"New Framework Harnesses Multiple Cybersecurity Tools to Protect Critical Infrastructure"

The US Bureau of Reclamation (USBR) partnered with the Cybersecurity and Infrastructure Security Agency (CISA) and tasked the Idaho National Laboratory (INL) with developing a low-cost cybersecurity solution that could analyze network traffic and identify malicious code before a cyberattack harms critical infrastructure. The threat analysis data generated by the program is then reviewed by a human security analyst working from a different location. The software developed by Seth Grover, an INL cybersecurity researcher, and his colleagues was the first iteration of Malcolm, a framework that combines several existing open-source cybersecurity tools into a single low-cost solution.

Malcolm is intended to detect malicious activity by analyzing high-volume network traffic. The framework is described as adaptable and specialized. It is one of the few cybersecurity solutions designed to analyze the network traffic of operational control technology, which is used to open a floodgate in a dam, turn off a pump on a natural gas pipeline, and more. Malcolm's strength stems from its reliance on a constantly evolving set of cybersecurity tools. Grover describes it as a mixture of trusted, industry-standard open-source tools, with many components that maximize their ability to work together.

Two of the tools incorporated into the Malcolm framework are Zeek and Arkime. Zeek captures and summarizes network traffic, logging the important application-layer metadata. Arkime connects each indexed network session to its source in the traffic stream, allowing an analyst to see the original payload. Another way to detect potential cyberattacks is to use Machine Learning (ML) and Artificial Intelligence (AI) to catch deviations from normal behavior. Most types of operational control systems repeat the same types of tasks, so by applying anomaly detection techniques Malcolm can surface deviations that cybersecurity analysts might not have known to look for.
This article continues to discuss the new Malcolm framework that uses multiple cybersecurity tools to protect critical infrastructure. 
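The baseline-and-deviation idea described above, as an added example that is not Malcolm's or INL's own code: a small script that learns the repeating OT conversations (who talks to which service on which host) from a known-good window of Zeek conn.log records and flags later sessions that never appeared in that baseline. The log lines are constructed for the example and use a reduced set of conn.log fields; real Zeek output carries more columns and a `#fields` header.

```python
"""Baseline-and-deviation check over Zeek conn.log records (added example)."""
from collections import Counter

# Reduced, constructed conn.log field order for the sample below (assumption:
# a real conn.log has more columns, declared in its '#fields' header line).
ZEEK_CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p",
                    "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed known-good learning window: an HMI polling a PLC over Modbus
# and a second host talking DNP3. Not captured traffic.
BASELINE_LOG = """\
1700000000.1\tC1\t10.0.1.10\t50001\t10.0.2.5\t502\ttcp\tmodbus
1700000001.2\tC2\t10.0.1.10\t50002\t10.0.2.5\t502\ttcp\tmodbus
1700000002.3\tC3\t10.0.1.11\t40100\t10.0.2.6\t20000\ttcp\tdnp3
1700000003.4\tC4\t10.0.1.10\t50003\t10.0.2.5\t502\ttcp\tmodbus
"""

# Constructed later window: one normal poll, one unseen host reaching the
# PLC's Modbus port, and SSH to the PLC from the HMI.
NEW_LOG = """\
1700000100.0\tC9\t10.0.1.10\t50010\t10.0.2.5\t502\ttcp\tmodbus
1700000101.0\tC10\t10.0.9.99\t44000\t10.0.2.5\t502\ttcp\tmodbus
1700000102.0\tC11\t10.0.1.10\t44001\t10.0.2.5\t22\ttcp\tssh
"""


def parse_conn_log(text):
    """Yield one dict per record, skipping Zeek '#' header/comment lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        yield dict(zip(ZEEK_CONN_FIELDS, line.split("\t")))


def conversation_key(rec):
    """The repeating OT pattern: originator, responder, service port, proto, service."""
    return (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"],
            rec["proto"], rec["service"])


def build_baseline(text):
    """Count each conversation key seen during the known-good window."""
    return Counter(conversation_key(r) for r in parse_conn_log(text))


def find_deviations(baseline, text):
    """Return (uid, key) for sessions whose conversation never occurred in the baseline."""
    return [(r["uid"], conversation_key(r)) for r in parse_conn_log(text)
            if conversation_key(r) not in baseline]


if __name__ == "__main__":
    for uid, key in find_deviations(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"{uid}: unseen conversation {key}")
```

An analyst would then pivot on the flagged `uid` values in Arkime to inspect the original payloads of just those sessions.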

INL reports "New Framework Harnesses Multiple Cybersecurity Tools to Protect Critical Infrastructure"
