
While you might not be implementing these mitigations yourself, you play a crucial role in:

  • Recognizing how they work.

  • Monitoring the effectiveness of these mitigations.

  • Raising alerts when a mitigation may be failing.

  • Supporting incident response and post-incident analysis.

By using the MITRE ATT&CK framework as a roadmap, you can implement more targeted and effective mitigation strategies for IoT and OT environments.

As a cybersecurity analyst monitoring IoT and OT environments, you need a keen eye for specific anomalies and patterns that could indicate malicious activity. Here is a breakdown of what you should be on the lookout for, categorized for clarity:

1. Network Traffic Anomalies:

  • Unusual Source/Destination IPs:
    What to look for: IoT/OT devices communicating with unexpected external IPs, especially those associated with known malicious actors.
    Why: Could indicate command-and-control (C2) communication or data exfiltration.

  • Unexpected Protocols:
    What to look for: IoT devices using protocols outside their normal operations (e.g., an IP camera communicating via Modbus), or OT devices talking via HTTP when the communication should go through a control protocol.
    Why: Could indicate an attacker attempting to establish a backdoor channel or exploit a known protocol vulnerability.

  • Abnormal Traffic Volume:
    What to look for: Sudden spikes or drops in traffic to/from IoT/OT devices, especially if the volume falls outside expected baselines.
    Why: Could indicate a denial-of-service (DoS) attack or exfiltration of large amounts of data.

  • Unusual Ports:
    What to look for: Devices communicating over unexpected ports, especially those associated with remote access or malicious activity.
    Why: Could indicate unauthorized access attempts, backdoors, or data transfer.

  • Protocol Violations:
    What to look for: Malformed or unusual protocol messages (e.g., Modbus requests with invalid function codes).
    Why: Could indicate attempts to exploit vulnerabilities in the protocol itself.

  • Broadcast/Multicast Anomalies:
    What to look for: Unexpected increases in broadcast or multicast traffic from IoT/OT devices, particularly from devices that do not normally use them.
    Why: Could indicate reconnaissance activity or DoS attacks.

  • Egress Traffic with High Bandwidth:
    What to look for: High outbound bandwidth sustained over a period of time from an unexpected IP or device.
    Why: Could indicate exfiltration of data.
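The two network checks above (an IP camera speaking Modbus, and Modbus requests carrying invalid function codes) as an added Python example that is not part of the original page: it parses the MBAP header of a Modbus/TCP request, flags function codes outside the public and user-defined ranges, and compares each device's observed protocol against a role-to-protocol inventory. The ALLOWED_PROTOCOLS table and the sample frames are constructed assumptions for this illustration, not data from the page.

```python
import struct

# Public function codes from the Modbus Application Protocol specification; 65-72 and
# 100-110 are reserved for user-defined functions; 0x80 and above mark exception responses.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
USER_DEFINED_CODES = set(range(65, 73)) | set(range(100, 111))

# Constructed asset inventory (an assumption for this example): protocols each device
# role is expected to speak. In practice this comes from the OT asset register.
ALLOWED_PROTOCOLS = {
    "ip-camera": {"rtsp", "https"},
    "plc": {"modbus"},
    "hmi": {"modbus", "https"},
}

def check_modbus_request(frame: bytes) -> list:
    """Return findings for one Modbus/TCP request (7-byte MBAP header + PDU)."""
    findings = []
    if len(frame) < 8:
        return ["truncated frame: shorter than MBAP header plus function code"]
    _tid, proto_id, length, _unit_id, func = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        findings.append(f"protocol id {proto_id} is not 0, so this is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. all bytes after the first 6.
    if length != len(frame) - 6:
        findings.append(f"length field {length} does not match {len(frame) - 6} bytes present")
    if func >= 0x80:
        findings.append(f"function code 0x{func:02x} is an exception code, invalid in a request")
    elif func not in PUBLIC_FUNCTION_CODES and func not in USER_DEFINED_CODES:
        findings.append(f"function code {func} is not a public or user-defined Modbus function")
    return findings

def check_flow(device_role: str, protocol: str) -> str:
    """Return a finding if a device speaks a protocol outside its role's baseline, else ''."""
    allowed = ALLOWED_PROTOCOLS.get(device_role)
    if allowed is None:
        return f"unknown device role {device_role!r}: no baseline to compare against"
    if protocol not in allowed:
        return f"{device_role} using {protocol}, expected one of {sorted(allowed)}"
    return ""

if __name__ == "__main__":
    # Constructed sample frames: a normal Read Holding Registers request, one with the
    # unassigned function code 0x63, and one carrying the exception code 0x83.
    for label, hexframe in [("normal", "00010000000601030000000a"),
                            ("bad-fc", "00020000000601630000000a"),
                            ("exception", "000300000003018302")]:
        print(label, check_modbus_request(bytes.fromhex(hexframe)) or "ok")
    print("camera", check_flow("ip-camera", "modbus") or "ok")
```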

 

2. Device and System Anomalies:

  • Unusual Logins/Account Activity:
    What to look for: Failed login attempts, access from unfamiliar locations, and new accounts created, especially on critical OT systems.
    Why: Could indicate brute-force attacks, compromised credentials, or unauthorized access.

  • Configuration Changes:
    What to look for: Unexpected modifications to device settings, firewall rules, or user permissions, particularly on critical devices.
    Why: Could indicate an attacker attempting to bypass security measures or gain persistent access.

  • Firmware Changes:
    What to look for: Unexpected firmware updates or changes in device firmware versions.
    Why: Could indicate malicious firmware being installed or an attempt to downgrade the firmware to a vulnerable version.

  • Process Anomalies:
    What to look for: Unexpected processes running on IoT/OT devices.
    Why: Could indicate malware running on the device.

  • Resource Utilization:
    What to look for: Spikes in CPU or memory usage, especially when there is no legitimate reason for them.
    Why: Could indicate a DoS attack, crypto mining, or malware running on the device.

  • Unexpected Reboots/Crashes:
    What to look for: IoT/OT devices unexpectedly rebooting or crashing.
    Why: Could indicate a DoS attack, malware infection, or a compromised system.

  • Clock Changes:
    What to look for: Unexpected changes in the device or system clock.
    Why: Could indicate an attempt to evade time-based security mechanisms or to obscure forensic analysis.

  • Hardcoded Credentials:
    What to look for: Credentials hardcoded in the device or application firmware.
    Why: Provides an easy entry point for attackers.

  • Unsigned Code/Applications:
    What to look for: If the company has an application or executable whitelisting process, unsigned code or applications are always a red flag.
    Why: Could indicate an unauthorized malicious application being executed.

 

3. OT-Specific Anomalies:

  • PLC Logic Changes:
    What to look for: Changes to PLC program logic or configuration without proper authorization.
    Why: Could indicate an attacker attempting to manipulate a physical process.

  • HMI Modifications:
    What to look for: Changes to HMI screens, graphics, or displayed values without proper authorization.
    Why: Could indicate an attacker trying to mislead operators or manipulate the process.

  • Alarm Suppression:
    What to look for: Suppression of alarms or warnings.
    Why: Could indicate an attacker attempting to hide malicious activity or process manipulation.

  • Process Variable Changes:
    What to look for: Unexpected or unauthorized changes to process variables (e.g., valve positions, temperature settings) outside of normal operating ranges.
    Why: Could indicate an attacker attempting to disrupt or damage the process.

  • Data Historian Anomalies:
    What to look for: Unusual gaps in data logs or modifications to data history.
    Why: Could indicate an attacker attempting to hide evidence of malicious activity.

 

4. Security Tool Alerts:

  • IDS/IPS Alerts:
    What to look for: Alerts triggered by intrusion detection/prevention systems, particularly for OT protocols.
    Why: Could indicate an ongoing attack or reconnaissance activity.

  • SIEM Alerts:
    What to look for: Alerts generated by a SIEM platform, focusing on IoT/OT-specific alerts.
    Why: Indicates suspicious activity detected by the security-monitoring platform.

  • Endpoint Detection and Response (EDR) Alerts:
    What to look for: Alerts generated by EDR products, particularly on IoT devices or workstations with access to OT systems.
    Why: Indicates malicious software running on the endpoint.

 

5. User Behavior Anomalies:

  • Access outside Normal Hours:
    What to look for: Users accessing IoT/OT systems or data outside of their normal work hours.
    Why: Could indicate compromised user accounts or malicious activity.

  • Unusual Access Patterns:
    What to look for: Users accessing systems or data that they do not normally access.
    Why: Could indicate privilege escalation or a compromised user account.

  • Multiple Failed Accesses:
    What to look for: Many failed attempts to access system resources with one or more user accounts.
    Why: Could indicate a brute-force attack or a compromised user account.

 

6. Supply Chain Anomalies:

  • Device from Unknown Vendor:
    What to look for: Devices from unknown vendors installed or connected to the network.
    Why: Could indicate a supply chain compromise or shadow IT practices.

  • Firmware Outdated on New Devices:
    What to look for: Newly installed devices that are not running the latest version of their respective firmware.
    Why: Could indicate pre-compromised devices.

 

How to Effectively Monitor:

  • Establish Baselines: Understand normal network traffic, device behavior, and user activity.

  • Centralized Monitoring: Collect logs and alerts from all relevant systems in a central location (e.g., SIEM).

  • Alerting Rules: Create specific alerting rules for IoT/OT environments, focusing on known attack patterns.

  • Stay Informed: Keep up-to-date on the latest IoT/OT threats and vulnerabilities.

  • Continuous Improvement: Continuously refine your monitoring and detection capabilities based on new threats and lessons learned.
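A baseline-driven check for the "Abnormal Traffic Volume" and "Egress Traffic with High Bandwidth" items and for the "Establish Baselines" and "Alerting Rules" steps above, as an added Python example rather than anything from the original page: it learns a per-device mean and standard deviation of outbound bytes per interval from a known-good window, then alerts on single-interval spikes, on sustained egress over several consecutive intervals, and on devices that have no baseline at all. The device names and byte counts are constructed sample data, not measurements from the page.

```python
from statistics import mean, pstdev

# Constructed baseline (assumption): outbound bytes per 5-minute interval for each device,
# captured during a known-good period. Real deployments pull this from flow records.
BASELINE_EGRESS = {
    "plc-01": [1200, 1150, 1300, 1250, 1180, 1220, 1270, 1210],
    "cam-03": [850000, 900000, 870000, 910000, 880000, 890000, 860000, 905000],
}

# Constructed observation window to evaluate, same interval size as the baseline.
OBSERVED_EGRESS = {
    "plc-01": [1230, 1190, 48000, 52000, 51000, 1210],
    "cam-03": [880000, 895000, 870000, 900000, 885000, 890000],
}

SIGMA_THRESHOLD = 3      # standard deviations above the baseline mean that count as a spike
SUSTAINED_INTERVALS = 3  # consecutive spiking intervals that count as sustained egress

def build_baseline(samples: dict) -> dict:
    """Return {device: (mean, stdev)}; a stdev floor of 1.0 keeps a flat baseline usable."""
    return {dev: (mean(v), pstdev(v) or 1.0) for dev, v in samples.items()}

def detect_egress_anomalies(baseline: dict, observed: dict) -> list:
    """Return (device, message) alerts for spikes, sustained egress and unbaselined devices."""
    alerts = []
    for dev, values in observed.items():
        if dev not in baseline:
            alerts.append((dev, "no baseline: unknown or newly connected device"))
            continue
        mu, sigma = baseline[dev]
        threshold = mu + SIGMA_THRESHOLD * sigma
        run = 0  # consecutive intervals above threshold
        for i, bytes_out in enumerate(values):
            if bytes_out <= threshold:
                run = 0
                continue
            run += 1
            alerts.append((dev, f"interval {i}: {bytes_out} B out exceeds {threshold:.0f} B"))
            if run == SUSTAINED_INTERVALS:
                alerts.append((dev, f"sustained egress: {run} consecutive intervals above baseline"))
    return alerts

if __name__ == "__main__":
    for dev, msg in detect_egress_anomalies(build_baseline(BASELINE_EGRESS), OBSERVED_EGRESS):
        print(dev, msg)
```

The camera's steady high volume raises no alert because the baseline was learned per device, while the PLC's jump from about 1.2 KB to around 50 KB per interval is flagged three times and then escalated as sustained egress.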

© 2023 by IT SERVICES.  Proudly created with Wix.com
