
Industrial IoT: How AI detects pre-existing cyber-threats inside Industrial Control Systems

The IT security teams responsible for keeping industrial control systems safe are fighting an uphill battle. To avoid downtime, companies invest heavily in securing their OT environments, but the legacy tools used to protect the critical IT infrastructure on which many industrial processes depend are partially blind. Most gateways and signature-based security tools monitor the perimeter; they offer little once the threat is already inside the industrial network, where east-west traffic is rarely inspected and a signature cannot match malware nobody has catalogued yet.

At this stage of the cyber kill chain, the attackers have plenty of opportunities to carry out further reconnaissance, change PLC settings, or disrupt the production process by other means, potentially at significant cost.

MUNINN Industrial, an AI-based network monitoring technology that autonomously detects and responds to cyber-threats in OT environments, recently detected several pre-existing Industrial IoT compromises and latent vulnerabilities at a utilities company in the EMEA region. The company had already deployed MUNINN on its enterprise network and decided to extend the same AI-based monitoring to OT environments such as pumping stations, so that previously unknown threats could be detected across the entire digital estate.

MUNINN Industrial detected a previously unidentified threat within hours of deployment, allowing the customer to conduct a thorough threat investigation and incident response – before the threat actor managed to disrupt industrial operations.

Although the initial delivery method is unknown, MUNINN Industrial quickly identified the compromised endpoint used as the attacker's first point of entry. In many cases, an infection is introduced to the industrial network via a USB drive loaded with malware. Here, the infected PLCs were part of a continuous water-treatment process and could not run endpoint security software, which left network-level monitoring as the only way to observe their behaviour.

MUNINN Industrial analyzes all network packets (full packet capture) using both AI and signature-based methods. While signature-based detection quickly finds known threats, the AI engine continuously calibrates its model of what constitutes legitimate network behaviour in an industrial environment. This self-learning approach lets security teams detect and investigate threats for which no signature exists yet, including ones never seen on any other network.

Pumping Station Attacked

Only a few hours after MUNINN AI was deployed, the self-learning technology proved its value by detecting an unusual network scan. The following timeline shows how MUNINN's detection models were used to contain the attack, from discovery of the initial compromise to incident response.

MUNINN AI quickly detected that the infected endpoint was using SMBv1, a deprecated version of the SMB protocol that should be disabled wherever a device can do without it, to move laterally within the network.

The infected PLC device, which normally communicates with only a handful of other devices on the industrial network, suddenly made an unusually large number of connections to internal hosts, including industrial IoT devices that were not recorded in the company's asset inventory. Using MUNINN's interface, the security team could quickly understand the network topology and identify the affected network segments.

Anomalous connections to internal devices are a strong indicator of network reconnaissance. Because MUNINN's AI engine analyses and correlates sequences of related events, the security team had the relevant information at hand to investigate and mitigate the incident: the device was temporarily quarantined and subsequently patched, and further investigation confirmed that it was infected with worm malware.
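The detection logic the timeline describes (a device whose fan-out suddenly exceeds its learned baseline, reaching hosts missing from the asset inventory and offering the SMBv1 dialect on port 445) can be reproduced over flow records with a few lines of plain Python. The following is an added example, not MUNINN's code or anything from the original article: the flow records, addresses, asset inventory and the `factor`/`floor` thresholds are all constructed for illustration, and the `Flow` record assumes a sensor that has already parsed the dialect out of the SMB Negotiate Protocol Request. The SMB1 dialect strings themselves are the real ones.

```python
"""Baseline-deviation detection over constructed OT flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OT_NET = ip_network("10.20.0.0/16")  # assumed pumping-station subnet (constructed)

# Dialect strings an SMB1 client offers in its Negotiate Protocol Request.
# SMB2/3 dialects are numeric (0x0202 .. 0x0311), so any of these means SMBv1.
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
                 "LM1.2X002", "LANMAN2.1", "NT LM 0.12"}


@dataclass(frozen=True)
class Flow:
    ts: int                              # seconds since start of capture
    src: str
    dst: str
    dport: int
    smb_dialect: Optional[str] = None    # dialect offered, if the sensor parsed a negotiate


def learn_baseline(flows):
    """Distinct internal peers each source talked to during the learning window."""
    peers = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) in OT_NET:
            peers[f.src].add(f.dst)
    return peers


def analyse_window(flows, baseline, inventory, factor=3, floor=4):
    """One alert per source whose fan-out exceeds its learned baseline.

    factor/floor are assumed tuning knobs: a source is flagged when the number of
    distinct internal destinations in the window exceeds max(floor, factor * baseline).
    Each alert also lists peers absent from the asset inventory and SMBv1 targets.
    """
    peers = defaultdict(set)
    smb1 = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) not in OT_NET:
            continue
        peers[f.src].add(f.dst)
        if f.dport == 445 and f.smb_dialect in SMB1_DIALECTS:
            smb1[f.src].add(f.dst)

    alerts = []
    for src, dsts in peers.items():
        known = baseline.get(src, set())
        if len(dsts) <= max(floor, factor * len(known)):
            continue
        alerts.append({
            "src": src,
            "fanout": len(dsts),
            "baseline": len(known),
            "new_peers": sorted(dsts - known),
            "unknown_assets": sorted(d for d in dsts if d not in inventory),
            "smb1_targets": sorted(smb1[src]),
        })
    return alerts


# Constructed learning window: PLC 10.20.1.15 exchanges Modbus/TCP (502) with the
# HMI (10.20.1.5) and a historian (10.20.1.10) and nothing else.
LEARNING = (
    [Flow(t, "10.20.1.15", "10.20.1.5", 502) for t in range(0, 600, 10)]
    + [Flow(t, "10.20.1.15", "10.20.1.10", 502) for t in range(5, 600, 60)]
    + [Flow(t, "10.20.1.5", "10.20.1.15", 502) for t in range(0, 600, 10)]
)

# Constructed asset inventory: two of the swept hosts are listed, the rest are not.
INVENTORY = {"10.20.1.5", "10.20.1.10", "10.20.1.15", "10.20.1.21", "10.20.1.22"}

# Constructed detection window: the same Modbus traffic plus a port-445 sweep in
# which the PLC offers the SMBv1 dialect to twelve neighbouring hosts.
DETECTION = (
    [Flow(t, "10.20.1.15", "10.20.1.5", 502) for t in range(600, 900, 10)]
    + [Flow(600 + i, "10.20.1.15", f"10.20.1.{20 + i}", 445, "NT LM 0.12")
       for i in range(12)]
)


def run_demo():
    return analyse_window(DETECTION, learn_baseline(LEARNING), INVENTORY)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['src']}: {a['fanout']} peers (baseline {a['baseline']}), "
              f"{len(a['new_peers'])} new, {len(a['unknown_assets'])} not in inventory, "
              f"SMBv1 offered to {len(a['smb1_targets'])} hosts")
```

The baseline is deliberately per-source rather than network-wide: a historian that polls fifty PLCs is normal, while a PLC that suddenly opens twelve sessions is not, and that is exactly the distinction the fan-out ratio captures. Treating the unknown-asset and SMBv1 columns as separate fields rather than folding them into a single score keeps the alert explainable to the responder who has to decide whether to quarantine a device in a running process.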

Protecting your industrial IT-Infrastructure

The proliferation of Industrial IoT devices (some of which connect directly to the internet) has made industrial environments more exposed and therefore a greater security liability. Furthermore, industrial environments are converging with enterprise IT networks, making it even harder to maintain a coherent overview of the entire digital estate. This case suggests that the perimeter of many industrial networks may already have been breached, and that monitoring of internal traffic is needed to find intruders before their actions become a crisis for the organization.

MUNINN Industrial helps security teams take back control of their IT and OT networks by providing full visibility and AI-based analysis of every interaction between users and devices on the network, greatly reducing the time it takes to detect, investigate, and mitigate cyber-threats, regardless of where and how the threat actor enters the network.