What is ARMORE?

ARMORE is being developed as an open-source software solution (a security appliance) that will aid energy asset owners by:

How does ARMORE work?

ARMORE combines inspection with optional actions, including alarming or enforcement when communications do not comply with an instantiated ARMORE policy. This can work for many standard protocols, but ARMORE is focused on industrial control systems (ICS) and currently targets DNP3 and Modbus for its primary policies.

To aid visibility, ARMORE tracks ICS communications to gather statistics on communication patterns, conversation pairs, and the content of those communications. For example, ARMORE can tell you how frequently two hosts communicate, which protocols they speak, which functions they call, and which targets those functions address. ARMORE could even be set to look at the values and determine whether they are in range, or hand those values off for additional computation. Computation hooks could be leveraged to feed the results into state estimation functions, calculate averages in a time window, look for value trends, or many other features.
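The two preceding paragraphs describe inspection against a policy (with alarm or enforce actions) and per-conversation statistics such as which hosts talk, which function codes they use, and which addresses those functions target. The following is an added illustration of both ideas written for this page; it is not ARMORE or Bro code. It parses Modbus/TCP request frames, records conversation-pair and function-code statistics, and evaluates each request against a rule set. The hosts, rules, and frames are constructed sample input, and the `alarm`/`enforce` modes, `Rule` fields and `Inspector` class are assumptions of this example rather than ARMORE's own policy model.

```python
"""Modbus/TCP inspection with conversation statistics and an alarm/enforce policy.
Added illustration for this page, not ARMORE code. Frames below are constructed."""
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass

# Public Modbus function codes referenced in this example.
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function: int
    address: int  # first 16-bit PDU field: starting coil/register address
    operand: int  # second 16-bit PDU field: quantity (reads, FC16) or value (FC6)


def parse_modbus_tcp(src: str, dst: str, frame: bytes) -> ModbusRequest:
    """Decode the MBAP header (txid, protocol id, length, unit id) and the
    function code, address and operand of a request PDU. Raises on malformed input."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header and request fields")
    _txid, proto, length, unit_id, function = struct.unpack("!HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    address, operand = struct.unpack("!HH", frame[8:12])
    return ModbusRequest(src, dst, unit_id, function, address, operand)


@dataclass(frozen=True)
class Rule:
    """Functions a (src, dst) pair may use and the bounds it may touch (assumed model)."""
    src: str
    dst: str
    functions: frozenset
    max_address: int               # highest coil/register address allowed
    max_write_value: int = 0xFFFF  # value bound applied to FC6 writes


class Inspector:
    def __init__(self, rules, mode: str = "alarm"):
        assert mode in ("alarm", "enforce")
        self.rules = {(r.src, r.dst): r for r in rules}
        self.mode = mode
        self.pair_frames = Counter()                 # (src, dst) -> frames seen
        self.pair_functions = defaultdict(Counter)   # (src, dst) -> FC -> count
        self.function_targets = defaultdict(set)     # (dst, FC) -> addresses touched
        self.alarms = []                             # (src, dst, reason)

    def check(self, req: ModbusRequest):
        """Return None if the request complies with policy, otherwise a reason string."""
        rule = self.rules.get((req.src, req.dst))
        if rule is None:
            return "no policy for this conversation pair"
        if req.function not in rule.functions:
            return f"function 0x{req.function:02x} not permitted"
        if req.address > rule.max_address:
            return f"address {req.address} outside permitted range"
        if req.function == WRITE_SINGLE_REGISTER and req.operand > rule.max_write_value:
            return f"write value {req.operand} outside permitted range"
        return None

    def handle(self, src: str, dst: str, frame: bytes) -> str:
        """Inspect one frame, update statistics, and return 'forward' or 'drop'."""
        pair = (src, dst)
        self.pair_frames[pair] += 1
        try:
            req = parse_modbus_tcp(src, dst, frame)
        except ValueError as exc:
            reason = f"malformed frame: {exc}"
        else:
            self.pair_functions[pair][req.function] += 1
            self.function_targets[(dst, req.function)].add(req.address)
            reason = self.check(req)
        if reason is None:
            return "forward"
        self.alarms.append((src, dst, reason))
        # Alarm mode only records the violation; enforce mode also blocks the frame.
        return "drop" if self.mode == "enforce" else "forward"


# Constructed request frames (MBAP header + PDU), not captured traffic.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00010000000601030000000a")),   # FC3 read 10 regs @0
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000200000006010600100100")),   # FC6 write 0x0100 @0x10
    ("10.0.0.77", "10.0.0.20", bytes.fromhex("00030000000b0110000000020400010002")),  # unknown host
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000400000006010102000008")),   # FC1 read coils @0x200
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("000500000006010600114000")),   # FC6 write 0x4000 @0x11
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00060000000301")),             # truncated frame
]


def run_demo(mode: str = "enforce"):
    """Run the sample traffic through one rule; return (actions, inspector)."""
    rule = Rule("10.0.0.5", "10.0.0.20",
                frozenset({READ_COILS, READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER}),
                max_address=0x00FF, max_write_value=0x0FFF)
    insp = Inspector([rule], mode=mode)
    actions = [insp.handle(src, dst, frame) for src, dst, frame in SAMPLE_TRAFFIC]
    return actions, insp


if __name__ == "__main__":
    actions, insp = run_demo("enforce")
    for (src, dst, _), action in zip(SAMPLE_TRAFFIC, actions):
        print(f"{src} -> {dst}: {action}")
    for src, dst, reason in insp.alarms:
        print(f"ALARM {src} -> {dst}: {reason}")
    for pair, fcs in insp.pair_functions.items():
        print(pair, dict(fcs))
```

In enforce mode the unknown host, the out-of-range coil address, the out-of-range write value and the truncated frame are dropped while the two compliant requests are forwarded; in alarm mode everything is forwarded and the same four violations are recorded. The statistics structures correspond to the visibility points above: `pair_frames` gives how often two hosts talk, `pair_functions` which function codes they use, and `function_targets` which addresses those functions reach on each destination.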

ARMORE will also be capable of encapsulating and encrypting legacy communications and resiliently exchanging this information among ARMORE nodes. It does so with an abstracted middleware layer that encapsulates communications from one point to others. For the initial implementation, ARMORE utilizes a secure transport mode of operation with ZeroMQ.

Bro, an open source network analysis platform, is the core packet engine that ARMORE leverages to inspect network packets and reason about them. Bro enables ARMORE to conduct a semantic analysis of network traffic in process control and other networks and then decide what to do. Because of Bro, ARMORE can collect statistics, inspect relevant traffic, and call out to apply policies to that traffic to help secure critical infrastructure from attackers.

Combined with the other components of ARMORE, this reasoning also lets a node securely relay both known and unknown protocols to their intended destinations with increased reliability and resiliency.

Deployment and Licensing

ARMORE is open source and intended to create an easy path to adoption. One of the key ways this is accomplished is by architecting ARMORE such that it supports multiple modes of deployment. These modes can be summarized in two high-level categories, passive and active.

This effort is funded by the Department of Energy Office of Electricity Delivery & Energy Reliability and is organized by the Grid Protection Alliance (GPA). The University of Illinois is the technical lead for the effort with Pacific Northwest National Labs providing input and external assessment of the effort.