WHITE PAPER

Cyber Security for Corporate and Industrial Control Systems

Darktrace Industrial Immune System Provides Continuous Threat Monitoring for Oil &
Gas, Energy, Utilities, and Manufacturing Plants
 Darktrace named Gartner 'Cool Vendor' 2015

"CISOs responsible for cyber security strategies should

consider solutions for advanced persistent threat detection and
analysis that can be used across both IT and OT environments."
Randy Rhodes, Zarko Sumic, Earl Perkins, Gartner Cool Vendors in Energy and
Utilities, 2015

"The worst case scenario is a critical infrastructure attack, and

these organizations are ill prepared to deal with it."
Dr Larry Ponemon, Founder of Ponemon Institute
Executive Summary
Industrial Control Systems (ICS) underpin both individual businesses and large parts of the National Critical Infrastructure.
They maintain control over facilities such as power stations, water distribution and car production lines. Historically they
were kept separate from corporate networks, but significant achievable business benefits are driving a convergence
between Operational Technology (OT) systems, such as ICS, and the corporate Information Technology (IT) environment,
and hence the wider internet.

The business of cyber security has changed dramatically in the past few years, presenting a significant challenge to
management teams across all industries and business domains. Organizations today are in a unique position to quantifiably
outpace threats and manage them to minimize organizational impact, whether that be reputational, financial or physical.
We see an increasing trend toward IT security teams taking on more accountability and responsibility for securing the OT
systems, which require different specialist skills and working practices. This cultural and technical convergence will be a
steep learning curve, one to be overcome.

Now open to the same attack vectors used in the majority of cyber-attacks, ICS devices are inherently much less secure but
their compromise can lead to enormous physical damage and danger to human lives. Ever since the Stuxnet malware was
widely reported in 2010, threats to industrial systems have grown rapidly in both number and capability. This was made
clear in the 2014 compromise of a German steel mill that caused massive damage to a blast furnace. Ongoing malware
campaigns such as Energetic Bear are actively acquiring critical data about control systems, while quietly maintaining
persistent access. Existing defenses such as firewalls have repeatedly proven inadequate on their own, especially against
insiders who may already have privileged access.

Darktraces Industrial Immune System is a fundamental innovation that views data from an ICS network in real time,
and establishes an evolving baseline for what is normal for operators, workstations and automated systems within that
environment. Advanced Bayesian mathematics and cutting-edge machine learning detect abnormal behavior and flag
it for investigation, capable of discovering previously unknown attacks as they emerge. Total prevention of all cyber
compromises is not a realistic goal but, if identified early enough, threats can be mitigated before they become a full-
blown crisis. Darktraces technology can be deployed across both IT and OT environments to provide full coverage of an
organization.

3
Enabling Modern Industry Enhanced performance through cost and time
saving which allows for the smooth transition
Industrial Control Systems (ICS) are at the heart of of newly-developed products into existing
modern industry, monitoring and controlling complex manufacturing operations, reducing time to market
processes and equipment. Many businesses are Business optimization using data transferred
wholly underpinned by the reliable functioning of between IT and OT environments
this Operational Technology (OT), such as automated
production lines at car manufacturing plants. For The breakdown of this cultural divide between OT and
organizations that form part of the National Critical IT staffs will often require CISOs to manage across
Infrastructure, the consequences of unplanned teams that historically have different approaches to
outages are far-reaching, being responsible for cyber security. During this convergence the assurance
maintaining utilities such as power, heating and clean of long-term reliability and safety requires CISOs to
water to huge numbers of households and places of reshape enterprise security practices. The merging
work. In many industrial processes, reliability of an ICS of specialized OT systems with IT technologies and
has a direct and immediate impact on the safety of endpoints will require CISOs to assume responsibility
human lives. for OT cyber security without specialized OT skills or
in matrix-based organizational environments, thereby
exposing new technology and change-management
risks. This gap in skill sets as IT and OT systems converge
ICS and SCADA will generate new cyber security problems as attacks
ICS is an umbrella term covering many historically become more focused and sophisticated. A strategic
different types of control system such as SCADA and unified approach to cyber security will inevitably
(Supervisory Control and Data Acquisition) and DCS benefit organizations, allowing them to operate in a
(Distributed Control Systems). Also known as IACS more reliable and efficient manner.
(Industrial Automation and Control Systems), they are
a form of Operational Technology. In practice, media Industrial Control Systems face numerous cyber-
publications often use SCADA interchangeably with security threat vectors with varying degrees of potential
ICS. loss, ranging from non-compliance to disruption of
operations which could result in destruction of property
and, unfortunately, potential loss of human life.
Corporate Information Technology (IT) systems and
Industrial Control Systems have different objectives, Examples of potential ICS-related threats include:
even when operating within the same organization. Advanced Persistent Threats (APTs)
While IT and OT often speak different languages, cyber- Unintended spillover of corporate network
attacks across both environments have continued to compromises
evolve to become more targeted and destructive. When Disruption of voice & data network services
it comes to ICS, reliability is the primary concern as Coordinated physical & cyber-attack
attackers aim to disrupt the critical services customers Insider sabotage
rely upon. Hacktivist attacks
Supply chain disruption or compromise
IT and OT systems are converging, driven primarily by Catastrophic human error
economic pressures resulting from globalization and Distributed Denial of Service (DDOS)
intensifying competition, along with the benefits and
eventual competitive advantages that stem from the The cost is significantly higher to remediate a system
integration of these disciplines. These benefits include; than to detect a cyber threat early, not only in time
and money, but also in safety and reputation. Legacy
Cost reduction by applying similar technology,
approaches have fallen short as evidenced by cyber-
standards and governance principles for IT and OT,
attacks ranging from the infamous Stuxnet to a recent
including remote management
German steel mill compromise. What if the Saudi
Risk reduction through jointly addressing safety Aramco attack had been aimed at critical infrastructure
issues, leading to an integrated approach that instead of business workstations?
provides enhanced security against cyber intrusions
from outside the company and to central cyber-
security governance within the company

