Governments worldwide are raising alarms about the dramatic surge in attacks targeting critical infrastructure, from power and water systems to critical manufacturing, mining, and energy. While many of these cyber threats have traditionally focused on IT systems, an increasing number are now aimed at disrupting operations by attacking OT/IoT systems. Industrial control systems – such as programmable logic controllers (PLCs), distributed control systems (DCSs), and remote terminal units (RTUs) – are the heart of OT/IoT networks. By better understanding and defending these vital systems, there is a significant opportunity to strengthen overall defenses and ensure the resilience of critical infrastructure.
The Rise of the OT/IoT Attack Framework
Among these industrial control systems, PLCs play a particularly critical role, making them a key focus for enhancing cybersecurity measures. Recent CISA advisories on attempted PLC exploits are a harsh reminder that a direct attack on one or more PLCs could shut down production or cause a public safety crisis. To stem cyberattacks and stay ahead of bad actors, organizations need to bolster their security defenses with visibility of assets at the operational level to monitor for unusual activities or anomalies that could indicate a potential attack on the physical layer of the control system.
In the Purdue Model, the hierarchical reference model used for industrial control system security, PLCs are usually situated at Level 1 and are designed to interface directly with Level 0 devices such as sensors and actuators – sometimes collectively called “field assets.” Level 0 assets provide real-time data from the physical processes and execute control commands from the PLCs to manage these processes. In the event of a cyberattack, PLCs can provide detailed information about the state of the physical processes, helping security teams to understand the situation and respond effectively to minimize potentially devastating impacts.
World’s First Security Sensor that Runs Embedded in Industrial Control Systems
Nozomi Arc Embedded is the world’s first endpoint security and sensor solution that runs in and provides advanced layers of defense for industrial automation equipment, such as PLCs. Arc Embedded provides in-depth, real-time monitoring of assets, network traffic, anomaly detection, and threat identification down to Level 1, the PLC, and Level 0, the field assets these PLCs control. Arc Embedded powers continuous insights, more accurate detection, and faster response times when incidents affect PLCs and their field assets.
Developed in partnership with Mitsubishi Electric, Arc Embedded for Mitsubishi PLCs makes it possible for the first time ever for organizations to monitor east-west activity to detect and respond to cyber incidents at the PLC level before they can do harm or escalate across the entire industrial operations environment. This proactive approach strengthens operational resilience, reduces downtime, protects critical infrastructure, and maintains process integrity.
Visibility and Security at Levels 1 and 0
Before Arc Embedded, there wasn’t a good way for security teams to get continuous insights into what was happening at the physical layer of a control system – in other words, inside and below the PLC in the Purdue model.
With Arc Embedded running directly on the host PLC, security teams can continuously monitor the health of the controller with data from every module. Understanding the status and behavior of Level 0 devices during an attack helps to mitigate the impacts and ensure the safety and integrity of operations. Key features allow security teams to understand:
- Continuous PLC status, including inventory, software, hardware, vulnerability data and performance data
- Physical access to the PLC, including USB connections, files transferred over USB, and the attachment of other potentially malicious HIDs (human interface devices)
- PLC status and status changes, including changes to ladder logic
- Visibility to monitor Level 0 field assets, including unusual readings or behaviors
With real-time monitoring of Level 0 devices, any unusual readings or behaviors can be quickly detected to help identify potential cyberattacks or other problems. Security teams can be alerted to any sudden changes in PLC status or sensor data, and quickly respond to prevent malicious activities or operational problems that could cause physical damage to essential equipment or even pose safety risks. During an attack, knowing the exact status and behavior of Level 0 devices helps security teams accurately identify which parts of the system are impacted and respond effectively with more targeted mitigation to prevent potentially devastating operational impacts.
In addition, Arc Embedded can continue to collect Level 1 and 0 data when the host PLC is offline or not sending traffic, delivering comprehensive 24x7 visibility and detection for critical operations.
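To make the four monitoring categories above concrete, here is an added example (not Nozomi's or Mitsubishi's code) of the kind of baseline-and-alert logic a Level 1 sensor would apply: it compares constructed PLC status snapshots, USB events and Level 0 sensor readings against a known-good baseline and emits alerts for firmware or ladder-logic changes, physical USB access, and out-of-band field readings. The event format, tag names and thresholds are all hypothetical.

```python
import hashlib

# Constructed baseline for one hypothetical PLC (illustrative values only).
BASELINE = {
    "firmware": "1.4.2",
    "logic_hash": hashlib.sha256(b"ladder-logic-v7").hexdigest(),
    # Expected operating bands for Level 0 field assets, by tag.
    "sensor_bands": {"tank1_level_pct": (20.0, 85.0), "pump1_rpm": (1400.0, 1600.0)},
}

def check_event(ev: dict, baseline: dict = BASELINE) -> list[str]:
    """Return zero or more alert strings for one telemetry event."""
    alerts = []
    kind = ev["kind"]
    if kind == "status":
        # Level 1: controller inventory and program integrity.
        if ev["firmware"] != baseline["firmware"]:
            alerts.append(f"firmware changed: {baseline['firmware']} -> {ev['firmware']}")
        if ev["logic_hash"] != baseline["logic_hash"]:
            alerts.append("ladder logic hash changed from baseline")
    elif kind == "usb":
        # Any USB/HID attach on a PLC is reportable physical access.
        alerts.append(f"USB device attached: class={ev['dev_class']} id={ev['id']}")
        for name in ev.get("files", []):
            alerts.append(f"file transferred over USB: {name}")
    elif kind == "sensor":
        # Level 0: field readings outside the expected band.
        band = baseline["sensor_bands"].get(ev["tag"])
        if band is None:
            alerts.append(f"reading from unknown tag: {ev['tag']}")
        elif not band[0] <= ev["value"] <= band[1]:
            alerts.append(f"Level 0 reading out of band: {ev['tag']}={ev['value']} "
                          f"(expected {band[0]}-{band[1]})")
    return alerts

def run(events, baseline: dict = BASELINE) -> list[tuple[int, str]]:
    """Evaluate an event stream; return (timestamp, alert) pairs in order."""
    return [(ev["t"], a) for ev in events for a in check_event(ev, baseline)]

# Constructed sample stream: normal status, normal reading, USB mass-storage
# attach with a file copy, a modified ladder logic program, then a pump overspeed.
SAMPLE_EVENTS = [
    {"t": 1, "kind": "status", "firmware": "1.4.2", "logic_hash": BASELINE["logic_hash"]},
    {"t": 2, "kind": "sensor", "tag": "tank1_level_pct", "value": 55.0},
    {"t": 3, "kind": "usb", "dev_class": "mass_storage", "id": "0000:0000",
     "files": ["logic-upload.bin"]},
    {"t": 4, "kind": "status", "firmware": "1.4.2",
     "logic_hash": hashlib.sha256(b"ladder-logic-v7-modified").hexdigest()},
    {"t": 5, "kind": "sensor", "tag": "pump1_rpm", "value": 2100.0},
]

if __name__ == "__main__":
    for t, alert in run(SAMPLE_EVENTS):
        print(f"t={t}: {alert}")
```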
Advanced Layers of Defense for Industrial Control Systems
From this unprecedented and privileged position, Arc Embedded delivers vital new network and system information from Levels 1 and 0 – including backplane operational and protocol information previously unavailable – information that powers more accurate anomaly and threat detection and faster response times.
As a new component of the larger Nozomi OT/IoT security platform, the additional insights and context generated by Arc Embedded feed into Nozomi’s AI-powered engines, continuing to enhance asset, vulnerability, anomaly and threat detection, as well as improve incident response time.