Detecting Malware Infections in Building Systems

CHALLENGE

Detecting Malware Operating Within My OT/IoT Networks

In 2013, malware gained entry to the network of retailing giant Target and stole the personal and credit card information of 40 million people.[1] It was originally thought that the infection occurred through the remote monitoring system of an HVAC system vendor, though it was later determined to have come through accounting connections between the supplier and Target.

Nonetheless, the threat of an attack originating with a building management system vendor is real. Imagine your HVAC system was breached, causing a heating and ventilation failure or power outage at one of your properties. Such an incident could directly impact the safety and health of thousands of occupants.

Why is malware risk higher now than ever before? As buildings become “smarter” they are increasingly connected to other systems. They may be maintained remotely by third party vendors or connected to cloud applications for data analysis. This open and expanding threat surface is vulnerable to malicious intrusion.

As many BAS (Building Automation Systems) and IoT devices lack inherent security and use insecure communications protocols, the risk to your property is significant. Plus, consider the fact that the final payload of a BAS attack requires less sophistication than an attack on a critical infrastructure facility, because the physical processes involved in BAS are less complex.

[1] “Target Breach: Phishing Attack Implicated,” DarkReading, February 2014.

THE SOLUTION

Automated Monitoring of OT and IoT Networks to Identify Threats

An important part of neutralizing threats before they can migrate to automation systems, or between IT and OT networks, involves early warning.

Advanced malware progresses through different phases during an attack. Early identification of the malware is essential to neutralizing it before it migrates between IT and OT networks and damage occurs.

The Nozomi Networks solution uses behavior-based anomaly detection and multiple types of signature and rule-based detection to identify malware at each attack phase.

  • During early stages, Guardian’s anomaly detection flags irregular activity, such as malware that is beaconing out to an external Command and Control (C&C) server. Its signatures detect specific content in network traffic related to the presence of the malware.
  • During the reconnaissance stage, malware prepares for an attack by triggering a learning process. Here, Nozomi Networks’ anomaly detection identifies new commands in the host network. Even if the malware uses standard or proprietary transport control system protocols to communicate, the messages will vary from usual baseline behavior, allowing Guardian to single them out.
  • In both early and late stage attacks, Guardian enables you to implement new firewall rules to block communication or take other actions to stop further attack commands and limit harm.
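As an added illustration of the learn-a-baseline-then-detect approach described in the list above (example code written for this page, not Nozomi Networks’ or Guardian’s code), the following Python records which commands each host sends during a learning phase, then flags commands absent from that baseline and regular-interval contacts with hosts outside an assumed OT subnet. The flow records, addresses and the 10.0.1.0/24 subnet are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Assumed OT subnet; anything outside it is treated as "external" (constructed).
OT_NET = ip_network("10.0.1.0/24")

# Constructed flow records: (time_s, src, dst, command). Not real traffic.
BASELINE = [
    (0, "10.0.1.10", "10.0.1.20", "readProperty"),
    (5, "10.0.1.10", "10.0.1.21", "readProperty"),
    (9, "10.0.1.11", "10.0.1.20", "readProperty"),
]
OBSERVED = [
    (100, "10.0.1.10", "10.0.1.20", "readProperty"),   # normal
    (105, "10.0.1.10", "10.0.1.20", "writeProperty"),  # command never seen from this host
    (110, "10.0.1.11", "203.0.113.7", "tcp-connect"),  # external contact #1
    (170, "10.0.1.11", "203.0.113.7", "tcp-connect"),  # #2, 60 s later
    (230, "10.0.1.11", "203.0.113.7", "tcp-connect"),  # #3, 60 s later
    (290, "10.0.1.11", "203.0.113.7", "tcp-connect"),  # #4, 60 s later
]

def learn_baseline(records):
    """Learning phase: remember which commands each host normally sends."""
    baseline = defaultdict(set)
    for _, src, _, cmd in records:
        baseline[src].add(cmd)
    return baseline

def detect(records, baseline, min_beacons=3, max_jitter=0.2):
    """Detection phase: new-command alerts plus regular-interval external beacons."""
    alerts, reported = [], set()
    external = defaultdict(list)  # (src, dst) -> timestamps of contacts outside OT_NET
    for ts, src, dst, cmd in records:
        # A command this host never sent during learning; report each pair once.
        if cmd not in baseline.get(src, set()) and (src, cmd) not in reported:
            reported.add((src, cmd))
            alerts.append(("new-command", src, dst, cmd))
        if ip_address(dst) not in OT_NET:
            external[(src, dst)].append(ts)
    # Beaconing: at least min_beacons repeat intervals with low relative jitter.
    for (src, dst), times in external.items():
        if len(times) < min_beacons + 1:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            alerts.append(("beacon", src, dst, f"every ~{mean:.0f}s"))
    return alerts
```

Running `detect(OBSERVED, learn_baseline(BASELINE))` yields two new-command alerts and one beacon alert for 10.0.1.11; in practice the baseline would be built from a longer learning window and the jitter threshold tuned to the site.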

Built-in integration with IT tools such as SIEMs and scheduling systems means that you can respond to OT threats cost-effectively with existing tools and workflows.

The Asset Intelligence and Threat Intelligence subscriptions continuously update Guardian™ appliances so you can quickly detect and respond to cyber threats and anomalies before they can succeed.

The Nozomi Networks solution alerts IT/OT security teams to early stage malware infection and reconnaissance activities, and provides the information needed to respond before damage occurs. Threat Intelligence, which delivers up-to-date threat intelligence to Guardian, makes it easy to stay on top of the dynamic threat landscape and reduce time to detection.

Stay Up-to-date on Emerging Threats with Threat Intelligence

The Threat Intelligence subscription delivers up-to-date OT & IoT threat intelligence to the Nozomi Networks Guardian solution, making it easy for you to detect threats and identify vulnerabilities in your environment.

When new information is received, Guardian rapidly checks your network for the presence of new malware and vulnerabilities. If a threat is found, you are immediately notified.