4
ICS Cyber Security Issues well documented and easily exploited. The use of a VPN
(Virtual Private Network) is also not sufficient protection
Historically, industrial control environments were air- for ICS users as this can be trivially bypassed with
gapped; physically isolated from corporate networks physical access to network switches and never provides
and the internet. However, computer viruses and end-to-end coverage. ICS vendors are increasingly
other forms of cyber-attacks such as Stuxnet [1] and urging CISOs to converge their approaches to IT and
agent.btz [2] have been known to bridge the gap OT cyber security, with an equal level of caution and
by exploiting security holes related to the handling depth in defense strategy.
of removable media, or simple human error. While
security is an upside of having a seemingly closed or
isolated system, the downside includes the limited Challenges Facing Industry
access or inability to access enterprise decision
making data or to allow control engineers to monitor Industry faces a growing challenge in dealing with
systems from other networks. Additionally, ICS often cyber threats, both external and internal. There are
tie together decentralized facilities such as power, oil an increasing number of threat actors with both the
& gas pipelines, water distribution and wastewater motivation and capability to compromise industrial
collection systems, among many others, where the control networks and devices. The consequences of
network is hard to physically secure. compromise range from damaging to catastrophic,
from immediate physical harm to long-term industrial
ICS systems, whilst effectively designed to be espionage.
interoperable and resilient, are not necessarily
secure. With the increasing number of connections Control engineers historically have not had to worry
between ICS systems, corporate networks and the about cyber threats coming through corporate IT
internet, combined with the move from proprietary systems, while IT security staff have had little to do with
technologies to more standardized and open solutions, the fundamental differences in control systems or the
they are becoming more susceptible to the kind of physical equipment that those systems manage. ICS
network attacks that are found more commonly in IT devices are inherently insecure, and extremely difficult
environments. to update with even the rudimentary protections that
are possible.
Cyber-security researchers are particularly concerned
about the systemic lack of authentication in the
design, deployment and operation of some existing
ICS networks and the belief that they are completely A New Approach: Darktrace and the
secure simply because they are physically secure. It Immune System
has become clear that any possible connection to the
Utilities, OT-centric industries and other national
internet can be exploited, even if it is not direct. ICS-
infrastructure organizations, are challenged with
specific protocols and proprietary interfaces are now
rethinking cyber security across all technologies to
deliver continuous insight that provides early warning
of both indiscriminate and targeted compromises,
supported by mechanisms that can manage incidents
"Darktrace adds another level before they become a business crisis. Total prevention
of sophistication to our defense of compromise at any cost is untenable, however,
detection and response to prevent a crisis from
systems, and had already developing is an achievable cyber security goal in an IT/
identified threats with the potential OT environment.
to disrupt out networks."
Darktraces Industrial Immune System for ICS is a
Martin Sloan, Group Head of Security, Drax fundamental innovation that implements a real-
time immune system for operational technologies
and enables a fundamental shift in the approach to
cyber defense. Based on groundbreaking advances in
Bayesian probability theory and powered by cutting-
edge machine learning, Darktrace analyzes data and

