Abstract: A method includes detecting a storage device. The method also includes performing a check-in process so that the storage device is recognizable by one or more protected nodes within a protected system and not recognizable by nodes outside of the protected system while the storage device is checked-in. The method further includes storing data associated with one or more cyber-security threats on the storage device. The method may also include detecting the storage device a second time and retrieving audit data on the storage device, where the audit data identifies which of the one or more protected nodes accessed the data on the storage device. The method may further include performing a check-out process so that the storage device is recognizable by the nodes outside of the protected system and not recognizable by the one or more protected nodes within the protected system while the storage device is checked-out.

Abstract: This disclosure provides for patch monitoring and analysis, such as in an industrial process control and automation system. A method includes discovering at least one connected device by a risk manager system, including a software module for the connected device and installed patch information for the software module. The method includes identifying current patch information for the software module by the risk manager system. The method includes populating a patch definition file according to the device, the software module, the installed patch information, the current patch information, by the risk manager system. The method includes analyzing the patch definition file. The method includes producing an output based on the analysis by the risk manager system, the output including the software module, the installed patch information, the current patch information, and the status of the software module with respect to the installed patch information.

Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes storing data identifying file activity involving the storage device on the storage device. The data could identify all files copied to or from the storage device and all file activity that is blocked from occurring on the storage device. The method may also include copying one or more log files stored at the protected node onto the storage device, and storing the data identifying the file activity may include appending data identifying details of the file activity to the one or more log files.

Abstract: A method of data transfer in a cyber-protected system includes inserting a removable media device into a removable media interface of a Secure Media Exchange (SMX) kiosk running a cyber-checking algorithm. The SMX kiosk includes a user interface, physical controls, input and output ports. An enclosure for physical protection prevents access to the physical controls, input and output ports configured with openings revealing the removable media interface and user interface. The cyber-checking algorithm inspects the removable media device for threats and adds encryption to the removable media device only if passing inspecting. The cyber-protected system includes networked devices coupled to communicate over a communications network including at least one SMX protected machine at a protected system node having a SMX algorithm and an encryption key. The SMX algorithm allows reading information from the removable media device on the SMX protected machine only if the encryption is confirmed.

Abstract: A method includes detecting a storage device and performing a check-in process for the storage device. The check-in process includes scanning the storage device to identify any malware contained on the storage device, digitally signing one or more clean files on the storage device, and modifying a file system of the storage device. The method may also include performing a check-out process for the storage device, where the check-out process includes restoring the file system of the storage device. The file system of the storage device can be modified during the check-in process so that one or more protected nodes within a protected system are able to recognize the modified file system of the storage device and nodes outside of the protected system cannot recognize the modified file system of the storage device.

Abstract: A system includes one or more protected nodes within a protected system, where each protected node is configured to be coupled to a storage device. The system also includes a server configured to perform a check-in process so that one or more files on the storage device are (i) accessible by the one or more protected nodes within the protected system and (ii) not accessible by nodes outside of the protected system while the storage device is checked-in. The server is also configured to perform a check-out process so that the one or more files on the storage device are (i) accessible by the nodes outside of the protected system and (ii) not accessible by the one or more protected nodes within the protected system while the storage device is checked-out. The server could be configured to modify a file system of the storage device during the check-in process.

Abstract: A method includes detecting a peripheral device at a protected node. The method also includes determining whether the peripheral device has been checked-in for use with at least the protected node and determining whether the peripheral device or a device type has been whitelisted or blacklisted. The method further includes granting access to the peripheral device in response to (i) determining that the peripheral device has been checked-in and has not been blacklisted or (ii) determining that the peripheral device or the device type has been whitelisted, even if the peripheral device has not been checked-in. In addition, the method includes blocking access to the peripheral device in response to (i) determining that the peripheral device has not been checked-in and has not been whitelisted or (ii) determining that the peripheral device or the device type has been blacklisted, even if the peripheral device has been checked-in.

Abstract: A method includes detecting a storage device at a protected node and determining whether the storage device has been checked-in for use with at least the protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node. The method may also include determining whether a file on the storage device has been checked-in for use with at least the protected node. Meaningful access to the file is granted or blocked in response to determining that the file has or has not been checked-in for use with at least the protected node.

Abstract: This disclosure provides a notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications. A method includes discovering multiple devices in a computing system. The method includes grouping the multiple devices into multiple security zones. The method includes generating a risk value identifying at least one cyber-security risk of the devices for one of the security zones. The method includes comparing the risk value to a threshold. The method includes automatically generating a notification for one or more users when the risk value violates the threshold.

Abstract: This disclosure provides an infrastructure monitoring tool, and related systems and methods, for collecting industrial process control and automation system risk data, and other data. A method includes discovering multiple devices in a computing system by a risk manager system. The method includes grouping the multiple devices into multiple security zones by the risk manager system. The method includes, for each security zone, causing one or more devices in that security zone to provide information to the risk manager system identifying alerts and events associated with the one or more devices. The method includes storing the information, by the risk manager system, in association with unique identifier values, the unique identifier values identifying different types of information.

