Critical infrastructure is an essential element of everyday life and of national security, and damage to it in any form has a far-reaching effect on the economic and social climate of a country. That is why state-owned or private companies that control vast networks connected to the Internet of Things (IoT) need protection solutions that provide them with an advanced level of security, as well as increased visibility of threats and risks coming from cyberspace. Azure Defender for IoT and the Darktrace Industrial Immune System are two of the security solutions used by Safetech.
The most competent American institutions (CISA, NSA) recommend that organizations make a precise and detailed map of their OT (Operational Technology) infrastructure. It is also necessary to use a validated asset inventory to investigate and determine the specific risks associated with existing OT devices, and to implement a continuous and vigilant system monitoring program with anomaly detection.
Azure Defender for IoT is the solution formerly known as CyberX, relatively recently acquired by Microsoft. Developed by an Israeli team with rich experience in securing industrial IT environments, the solution is built by them specifically for OT environments. Azure Defender is very easy to implement and includes native integration with the technologies most used by incident response teams (Azure Sentinel, Splunk, ServiceNow, etc.).
The system can detect unauthorized changes within the network, identify OT protocols, and inspect traffic inside OT protocols for packet structures and field values that do not meet protocol specifications. Azure Defender for IoT can also detect behaviour that deviates from a normal business day, attacker behaviour and malware activity, and any anomalies within the network, by passively listening to traffic and discovering all equipment within the network. Operational incidents or equipment that has failed may also be detected.
The implementation is simple and sits at the meeting point between the IT environment and the OT environment. The control part, a central management console, is placed in the IT environment. In the OT part there are only sensors that listen to the traffic copied from the switches, through port mirroring, SPAN or TAP mechanisms, depending on the situation.
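To illustrate the two detection ideas above (protocol-specification checks and deviation from a learned baseline) in working code, here is an added example that is not part of the original page nor of either product. It assumes Modbus/TCP as the OT protocol (the page names none), uses constructed sample frames and placeholder addresses, and implements a minimal passive sensor: each frame is checked against the MBAP header rules, and the (source, destination, function code) tuples seen during a learning window become the baseline that later traffic is compared against.

```python
import struct

# Assumption: Modbus/TCP. MBAP header = transaction id (2), protocol id (2, must be 0),
# length (2, bytes that follow the length field), unit id (1); then PDU = function code (1) + data.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16, 23}

def validate_frame(frame):
    """Return a list of protocol-spec violations found in one frame (empty list = well-formed)."""
    findings = []
    if len(frame) < 8:
        return ["frame shorter than MBAP header plus function code"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        findings.append(f"protocol id {proto} != 0")
    if length != len(frame) - 6:
        findings.append(f"length field {length} != actual {len(frame) - 6}")
    fc = frame[7]
    if fc not in PUBLIC_FUNCTION_CODES:
        findings.append(f"unexpected function code {fc}")
    if fc == 6 and len(frame) != 12:  # write single register: address (2) + value (2)
        findings.append("write single register PDU must carry exactly 4 data bytes")
    return findings

def analyze(events, learning_events):
    """events: (src, dst, frame) tuples in capture order; the first `learning_events`
    form the baseline. Returns (src, dst, kind, detail) alerts for the remaining traffic."""
    seen, alerts = set(), []
    for i, (src, dst, frame) in enumerate(events):
        key = (src, dst, frame[7] if len(frame) > 7 else None)
        if i < learning_events:
            seen.add(key)          # learning window: record what normal looks like
            continue
        for violation in validate_frame(frame):
            alerts.append((src, dst, "spec", violation))
        if key not in seen:        # a conversation never seen during the baseline window
            alerts.append((src, dst, "behaviour", f"new conversation {src}->{dst} fc={key[2]}"))
    return alerts

# Constructed sample frames (hex), not captured from any real network.
READ_HR = bytes.fromhex("00010000000601030000000a")   # read 10 holding registers, well-formed
WRITE_OK = bytes.fromhex("000400000006010600100001")  # write single register, well-formed
BAD_PROTO = bytes.fromhex("00020001000601030000000a") # protocol id 1 violates the spec
BAD_WRITE = bytes.fromhex("0003000000050106001000")   # fc 6 with only 3 data bytes
HMI, ENG, PLC = "10.0.0.5", "10.0.0.9", "10.0.0.20"   # placeholder addresses
SAMPLE_EVENTS = [(HMI, PLC, READ_HR), (HMI, PLC, READ_HR), (HMI, PLC, READ_HR),
                 (ENG, PLC, WRITE_OK), (HMI, PLC, BAD_PROTO), (ENG, PLC, BAD_WRITE)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, learning_events=2):
        print(alert)
```

Running it reports one behaviour alert for the engineering station's first write, one spec alert for the bad protocol id, and both a spec and a behaviour alert for the malformed write.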
New, never-before-seen threats (zero-days) easily evade lists, rules and signatures. Methods based on historical information cannot keep up with the attackers' rapid progress, nor with the transformations in the industrial infrastructure itself. The Darktrace Industrial Immune System is a response to this kind of challenge. The system leverages advanced artificial intelligence to identify zero-day threats in real time.
Regardless of technology and protocols, self-learning artificial intelligence evolves as the industrial environment changes, allowing it to stay one step ahead of the attackers.
Darktrace learns the "pattern of normal life" of each individual industrial environment and can detect sophisticated threats by spotting subtle deviations from it. The system analyzes behaviour, not content, which allows it to detect and prevent abnormal incidents regardless of the source of the threat or the specific technology compromised, whether it is a PLC, SCADA, an HMI, a new integration (e.g. IIoT) or a workflow innovation (e.g. ICSaaS).
Safetech uses these solutions in its ongoing monitoring and incident response activity, for customers in Romania as well as for customers outside the country.