5
creates a unique behavioral understanding of self attributed to this; the Davis-Besse nuclear power station
for each user and device within the network and, like a (Ohio, USA) when safety systems were crippled by the
biological immune system, it detects threats that cannot Slammer worm [5], the Browns Ferry nuclear power
be defined in advance by identifying even subtle shifts station (Alabama, USA) being manually scrammed as a
in expected behavior. People and devices all behave result of a drastic increase in network traffic [3], and the
in a unique way that necessarily differs from their Hatch nuclear power station (Georgia, USA) due to a
peers to varying degrees. However, their behaviors are faulty software update on a business network machine
significantly more predictable when compared to their that communicated with the control network [6].
historical behaviors and patterns of change.

With Darktraces self-learning immune system, German Steel Mill

organizations are able to detect and respond to At the end of 2014, the most significantly publicized
emerging threats, even if novel or tailored, and attack since Stuxnet was revealed in a German report
regardless of whether they originate in either the IT disclosing that hackers had struck an unnamed steel
or operational domains, or traverse between them. mill in Germany [7]. This was a targeted Advanced
By identifying unexpected anomalies in behavior, Persistent Threat (APT) compromise, beginning with a
defenders are able to investigate malware compromises spear-phishing attack that enabled the hackers to gain
and insider risks as they emerge and throughout stages initial access onto the office network of the steelworks.
of the attack lifecycle. Darktrace provides the real-time From there, they were able to successfully explore the
visibility required to make intelligence-based decisions companys networks and eventually manipulate and
in live situations, while enabling in-depth investigations disrupt the production networks. Failures of individual
into historical activity. control components accelerated, resulting in a blast
furnace being unable to shut down which caused
massive damage to the installation.
Real Vulnerability
Reconnaissance and Pre-positioning
While it is likely that many attacks are never revealed to
the public, the list of known compromises is growing. The goals of the largest known ongoing ICS attack
The most notorious incident that arguably propelled the campaigns have mostly shifted away from active
vulnerability of ICS into the mainstream consciousness sabotage to long-term persistent compromise and
was the discovery of the Stuxnet attack in June 2010 reconnaissance. Recently the Energetic Bear campaign
[1], a weaponized form of malware. Stuxnet targeted has used the Havex [8] Remote Access Trojan (RAT) and
the Natanz nuclear facilities in Iran with great precision, the Sandworm APT group have been using a variant of
causing nuclear centrifuge equipment to wear out at a the BlackEnergy malware [9]. In both cases ICS-CERT,
vastly increased rate. the USAs Industrial Control Systems Cyber Emergency
Response Team, have long-running alerts tracking
them [10][11]. Both provide persistent external access
Sabotage and Shutdowns to compromised control networks and are capable
of downloading additional modules to enhance their
Significant attacks have been made by former
capability. Having identified all of the devices in a
employees who wrongfully retained access following
network, it would be simple for them to download
dismissal, such as Mario Azar, who was indicted for
additional sabotage modules and cause immediate,
disabling a computer system detecting pipeline leaks
widespread damage.
in Southern California [3]. Attacks by individuals
who never possessed legitimate access include the
Havex was targeted against ICS customers by using
compromise of the South Houston, TX water system.
a highly effective watering-hole attack, where the
[4].
attackers compromised three legitimate ICS vendor
websites and replaced real software updates with
ICS networks have also been damaged as unintended
versions already containing the malware. There was no
side effects of problems starting in corporate networks
possible way for traditional network defenses such as
that took advantage of the increasing connectivity,
border firewalls to protect against this, and standard
proving clearly that the standard PCs which now form
procedures employed in many corporations would
part of a typical ICS are open to the same compromises
have trusted the trojanized updates and added them
as their enterprise counterparts. At least three
to internal whitelists of software for authorized use.
problems at major power stations have been publicly

