
Detecting Malware Infections in Building Systems

The Challenge

Detecting Malware Operating Within My OT/IoT Networks

In 2013, malware gained entry to the network of retailing giant Target and stole the payment card data of 40 million customers.1 It was originally thought that the intrusion came through the remote monitoring system of an HVAC vendor; it was later determined that the attackers used the vendor's billing and contract (accounting) connections to Target rather than any HVAC link.

Nonetheless, the threat of an attack originating with a building management system vendor is real. Imagine your HVAC system were breached, causing a heating and ventilation failure or power outage at one of your properties. Such an incident could directly affect the safety and health of thousands of occupants.

Why is malware risk higher now than ever before? As buildings become “smarter” they are increasingly connected to other systems. They may be maintained remotely by third-party vendors or connected to cloud applications for data analysis. Each of these connections widens the attack surface available to an intruder.

Many BAS (Building Automation Systems) and IoT devices lack built-in security and use communications protocols with no authentication or encryption, so the risk to your property is significant. Consider also that the final payload of a BAS attack requires less sophistication than an attack on a critical infrastructure facility, because the physical processes involved in a BAS are less complex.

1“Target Breach: Phishing Attack Implicated,” DarkReading, February, 2014.

The Solution

Automated Monitoring of OT and IoT Networks to Identify Threats

Early warning is essential to neutralizing threats before they reach automation systems or move between IT and OT networks.

Advanced persistent threat malware goes through different phases during an attack. The Nozomi Networks solution uses behavior-based anomaly detection and multiple types of signature and rule-based detection to detect malware at each phase. It alerts operators to early stage infection and reconnaissance activities, and provides the information needed to act before a final attack occurs.

  • For early-stage infections, anomaly detection identifies irregular activity, such as malware beaconing out to an external Command and Control (C&C) server through connections to a public IP address the host has never contacted before. Signature and rule-based detection identifies specific files, data and events in network traffic associated with known malware.
  • During the reconnaissance phase, malware learns the environment it has landed in: it enumerates devices and tries commands it will need for the final attack. The solution’s anomaly detection identifies new commands on the monitored network and generates alerts that include the command source. Even if the malware uses regular BAS protocols to communicate, its messages differ from the system’s baseline behavior, allowing them to be singled out.
  • If an attack occurs, it is quickly identified and an alert is sent. This enables you to implement new firewall rules or take other actions to stop further attack commands and limit harm.
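The following is an added example, not Nozomi Networks code and not the vendor's algorithm. It shows, on constructed BAS flow records, the two behaviour-based detections the list above describes: a host contacting an external IP it never contacted during the learning phase (with a periodicity check, since C&C beacons tend to recur at a fixed interval), and a known host issuing a BACnet service it never used during learning. The site address ranges, host addresses, and flows are all assumptions made for the example.

```python
"""Baseline-driven anomaly detection over constructed BAS flow records.

Added example; not Nozomi Networks code. Site networks, hosts, and flows
below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed site address space; anything outside it is treated as external.
SITE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    src: str
    dst: str
    proto: str      # "bacnet", "dns", "https", ...
    command: str    # BACnet service name, or "" for flows without a command layer


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in SITE_NETWORKS)


class Baseline:
    """Records what each host was seen doing during the learning phase."""

    def __init__(self, learning_flows):
        self.hosts = set()
        self.commands = defaultdict(set)   # src -> {(proto, command)}
        self.external = set()              # external dst IPs seen in learning
        self.reported = set()              # external dsts already alerted on
        for f in learning_flows:
            self.hosts.add(f.src)
            self.commands[f.src].add((f.proto, f.command))
            if is_external(f.dst):
                self.external.add(f.dst)

    def check(self, flow):
        """Return alert tuples for one live flow; empty if it matches the baseline."""
        alerts = []
        if is_external(flow.dst) and flow.dst not in self.external:
            # Alert once per new destination, without adding it to the baseline.
            if flow.dst not in self.reported:
                self.reported.add(flow.dst)
                alerts.append(("new_external_destination", flow.src, flow.dst))
        if flow.src not in self.hosts:
            alerts.append(("new_host", flow.src, flow.dst))
        elif (flow.proto, flow.command) not in self.commands[flow.src]:
            # Legitimate BAS protocol, but a service this host never used before.
            alerts.append(("new_command", flow.src, f"{flow.proto}:{flow.command}"))
        return alerts


def beacon_candidates(flows, min_count=3, max_jitter=0.1):
    """Return (src, dst) pairs whose external connections recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_external(f.dst):
            by_pair[(f.src, f.dst)].append(f.ts)
    found = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= max_jitter * avg for g in gaps):
            found.append(pair)
    return found


# Constructed learning-phase traffic: an HVAC controller (10.0.5.21), its
# supervisory workstation (10.0.5.30), a local DNS server, and a sanctioned
# vendor analytics endpoint (198.51.100.7, assumed).
LEARNING = [
    Flow(0.0, "10.0.5.21", "10.0.5.1", "bacnet", "readProperty"),
    Flow(1.0, "10.0.5.21", "10.0.5.1", "bacnet", "writeProperty"),
    Flow(2.0, "10.0.5.21", "10.0.0.53", "dns", ""),
    Flow(3.0, "10.0.5.30", "10.0.5.21", "bacnet", "readProperty"),
    Flow(4.0, "10.0.5.30", "198.51.100.7", "https", ""),
]

# Constructed live traffic: normal activity, a 60-second beacon to an unknown
# external IP, a never-before-seen BACnet service, and an unknown host probing.
LIVE = [
    Flow(100.0, "10.0.5.21", "10.0.5.1", "bacnet", "readProperty"),
    Flow(101.0, "10.0.5.30", "198.51.100.7", "https", ""),
    Flow(102.0, "10.0.5.30", "203.0.113.45", "https", ""),
    Flow(162.0, "10.0.5.30", "203.0.113.45", "https", ""),
    Flow(222.0, "10.0.5.30", "203.0.113.45", "https", ""),
    Flow(230.0, "10.0.5.30", "10.0.5.21", "bacnet", "reinitializeDevice"),
    Flow(240.0, "10.0.5.99", "10.0.5.21", "bacnet", "whoIs"),
]


def run_example():
    base = Baseline(LEARNING)
    alerts = [a for f in LIVE for a in base.check(f)]
    return alerts, beacon_candidates(LIVE)


if __name__ == "__main__":
    alerts, beacons = run_example()
    for a in alerts:
        print("ALERT", *a)
    for src, dst in beacons:
        print("BEACON", src, "->", dst)
```

Running the script prints one alert for the new external destination, one for the workstation's first-ever reinitializeDevice, one for the unknown host, and flags the 10.0.5.30 to 203.0.113.45 pair as a beacon. The design point is that the baseline is never updated from live traffic: a real monitor re-learns only under operator control, otherwise the attacker's reconnaissance simply becomes the new normal.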

Thanks to built-in integration with IT tools such as SIEMs and ticketing systems, OT threats can be handled using the tools and workflows your organization already uses.


The Nozomi Networks solution alerts IT/OT security teams to early-stage malware infection and reconnaissance activities, and provides the information needed to respond before damage occurs. Threat Intelligence, which delivers up-to-date threat intelligence to Guardian, makes it easy to stay on top of the dynamic threat landscape and reduce time to detection.

Stay Up-to-date on Emerging Threats with Threat Intelligence

The Threat Intelligence subscription delivers up-to-date OT & IoT threat intelligence to the Nozomi Networks Guardian solution, making it easy for you to detect threats and identify vulnerabilities in your environment.

When new information is received, Guardian rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.

More Operational Visibility & Cybersecurity Challenges

Gaining Complete Visibility into My OT/IoT Systems

Without visibility into all the IoT and OT assets and networks used across our properties, it’s hard to ensure system safety and security.

Improving Situational Awareness Across Properties

A wide range of building automation systems plus the rapid roll-out of smart sensors makes it hard to monitor and secure our buildings.

Understanding My Operational System Vulnerabilities

Knowing which vendor’s sensors, controllers and IoT devices are at risk of attack would help me focus my cyber security efforts.
