Introducing a Next Generation ICS Security Expert: Andrea Carcano

This article was updated on October 16, 2019. 

There is positive momentum in the field of industrial cyber security and an exciting aspect of it is the energy that a new generation of ICS security expert / entrepreneur is bringing to the field. An example of this generation is Andrea Carcano, the co-founder and Chief Product Officer of Nozomi Networks.

You have likely never heard of Andrea Carcano but it is worthwhile getting to know him because of his academic research and because the industrial security solution he pioneered is making protecting critical infrastructure a lot easier.

 I interviewed Andrea about how his research and development efforts are making a difference not just in ICS security but also in improving reliability through better operational monitoring.

HM: You have completed both your Masters and Ph.D. degrees in industrial cyber security. Why did you choose this area of study?

 AC: Since my teenager days I have been interested in figuring out how computer systems work and how to defend them. In high school, I used to have fun doing things like causing documents to print out on my friends’ home printers, for example. That fascination led me to doing my undergraduate degree in computer science.

After I completed my Bachelor’s degree I applied for and won a European scholarship in industrial security. My project was focused on how to build malware and viruses tailored for Industrial control systems. My thesis was called “Critical Infrastructure: protocols, threats, vulnerabilities, attacks and countermeasures.” As part of this work I developed malware specifically designed to take advantage of the lack of security in some SCADA protocols. I also analyzed the consequences of my ICS-focused attacks.

Thanks to the encouragement of Prof. Igor Nai Fovino, an excellent mentor and motivator, I went on to do my Ph.D in the field of critical infrastructure security. My research in this area concerned the development of software that detects intrusions in SCADA systems, particularly by taking advantage of weaknesses in the Modbus and DNP protocols.

When Stuxnet was revealed in 2010 it was fascinating for me to see that the idea behind Stuxnet was like the SCADA malware PoC (Proof of Concept) I had developed. I was also able to test my defensive system against Stuxnet and was pleased to see that the software I developed during my Ph.D. could detect and alert based on the changes on PLCs caused by Stuxnet. In essence my software was able to detect zero day attacks. (HM: A list of Andrea’s published papers is available at the end of this article.)

HM: Near the end of your Ph.D. degree you started working in the Security Operations Center (S.O.C.) of Eni, an oil and gas producer with facilities in 72 countries. How did that experience shape your approach to ICS security?

 AC: Working at Eni was a great experience because it introduced me to the needs and language of both the IT side of an organization and the Operations Technology (OT) side. I also experienced first-hand the tension between the two groups. I was part of the IT team, but my role took me for weeks at a time to production sites, such as remote facilities in Tunisia and oil rigs in the ocean.

I learned how to build relationships with industrial engineers in the field who were initially skeptical about IT people. I also had the realization that the software I developed during my Ph.D. would be useful in solving the day-to-day issues that we had as a cyber security team. I could see how some cyber security analysis and tasks could be automated, simplifying the challenges faced by industrial engineers.

HM: Is that what led you to decide to start Nozomi Networks?

AC: Yes. Eni is not a software development company, so it was not possible for me to develop the solution I envisioned internally. I left Eni and founded Nozomi Networks with the person I most respected as a programmer and technologist, Moreno Carullo.

Since starting the company in 2013 we have gone on to develop and implement the Nozomi Networks’ solution at several very large organizations, including Enel, a multi-national power company. Our technology was initially deployed at an Enel Regional Control Center (RCC), one of many such centers that monitor the 500 power generation plants in Italy. It was then rolled out to all the RCCs with our Central Management Console implemented at the company’s central control room.

It was exciting to participate in the roll-out, but even better was seeing how the extensive operational insight our products provide helped Enel improve the reliability, efficiency and cyber security of the Italian power generation system.

HM: As Nozomi Networks expands into the North American markets what do you want industrial operators and critical infrastructure providers to know about ICS security solutions?

AC: The first thing I want them to know is that there is a whole new class of software application that can provide tremendous help. Nozomi Networks’ products are examples. They use advances in computer science, such as machine learning and artificial intelligence, to build an internal representation of an industrial network and its physical process. Then they deploy behavioral analytics and continuous monitoring to detect changes to individual baseline profiles.