6
If an environment is infected in this manner, only its Passive Observation
unique behavior, once installed on the ICS network,
could be used to detect Havexs presence. Connecting new devices into a corporate network is
straightforward and routine, with little attached risk.
A survey published in April 2014 by the SANS Institute The same is not true of industrial networks, where for
[12] reported a significant increase in the number of many applications even the slightest interruption in
identified or reported breaches of control systems service could be damaging. This is why larger and more
over just the previous twelve months. Respondents critical networks are left as untouched as possible
also noted that their ability to protect these systems between planned outages.
had not improved within the same period. This is a
chilling indictment of the challenges facing the OT The Darktrace appliance runs on a server that is
cyber-security efforts of organizations today. connected completely passively to an ICS network,
receiving copies of as much communication traffic
as possible. It does not interfere with the operation
Darktrace Technology of the control network in any way, flagging anomalies
for investigation but not attempting to influence the
New vulnerabilities are emerging at a pace that is situation. The appliance receives copies of raw network
difficult to keep up with, and looking only for published data using the built-in port mirroring or spanning
historical attack types is an unsuitable approach for capabilities of network switches, or using fail-safe
operationally important environments. Darktrace does taps, sometimes via an aggregator to bring together
not require a priori assumptions about environments numerous connections in one location.
or threats, and can therefore detect the unknown
unknown threats that are as yet unidentified, either ICS networks are deliberately segregated into Trust
because they are novel or have been tailored to a Levels as defined by the ISA95/Purdue reference model
particular defender. [13], depending on how much each device on the
network is trusted to behave as expected. Darktrace
The Darktrace architecture continues to adapt and can be connected at Level 2 (supervisory control), Level
self-learn throughout its entire deployment. Its 3 (data servers) and Level 4 (IT networks) to provide
understanding is constantly being revised and refined defense in depth. It also extends cyber-security
in light of new evidence as it ingests and analyzes new coverage down into Level 1 (field devices).
information - the more data it sees, the more it learns.
This adaption means that no new or customized threat A highly flexible, distributed architecture allows
has the ability to hide from Darktrace. Whenever an Darktrace to securely cover multiple Trust Levels and
abnormal change to behavior takes place within the the wide variety of network topologies within and
environment, the Industrial Immune System identifies between them. Examples include wholly separate
deviations from the learned pattern of life and alerts appliances for each Trust Level, or multiple appliances
the organization to the possible threat. Changes that within a widely distributed single Trust Level with
are not real threats are incorporated into Darktraces a master appliance providing a single interface. If
evolving understanding of normality. required, a network diode device could guarantee that
a channel for moving data from one Trust Level to a
The advanced mathematics inside Darktrace make it higher Trust Level to reach a single appliance covering
uniquely capable of highlighting significant potential both cannot be used to communicate in the other
threats without burying them beneath many direction.
misguided, insignificant or repeating alerts. Far more
than a set of simple rules applied to network traffic,
it can correlate many subtle indicators separated by
location or time into strong evidence of a real emerging
threat, meaning that security analysts are not flooded
with false positives.

Darktraces Threat Visualizer interface can be used

to manage these detections, but it is also possible to
route the output to an organizations existing Security
Information and Event Management (SIEM) system, to
integrate with established processes and procedures.

7
 Visibility Into Industrial Control Systems
Darktrace Proof of Value Architectures of ICS systems and their operational
networks are often documented to a standard that
Darktrace's Proof of Value (POV) allows organizations exceeds corporate equivalents, but these long-lived
to experience first-hand its Industrial Immune environments are complicated and will typically have
System's ability to detect previously unseen threats undergone many changes by multiple individuals over
and anomalous behaviors within a customers own their lifetime. Knowing and understanding what is
environment. Along with the POV, Darktrace provides genuinely happening inside the environment can be a
access to our Threat Visualizer (below) for use during real challenge. Darktrace addresses this challenge by
the POV as well as weekly Threat Intelligence Reports observing, analyzing and capturing communications
produced by its team of cyber security specialists. along with their associated metadata.
Some organizations prefer to trial Darktrace on their
corporate IT systems to confirm the passive and In addition to its core identification of anomalous
secure operation before engaging installation into ICS activity and possible compromise, Darktraces Threat
networks. Visualizer interface uniquely displays all this rich
information in an intuitive 3D dashboard that allows
the operator to get a true and real-time overview of
what is happening. This can be used to investigate
whether the control systems real behavior matches its
intended design.

Darktraces Industrial Immune System retains all of the

capabilities of Darktrace in the corporate environment,
and will ideally be deployed observing both the ICS
and corporate networks. The most likely attack vector
for ICS compromise is the IT network. Discovering
threats while still within the corporate network vastly
increases the defense-in-depth of the control system.
This also protects confidential data about the control
system stored on corporate servers, which might
include detailed operational diagrams, device details
or efficiency and safety reports.

Fig. 1 - Threat Visualizer

8
 Insider Threat
Threat from trusted insiders is an important consideration for OT environments. Over the long lifecycles
involved with the building and utilization of infrastructure and manufacturing equipment, a large number of
different individuals, including both permanent staff and short-term contracted specialists, will usually have
interacted with control systems. Many of them will have had privileges that allow them to modify configurations
or the underlying software and hardware.

