Detecting Malware Infections in Building Systems
Detecting Malware Operating Within My OT/IoT Networks
In 2013, malware gained entry to the network of retailing giant Target and stole the personal and credit card information of 40 million people.1 It was originally thought that the infection occurred through the remote monitoring system of an HVAC system vendor, though it was later determined to have come through accounting connections between the supplier and Target.
Nonetheless, the threat of an attack originating with a building management system vendor is real. Imagine your HVAC system was breached, causing a heating and ventilation failure or power outage at one of your properties. Such an incident could directly impact the safety and health of thousands of occupants.
Why is malware risk higher now than ever before? As buildings become “smarter” they are increasingly connected to other systems. They may be maintained remotely by third party vendors or connected to cloud applications for data analysis. This open and expanding threat surface is vulnerable to malicious intrusion.
As many BAS (Building Automation Systems) and IoT devices lack inherent security and use insecure communications protocols, the risk to your property is significant. Consider also that the final payload of a BAS attack requires less sophistication than an attack on a critical infrastructure facility, because the physical processes involved in BAS are less complex.
Automated Monitoring of OT and IoT Networks to Identify Threats
An important part of neutralizing threats before they can migrate to automation systems, or between IT and OT networks, involves early warning.
Advanced persistent threat malware goes through different phases during an attack. The Nozomi Networks solution uses behavior-based anomaly detection and multiple types of signature and rule-based detection to detect malware at each phase. It alerts operators to early stage infection and reconnaissance activities, and provides the information needed to act before a final attack occurs.
- For early stage attacks, anomaly detection identifies irregular activity, such as malware beaconing out to an external Command and Control (C&C) server over a connection to a previously unseen public IP address. It also detects specific files, data and events in network traffic that indicate the presence of the malware.
- During the reconnaissance phase, malware prepares for an attack by learning about the environment. The solution’s anomaly detection identifies new commands on the host network and generates alerts that include the command sources. Even if the malware uses regular BAS protocols to communicate, its messages will deviate from the system’s baseline behavior, allowing them to be singled out.
- If an attack occurs, it is quickly identified, and an alert is sent out. This enables you to implement new firewall rules, or take other actions to stop further attack commands and limit harm.
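As an added illustration of the baseline-versus-deviation logic described in the list above (example code written for this page, not part of the Nozomi Networks product), the script below learns a baseline of external destinations and per-host BAS commands from constructed flow records, then flags new external destinations as possible beaconing and previously unseen commands as possible reconnaissance. The internal address ranges, protocol names, BACnet-style command labels and flow records are all assumptions constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumption: the building network uses these RFC 1918 ranges; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: (source, destination, protocol, command).
# Learning period: normal BAS traffic plus one sanctioned cloud-analytics connection.
BASELINE_FLOWS = [
    ("10.1.1.20", "10.1.1.50", "bacnet", "readProperty"),
    ("10.1.1.20", "10.1.1.51", "bacnet", "readProperty"),
    ("10.1.1.20", "10.1.1.50", "bacnet", "writeProperty"),
    ("10.1.1.20", "198.51.100.7", "https", "cloud-analytics"),
    ("10.1.1.30", "10.1.1.50", "bacnet", "readProperty"),
]
# Observation period: workstation 10.1.1.30 is now infected (constructed scenario).
OBSERVED_FLOWS = [
    ("10.1.1.20", "198.51.100.7", "https", "cloud-analytics"),  # known external, no alert
    ("10.1.1.30", "203.0.113.45", "https", "beacon"),           # new public destination
    ("10.1.1.30", "10.1.1.50", "bacnet", "readProperty"),       # within baseline
    ("10.1.1.30", "10.1.1.50", "bacnet", "whoIs"),              # host never sent this before
    ("10.1.1.30", "203.0.113.45", "https", "beacon"),           # repeat beacon, deduplicated
    ("10.1.1.30", "10.1.1.51", "bacnet", "reinitializeDevice"), # host never sent this before
]

def is_external(addr):
    """True when the address falls outside every configured internal range."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def learn_baseline(flows):
    """Record external destinations and (source, protocol, command) triples seen while learning."""
    external, commands = set(), set()
    for src, dst, proto, cmd in flows:
        if is_external(dst):
            external.add(dst)
        commands.add((src, proto, cmd))
    return external, commands

def detect(baseline, flows):
    """Return de-duplicated (phase, source, detail) alerts for flows that deviate from baseline."""
    external, commands = baseline
    alerts, seen = [], set()
    for src, dst, proto, cmd in flows:
        if is_external(dst) and dst not in external:
            key = ("beaconing", src, dst)              # new public IP: early-stage C&C contact
        elif (src, proto, cmd) not in commands:
            key = ("reconnaissance", src, f"{proto}:{cmd}")  # new command from this host
        else:
            continue
        if key not in seen:
            seen.add(key)
            alerts.append(key)
    return alerts
```

Each alert carries the source host, so the same record can feed a SIEM rule or a firewall block as the text describes.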
Thanks to built-in integration with IT tools such as SIEMs and ticketing systems, OT threats can be handled using the tools and workflows your organization already uses.
The Nozomi Networks solution alerts IT/OT security teams to early stage malware infection and reconnaissance activities, and provides the information needed to respond before damage occurs. Threat Intelligence, which delivers up-to-date threat intelligence to Guardian, makes it easy to stay on top of the dynamic threat landscape and reduce time to detection.
Stay Up-to-date on Emerging Threats with Threat Intelligence
The Threat Intelligence subscription delivers up-to-date OT & IoT threat intelligence to the Nozomi Networks Guardian solution, making it easy for you to detect threats and identify vulnerabilities in your environment.
When new information is received, Guardian rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.