The outcome of using such a powerful toolset is that it does the hard work of knowing and monitoring the ICS and provides the real-time visibility and detection needed to ensure cyber resilience.

The second thing I want them to know is that Guardian provides a lot of value, not just in cyber security, but also in operational visibility. For example, on the cyber security side it can detect complex or zero day attacks with no fixed pattern or signature, and on the operations’ side it detects things like communication failures and configuration changes. To truly ensure reliability, cyber security and real-time operational monitoring go hand-in-hand.

HM: Thanks Andrea and good luck!

Andrea Carcano – Published Papers

Critical state-based filtering system for securing SCADA network protocols
IN Fovino, A Coletta, A Carcano… – IEEE Transactions on …, 2012 – ieeexplore.ieee.org
Abstract – The security of SCADA systems is one of the most pressing subjects in industrial systems, especially for those installations actively using the public network in order to provide new features and services. In this paper we present an innovative approach to the …

A multidimensional critical state analysis for detecting intrusions in SCADA systems
A Carcano, A Coletta, M Guglielmi… – IEEE Transactions …, 2011 – ieeexplore.ieee.org
Abstract – A relatively new trend in Critical Infrastructures (eg, power plants, nuclear plants, energy grids, etc.) is the massive migration from the classic model of isolated systems, to a system-of-systems model, where these infrastructures are intensifying their …

Modbus/DNP3 state-based intrusion detection system
IN Fovino, A Carcano, TDL Murel… – 2010 24th IEEE …, 2010 – ieeexplore.ieee.org
Abstract – The security of Industrial Critical Infrastructures is become a prominent problem with the advent of modern ICT technologies used to improve the performances and the features of the SCADA systems. In this paper we present an innovative approach to the…

Modbus/DNP3 state-based filtering system
A Carcano, IN Fovino, M Masera – 2010 IEEE International …, 2010 – ieeexplore.ieee.org
Abstract – The security of SCADA systems is one of the most pressing subjects in industrial systems, especially for those installations actively using the public network in order to provide new features and services. In this paper we present an innovative approach to the design…

Distributed intrusion detection system for SCADA protocols
IN Fovino, M Masera, M Guglielmi, A Carcano… – … Conference on Critical …, 2010 – Springer
Abstract – This paper presents an innovative, distributed, multilayer approach for detecting known and unknown attacks on industrial control systems. The approach employs process event correlation, critical state detection and critical state aggregation. The paper also …

An experimental investigation of malware attacks on SCADA systems
IN Fovino, A Carcano, M Masera… – International Journal of …, 2009 – Elsevier
Modern critical infrastructures are continually exposed to new threats due to the vulnerabilities and architectural weaknesses introduced by the extensive use of information and communications technologies (ICT). Of particular significance are the vulnerabilities …

State-based network intrusion detection systems for SCADA protocols: a proof of concept
A Carcano, IN Fovino, M Masera… – International Workshop on …, 2009 – Springer
Abstract – We present a novel Intrusion Detection System able to detect complex attacks to SCADA systems. By complex attack, we mean a set of commands (carried in Modbus packets) that, while licit when considered in isolation on a single-packet basis, interfere …

A secure and survivable architecture for SCADA systems
IN Fovino, A Carcano, M Masera – … , 2009. DEPEND’09. Second …, 2009 – ieeexplore.ieee.org
Abstract – Industrial Systems are nowadays exposed to new kinds of malicious threats. The cause of this is related to the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and Networking Technologies for the …

Design and implementation of a secure modbus protocol
IN Fovino, A Carcano, M Masera… – … Conference on Critical …, 2009 – Springer
Abstract – The interconnectivity of modern and legacy supervisory control and data acquisition (SCADA) systems with corporate networks and the Internet has significantly increased the threats to critical infrastructure assets. Meanwhile, traditional IT security solutions such as …

Scada Malware, a proof of Concept
A Carcano, IN Fovino, M Masera… – International Workshop on …, 2008 – Springer
Abstract – Critical Infrastructures are nowadays exposed to new kind of threats. The cause of such threats is related to the large number of new vulnerabilities and architectural weaknesses introduced by the extensive use of ICT and Network technologies into such