The Importance of Physical Access Endpoint Detection in OT & IoT


Given the rising prevalence and sophistication of cyberattacks in today's threat landscape, safeguarding networks against them is essential to maintain the confidentiality, integrity, and availability of critical information assets. While network-based detection and monitoring is crucial for OT/IoT security, it alone cannot provide sufficient protection against multi-level sophisticated cyberattacks. It's essential to implement a comprehensive layered defense strategy that includes host-based detection systems. These systems offer a range of benefits to businesses and organizations by detecting malicious activity that may not be visible in network traffic.

Nozomi Networks recently released Arc, an OT/IoT endpoint security sensor that supports more accurate diagnostics of in-progress threats and anomalies, including the identification of compromised hosts with malware, rogue applications, unauthorized USB drives, and suspicious user activity. This level of visibility also allows for the monitoring and analysis of user behavior, which can help identify potential insider threats before they become a major issue.

In this blog, we share insights into host-based threats, highlight the importance of endpoint detection sensors in securing networks against cyber threats, and explain how these sensors work to detect and respond to potential security breaches.

Why Endpoint Detection for OT/IoT?

Endpoint protection is particularly critical in OT and IoT because these systems are responsible for controlling and monitoring physical processes such as power generation, oil and gas pipelines, water treatment, and transportation. Any cyberattack on these systems could have severe consequences, including disruptions to critical infrastructure, financial losses, and even loss of life. Unlike IT systems that primarily deal with data processing and storage, OT/IoT endpoints rely on physical equipment and machinery. Therefore, securing these endpoints is crucial to preventing unauthorized access or malicious tampering with the system's operations. Additionally, OT/IoT endpoints often have limited computing resources and may not be regularly updated like typical IT endpoints. This makes them more vulnerable to cyber threats, placing endpoint protection as a top priority in OT/IoT environments.

Gabriele Webber, product manager behind the Nozomi Arc sensor, stresses the importance of securing OT/IoT endpoints. “As technology continues to advance, so do the methods that hackers use to gain unauthorized access,” he says. “An endpoint security solution helps to prevent these attacks by providing a layer of protection that can detect and block potential threats from within, complementing network monitoring.”

Examples of Physical Endpoint Cyber Threats

One of the first steps an attacker can take to gain access to a system is through physical access. Attackers can obtain physical access to their target endpoints by exploiting Human Interface Devices (HIDs) such as specially crafted keyboards or mice, also known as BadUSB devices. These counterfeit HIDs appear physically identical to legitimate ones, but their internal components are modified so that malicious code is executed when they are connected to the targeted computer. Once physical access is obtained, attackers can reach more sensitive parts of the system that may not have been visible before.

Why are threat actors interested in the physical access attack vector, and how are they using BadUSB devices to obtain physical access? A BadUSB device can modify system settings, open backdoors, retrieve sensitive data, or do anything else that can be achieved with physical access. There are two common threats posed by BadUSBs – keyloggers and keystroke injections – which can compromise endpoints.

Key loggers: A keylogger is a type of device that records every keystroke made on a computer or mobile device. Once active, the keylogger operates in the background without the user's knowledge, recording all keystrokes and storing or transmitting them.

Hackers use keyloggers to steal sensitive information such as login credentials. A keylogger can be utilized on an OT/IoT endpoint to acquire log-in credentials for a computing endpoint, like a desktop computer used in an industrial environment. These credentials can then be used in a subsequent keystroke injection attack, which allows the attacker to gain elevated privileges within the system.

Keystroke injections: A keystroke injection is a type of cyberattack in which keystrokes are injected into a computer system to execute unauthorized commands or actions. BadUSB devices are designed precisely for this: they emulate keyboards and inject keystrokes. The attacker typically pre-programs the BadUSB with a script containing a series of keystrokes that mimic legitimate user input. When the device is plugged into the target system, it replays these keystrokes at a rapid pace, executing malicious commands and actions such as installing malware, stealing sensitive data, or taking control of the system. The goal of rapid execution is to conceal the script from the HID user.

Keystroke injection attacks can be particularly effective because they bypass traditional security measures such as firewalls and antivirus software. Additionally, they do not require any network connectivity, making them difficult to detect using network monitoring tools.

While the two may seem similar, a keystroke injection is an active attack that aims to execute unauthorized commands or actions on a system, while keylogging is a passive technique used for monitoring user activity and stealing sensitive information.

Nozomi Networks’ Research

USB devices can be an attack vector for OT/IoT because they can be used to introduce malware into the system. In many cases, USB devices are used to transfer data between different systems or to update firmware on ICS devices. However, if a USB device is infected with malware, it can easily spread throughout the network and compromise critical systems. The current challenge that industrial operators are facing is the limited visibility inside critical devices potentially exposed to these types of supply chain compromises.

To address this challenge, Nozomi Networks Labs has been working on a cutting-edge cybersecurity research project to gain further insight into the problem. By building a compromised BadUSB device which executes a malicious payload once connected to the target machine, this research project provided insights into how to develop a sensor that protects OT/IoT endpoints from BadUSB attacks and other malicious activity.

Here are a few highlights from our findings:

• We conducted a thorough analysis of USB traffic, considering factors such as typing speed, keystrokes, and blacklisted or whitelisted words and sentences;

• The patterns we observed during our study were categorized as either Legitimate or Malicious;

• We developed features within our Arc sensor that allow it to detect keystroke injections on OT/IoT endpoints by comparing artificial typing traffic to legitimate human typing traffic;

• We used the Arc sensor to process the traffic and apply detections based on the MITRE Framework;

• Finally, we created a fully functional demo of USB backdoor attacks that showcased how our Arc sensor can identify malicious activity at the host-level (see Figure 1).


Figure 1. Malicious USB HID detection

Because of the in-depth research from our Labs team, the Nozomi Networks Arc sensor can detect malicious devices that may appear legitimate to a PC. For example, it can check the typing rate to determine whether it is too high to feasibly be a human typing, which is indicative of malicious activity. For additional technical details, read our blog on hardware supply chain compromise in HIDs.
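The research highlights above (typing speed, keystroke patterns, blacklisted words) and the typing-rate check described in the previous paragraph can be illustrated with a small host-side heuristic. The following is an added example written for this post, not Nozomi Networks' or the Arc sensor's code. It assumes a hypothetical capture format of `(timestamp_seconds, key_name)` events from a USB HID keyboard, and every threshold and blacklist term is a constructed, illustrative assumption rather than a value taken from the Arc sensor. It goes slightly beyond the text by also scoring the regularity of inter-key intervals, since injected scripts type with near-zero jitter.

```python
"""Heuristic classifier for USB HID keystroke traffic.

Added example, not Nozomi Networks code. Input format, thresholds and
blacklist are assumptions made for illustration only.
"""
import random
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

# Assumed thresholds. Fast human typists rarely sustain much more than
# ~10 keystrokes/second, and human inter-key timing is never perfectly regular.
MAX_HUMAN_RATE_KPS = 12.0   # keystrokes per second (assumption)
MIN_HUMAN_JITTER_S = 0.015  # std dev of inter-key interval (assumption)
MIN_WINDOW = 8              # minimum keys before timing is judged

# Constructed blacklist of command fragments a typed payload might contain.
BLACKLIST = ("powershell", "cmd.exe", "/bin/sh", "curl ", "wget ", "certutil")

Event = Tuple[float, str]  # (timestamp in seconds, key name)


@dataclass
class Verdict:
    label: str                   # "Legitimate" or "Malicious"
    rate_kps: float              # observed keystrokes per second
    jitter_s: float              # std dev of inter-key interval
    matched_terms: Tuple[str, ...]


def key_events_to_text(events: List[Event]) -> str:
    """Reconstruct the typed text; SPACE and ENTER are named keys."""
    out = []
    for _, key in events:
        if key == "ENTER":
            out.append("\n")
        elif key == "SPACE":
            out.append(" ")
        elif len(key) == 1:
            out.append(key)
    return "".join(out)


def typing_stats(events: List[Event]) -> Tuple[float, float]:
    """Return (keystrokes per second, std dev of inter-key interval)."""
    if len(events) < 2:
        return 0.0, 0.0
    intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
    m = mean(intervals)
    rate = 1.0 / m if m > 0 else float("inf")
    return rate, pstdev(intervals)


def classify(events: List[Event]) -> Verdict:
    """Label a window of HID events as Legitimate or Malicious."""
    rate, jitter = typing_stats(events)
    text = key_events_to_text(events).lower()
    matched = tuple(term for term in BLACKLIST if term in text)
    enough = len(events) >= MIN_WINDOW
    too_fast = enough and rate > MAX_HUMAN_RATE_KPS
    too_regular = enough and jitter < MIN_HUMAN_JITTER_S
    label = "Malicious" if (too_fast or too_regular or matched) else "Legitimate"
    return Verdict(label, rate, jitter, matched)


def make_events(text: str, interval: float, jitter: float = 0.0) -> List[Event]:
    """Build constructed sample events typed at a fixed cadence +/- jitter."""
    rng = random.Random(7)  # fixed seed keeps the samples reproducible
    t, events = 0.0, []
    for ch in text:
        key = "SPACE" if ch == " " else "ENTER" if ch == "\n" else ch
        events.append((t, key))
        t += interval + rng.uniform(-jitter, jitter)
    return events


# Constructed samples: an operator typing, an injected script, and a
# blacklisted command typed at human speed (caught by the word check alone).
HUMAN_SAMPLE = make_events("set pump speed 40\n", interval=0.18, jitter=0.08)
INJECTED_SAMPLE = make_events("powershell -w hidden\n", interval=0.004)
SLOW_COMMAND = make_events("cmd.exe\n", interval=0.2, jitter=0.08)

if __name__ == "__main__":
    for name, ev in [("human", HUMAN_SAMPLE), ("injected", INJECTED_SAMPLE),
                     ("slow command", SLOW_COMMAND)]:
        v = classify(ev)
        print(f"{name:13s} {v.label:10s} rate={v.rate_kps:7.1f}/s "
              f"jitter={v.jitter_s:.4f}s terms={v.matched_terms}")
```

Rate and jitter alone separate a scripted burst from a person, but they are only judged once a window holds enough keys, so a short human-paced command such as the third sample is caught by the blacklist rather than by timing; a real sensor would combine these signals with process context rather than rely on any one of them.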

Advantages of Host-Based Detection for OT

One of the biggest issues with OT/IoT is that many devices do not have the ability to detect all potential threats. However, with this type of system, it is possible to complement network visibility with endpoint visibility, tracing data all the way from the endpoint to the application or service that generated it, which accurately identifies the source and location of any malicious activity. This level of visibility allows organizations to quickly identify and respond to threats, giving them a more proactive approach to cybersecurity.

Arc also makes it possible for organizations to monitor multiple machines and devices simultaneously, ensuring that any suspicious activity is identified and dealt with quickly. Additionally, this scalability allows for improved threat intelligence gathering capabilities, helping organizations stay ahead of potential attacks.


Threat actors are becoming increasingly sophisticated in their tactics for targeting OT and IoT endpoints, making it essential for organizations to implement robust security measures to protect against these threats. Attack vectors can come from a variety of sources – from phishing emails to infected BadUSB devices. It's important for organizations to be vigilant and proactive in identifying potential threats before they can cause damage. This includes implementing not only technical solutions such as firewalls and intrusion detection systems, but also developing strong policies around employee behavior and physical access control.

Protecting OT and IoT endpoints requires a multifaceted approach that considers both technical solutions and human behavior. With the right strategy in place, however, organizations can reduce their risk of falling victim to cyberattacks targeting these critical systems.