Unlocking the Power of Threat Hunting in OT Environments
Unlocking the Power of Threat Hunting in OT Environments
In today’s ever-evolving digital landscape, industrial systems and critical infrastructures are more exposed than ever to cyber threats. Since the arrival of the Industry 4.0 paradigm, both Information Technologies and Operational Technologies (IT and OT) coexist, and APT groups and cybercriminals take advantage of vulnerabilities in either of these two technologies to cause damage to these industrial infrastructures or to the society itself, which relies on them.
Threat hunting is a complex process carried out by cybersecurity experts to detect the presence of the above-mentioned Advanced Persistent Threats (APTs). This process usually entails inspecting network traffic, analyzing user and application logs, and correlating all that heterogeneous information in search of indications of the presence of any threat or potential vulnerability in the system.
CARMEN, the tool developed by S2 Grupo in collaboration with Spain’s National Cryptologic Centre to identify compromises by APTs, is one of the tools cybersecurity experts can use in the threat-hunting process. CARMEN covers both IT and OT traffic, providing comprehensive threat visibility that enables early detection of vulnerabilities and anomalies in industrial control systems. Proactive threat detection in OT environments enhances overall security, improves incident response, and minimizes operational disruptions. Furthermore, it enhances asset visibility, inventory management, compliance adherence, and cost reduction. Ultimately, this adaptation future-proofs security measures, ensuring the safeguarding of critical infrastructure in our ever-evolving digital landscape.
As part of the R2D2 project, S2 Grupo has begun expanding CARMEN’s capabilities for analyzing OT traffic by developing new capabilities for data ingestion and threat detection. These developments will include the creation of new specific protocol dissectors for CARMEN, such as MQTT, ICCP 60870-6/TASE.2, IEC 60870-5-104, or Modbus, as well as new pre-processing and aggregation capabilities to reduce the amount of information to be processed and its inner variability. These developments will enhance CARMEN’s ability to carry out a more in-depth analysis of network traffic at different levels and to improve its detection capabilities, including both signature-based and anomaly-detection-based methods.
Additionally, new capabilities aimed at APT and zero-day threat detection using Machine Learning techniques are being developed for CARMEN within the scope of R2D2. This approach is based on modeling and characterizing tactical and operational intelligence, allowing for the comparison of suspicious actions. This way, APT groups can be clustered based on the tactical and operational intelligence they employ when attacking a system. As a result, when anomalous behavior is observed and detected, it’s possible to match this behavior against each APT group cluster, assess the possibility of being under an attack carried out by one of the APT groups in these clusters, and raise an alert. Furthermore, this approach allows for alerting cybersecurity analysts about other actions typically associated with these APT groups so that they can search for any of these actions if they haven’t been noticed before or be prepared for the next stages of the attack.
This developmental milestone and new feature have received substantial acclaim, especially at events like the Navaja Negra Conference, held in Spain in October 2023. The enthusiastic approval from both attendees and experts underscores the significance of this advancement in threat-hunting technology.
This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No 101075714.
EMMA-SURVEILLANCE: Enhancing Substation Security with AI-Powered Visual Detection
EMMA-SURVEILLANCE: Enhancing Substation Security with AI-Powered Visual Detection
Within the context of the R2D2 project, an innovative tool known as EMMA-SURVEILLANCE is currently in development to bolster the security of critical facilities located in electrical substation transformer centers. This solution integrates an artificial vision algorithm that has been honed by retraining the well-known YOLO (You Only Look Once) model. This algorithm is equipped with the ability to efficiently detect fires, smoke, and the presence of animals in the vicinity of the substation. The purpose of identifying fires and smoke is to promptly alert personnel to potential emergencies, ensuring a swift and effective response. Furthermore, recognizing animals is of utmost importance, as many of them tend to come into contact with the substation structures, posing the risk of electrocution and causing significant disruptions to the electrical system. This model will be deployed in a stationary camera situated within the corresponding pilot substation.
In this initial phase, the algorithm has exhibited remarkable precision, achieving an F1 score of 0.84. This achievement is particularly noteworthy, especially when considering the project’s early stages. As the next steps, the plan involves expanding the dataset, with the objective of collecting more images of fires and smoke to enhance the model’s accuracy. Concurrently, the load testing phase will be initiated, assessing the model’s inference capacity when operating in a real camera and continuously processing real-time video streams. This process is critical to ensure that the algorithm can perform effectively without significant delays, thereby guaranteeing its practicality for real-time monitoring scenarios.
Some examples of recorded images of the AI-powered visual detection.
This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No 101075714.