OT-IT security

Artificial intelligence and utility cyber defence – tackling OT-IT convergence

A machine learning-based solution from Darktrace is designed for real time detection of security threats to OT and IT systems.
Published: Fri 15 Feb 2019

Machine learning and artificial intelligence are being applied increasingly in the energy sector in three essentially distinct areas. One is for predictive purposes such as weather forecasting, using past and current datasets to predict future patterns on varying time scales.

Another is for management applications such as energy efficiency and demand response.

The third, of a more detective nature, is the monitoring of data streams to pick out variances from determined ‘normals’ as indicators of a current or emerging problem. One application is asset monitoring and preventive maintenance. Another, which is attracting growing interest, is cybersecurity, with one novel solution from Israeli company CyActive – subsequently acquired by PayPal – incorporating biomimicry to generate future malware variants which can then be guarded against.

Another participant in this space is Darktrace Industrial, which was founded out of the University of Cambridge in 2013 with the intention to combine mathematical and security expertise in a solution to protect critical infrastructure. Initially the business was focussed on IT systems but from about a year ago there has been a noticeable upturn in demand for protection also of the OT systems.

“OT-IT convergence is here and now; when it comes to protecting systems, the OT is inseparable from the IT and vice versa,” says Darktrace Director Andrew Tsonchev in an Engerati webinar.

Cyber security challenges

Tsonchev comments that the challenges for OT and IT security protection in utilities include the mix of technologies of different ages and protocols, both open and proprietary; the large number of endpoints; and the siloed approach to protection, with at least half of organisations in his experience having separate OT and IT security teams, and those teams not always being solely dedicated to security.

Moreover, the protections must be of the same level, he notes. “The control system may be well protected, but ultimately it is only as secure as the IT devices which may be running an out of date Windows system.”

Noting that protecting OT and IT is a technologically complex task which also requires the right people in the right places, Tsonchev says that Darktrace’s machine learning and artificial intelligence-based solution is designed to cut through these challenges as well as to better support disaster recovery.

“We liken it to the innate immune system, which adapts itself to each person’s body,” he says. “The way to stop threats is to have a tailored understanding of what ought to happen and what is happening in the environment you are interested in. With machine learning you can build a model of every device and user in that environment and with that it is then possible to detect any deviations, whether these be a performance issue or malfunction or any form of attack on the system.”

He adds that the approach is also passive and non-disruptive, and provides real time visibility across the system to enable a rapid response. For example, a field team can be directed to a known location in the event of an equipment failure.

“We take a very wide approach to what counts as a threat and it’s not just about stopping malware, although that is a very important part of it. We regard a threat as anything that has the potential to disrupt the normal operations of the system.”

Utility use cases

In addition to describing in the webinar how Darktrace’s solution is implemented within the utility, including the possibility to run it on the OT and IT systems independently but provide a combined visualisation, Tsonchev presents some findings from its use.

Among these are that over 63,500 in-progress threats have been detected. Examples include worms and ransomware, an unusual PLC reprogramming, an IT device with unauthorised access connecting to an interface and actions of disaffected or negligent employees.

In one case anomalous data transfers were detected when a worker attempted to move confidential information to their home network.

In another, anomalous communications and transfers were detected when an external server infiltrated a SCADA network with the apparent intention of exfiltrating sensitive data.
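The two cases above are both deviations from a learned per-device baseline: a known device talking to a peer it has never spoken to, moving far more data than usual, or an endpoint that has no profile at all. The following is an added illustration of that detection logic, not Darktrace’s code (the article does not describe their model); the flow records, device names and addresses are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows (src, dst, bytes) from a quiet learning period.
# Device names are invented for this example.
BASELINE = [
    ("hmi-01", "historian", 12_000), ("hmi-01", "historian", 11_500),
    ("hmi-01", "plc-07", 800), ("hmi-01", "plc-07", 900),
    ("eng-ws-03", "plc-07", 4_000), ("eng-ws-03", "plc-07", 4_200),
    ("eng-ws-03", "fileserver", 50_000), ("eng-ws-03", "fileserver", 48_000),
]


def build_profiles(flows):
    """Learn, for every device seen, its peers (either direction) and per-flow byte stats."""
    recs = defaultdict(list)
    for src, dst, nbytes in flows:
        recs[src].append((dst, nbytes))
        recs[dst].append((src, nbytes))
    profiles = {}
    for dev, items in recs.items():
        sizes = [b for _, b in items]
        profiles[dev] = {"peers": {p for p, _ in items},
                         "mean": mean(sizes), "std": pstdev(sizes)}
    return profiles


def score_flow(profiles, src, dst, nbytes, z=3.0):
    """Return {device: [reasons]} for each endpoint of the flow that deviates.

    'new_peer'       - the device has never talked to this peer in the baseline
    'volume'         - the flow is more than z standard deviations above the device's mean
    'unknown_device' - the endpoint has no profile at all (e.g. an external server)
    """
    findings = {}
    for dev, peer in ((src, dst), (dst, src)):
        prof = profiles.get(dev)
        if prof is None:
            findings[dev] = ["unknown_device"]
            continue
        reasons = []
        if peer not in prof["peers"]:
            reasons.append("new_peer")
        if nbytes > prof["mean"] + z * prof["std"]:
            reasons.append("volume")
        if reasons:
            findings[dev] = reasons
    return findings
```

A workstation pushing 2 MB to an unseen external address is flagged on both counts, while an external address reaching a PLC is flagged as an unknown device talking to a new peer; a routine file-server transfer produces no finding.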

“Securing OT and IT is the next frontier in cyber defence and we believe the only way to address it is to take an agnostic approach,” Tsonchev comments in his conclusions. “With internet of things devices proliferating, all need to be considered a risk factor.”