintanilla, Eric T. Boice, Eric D. Knapp
  • Publication number: 20170353460
    Abstract: A method includes detecting a storage device at a protected node and determining whether the storage device has been checked-in for use with at least the protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node. The method may also include determining whether a file on the storage device has been checked-in for use with at least the protected node. Meaningful access to the file is granted or blocked in response to determining that the file has or has not been checked-in for use with at least the protected node.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Publication number: 20170351858
    Abstract: A method includes detecting a storage device and performing a check-in process for the storage device. The check-in process includes scanning the storage device to identify any malware contained on the storage device, digitally signing one or more clean files on the storage device, and modifying a file system of the storage device. The method may also include performing a check-out process for the storage device, where the check-out process includes restoring the file system of the storage device. The file system of the storage device can be modified during the check-in process so that one or more protected nodes within a protected system are able to recognize the modified file system of the storage device and nodes outside of the protected system cannot recognize the modified file system of the storage device.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice
  • Publication number: 20170351877
    Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes storing data identifying file activity involving the storage device on the storage device. The data could identify all files copied to or from the storage device and all file activity that is blocked from occurring on the storage device. The method may also include copying one or more log files stored at the protected node onto the storage device, and storing the data identifying the file activity may include appending data identifying details of the file activity to the one or more log files.
    Type: Application
    Filed: March 27, 2017
    Publication date: December 7, 2017
    Inventors: Eric D. Knapp, Eric T. Boice