Unlocking the Power of Threat Hunting in OT Environments

In today’s ever-evolving digital landscape, industrial systems and critical infrastructures are more exposed than ever to cyber threats. Since the arrival of the Industry 4.0 paradigm, both Information Technologies and Operational Technologies (IT and OT) coexist, and APT groups and cybercriminals take advantage of vulnerabilities in either of these two technologies to cause damage to these industrial infrastructures or to the society itself, which relies on them.


Threat hunting is a complex process carried out by cybersecurity experts to detect the presence of the above-mentioned Advanced Persistent Threats (APTs). This process usually entails inspecting network traffic, analyzing user and application logs, and correlating all that heterogeneous information in search of indications of the presence of any threat or potential vulnerability in the system.

CARMEN, the tool developed by S2 Grupo in collaboration with Spain’s National Cryptologic Centre to identify compromises by APTs, is one of the tools cybersecurity experts can use in the threat-hunting process. CARMEN covers both IT and OT traffic, providing comprehensive threat visibility that enables early detection of vulnerabilities and anomalies in industrial control systems. Proactive threat detection in OT environments enhances overall security, improves incident response, and minimizes operational disruptions. Furthermore, it enhances asset visibility, inventory management, compliance adherence, and cost reduction. Ultimately, this adaptation future-proofs security measures, ensuring the safeguarding of critical infrastructure in our ever-evolving digital landscape.


As part of the R2D2 project, S2 Grupo has begun expanding CARMENs capabilities for analyzing OT traffic by developing new capabilities for data ingestion and threat detection. These developments will include the creation of new specific protocol dissectors for CARMEN, such as MQTT, ICCP 60870-6/TASE.2, IEC 60870-5-104, or Modbus, as well as new pre-processing and aggregation capabilities to reduce the amount of information to be processed and its inner variability. These developments will enhance CARMEN’s ability to carry out a more in-depth analysis of network traffic at different levels and to improve its detection capabilities, including both signature-based and anomaly-detection-based methods.

Additionally, new capabilities aimed at APT and zero-day threat detection using Machine Learning techniques are being developed for CARMEN within the scope of R2D2. This approach is based on modeling and characterizing tactical and operational intelligence, allowing for the comparison of suspicious actions. This way, APT groups can be clustered based on the tactical and operational intelligence they employ when attacking a system. As a result, when anomalous behavior is observed and detected, it’s possible to match this behavior against each APT group cluster, assess the possibility of being under an attack carried out by one of the APT groups in these clusters, and raise an alert. Furthermore, this approach allows for alerting cybersecurity analysts about other actions typically associated with these APT groups so that they can search for any of these actions if they haven’t been noticed before or be prepared for the next stages of the attack.

This developmental milestone and new feature have received substantial acclaim, especially at events like the Navaja Negra Conference, held in Spain in October 2023. The enthusiastic approval from both attendees and experts underscores the significance of this advancement in threat-hunting technology.

Further information:

Ugo Stecchi (Project coordinator)

This project has received funding from the  European Union’s Horizon Europe research and innovation programme under grant agreement No 101075714.