Vetting and training staff can reduce but not eliminate the risk of insider incidents from occurring. These
incidents can be unintentional due to a mistake or intended short-cut that puts something important at risk, or
a deliberate act by a disaffected or ideologically motivated individual. The increased access and organizational
familiarity that insiders have means their malicious actions can be very well targeted and effective at disrupting
operations. They also have a greater ability to interfere with monitoring or masquerade as others, making their
activities harder to identify and attribute.

Insider risk is a serious challenge often underestimated in breadth. When supply chains or contractors are
involved, it becomes impossible to draw a neat line between inside and outside. We need to trust people in
our extended organizations with the access and privilege that they require to do their jobs, but we also need
mechanisms to identify when something is going wrong and needs to be corrected.

Traditional network border defenses such as firewalls perform an important function in a complete cyber-
security solution, but insiders are a key example of their limitations. Insiders do not have to pass through
border defenses to accomplish most of their potential goals, meaning that those defenses have no chance at
all to prevent or identify their actions [14].

Given the complexity and the variety of people and processes that make up an organization, any monitoring
approach needs to start from a complete understanding of what is normal for the unique environment. Only
then can it have the insight to identify subtle patterns and correlated action over time that can be the only
early signs of emerging issues, and allow them to be handled before they become major crises.

9
Conclusion
Businesses face many challenges as we move into an era of ever increasing connectivity and standards of communication.
Those trying to secure industrial control systems as well as corporate networks face additional and substantially different
problems, as the devices involved are far less secure than their corporate counterparts.

There is public evidence of growing motivation and capability of threat actors towards control systems, a trend likely to
continue and brought into sharp focus by the 2014 cyber sabotage of a German steel mill. This attack used state-of-
the-art methods to reach the control system of a target with little political or ideological significance, a combination not
previously observed.

De-risking the OT environment is a perpetual challenge requiring new technologies that will deliver continuous insight
and provide early warning of both indiscriminate and targeted compromises. Total prevention of compromise seems
effectively impossible for the foreseeable future, but prevention of crises is an achievable goal across both corporate IT
and operational technology environments.

A new approach that can manage incidents across corporate IT and OT before they become an operational crisis is
required. With Darktraces self-learning immune system, organizations are able to detect and respond to emerging
threats in real-time. Advanced behavioral analysis mathematics can detect even previously unseen novel or tailored
attacks, regardless of whether they originate in the corporate IT or OT domains or traverse between them.

10
Resources

These additional resources, available from our website, complement the information in this white paper.

Data Sheet: Stuxnet Example and Full References

For a detailed example of how Darktrace can detect previously unseen ICS cyber-threats like Stuxnet, and the full list of
supporting references to this White Paper, please email [email protected]

Data Sheet: Standards and Compliance for ICS: NERC CIP V5

Darktrace Industrial Immune System can help organizations transition to the new cyber-security standards set by the
North American Electric Reliability Corporation can be found at www.darktrace.com/resources/data-sheets

Case Study: Darktrace at Drax

A case study of the use of Darktrace at Drax can be found at www.darktrace.com/resources/case-studies

White Paper: Enterprise Immune System White Paper

A white paper covering the wider use of the Darktrace Enterprise Immune System across a whole organization can be
found at www.darktrace.com/resources/whitepapers

11
 About Darktrace Contact Us
Winner of the Queens Award for Enterprise in Innovation 2016, Darktrace is one of the worlds leading US: +1 (415) 243 3940
cyber threat defense companies. Its Enterprise Immune System technology detects and responds to
Europe: +44 (0) 1223 324 114
previously unidentified threats, powered by machine learning and mathematics developed by specialists
from the University of Cambridge. Without using rules or signatures, Darktrace is uniquely capable of APAC: +65 6248 4516
understanding the pattern of life of every device, user and network within an organization, and defends
against evolving threats that bypass all other systems. Some of the worlds largest corporations rely
on Darktraces self-learning technology in sectors including energy and utilities, financial services, Email: [email protected]
telecommunications, healthcare, manufacturing, retail and transportation. Darktrace is headquartered
in Cambridge, UK and San Francisco, with 20 global offices including Auckland, Johannesburg, Lima,
London, Milan, Mumbai, Paris, Seoul, Singapore, Sydney, Tokyo, Toronto and Washington D.C. www.darktrace.com

ICS-001r4en Darktrace Copyright 2015 Darktrace Limited. All rights reserved. Darktrace is a registered trademark of Darktrace Limited. Enterprise Immune System, and Threat
Visualizer are unregistered trademarks of Darktrace Limited. Other trademarks included herein are the property of their respective owners.