Abstract: A method of analyzing cyber-security risks in an industrial control system (ICS) including a plurality of networked devices includes providing a processor and a memory storing a cyber-security algorithm. The processor runs the cyber-security algorithm and implements data collecting to compile security data including at least vulnerability data including cyber-risks (risks) regarding the plurality of networked devices by scanning the plurality of devices, processing the security data using a rules engine which associates a numerical score to each of the risks, aggregating data including ranking the risks across the plurality of networked devices and arranging the risks into at least one logical grouping, and displaying the logical grouping(s) on a user station.

Abstract: A method of data transfer in a cyber-protected system includes inserting a removable media device into a removable media interface of a Secure Media Exchange (SMX) kiosk running a cyber-checking algorithm. The SMX kiosk includes a user interface, physical controls, input and output ports. An enclosure for physical protection prevents access to the physical controls, input and output ports configured with openings revealing the removable media interface and user interface. The cyber-checking algorithm inspects the removable media device for threats and adds encryption to the removable media device only if passing inspecting. The cyber-protected system includes networked devices coupled to communicate over a communications network including at least one SMX protected machine at a protected system node having a SMX algorithm and an encryption key. The SMX algorithm allows reading information from the removable media device on the SMX protected machine only if the encryption is confirmed.

Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes storing data identifying file activity involving the storage device on the storage device. The data could identify all files copied to or from the storage device and all file activity that is blocked from occurring on the storage device. The method may also include copying one or more log files stored at the protected node onto the storage device, and storing the data identifying the file activity may include appending data identifying details of the file activity to the one or more log files.

Abstract: A method includes detecting a storage device at a protected node and determining whether the storage device has been checked-in for use with at least the protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes blocking access to the storage device in response to determining that the storage device has not been checked-in for use with at least the protected node. The method may also include determining whether a file on the storage device has been checked-in for use with at least the protected node. Meaningful access to the file is granted or blocked in response to determining that the file has or has not been checked-in for use with at least the protected node.

Abstract: A system includes one or more protected nodes within a protected system, where each protected node is configured to be coupled to a storage device. The system also includes a server configured to perform a check-in process so that one or more files on the storage device are (i) accessible by the one or more protected nodes within the protected system and (ii) not accessible by nodes outside of the protected system while the storage device is checked-in. The server is also configured to perform a check-out process so that the one or more files on the storage device are (i) accessible by the nodes outside of the protected system and (ii) not accessible by the one or more protected nodes within the protected system while the storage device is checked-out. The server could be configured to modify a file system of the storage device during the check-in process.

Abstract: A method includes detecting a storage device and performing a check-in process for the storage device. The check-in process includes scanning the storage device to identify any malware contained on the storage device, digitally signing one or more clean files on the storage device, and modifying a file system of the storage device. The method may also include performing a check-out process for the storage device, where the check-out process includes restoring the file system of the storage device. The file system of the storage device can be modified during the check-in process so that one or more protected nodes within a protected system are able to recognize the modified file system of the storage device and nodes outside of the protected system cannot recognize the modified file system of the storage device.

Abstract: A method includes detecting a storage device and determining whether the storage device has been checked-in for use with at least a protected node. The method also includes granting access to the storage device in response to determining that the storage device has been checked-in for use with at least the protected node. The method further includes retrieving, from the storage device, data associated with at least one of (i) one or more applications executed by the protected node and (ii) one or more services provided by the protected node. The data is used to alter a configuration or operation of at least one of: the one or more applications and the one or more services.

Abstract: A method includes detecting a peripheral device at a protected node. The method also includes determining whether the peripheral device has been checked-in for use with at least the protected node and determining whether the peripheral device or a device type has been whitelisted or blacklisted. The method further includes granting access to the peripheral device in response to (i) determining that the peripheral device has been checked-in and has not been blacklisted or (ii) determining that the peripheral device or the device type has been whitelisted, even if the peripheral device has not been checked-in. In addition, the method includes blocking access to the peripheral device in response to (i) determining that the peripheral device has not been checked-in and has not been whitelisted or (ii) determining that the peripheral device or the device type has been blacklisted, even if the peripheral device has been checked-in.

Abstract: A method includes detecting a storage device. The method also includes performing a check-in process so that the storage device is recognizable by one or more protected nodes within a protected system and not recognizable by nodes outside of the protected system while the storage device is checked-in. The method further includes storing data associated with one or more cyber-security threats on the storage device. The method may also include detecting the storage device a second time and retrieving audit data on the storage device, where the audit data identifies which of the one or more protected nodes accessed the data on the storage device. The method may further include performing a check-out process so that the storage device is recognizable by the nodes outside of the protected system and not recognizable by the one or more protected nodes within the protected system while the storage device is checked-out.

Abstract: This disclosure provides a notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications. A method includes discovering multiple devices in a computing system. The method includes grouping the multiple devices into multiple security zones. The method includes generating a risk value identifying at least one cyber-security risk of the devices for one of the security zones. The method includes comparing the risk value to a threshold. The method includes automatically generating a notification for one or more users when the risk value violates the threshold.