Ripping Off the Blindfold: Illuminating OT Environments

Over the past year, ransomware attacks targeting the United States’ critical infrastructure – from widespread attacks on water facilities to the notorious Colonial Pipeline shutdown in May – have put the cybersecurity of industrial environments under the spotlight, and it’s clear the problem is multilayered.

First, these attacks are no longer launched solely by nation-states but also by lower-level threat actors seeking financial profit. Second, operational technology (OT) systems do not need to be directly targeted or even compromised to be shut down. For example, only IT systems were compromised in the Colonial Pipeline attack, but the security teams decided to shut down OT intentionally out of an abundance of caution.

In addition to ransomware, critical infrastructure faces a variety of other threats, including those from malicious or careless insiders (as with the Kansas water facility incident in April) and attackers exploiting remote access tools (seen in the February Florida water facility incident). The US Cybersecurity and Infrastructure Security Agency (CISA) recently released an advisory warning that cyber threats across all critical infrastructure sectors are increasing.

Unfortunately, though advanced attacks are targeting these vital and sensitive systems daily, many critical infrastructure organizations are still struggling to gain basic visibility into their environments, let alone actually equip themselves with the technologies they need to stop machine-speed attacks like ransomware.

Driving with Blindfolds: Identifying Assets in Industrial Environments
Cyberattacks against critical infrastructure pose major risks to economic and social stability — as well as human and environmental safety. And yet the security defenses protecting OT and industrial control systems (ICS) underpinning much of this infrastructure lag behind the approaches used in IT security.

This gap in maturity between OT and IT security often means that organizations are struggling to identify all the assets within their OT environments. For these security defenders, this is the equivalent of driving with blindfolds while navigating today’s threat landscape. It is simply impossible to build a robust cybersecurity strategy if an organization does not even know what it is protecting.

This challenge is compounded by the fact that many of these organizations have environments that are evolving. Efforts to modernize critical infrastructure led to the convergence of IT and OT systems and widespread adoption of the industrial Internet of things (IIoT). The increased complexity makes it even harder to get a clear picture of what’s happening in the critical infrastructure ecosystem.

No More Blindfolds: Actively Identifying Devices with AI
Darktrace’s Self-Learning AI provides a fundamentally different approach to this problem, offering comprehensive asset identification capabilities to help organizations see what’s happening in their environments. Darktrace’s technology is no stranger to an OT environment – our first customer was Drax, a major UK power station.

Most OT networks don't advertise their device identities in ongoing network traffic, making it hard to gain full visibility. By actively connecting to ICS devices, AI can gain insights into their full identity information, such as device type, host name, model, firmware, and other miscellaneous data, such as product code or hardware version.

At the same time, OT environments often contain highly sensitive computers and machines, many of which are running legacy or outdated software. In an environment for which operational continuity is paramount, any potential disruption to those devices should be avoided wherever possible.

Therefore, a security tool designed to actively obtain information from OT devices needs to do so in the narrowest way possible. If not carried out with caution, a single identity request sent to a decades-old machine holds the potential to disable the device, which can, in turn, disrupt the larger process that relies on it.

This is why the Self-Learning AI will only act on information obtained by passive monitoring of the network. The information gained in this way is used to create carefully crafted packets, using the optimal protocol and port, to query devices with minimal risk. The system is highly configurable, enabling local engineers and security teams to override the AI and exclude devices that are known to be highly critical or sensitive to unexpected connections.

In this way, AI, using passively obtained information about protocols and ports already in use on OT and ICS devices, can actively request device information in the narrowest way possible, which minimizes the inherent risk of an active approach. This is how Self-Learning AI helps critical infrastructure organizations rip off the blindfolds – but doing so responsibly.

Mapping Vulnerabilities: Necessary, but Not Sufficient
In addition to identifying assets, many organizations struggle to track and map Common Vulnerabilities and Exposures (CVEs) both for their own visibility and in efforts to comply with frameworks, regulations, or government guidance. As the Biden administration expressed in its recent National Security Memorandum: “We cannot address threats we cannot see.”

Mapping and patching vulnerabilities is necessary but not sufficient. CVEs only represent known and researched vulnerabilities, of which very few are investigated in the OT sphere. Their absence does not indicate an absence of risk. Further, many CVEs have no practical mitigation advice.

In contrast, Self-Learning AI does not require lists of CVEs to detect, investigate, and autonomously respond to threats. Rather, its approach to cyber defense depends on learning an organization’s "patterns of life" to understand subtle forms of unusual behavior that may be indicative of a threat. This allows the technology to detect both known and unknown threats, including sophisticated attacks that leverage zero-day exploits and novel tactics, techniques, and procedures (TTPs).

Critical infrastructure demands the most sophisticated technologies for robust cyber defense. Asset identification and vulnerability tracking are a healthy first step. They help rip off the blindfolds, but afterward organizations need technologies that will help them move fast enough to outpace sophisticated, stealthy, and machine-speed threats.