Top 5 Use Cases in OT threat detection

Pietari Sarjakivi

Pietari Sarjakivi

SVP Labs

December 21, 2020 at 12:57


Operational Technology environments are mission-critical for their owners. These cyber-physical systems control our critical infrastructure from manufacturing processes to electric grids and from food production to logistic chains. While digitalization and Industry4.0 are increasing the connectiveness of these systems, the average OT system technology in use, was not designed to be defendable against modern cyber attacks. The design principles were dependability, availability, controllability and visibility - not security.

The technology during the design days usually did not include Ethernet nor TCP/IP protocol stack which were introduced to the environment as a forced push from office integration practices. As continuous production is the most important aspect in many OT environments the security practices, like regular patching and proper segmentation, can be difficult to implement. While the processes and the state of these systems are typically closely monitored via the automation system, today’s cyber security related threat detection in OT environments is lacking.

In our Virtual HelSec #4 meetup, we published the top 5 threat detection use cases for every organization responsible for the security of OT environment. The list is based on the chapter of the upcoming revision of Automaation tietoturva -book that Jari Seppälä from Tampere University/Dependable Systems and myself have been writing. The Finnish Society of Automation will publish the book during the first half of 2021. The book will be available in Finnish.

The top 5 use cases are:

  1. Asset detection in L5-L1
  2. Visibility to management and internet connections
  3. Malware detection in L5-L3
  4. Asset detection and vulnerability monitoring in L3-L0
  5. Malware detection in L2-L0

Watch the video where Pietari explains in more detail about threat detection in OT environments and introduces the top 5 use cases. Slides are downloadable from here.