CYBERSECURITY FAQ

What's the Difference Between Threat Detection and Anomaly Detection in OT?

Perhaps the biggest difference between IT and OT security is that in industrial environments we must account for both cyber and operational risk, including process risk. In fact, operational anomalies unrelated to a cyber threat are far more common.

In industrial environments, especially critical infrastructure, large-scale cyberattacks make headlines, but equipment malfunctions, misconfigurations, resource usage spikes and hazardous process deviations are far more likely to threaten production, or worse. For instance, in a chemical plant, an alarm might be triggered when a pressure sensor reports values outside safe operating thresholds, prompting an immediate shutdown to prevent an explosion. Until it is investigated, that alarm could indicate that a malicious actor has tampered with the value, or it could be operator error. In either case, the risk to the process is real. Operators and managers must be able to detect both threats and anomalies (intrusions, unwanted behavior and equipment failures) and respond quickly.

Generically, an anomaly is anything that diverges from a baseline of normal performance or appearance. In manufacturing and other industrial environments, that could be unstable process values, incorrect process measurements or misconfigurations that could lead to malfunction or downtime. For this reason, a pharmaceutical plant typically monitors communication between control systems and field devices to detect abnormal readings or commands that could disrupt production or safety protocols, and to ensure batch quality. Such process anomalies may also indicate a cyber threat.

To ensure security, reliability and high availability, industrial environments need comprehensive risk monitoring that combines rule-based threat detection with behavior-based anomaly detection.

Rule-based Detection

Rule-based detection is efficient for threats whose indicators are easily observable and identifiable. The same method can detect known, non-malicious anomalies, such as spikes in resource usage or an unexpected surge in traffic, as long as the condition can be written down in advance.

Signature-based detection, a subset of rule-based detection, is a fast, efficient way to detect malicious activity or unauthorized access in network traffic. It relies on predefined rules or conditions that describe unique, known attack patterns (signatures) and matches observed traffic against a database of known threats. Each signature includes indicators of compromise (IOCs) such as filenames, file hashes, URLs and IP addresses. While efficient, signature-based detection only works for known threats, such as exploits for documented CVEs, and only if the indicators are observable in the traffic and distinctive enough to match without generating excessive false positives.

To identify known malware, signature-based methods use YARA rules to match file content and packet rules to match network traffic, and fire an alert whenever either matches.

Behavior-based Anomaly Detection

Operational anomalies, and unknown threats such as zero-days, have no predefined signature to match, so rules alone cannot reliably detect them. The best way to detect them is continuous monitoring that uses deep packet inspection (DPI) to read industrial protocols in network traffic and compares current behavior against a learned baseline.

ICS networks are relatively static compared to enterprise networks, where devices are constantly being added and removed, so establishing accurate baselines and recognizing deviations from them is much easier. Doing this at scale, however, requires machine learning to learn the normal behavior of the process variables extracted from network traffic. The baseline must be learned during a period the operator trusts to be clean: anything present while learning, including an intruder's traffic, would otherwise become part of "normal". Once baselines are established, behavior-based anomaly detection can flag traffic patterns outside learned thresholds as well as abnormal sensor readings and flow parameters.
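As an added illustration of the two approaches described in the rule-based and behavior-based sections above (example code written for this page, not Nozomi Networks code or any product's detection engine), the Python below runs both over a handful of constructed Modbus/TCP frames. A small set of packet rules catches known indicators (a Diagnostics "Restart Communications" request, and traffic from an address on a constructed IOC list), while a baseline learned from earlier, assumed-clean traffic flags a never-seen communication pair and a setpoint written far outside its learned range. All IP addresses, register numbers, hostnames, rule names and values are assumptions invented for the example.

```python
import struct

# ---- Minimal Modbus/TCP parser: 7-byte MBAP header, then the PDU ----------
def parse_modbus(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0: not Modbus/TCP")
    pdu = frame[7:]
    if len(pdu) != length - 1:            # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match PDU size")
    return {"tid": tid, "unit": unit, "fc": pdu[0], "data": pdu[1:]}

def mb(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    # Build a well-formed frame; used only to construct the sample traffic.
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

def observe(src: str, dst: str, frame: bytes) -> dict:
    # Parsed frame plus the IP pair a passive sensor would see it between.
    return {**parse_modbus(frame), "src": src, "dst": dst}

# ---- Rule-based detection: match observable, known indicators --------------
KNOWN_BAD_HOSTS = {"203.0.113.9"}        # constructed IOC (TEST-NET-3 address)

PACKET_RULES = [
    # Diagnostics (0x08) sub-function 0x0001 = Restart Communications Option
    ("Modbus restart-communications request",
     lambda p: p["fc"] == 0x08 and p["data"][:2] == b"\x00\x01"),
    ("traffic to/from known-bad host (IOC)",
     lambda p: p["src"] in KNOWN_BAD_HOSTS or p["dst"] in KNOWN_BAD_HOSTS),
]

def rule_alerts(pkts):
    return [(name, p["tid"]) for p in pkts for name, hit in PACKET_RULES if hit(p)]

# ---- Behavior-based detection: learn a baseline, then flag deviations ------
def write_pair(p):
    # (register, value) for Write Single Register (0x06), else None.
    return struct.unpack(">HH", p["data"][:4]) if p["fc"] == 0x06 else None

class Baseline:
    def __init__(self, tolerance: float = 0.10):
        self.flows = set()                # (src, dst, unit, fc) seen while learning
        self.ranges = {}                  # (unit, register) -> (min, max) written
        self.tol = tolerance

    def learn(self, pkts):
        # Assumes the learning traffic is clean: anything here becomes "normal".
        for p in pkts:
            self.flows.add((p["src"], p["dst"], p["unit"], p["fc"]))
            if (w := write_pair(p)):
                reg, val = w
                lo, hi = self.ranges.get((p["unit"], reg), (val, val))
                self.ranges[(p["unit"], reg)] = (min(lo, val), max(hi, val))

    def detect(self, pkts):
        alerts = []
        for p in pkts:
            flow = (p["src"], p["dst"], p["unit"], p["fc"])
            if flow not in self.flows:
                alerts.append(("new communication pattern", flow))
            if (w := write_pair(p)):
                reg, val = w
                key = (p["unit"], reg)
                if key not in self.ranges:
                    alerts.append(("write to never-seen register", key))
                    continue
                lo, hi = self.ranges[key]
                margin = max(1, int((hi - lo) * self.tol))
                if not (lo - margin <= val <= hi + margin):
                    alerts.append(("process value outside learned range", (key, val)))
        return alerts

# ---- Constructed sample traffic (all addresses and values are made up) ------
HMI, EWS, PLC, INTRUDER = "192.168.10.5", "192.168.10.7", "192.168.10.20", "203.0.113.9"
SETPOINT = 0x0010                         # holding register that carries a setpoint

def write_setpoint(tid, src, value):
    return observe(src, PLC, mb(tid, 1, 0x06, struct.pack(">HH", SETPOINT, value)))

LEARNING_TRAFFIC = [
    observe(HMI, PLC, mb(1, 1, 0x03, struct.pack(">HH", 0x0000, 8))),  # HMI poll
    *(write_setpoint(t, HMI, v) for t, v in zip(range(2, 6), (1200, 1210, 1195, 1205))),
]

LIVE_TRAFFIC = [
    write_setpoint(10, HMI, 1202),                                    # normal write
    write_setpoint(11, EWS, 1200),                                    # unseen source
    write_setpoint(12, HMI, 4000),                                    # hazardous value
    observe(INTRUDER, PLC, mb(13, 1, 0x08, b"\x00\x01\x00\x00")),     # restart comms
]

def run() -> dict:
    base = Baseline()
    base.learn(LEARNING_TRAFFIC)
    return {"rules": rule_alerts(LIVE_TRAFFIC), "behavior": base.detect(LIVE_TRAFFIC)}
```

Running `run()` shows the division of labor: the packet rules fire only on the intruder's restart request (a known pattern and a listed IOC), and say nothing about the other three frames. The baseline catches what the rules cannot describe in advance: the engineering workstation writing a setpoint it never wrote during learning, and the HMI writing 4000 into a register whose learned range is 1195 to 1210. Note that the 4000 write is flagged whether it came from an attacker or from an operator typo, which is exactly the point made above about operational anomalies.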

Threat and Anomaly Detection Using the Nozomi Networks Platform

The Nozomi Networks platform has the most sophisticated detection engine available for OT/IoT environments. It combines rule-based and behavior-based techniques to detect and limit the impact of every threat in your environment, from resource spikes to zero-days, without overwhelming analysts and operators with false positives.  

To detect known threats, the Nozomi Threat Intelligence feed provides aggregated threat research and analysis as well as detailed information on threat indicators including YARA rules, packet rules, STIX indicators, threat definitions, a threat knowledgebase and vulnerability signatures. Our sensors and platform are continuously updated with the latest emerging malware and IOCs specific to industrial processes and IoT devices. This includes our own OT/IoT-specific research as well as integration with CISA’s Known Exploited Vulnerabilities Catalog, MITRE ATT&CK® Matrix for ICS mappings and Mandiant threat intelligence.

Nozomi Threat Intelligence

To detect anomalies, the Nozomi Networks platform relies on machine learning to learn your industrial network's communication patterns and establish a baseline of normal behavior. It then continuously monitors your environment to identify any changes in communication or process variable values that could indicate the presence of a cyber threat or a risk to reliability.

Specifically, our sensors use DPI to parse more than 250 industrial protocols and provide the granular data needed for behavioral analysis. Using this method, we can extract detailed asset information such as make, model, serial number and firmware/OS version of devices, including industrial controllers, workstations and servers. Our sensors can detect:

  • Policy violations such as PLC program/firmware downloads, uploads and modifications, and execution of a PLC start/stop command on the network
  • Equipment malfunctions such as loss of communication links, link resets, retransmission errors and the health status of SNMP-configured devices
  • Misconfigurations such as unauthorized protocols, PLC read errors due to invalid register addresses and malformed SCADA packet errors
