Detecting Malware Infections in Building Systems

CHALLENGE

Detecting Malware Operating Within My OT/IoT Networks

In 2013, malware gained entry to the network of retailing giant Target and stole the personal and credit card information of 40 million people. It was originally thought that the infection occurred through the remote monitoring system of an HVAC system vendor, though it was later determined to have come through accounting connections between the supplier and Target.

Nonetheless, the threat of an attack originating with a building management system vendor is real. Imagine your HVAC system was breached, causing a heating and ventilation failure or power outage at one of your properties. Such an incident could directly impact the safety and health of thousands of occupants.

Why is malware risk higher now than ever before? As buildings become “smarter” they are increasingly connected to other systems. They may be maintained remotely by third party vendors or connected to cloud applications for data analysis. This open and expanding threat surface is vulnerable to malicious intrusion.

As many BAS (Building Automation Systems) and IoT devices lack inherent security and use insecure communications protocols, the risk to your property is significant. Consider also that the final payload of a BAS attack requires less sophistication than an attack on a critical infrastructure facility, because the physical processes involved in BAS are less complex.

SOLUTION

Automated Monitoring of OT and IoT Networks to Identify Threats

[Figure: Nozomi Networks Solution: Alerts List]

The Nozomi Networks solution alerts security teams to early stage reconnaissance and compromise activities, and provides the information needed to respond before damage occurs. The Threat Intelligence service delivers up-to-date threat and vulnerability information to stay on top of the dynamic threat landscape and reduce mean-time-to-detection (MTTD).

Early warning is an important part of neutralizing threats before they can migrate to automation systems, or between IT and OT networks. Advanced malware progresses through different phases during an attack, and identifying it early is essential to stopping it before it crosses between IT and OT networks and causes damage. The Nozomi Networks solution uses behavior-based anomaly detection and multiple types of signature and rule-based detection to identify malware at each attack phase.
  • During early stages, Guardian’s anomaly detection flags irregular activity, such as malware that is beaconing out to an external Command and Control server (C&C). Its signatures detect specific content in network traffic related to the presence of the malware.
  • During the reconnaissance stage, malware prepares for an attack by triggering a learning process. Here, Nozomi Networks’ anomaly detection identifies new commands in the host network. Even if the malware uses standard or proprietary transport control system protocols to communicate, its messages will deviate from the learned baseline behavior, allowing Guardian sensors to single them out.
  • In both early and late stage attacks, Guardian enables you to implement new firewall rules to block communication or take other actions to stop further attack commands and limit harm.
Built-in integration with IT tools such as SIEMs and scheduling systems means that you can respond to OT threats cost-effectively with existing tools and workflows. The Asset Intelligence and Threat Intelligence subscriptions continuously update Guardian sensors so you can quickly detect and respond to cyber threats and anomalies before they can succeed.
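The two behavior-based detections described above, a learned baseline of commands and the spotting of periodic beaconing to an external host, as an added toy example in Python; this is not Nozomi Networks code, and the record format, command names and site network range are constructed assumptions:

```python
"""Added example (not Nozomi Networks code): toy baseline-and-anomaly detector
over constructed OT flow records. It shows the two detections the text
describes: commands never seen during learning, and periodic beaconing
from an internal host to an address outside the building network."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed records: (timestamp_s, src, dst, protocol, command).
# Command names are hypothetical BACnet-style services; the site
# network is assumed to be 10.10.0.0/16.
SITE_NET = ip_network("10.10.0.0/16")
LEARNING = [
    (0, "10.10.1.5", "10.10.2.10", "bacnet", "readProperty"),
    (60, "10.10.1.5", "10.10.2.11", "bacnet", "readProperty"),
    (120, "10.10.1.5", "10.10.2.10", "bacnet", "writeProperty"),
]
LIVE = [
    (1000, "10.10.1.5", "10.10.2.10", "bacnet", "readProperty"),        # normal
    (1010, "10.10.2.10", "203.0.113.7", "tcp", "connect"),             # beacon
    (1070, "10.10.2.10", "203.0.113.7", "tcp", "connect"),             # beacon
    (1130, "10.10.2.10", "203.0.113.7", "tcp", "connect"),             # beacon
    (1190, "10.10.2.10", "203.0.113.7", "tcp", "connect"),             # beacon
    (1200, "10.10.1.5", "10.10.2.10", "bacnet", "reinitializeDevice"),  # new command
]

def learn_baseline(records):
    """Learning phase: remember every (src, dst, protocol, command) seen."""
    return {(s, d, p, c) for _, s, d, p, c in records}

def new_commands(records, baseline):
    """Flag records whose tuple never appeared during learning."""
    return [r for r in records if (r[1], r[2], r[3], r[4]) not in baseline]

def beacons(records, min_count=4, max_jitter=0.1):
    """Flag internal->external pairs talking at near-constant intervals."""
    by_pair = defaultdict(list)
    for t, s, d, _, _ in records:
        if ip_address(s) in SITE_NET and ip_address(d) not in SITE_NET:
            by_pair[(s, d)].append(t)
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):  # low jitter = periodic
            found.append((pair, round(mean(gaps))))
    return found
```

In a real deployment the baseline would be keyed on far richer protocol fields and the jitter threshold tuned per site; the point here is that both alerts come from deviation from learned behavior rather than from a signature.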

Stay Up-to-date on Emerging Threats with Threat Intelligence

The Threat Intelligence subscription delivers up-to-date OT & IoT threat intelligence to the Nozomi Networks solution, making it easy for you to detect threats and identify vulnerabilities in your environment.

When new information is received, Vantage rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.

Let's get started

Discover how easy it is to identify and respond to cyber threats by automating your IoT and OT asset discovery, inventory, and management.