A Comprehensive Guide To OT Security

This white paper provides a comprehensive guide to OT (operational technology) security. It discusses the new challenges of securing OT environments, including IT and OT convergence, spillover from corporate network compromises, the introduction of IIoT to ICS, and transitioning OT to managed cloud services. It also covers common threats like advanced persistent threats, insider threats, exposed initial access points, and ransomware. Finally, it provides considerations for choosing an OT security solution, such as compliance, integration, scalability, visibility, anomaly detection, and securing both IT and OT.

WHITE PAPER

A Comprehensive
Guide to OT Security
1
| A COMPREHENSIVE GUIDE TO OT SECURITY

CONTENTS

Abstract 1
A New Era of OT Security 2
What are the Challenges of Securing OT Environments? 3
    IT & OT convergence 3
    Spillover from corporate network compromises 3
    Introduction of IIoT to ICS 3
    Transitioning OT to managed cloud services 4
    Keeping up with changing cyber regulations 4
Threats Facing OT Systems 5
    Advanced Persistent Threats (APTs) 5
    Insider threats 5
    Exposed OT initial access point 5
    Ransomware 6
What to Consider When Choosing an OT Solution 7
    Does it help meet required compliance regulations? 7
    Can it integrate with existing technology and systems? 7
    Does it have the ability to scale? 7
    Does it provide visibility and tracking of assets? 7
    Does it use anomaly-based detection? 7
    Can it secure both IT and OT in unison? 8
Darktrace/OT: A Unified Platform Solution 9
    Identify vulnerable assets and harden systems 9
    Unified visibility across OT, IT, & IoT 10
    OT anomaly detection and real time response 11
    Streamlined workflows for OT/ICS specialists 12
    Vulnerability and asset tracking 12
    Reduce time to triage and report security events 13
Attack Case Studies 14
    Protecting industrial IoT 14
    Conti ransomware 15
    Spotting insider threats 16

Abstract
The emergence of OT cyber security solutions in recent years demonstrates that critical infrastructure and industrialized organizations are trying to find a way to address the risks posed by modernizing networked industrial operations and the threat actors who aim to disrupt them.

However, many OT cyber security solutions are limited in scope. By assuming IT and OT are separated, they use legacy security techniques such as malware signature detection and vulnerability management as a means to reduce the cyber risk to OT.

This white paper explores the new challenges posed to OT security professionals and the best solutions for fighting the imminent cyber threats associated with OT and ICS security.


A New Era of OT Security
The practice of cyber security has changed dramatically in the past few years, presenting a significant challenge to management teams across all industries and business domains.

Compromised OT devices within ICS and SCADA environments can lead to enormous physical damage and danger to human life. All the while, industrial and energy industries have remained heavy targets for threat actors, accounting for a combined 18% of data breaches in IBM’s 2023 Data Breach Report.

For the industrial and critical infrastructure sectors, the consequences associated with attacks on OT and the growing threat to OT have recently increased OT cybersecurity pressure on these industries from regulatory authorities and cyber insurance providers. Recent government initiatives — such as the US Department of Energy’s 100-day ‘cyber sprint’ to protect electricity operations, President Biden’s Executive Order on Improving the Nation’s Cybersecurity, and TSA cybersecurity directives for Pipeline, Airports and Rail Systems — and regulatory frameworks and directives such as the EU’s NIS directive have either encouraged or mandated that critical infrastructure industries start addressing the new risks directly associated with OT environments.

With increased pressure to secure these environments, IT security teams have become more accountable for defending Operational Technology (OT), and OT-specialist teams have similarly inherited responsibility for traditional IT security with an OT focus. Additionally, the convergence of IT and OT technologies and responsibilities requires the synergy of both specialist skills and working practices to protect these mission-critical environments.

“More than 40% of the total number of global industrial control systems (ICS) computers saw some kind of malicious attack during the course of 2022.”
Kaspersky

What are the Challenges of Securing OT Environments?

IT & OT convergence
Even when operating in the same organization, corporate IT systems and Industrial Control Systems (ICS) will have different objectives. However, intensified competition resulting from globalization has propelled the convergence and synergy of the cyber-physical realm and more general and disparate information networks.

Organizations with OT have traditionally tried to reconcile the conflict between IT and OT by attempting to separate them completely into distinct networks. Historically this was accomplished with an air gap, or with a combination of uni-directional firewalls, jump servers, and micro-segmentation, so that any cyber threats that slip into IT systems do not then spread laterally into highly sensitive, mission-critical OT systems.

Regardless of how well an organization separates their IT and OT environments, there are often multiple ways an attacker can move from one environment to the other. Adversaries take advantage of organizations lacking visibility, especially of OT network traffic, and commonly exploit vulnerabilities, including unpatched systems and unnecessary open ports on devices, to move laterally; other TTPs may include directly targeting OT via removable media and rogue devices.

Full visibility across IT and OT ecosystems in a single pane of glass is thus essential for organizations seeking to secure their OT. This is not only to illuminate any points of IT/OT convergence and validate the fact that an air gap exists in the first place, but also to see when an attack persists from IT to OT.

Spillover from corporate network compromises
Industrial control systems and industrial operations are increasingly affected as an unintended side effect of attacks targeting corporate networks. Standard PCs that now form part of a typical ICS are open to the same compromises as their enterprise counterparts. Several cyber security breaches on US power stations have been publicly attributed to this method of attack.

Colonial Pipeline, one of the largest oil pipelines in the US, experienced a ransomware attack in 2021 that targeted their IT systems. While the attack did not directly compromise any operational technology, it cost them approximately $5 million in ransom and forced the organization to shut down operations for nearly a week to avoid risking compromise of their physical pipelines. The shutdown prompted gas shortages across the east coast of the United States. Such incidents demonstrate that indirect compromises pose as significant a threat to operational environments as successful, targeted attacks against ICS.

Introduction of IIoT to ICS
The scope of Operational Technology is broadening with the rise of Industrial Internet of Things (IIoT) devices being integrated into traditional ICS environments. The IoT and IIoT paradigm presents the challenge of managing more complex, dynamic, and potentially exposed industrial networks.

As the shift towards IIoT introduces myriad device classes and an expanded attack surface, complete visibility of the digital ecosystem has become increasingly unattainable. While effectively designed to be interoperable and resilient, industrial control systems are not necessarily easy to protect and are typically extremely difficult to update. Cyber security researchers are particularly concerned about the systemic lack of authentication in the design, deployment, and operation of some existing ICS networks. For this reason, the addition of IoT and IIoT in traditional industrial networks has made it increasingly clear that any connection to the internet can be exploited to access ICS networks that are inherently unsecure by design.

IoT/IIoT increasing the points of initial access to industrial networks poses significant risk, as there are usually a myriad of unpatched vulnerabilities. Patching is extremely difficult within ICS networks, as the inbuilt methods for delivering updates in operational environments are unsuited to the requirement of uninterrupted availability. Security support for operating systems at the point of installation has also proven not to last as long as the control systems themselves. Security teams suffer from the inability to retrofit security features into devices with decades of service life remaining.


Transitioning OT to managed cloud services
Though moving Industrial Control Systems (ICS) to the cloud has been theoretically possible for at least 10 years, the associated risks have meant that uptake has been slow. Operational technology is often bespoke and has traditionally been isolated from the Internet, and so moving OT systems to the cloud can impact reliability, performance, and security. Industrial Control Systems are high-stakes environments: the slightest period of downtime can have significant ramifications for the safety of workers and the business as a whole.

These considerations have traditionally led most organizations to conclude that the benefits of moving ICS to the cloud — namely, making it cheaper and easier to manage, and improving its availability — are outweighed by the risks. Even though workers may be able to remotely control equipment on the factory floor, for example, the threat of those with malicious intent gaining access to the same protocols is a strong reason for organizations to hold back on transitioning to the cloud.

However, the conditions brought about by the COVID-19 pandemic have since brought unique challenges to the management of SCADA systems on site, causing organizations to consider secure ways to slowly transition these environments to the cloud.

As OT converges with IT in the cloud, so too do their respective risks. Only complete and unified visibility across both IT and OT will allow companies to accelerate their digital transformation whilst at the same time managing the associated risks of digitization and of their increasingly dynamic workforces.

Keeping up with changing cyber regulations
Cyber regulations, agencies, and standards are expanding and evolving. These regulations will always be changing to catch up with the changing threat landscape. Similarly, they can often be hard to interpret and apply to unique contexts and situations. Additional challenges to complying with cyber regulations may include complex environments that require different compliance standards, resource constraints, maintaining appropriate documentation, and more.

To address these challenges, OT facilities need to be aware of the cyber regulations that apply to their industry and establish ongoing training on policies and procedures that can help them comply with relevant regulations.

Threats Facing OT Systems


Advanced Persistent Threats (APTs)
APTs are sophisticated and perform highly targeted forms of cyber-attacks. These attacks are typically launched by organizations like nation-states, state-sponsored criminal organizations, and highly capable and developed cybercrime organizations that have the resources to carry out specialized and persistent malicious activity that takes place over extended periods of time and is considerably more effective and disruptive than common cyber-attacks.

In some cases, APTs are part of a larger strategic agenda to disrupt a nation’s critical infrastructure or retrieve sensitive data with malicious intent. These attacks use advanced tactics, such as unique novel malware, in an attempt to move laterally through systems while remaining undetected, leveraging previously unknown vulnerabilities and gaining unauthorized access to information and controls.

Insider threats
Insider threats can come in the form of employees, vendors, contractors, or anyone with access to sensitive systems, data, or information. The cyber risk posed by insiders can be grouped into malicious insiders, such as rogue or disgruntled employees, or accidental, such as a well-meaning employee inadvertently leaking data or introducing a security flaw.

There are generally two types of insider threats: malicious and non-malicious, or accidental. For organizations managing OT, both types originate from personnel who have legitimate privileged access to OT networks and have insider knowledge of assets, configurations, locations, security controls, or vulnerabilities. Of increasing concern to security teams, these personnel can also include external contractors, such as vendors or consultants, who require high levels of access to perform their role.

Compliance breaches, poor cyber hygiene, and disgruntled or rogue employees all pose a greater everyday threat to these systems than APTs or the latest zero day.

Insider threats rarely use attack tools or malware to achieve their goal, rendering signature-based threat detection useless. Instead, they leverage their legitimate access to make changes to native functionality. Rules-based threat detection can be used to prevent certain actions, but playbooks are limited to the imagination of the person implementing them and the time they have to create and maintain them.

Real world insider attacks:
The 2001 sewage spill in Maroochy Shire, Australia, was the first high-profile example of a malicious insider manipulating control systems to impact OT. More recently, the 2021 incident at the Oldsmar Water Facility in Florida was the result of poor cyber security practices. While there is much speculation as to the exact cause of the incident, the root cause appears to have been human error which resulted in changes to intended chemical content levels in drinking water.

Exposed OT initial access point
For some organizations with OT/IoT, the adversary’s intention may not be to target OT and disrupt operations or the physical processes controlled by the OT. Instead, for these organizations, internet-facing unsecured OT, many times in the form of building or warehouse management systems, IIoT, and IoT devices that exist as part of the organization’s expanded network attack surface, may be left exposed and unprotected. If internet-facing, these devices can act as an initial point of access for attackers, who can exploit the device, pivot from it, and move laterally to act upon more critical systems or data.


Ransomware
Ransomware has become an increasingly prevalent threat for organizations operating ICS, with several high-profile attacks hitting organizations in recent years and affecting operations. Many of these organizations provide critical infrastructure, meaning any disruption they suffer as a result of ransomware can have broad societal or safety consequences, and place more pressure on the organizations themselves to deliver ransom payments.

Ransomware can target ICS mechanisms directly, as with EKANS ransomware attacks, or can indirectly impact Operational Technology by disrupting the IT systems which provide essential visibility into them. IT/OT convergence has considerably widened the attack surface for OT ransomware and made it harder to predict where attackers will come from next.

Gaining visibility remains challenging in industrial environments, where decades-old legacy devices, designed without security in mind, are often deployed alongside newer technologies, such as the industrial internet of things (IIoT). This heterogeneous composition makes asset identification and accurate visualization of connections and activity difficult.

Vulnerability management is also a process of diminishing returns. Many advisories for ICS devices have no practical mitigation advice, with the 2021 SANS ICS Security Summit confirming that over a fifth of reported common vulnerabilities and exposures (CVEs) do not include a patch.

Remote access is an emerging attack vector. Many industrial organizations have adopted remote access tools such as TeamViewer to allow employees to control ICS and OT without taking the health risk associated with entering physical premises, creating additional attack paths for threat actors.

A Timeline of High-Profile Industrial Ransomware Attacks

These threats are not mutually exclusive. An APT may leverage a disgruntled employee to exfiltrate sensitive data. Equally, a ransomware gang may well be backed or aided by a nation state. Thus, attribution in OT security can be tricky and demonstrates the limitations of relying on threat intelligence for detection.

What to Consider When Choosing an OT Solution

Does it help meet required compliance regulations?
A large number of OT operators work in critical infrastructure industries (e.g. government/defense, water providers, electric cooperatives, and transportation). This means that there are government-mandated security standards that need to be complied with.

Consider finding an OT security solution that maps out how its solutions and features can help your organization comply with relevant compliance mandates such as NIST, ISA, FERC, TSA, HIPAA, CIS Controls, and more.

Can it integrate with existing technology and systems?
OT and ICS devices make up complex digital environments that can sometimes be further complicated with non-integrated security solutions. Implementation of several point solutions that complete individual tasks runs the risk of increasing workloads for operators and creates additional challenges with compliance, budgeting, and technical support.

Does it have the ability to scale?
As new devices are added and OT environments expand or evolve, static security solutions require constant tuning, updating, and sometimes even an entire overhaul of the security structure.

To keep up with the demands of digitization and the expansion of business, OT security buyers should seek a solution that can grow with their business.

Does it provide visibility and tracking of assets?
In today’s threat landscape, where many attacks target OT infrastructure after first pivoting through IT environments, having a unified view of IT and OT systems has become an invaluable tool for detecting and neutralizing threats before the damage is done.

Similarly, OT security professionals should consider a security solution that provides both active and passive options for keeping track of their digital and physical assets.

Key Benefits:
Active Identification: Accurate enumeration, real time updates, vulnerability assessment, asset validation
Passive Identification: Eliminates risk of operational disruption, minimizes risk, does not generate additional network traffic

Does it use anomaly-based detection?
Anomaly-based detection enhances an organization’s cyber security posture by staying ahead of evolving threats, proactively defending against potential attacks, and maintaining a comprehensive view of their attack surface.

Static baselines cannot keep pace with changes in the diverse technologies used in ICS ecosystems, where legacy devices are often retrofitted and used alongside IIoT. Siloed security solutions also fail to detect attacks that span the entire organization, like malware that enters through a phishing email and moves laterally, disrupting visibility into OT.


Figure 1: The advantages of a combined IT/OT security solution

Can it secure both IT and OT in unison?
Given that most OT cyber-attacks actually start in IT networks before pivoting into OT, investing in an IT security solution rather than an OT-specific solution may at first seem like a better business decision. However, IT solutions fall short if an attacker successfully pivots into the OT network, or if the attacker is a rogue insider who already has direct access to the OT network. A siloed approach to securing either IT or OT in isolation will thus fall short of the full scope needed to safeguard industrial systems.

A mature security posture for critical infrastructure would include security solutions for both IT and OT. Even then, using separate solutions to protect the IT and OT networks is limited, as it presents challenges when defending network boundaries and detecting incidents when an attacker pivots from IT to OT. Under time pressure, a security team does not want changes in visibility, detection, language or interface while trying to determine whether a threat crossed the ‘boundary’ between IT and OT.

Separate solutions can also make detecting an attacker abusing traditional IT attack TTPs within an OT network much harder if the security team is relying on a pure OT solution to defend the OT environment. Examples of this include the abuse of IT remote management tools to affect industrial environments, such as in the suspected cyber-attack at the Florida water facility.

“We needed a solution that would converge IT and OT together to have a single pane of glass where we can look at all the incidents and alerts related to IT and OT.”
Information Security Manager, Media and Entertainment

Darktrace/OT:
A Unified Platform Solution
Organizations providing critical infrastructure must now look to cyber security technology that delivers continuous insights and provides early warning of both indiscriminate and targeted compromises. If an OT network is not monitored in real time, there is no way of knowing if assets have vulnerabilities or not.

Darktrace’s Self-Learning AI technology is a cutting-edge innovation that implements real time prevention, detection, response, and recovery for operational technologies and enables a fundamental shift from the traditional approach to cyber defense by learning a ‘pattern of life’ for every network, device, and user.

Rather than relying on knowledge of past attacks, AI technology learns what is ‘normal’ for its environment, discovering previously unknown threats by detecting subtle shifts in behavior. Through identifying these unexpected anomalies, security teams can investigate novel attacks, discover blind spots, have real-time visibility across all their physical and digital assets, and reduce time to detect, respond to, and triage security events.

“Organizations that used these [AI and automation security] capabilities extensively within their approach experienced, on average, a 108-day shorter time to identify and contain the breach.”
IBM / Cost of a Data Breach Report, 2023

Identify vulnerable assets and harden systems
Preventative security measures like attack surface management, penetration testing, and vulnerability assessment provide security teams with a proactive approach to securing their most critical assets. Being able to identify the most at-risk systems and running emulated attacks allows organizations to harden defenses where attacks are most likely to occur, reducing risk and preventing attacks before they happen.

Darktrace assesses the strategic risks facing an organization by identifying and prioritizing high-value targets and pathways to secure vital internal systems and assets.

Attack surface management
The solution continuously monitors the external attack surface, assessing all your Internet-exposed assets for risks and identifying possible initial access vectors into the core OT network.

Attack path modelling
Maps the most relevant and impactful attack paths through your organization in real time based on the MITRE ATT&CK for Enterprise and for ICS frameworks.

Pentest augmentation
Assesses all potential attack pathways around the clock.

Breach & attack emulation
Deploys de-fanged “attacks” that emulate malware, phishing, spoofing, and other common threats.

Security and awareness training
Identifies users who are exposed or vulnerable to phishing, allowing security teams to tailor training based on real-world data.

Cyber risk prioritization and reporting
Identifies CVEs on OT assets and contextualizes wider possibilities and weaknesses to intelligently prioritize patching recommendations, or the use of other mitigation controls.


Unified visibility across OT, IT, & IoT
Architectures of ICS and their operational networks are complicated and typically undergo many changes by multiple individuals over their lifetime. In ICS environments, segregation and zoning of the network is a critical security control, especially given the lack of security within endpoint devices themselves. In such environments, understanding the correct flow of data on the network and patterns of communication is essential. Darktrace addresses this challenge by observing, analyzing, and capturing communications along with their associated metadata.

Darktrace’s unified view technology can be safely implemented as a separate appliance designed to provide a consolidated view into both OT and IT environments. Its user interface, the Threat Visualizer, uniquely displays all this rich information in an intuitive 3D dashboard that gives the operator a comprehensive, real-time overview of their network. This can be used to investigate whether the control system’s actual behavior matches its intended design.

The Threat Visualizer allows security teams to view real-time information about data flows across OT, IT, and the Industrial Internet of Things, all while Darktrace’s Self-Learning AI continuously compares this activity against expected behavior patterns.

While Cyber AI Analyst can be used to triage and investigate these detections, it is also possible to route the output to an organization’s existing Security Information and Event Management (SIEM) systems to integrate with established processes and procedures.

Figure 2: Darktrace AI generates an incident summary of a suspicious activity at the IT layer followed by an unusual reprogram request on an OT endpoint

OT anomaly detection and real time response
Critical infrastructure organizations control the operations of essential systems such as power grids, water treatment plants, transportation systems, and manufacturing facilities, making operational downtime detrimental to society and a risk to people’s safety. Real time detection and response helps spot early warning signs of a cyber-attack and can significantly reduce operational downtime in the face of an event, allowing organizations to respond quickly and effectively mitigate attacks.

By analyzing all traffic and activity on a granular level in a protocol- and technology-agnostic capacity, Darktrace provides continuous detection, full visibility, actionable insights, and, where appropriate, autonomous response for diverse and complex ICS ecosystems. Darktrace harnesses Self-Learning AI to continuously learn ‘normal’ for all forms of machine and human behavior, identifying deviations indicative of an emerging attack.

Darktrace/OT can be configured to defend all the way down to Level 1 devices in the Purdue model and indirectly into Level 0. It also covers all higher Purdue levels, from supervisory functions and business logistics to enterprise networks (Levels 4 and 5), and beyond into cloud and SaaS. The technology also provides visibility into and around the DMZ.

Figure 3: AI Analyst Incident reporting an unusual reprogram command using the MODBUS protocol. The incident includes a plain English summary, relevant technical information, and the investigation process used by the AI.
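The anomaly-based approach described in the "Does it use anomaly-based detection?" section and illustrated by the Figure 3 incident (an unusual reprogram command over Modbus) can be shown concretely. The following is an added example, not code from the white paper or from Darktrace: it parses Modbus/TCP frames (the 7-byte MBAP header plus function code, as defined in the public Modbus specification), learns which function codes each client/server/unit conversation normally uses during a baseline window, and then flags live frames that deviate, with a high severity when a host that has only ever read registers suddenly issues a write. The hosts, frames and traffic are constructed sample data, and the severity scheme is this example's own.

```python
import struct
from collections import defaultdict

# Function codes from the public Modbus application protocol spec, split by
# whether they change controller state. Only the common subset is listed.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def build_frame(tid, unit, fc, pdu):
    """Build a Modbus/TCP ADU (7-byte MBAP header + PDU). Used here only to
    construct sample traffic; a sensor would read frames off the wire."""
    length = 1 + 1 + len(pdu)                      # unit id + function code + data
    return struct.pack(">HHHB", tid, 0, length, unit) + bytes([fc]) + pdu


def parse_frame(frame):
    """Parse the MBAP header and function code; return None if malformed."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:    # protocol id is always 0
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}


class FunctionCodeBaseline:
    """Learns which function codes each (client, server, unit) conversation
    uses, then scores live frames against that learned pattern."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, src, dst, frame):
        msg = parse_frame(frame)
        if msg is not None:
            self.seen[(src, dst, msg["unit"])].add(msg["fc"])

    def check(self, src, dst, frame):
        """Return an alert dict for a deviation, or None if the frame fits."""
        msg = parse_frame(frame)
        if msg is None:
            return {"severity": "medium", "src": src, "reason": "malformed Modbus/TCP frame"}
        key = (src, dst, msg["unit"])
        fc = msg["fc"]
        if key not in self.seen:
            sev = "high" if fc in WRITE_FUNCTIONS else "medium"
            return {"severity": sev, "src": src, "fc": fc,
                    "reason": f"new client {src} for {dst} unit {msg['unit']}"}
        if fc in self.seen[key]:
            return None
        wrote_before = bool(self.seen[key] & set(WRITE_FUNCTIONS))
        if fc in WRITE_FUNCTIONS and not wrote_before:
            return {"severity": "high", "src": src, "fc": fc,
                    "reason": f"{WRITE_FUNCTIONS[fc]} from {src}, which previously only read from {dst}"}
        return {"severity": "low", "src": src, "fc": fc,
                "reason": f"function code {fc} not previously seen on this conversation"}


# Constructed sample traffic: an HMI that only polls, an engineering
# workstation that legitimately writes, and one PLC answering as unit id 1.
HMI, EWS, PLC = "10.1.2.20", "10.1.2.30", "10.1.3.5"
READ_PDU = struct.pack(">HH", 0, 10)                  # read 10 holding registers from 0
WRITE_PDU = struct.pack(">HHBH", 100, 1, 2, 1200)     # write one register at address 100

BASELINE_TRAFFIC = [(HMI, PLC, build_frame(i, 1, 3, READ_PDU)) for i in range(20)]
BASELINE_TRAFFIC += [(EWS, PLC, build_frame(100, 1, 16, WRITE_PDU)),
                     (EWS, PLC, build_frame(101, 1, 3, READ_PDU))]

LIVE_TRAFFIC = [
    (EWS, PLC, build_frame(200, 1, 16, WRITE_PDU)),       # routine engineering write
    (HMI, PLC, build_frame(201, 1, 3, READ_PDU)),         # routine poll
    (HMI, PLC, build_frame(202, 1, 16, WRITE_PDU)),       # HMI suddenly writes: reprogram-style anomaly
    ("10.1.0.77", PLC, build_frame(203, 1, 3, READ_PDU)), # host never seen talking Modbus
    (HMI, PLC, b"\x00\xcb\x00"),                          # truncated frame
]


def run_detection(baseline=BASELINE_TRAFFIC, live=LIVE_TRAFFIC):
    """Learn from the baseline window, then return alerts raised on live traffic."""
    model = FunctionCodeBaseline()
    for src, dst, frame in baseline:
        model.learn(src, dst, frame)
    alerts = []
    for src, dst, frame in live:
        alert = model.check(src, dst, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection():
        print(a["severity"].upper(), a["reason"])
```

The design point is that no signature of a "bad" write exists: the engineering workstation's write to the same register is accepted because it fits that conversation's history, while the identical frame from the HMI is flagged because that host never wrote before. A production sensor would add a learning period long enough to capture infrequent but legitimate writes, and would key on unit id so that a gateway fronting several devices does not blur them together.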


CASE STUDY

Enforcing policy and IR

Darktrace/OT monitors connections in and out of the OT environment at a large, geographically distributed organization. This organization uses a Secure Remote Access Solution (SRAS) to grant remote personnel access to OT systems.

Because Darktrace ingests logs from the SRAS, it was able to alert the security team to a suspicious remote access attempt. Darktrace determined that the user’s remote access account had become compromised and that a malicious actor was attempting to access critical control systems.

Darktrace autonomously blocked the remote connection by updating firewall rules via an integration. Even without the integration, Darktrace can respond by taking a native response against the jump host, such as blocking matching internal connections to prevent the attacker from reaching further OT devices.

Additionally, the victim organization leverages Darktrace to enforce incident management policies. While Darktrace autonomously responds to the compromised remote access, the security team is prompted with additional human-confirmable response actions:

- Block all incoming connections to the industrial control system, via Darktrace pushing preset rules to the firewall at the security perimeter.
- Isolate the compromised user’s endpoint device via Darktrace/Endpoint.
- Force logout or lock the remote access account of the end user via integration with the remote access solution.
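To make the case study's workflow concrete, here is an added example (not code from the white paper or from Darktrace, and not an SRAS product's real log format) that ingests remote-access log lines, builds a per-account pattern of life (source countries, OT targets, hours of use) from a baseline window, scores each live login against it, and, above a threshold, records the autonomous perimeter block alongside the three human-confirmable actions the case study lists. The log format, account names, addresses and weights are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for the hypothetical SRAS; real products differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sras user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2}) "
    r"target=(?P<target>\S+) result=(?P<result>\S+)$")

# Weight of each deviation from a user's learned profile (example values)
WEIGHTS = {"unknown_account": 2, "new_geo": 2, "new_target": 1, "off_hours": 1}
ALERT_THRESHOLD = 2


def parse_line(line):
    """Parse one SRAS log line into a dict, or None if it is not an SRAS event."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


class RemoteAccessProfile:
    """Per-account pattern of life: source countries, OT targets and hours of use."""

    def __init__(self):
        self.users = defaultdict(lambda: {"geos": set(), "targets": set(), "hours": set()})

    def learn(self, line):
        e = parse_line(line)
        if e and e["result"] == "success":
            p = self.users[e["user"]]
            p["geos"].add(e["geo"])
            p["targets"].add(e["target"])
            p["hours"].add(e["ts"].hour)

    def score(self, event):
        """Return (score, reasons) for an event measured against the profile."""
        p = self.users.get(event["user"])
        reasons = []
        if p is None:
            reasons.append(("unknown_account", f"account {event['user']} never seen on the SRAS"))
        else:
            if event["geo"] not in p["geos"]:
                reasons.append(("new_geo", f"source country {event['geo']} not in profile"))
            if event["target"] not in p["targets"]:
                reasons.append(("new_target", f"{event['target']} never accessed by this user"))
            if event["ts"].hour not in p["hours"]:
                reasons.append(("off_hours", f"login at {event['ts'].hour:02d}:00 UTC outside usual hours"))
        return sum(WEIGHTS[k] for k, _ in reasons), [text for _, text in reasons]


def triage(profile, lines, threshold=ALERT_THRESHOLD):
    """Score live log lines; for each alert record the autonomous action taken
    and the actions left for a human analyst to confirm."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        score, reasons = profile.score(e)
        if score >= threshold:
            alerts.append({
                "user": e["user"], "src": e["src"], "target": e["target"],
                "score": score, "reasons": reasons,
                "autonomous": [f"block remote session from {e['src']} at the perimeter firewall"],
                "confirm": [f"isolate the endpoint of {e['user']}",
                            f"force logout and lock account {e['user']} on the SRAS",
                            "push preset rule blocking all inbound connections to the ICS"],
            })
    return alerts


# Constructed baseline and live log lines (RFC 5737 documentation addresses)
BASELINE_LOG = [
    "2024-03-01T13:05:10Z sras user=jdoe src=198.51.100.23 geo=US target=hmi-01 result=success",
    "2024-03-01T14:40:02Z sras user=jdoe src=198.51.100.23 geo=US target=hmi-02 result=success",
    "2024-03-02T15:12:44Z sras user=jdoe src=198.51.100.40 geo=US target=hmi-01 result=success",
    "2024-03-02T09:00:31Z sras user=mlee src=192.0.2.77 geo=DE target=eng-ws-04 result=success",
]
LIVE_LOG = [
    "2024-03-04T14:02:19Z sras user=jdoe src=198.51.100.23 geo=US target=hmi-01 result=success",
    "2024-03-04T14:30:00Z sras user=jdoe src=198.51.100.23 geo=US target=hmi-03 result=success",
    "2024-03-04T02:13:55Z sras user=jdoe src=203.0.113.9 geo=RO target=plc-03 result=success",
    "2024-03-04T10:15:00Z sras user=svc-backup src=203.0.113.50 geo=NL target=plc-01 result=success",
    "this line is not from the sras",
]


def run_triage():
    """Learn from the baseline window, then triage the live window."""
    profile = RemoteAccessProfile()
    for line in BASELINE_LOG:
        profile.learn(line)
    return triage(profile, LIVE_LOG)


if __name__ == "__main__":
    for a in run_triage():
        print(a["user"], a["score"], "; ".join(a["reasons"]))
```

A single new target (hmi-03) stays below the threshold, since engineers are routinely given new systems, whereas the combination of an unfamiliar country, an unfamiliar PLC and a 02:00 login crosses it. Keeping the autonomous action narrow (the one session) and leaving broader containment to the analyst mirrors the case study's split between what is done immediately and what is confirmed by a human.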

Streamlined workflows for OT/ICS specialists

OT engineer
Provides an operations-focused dashboard for control engineers. This includes a subset of alerts with high operational relevance that are suitable for those with typical controls engineer domain knowledge. This feature grants access to immediate information on emerging threats for fast triage, with the aim of minimal interface time. Further, drawing on Darktrace’s native ability to evolve alongside changes in the ecosystem, no tuning is necessary.

OT explore
Enables a top-down visualization of the OT environment. This provides a time-bounded snapshot of connectivity and also allows users to drill down into the subnet and device level. This can surface unexpected relationships through tags, such as clusters of similar devices not associated prior to exploration.

Vulnerability and asset tracking
Darktrace’s ability to passively identify assets eliminates the risk of operational disruption. Based on the behavior of devices, Darktrace autonomously catalogues IP-connected and non-IP ICS devices. This allows Darktrace/OT to create a profile and full history of all devices seen on the network. This device data is fully searchable with Advanced Search, Elastic Search, API, and OT threat detection models.

Additionally, Darktrace provides an active identification module to be used where desired. The active identification module makes requests to known OT devices to identify them using their observed and current protocol and service port combination.

Gaining visibility into assets in industrial environments is a challenge due to the diversity of devices used in OT and ICS ecosystems, from decades-old legacy devices that are retrofitted, to cutting-edge IIoT.
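The passive approach described above, building a device profile purely from the traffic a device is seen sending or receiving so that nothing is ever sent to a controller, can be illustrated in a few dozen lines. The block below is an added example written for this guide, not Darktrace code; the service-port mapping, the role heuristic and the sample flows are all assumptions constructed for the example.

```python
"""Passive asset cataloguing from observed flows.

Added example, not Darktrace code: it shows the idea behind passive asset
identification, building a profile of every device purely from traffic it is
seen sending or receiving, so no request is ever made to a controller.
Service labels, role heuristics and the sample flows are all assumptions
constructed for this example.
"""
from dataclasses import dataclass, field

# Server-side ports for common ICS and IT services (assumed mapping).
KNOWN_SERVICES = {
    ("tcp", 102): "s7comm",
    ("tcp", 502): "modbus",
    ("tcp", 20000): "dnp3",
    ("tcp", 44818): "ethernet-ip",
    ("udp", 47808): "bacnet",
    ("tcp", 445): "smb",
    ("tcp", 3389): "rdp",
}
ICS_SERVICES = {"s7comm", "modbus", "dnp3", "ethernet-ip", "bacnet"}


@dataclass
class AssetProfile:
    first_seen: int
    last_seen: int
    serves: set = field(default_factory=set)    # services the device answers on
    talks_to: set = field(default_factory=set)  # services the device consumes
    peers: set = field(default_factory=set)     # distinct IPs it exchanged traffic with


def label_service(proto, port):
    """Map a (protocol, server port) pair to a service name, else 'proto/port'."""
    return KNOWN_SERVICES.get((proto, port), f"{proto}/{port}")


def build_inventory(flows):
    """flows: iterable of (epoch_ts, src_ip, dst_ip, proto, dst_port).

    Both endpoints of every flow are catalogued: the destination is recorded
    as serving the port, the source as consuming it.
    """
    inventory = {}
    for ts, src, dst, proto, dport in flows:
        service = label_service(proto, dport)
        for ip in (src, dst):
            prof = inventory.setdefault(ip, AssetProfile(ts, ts))
            prof.first_seen = min(prof.first_seen, ts)
            prof.last_seen = max(prof.last_seen, ts)
        inventory[dst].serves.add(service)
        inventory[src].talks_to.add(service)
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
    return inventory


def classify(profile):
    """Coarse role guess from the services a device serves or consumes (heuristic)."""
    if profile.serves & ICS_SERVICES:
        return "controller"
    if profile.talks_to & ICS_SERVICES:
        return "engineering-or-hmi"
    return "it-host"


# Constructed sample flows: one PLC polled by an HMI and an engineering
# workstation, plus an IT file server the workstation also talks to.
SAMPLE_FLOWS = [
    (1700000000, "10.0.2.20", "10.0.1.10", "tcp", 102),    # EWS -> PLC (S7comm)
    (1700000005, "10.0.2.21", "10.0.1.10", "tcp", 102),    # HMI -> PLC
    (1700000010, "10.0.2.21", "10.0.1.11", "tcp", 502),    # HMI -> RTU (Modbus)
    (1700000015, "10.0.2.20", "10.0.3.5", "tcp", 445),     # EWS -> file server (SMB)
    (1700000020, "10.0.2.20", "10.0.1.10", "tcp", 8443),   # unknown service on the PLC
]


def summarize(flows=SAMPLE_FLOWS):
    """Return {ip: (role, sorted services served, sorted services consumed)}."""
    inv = build_inventory(flows)
    return {ip: (classify(p), sorted(p.serves), sorted(p.talks_to)) for ip, p in inv.items()}


if __name__ == "__main__":
    for ip, (role, serves, talks) in sorted(summarize().items()):
        print(f"{ip:12} {role:20} serves={serves} consumes={talks}")
```

The unknown port 8443 on the PLC is kept in the profile rather than dropped: an unexpected listener on a controller is exactly the kind of detail a passive inventory should surface for follow-up, and it is the case where an optional active check of the protocol/port combination, as the text describes, would be worth running.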

Reduce time to triage and report security events

OT security teams are simultaneously suffering from a skills shortage and tight budgets, remaining perpetually understaffed.

Darktrace’s Cyber AI Analyst augments security and operations teams, providing actionable insights and closing knowledge gaps between IT and OT specialists. By conducting autonomous investigations across IT and OT that automatically triage all unusual behavior and connect the dots among disparate events, AI Analyst generates incident reports which are ‘human readable’, spelled out in attack-phase terminology. Darktrace’s analysis has shown that this reduces time to triage by an average of 92%, putting security teams in a position to immediately take action, allowing them to better maintain availability and integrity as an attack emerges.

Organizations operating critical infrastructure must often comply with legislation like the US Cyber Incident Reporting for Critical Infrastructure Act, requiring prompt cyber incident reporting. Cyber AI Analyst’s high-level summaries of incidents also help organizations that need to generate incident reports for these compliance regulations, using AI-generated natural language summaries to accelerate this process and making it considerably easier for organizations to hit government deadlines.

Figure 4: Darktrace’s Cyber AI Analyst detecting anomalous encryption of a suspicious chain of ICS administrative credentials


Attack Case Studies

Hundreds of critical infrastructure providers across oil and gas, energy and utilities, manufacturing, transportation, and smart cities rely on Darktrace to protect their control environments against all forms of cyber-threat. With years of experience defending highly complex and diverse control systems, Darktrace/OT has become the leading AI technology for industrial cyber defense that works across all existing OT technologies – and is ready for future ones too.

“With its ability to self-learn what’s normal for our organization and take action autonomously, Darktrace’s Cyber AI has fast proven to be our team’s most valuable assistant.”
/ CIO, Manufacturing and Supply

CASE STUDY

Protecting industrial IoT

The mass adoption of IIoT devices has made industrial environments more complex and more vulnerable than ever. Darktrace recently detected a series of pre-existing infections in Industrial IoT (IIoT) devices at a manufacturing firm in the EMEA region.

Self-Learning AI recognized a device exploiting the SMBv1 protocol in order to attempt lateral movement. Darktrace also detected the device abusing default vendor credentials for device enumeration. The device made a large number of unusual connections, including connections to internal endpoints of which the company had previously been unaware. As these occurred, Darktrace illuminated the unusual activity’s spread from the infected device across the infrastructure.

In total, Darktrace identified 13 infected production devices. This ‘unknown known’ threat was detected without any prior knowledge of the devices, their supplier, or patch history, and without using malware signatures or IoCs.

By casting light on this previously unknown threat, Darktrace enabled the customer to perform full incident response and threat investigation before the attack caused any serious damage to the company.

Figure 5: Darktrace’s unified view provides complete visibility across IT and OT



CASE STUDY

Conti ransomware

In late 2021, Darktrace identified a Conti ransomware attack targeting an OT R&D investment firm in Europe.

A compromised domain controller led to the infection of several devices, which performed network reconnaissance as the attacker began to escalate their privileges within the organization.

The ransomware payload was delivered when infected OT devices used SMB to connect to a folder on the domain controller and read a malicious executable file. This payload stayed dormant for some weeks while cryptomining software was installed elsewhere on the network. The device made successful C2 connections to around 40 unique external endpoints, and Darktrace detected beaconing-type behavior over suspicious TCP/SSL ports including 465, 995, 2078, and 2222.

Darktrace detected every stage of the intrusion, and Cyber AI Analyst stitched together many forms of unusual activity across the compromised devices to give a clear security narrative containing details of the attack. Had the target organization deployed Autonomous Response, or reacted to Darktrace’s threat notifications, this ransomware attack would have been stopped in its earliest stages. The incident report for the Historian server is shown below. This provides a clear illustration of how Cyber AI Analyst can close any skills or communication gap between IT and OT specialists.
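The “beaconing-type behavior” the case study refers to is, at its simplest, the same internal host reaching the same external endpoint at near-constant intervals. The block below is an added example for this guide, not Darktrace code: it scores each (source, destination, port) group by the regularity of its inter-arrival times and annotates findings on the ports the case study names. The log format and the sample lines are constructed for the example.

```python
"""Beaconing-type behaviour detection over connection logs.

Added example, not Darktrace code: it implements one generic way to surface
the pattern the case study describes, repeated outbound connections to the
same external endpoint at regular intervals, and notes when the destination
port is one the case study lists. Log format and sample lines are constructed.
"""
import statistics
from collections import defaultdict

# Ports the case study names as the ones the beaconing used; treated here
# purely to annotate findings (assumption, not an allowlist or blocklist).
CASE_STUDY_PORTS = {465, 995, 2078, 2222}


def parse_line(line):
    """Constructed format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def find_beacons(lines, min_events=5, max_cv=0.2):
    """Group connections by (src, dst, port) and flag groups whose inter-arrival
    times are regular: coefficient of variation (stdev / mean) <= max_cv.
    Groups with fewer than min_events connections are ignored.
    """
    groups = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        groups[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "events": len(times),
                "mean_gap_s": round(mean_gap, 1),
                "cv": round(cv, 3),
                "case_study_port": port in CASE_STUDY_PORTS,
            })
    return findings


# Constructed sample: one host connecting every ~60 s (small jitter) to an
# external IP on 2222, and the same host making irregular internal SMB
# connections that should not be flagged.
SAMPLE_LOG = """\
1700000000 10.10.5.20 203.0.113.7 2222
1700000061 10.10.5.20 203.0.113.7 2222
1700000119 10.10.5.20 203.0.113.7 2222
1700000180 10.10.5.20 203.0.113.7 2222
1700000242 10.10.5.20 203.0.113.7 2222
1700000299 10.10.5.20 203.0.113.7 2222
1700000005 10.10.5.20 10.10.5.5 445
1700000017 10.10.5.20 10.10.5.5 445
1700000095 10.10.5.20 10.10.5.5 445
1700000100 10.10.5.20 10.10.5.5 445
1700000260 10.10.5.20 10.10.5.5 445
1700000300 10.10.5.20 10.10.5.5 445
""".splitlines()


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} events={f['events']} "
              f"mean_gap={f['mean_gap_s']}s cv={f['cv']} "
              f"case_study_port={f['case_study_port']}")
```

The coefficient of variation is used rather than a fixed interval so that jittered beacons still score as regular; in a real deployment the threshold, the minimum event count and the baseline of which external endpoints a given OT host normally talks to are what separate a beacon from a legitimate poller such as an NTP or licensing check.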

Figure 6: Cyber AI Analyst incident report for the Historian server (abc-histdev). It investigated and reported the C2 communication (step 2) that started just before network reconnaissance using TCP scanning (step 3) and the subsequent file encryption over SMB (step 4).


CASE STUDY

Spotting insider threats

Darktrace/OT detected a subtle deviation from normal behavior when a reprogram command was sent by an engineering workstation to a PLC controlling a pump, an action an insider threat with legitimized access to OT systems would take to alter the physical process without any malware involved.

In this instance, AI Analyst, Darktrace’s investigation tool that triages events to reveal the full security incident, detected the event as unusual based on multiple metrics including the source of the command, the destination device, the time of the activity, and the command itself.

As a result, AI Analyst created a complete security incident, with a natural language summary, the technical details of the activity, and an investigation process explaining how it came to its conclusion. By leveraging Explainable AI, a security team can quickly triage and escalate Darktrace incidents in real time before they become disruptive, even when performed by a trusted insider.

“Cyber AI can detect cyber-threats before damage is done – whether they arise from an employee or from the industrial systems on our production floor. You need AI in place to quickly identify and respond to threats – you truly can’t put a dollar value on Darktrace.”
/ Director of Infrastructure and Technical Services, Produce Manufacturing
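The case study names four metrics on which the reprogram command was judged unusual: the source, the destination, the time of the activity and the command itself. The block below is an added example written for this guide, not Darktrace code, showing how a single command can be scored against a learned history on those metrics and why the result is explainable (each point comes with a stated reason). Host names, command names and the history are constructed for the example.

```python
"""Scoring a PLC command against a learned baseline of engineering activity.

Added example, not Darktrace code: it shows how one command can be judged
unusual on several metrics at once, the source, the destination, the time of
day and the command itself, as the case study describes. Command names, host
names and the history are constructed for this example.
"""
from collections import Counter
from datetime import datetime

# Commands that alter controller logic or the process, as opposed to reads.
# Assumption: illustrative names, not any vendor's protocol function codes.
WRITE_CLASS = {"download_program", "write_setpoint", "force_output", "stop_cpu"}


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(history):
    """history: list of dicts with keys ts (ISO 8601), src, dst, func."""
    base = {"pair": Counter(), "triple": Counter(), "src_hour": Counter()}
    for ev in history:
        base["pair"][(ev["src"], ev["dst"])] += 1
        base["triple"][(ev["src"], ev["dst"], ev["func"])] += 1
        base["src_hour"][(ev["src"], _hour(ev["ts"]))] += 1
    return base


def score_event(baseline, ev):
    """Return (score, reasons). One point per novel feature; write-class
    commands count double because they can change the physical process."""
    reasons = []
    if baseline["pair"][(ev["src"], ev["dst"])] == 0:
        reasons.append("source has never communicated with this destination")
    if baseline["triple"][(ev["src"], ev["dst"], ev["func"])] == 0:
        reasons.append(f"'{ev['func']}' never seen from this source to this PLC")
    if baseline["src_hour"][(ev["src"], _hour(ev["ts"]))] == 0:
        reasons.append("source has never been active at this hour of day")
    weight = 2 if ev["func"] in WRITE_CLASS else 1
    return len(reasons) * weight, reasons


# Constructed history: routine daytime reads and one sanctioned program download.
HISTORY = [
    {"ts": "2023-03-06T09:02:00", "src": "ews-01", "dst": "plc-pump-07", "func": "read_status"},
    {"ts": "2023-03-07T11:15:00", "src": "ews-01", "dst": "plc-pump-07", "func": "read_status"},
    {"ts": "2023-03-08T14:40:00", "src": "ews-01", "dst": "plc-valve-03", "func": "read_status"},
    {"ts": "2023-03-09T10:30:00", "src": "ews-02", "dst": "plc-pump-07", "func": "download_program"},
    {"ts": "2023-03-10T15:05:00", "src": "hmi-01", "dst": "plc-pump-07", "func": "read_status"},
]

# A reprogram of the pump PLC at 03:12 from a workstation that only ever read it.
CANDIDATE = {"ts": "2023-03-12T03:12:00", "src": "ews-01", "dst": "plc-pump-07", "func": "download_program"}
# The same workstation doing what it usually does.
ROUTINE = {"ts": "2023-03-13T09:40:00", "src": "ews-01", "dst": "plc-pump-07", "func": "read_status"}


def evaluate(history=HISTORY, events=(CANDIDATE, ROUTINE)):
    """Score each event against the baseline built from history."""
    base = build_baseline(history)
    return [score_event(base, ev) for ev in events]


if __name__ == "__main__":
    for ev, (score, reasons) in zip((CANDIDATE, ROUTINE), evaluate()):
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']} {ev['func']}: score {score}")
        for r in reasons:
            print("   -", r)
```

Note that the candidate is not flagged for the source/destination pair, which the workstation has used many times; it is the combination of a write-class command that this source has never issued to this PLC, at an hour when the source has never been active, that lifts the score. That is the point the case study makes: a legitimate host with legitimate access can still produce an incident when the command and its timing fall outside its learned pattern.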

Figure 7: AI Analyst revealing a suspicious chain of OT and administrative connections


About Darktrace

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Its technology continuously learns and updates its knowledge of ‘you’ for an organization and applies that understanding to achieve an optimal state of cyber security. Breakthrough innovations from its R&D Centers have resulted in over 145 patent applications filed. Darktrace employs over 2,200 people around the world and protects c.8,800 organizations globally from advanced cyber-threats.

North America: +1 (415) 229 9100 | Europe: +44 (0) 1223 394 100 | Asia-Pacific: +65 6804 5010 | Latin America: +55 11 97242 2011 | [email protected] | darktrace.com

Evolving threats call for evolved thinking™

© 2023 Darktrace Holdings Limited. All rights reserved. The Darktrace name, logo, and other trademarks used herein are trademarks of Darktrace Holdings Limited.
The names of other companies, products and services are the property of their respective owners.
