When it comes to maintaining operations in critical infrastructure organizations, knowing what’s going on in your environment is a non-negotiable. It’s a crucial part of maintaining uptime and reliability and staying ahead of potential problems.
Detecting potential threats and anomalies is important for cybersecurity, but it’s also key for spotting operational and safety risks. Using different detection types and methods can make it easier to plan for preventative actions and respond quickly to existing problems because you will better identify a broad range of potential issues.
This article will cover the basics of different methods used for anomaly and threat detection and their application in OT/ICS environments.
A (Non-Comprehensive) List of Detection Types
In (very) simplified terms, most detections can be broken down into one of two types: static and dynamic.
Static detections, as the name implies, examine artifacts at rest. This tends to look like analyzing files, code, and configurations to identify indicators of potential threats and vulnerabilities. Generally, interacting with or executing the files or other items being examined won’t be necessary.
Examples of static detection methods include:
- Signature-based detection – Evaluates code, files, and other items to identify any predefined signatures indicating potential compromise.
- Static code analysis – Examines the source code to identify potential vulnerabilities, errors, or insecure coding practices.
- Configuration analysis – Evaluates files, system settings, devices, or even applications to search for misconfigurations, weak settings, or other deviations from prescribed standards.
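To make the static methods above concrete, here is an added example (not code from the original article) that combines signature-based detection and configuration analysis over one exported device configuration. The configuration keys, the rules, and the "known bad" firmware digest are all constructed for illustration and do not correspond to any real vendor format; the `accepted_findings` parameter is an assumed mechanism for recording operator-reviewed settings so that expected-but-unusual configurations are not reported again.

```python
"""Added example: static detection over a device configuration."""
import hashlib

# Constructed "known bad" signature set: SHA-256 digests of firmware images
# an analyst already knows to be tampered. The value here is a placeholder
# derived from a constructed byte string, not a real indicator.
KNOWN_BAD_FIRMWARE_SHA256 = {
    hashlib.sha256(b"constructed-tampered-firmware-image").hexdigest(),
}

# Constructed configuration rules: (rule id, predicate, description).
# Each predicate takes the config dict and returns True when it matches.
CONFIG_RULES = [
    ("CFG-001", lambda c: c.get("telnet_enabled") is True,
     "Telnet management interface enabled"),
    ("CFG-002", lambda c: c.get("admin_password") in ("", "admin", "password"),
     "Default or empty administrator password"),
    ("CFG-003", lambda c: not c.get("write_protect", False),
     "Program write-protect disabled"),
    ("CFG-004", lambda c: c.get("firmware_sha256") in KNOWN_BAD_FIRMWARE_SHA256,
     "Firmware digest matches a known-bad signature"),
]

# Constructed sample input standing in for an exported controller config.
SAMPLE_CONFIG = {
    "device": "plc-line-3",
    "telnet_enabled": True,
    "admin_password": "admin",
    "write_protect": False,
    "firmware_sha256": hashlib.sha256(
        b"constructed-tampered-firmware-image").hexdigest(),
}


def analyze_config(config, accepted_findings=frozenset()):
    """Return a list of (rule id, description) findings for one config.

    accepted_findings holds rule ids an operator has reviewed and accepted
    for this device. Skipping them supplies the context a purely static
    check otherwise lacks, so a setting that is part of how the process
    runs does not keep showing up as a finding.
    """
    findings = []
    for rule_id, predicate, description in CONFIG_RULES:
        if rule_id in accepted_findings:
            continue
        if predicate(config):
            findings.append((rule_id, description))
    return findings


if __name__ == "__main__":
    for rule_id, description in analyze_config(SAMPLE_CONFIG, {"CFG-003"}):
        print(f"{SAMPLE_CONFIG['device']}: {rule_id} {description}")
```

Running the block reports three findings for the sample device; CFG-003 is suppressed because it was recorded as accepted. Nothing here executes or touches the device, which is what keeps the check non-intrusive.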
Dynamic detection, on the other hand, involves actively interacting with or executing files, code, or whole systems to observe what happens. Analysts focus on the behavior and runtime characteristics observed during those executions.
Examples of dynamic detection methods include:
- Sandboxing – Involves running files or code in isolated environments and observing their behavior and interactions to identify suspicious activity or other unintended effects.
- Behavioral analysis – Focuses on analyzing behaviors of devices, applications, or systems for actions or deviations from normal behavior that could indicate misconfigurations or other issues.
- Network traffic analysis – Examines traffic patterns, protocols, and communication flows for deviations from a baseline that could be caused by anomalies or other issues.
There can be some overlap in these detection types in terms of what analysts are looking for, and the distinction is often in the method they take to conduct that analysis.
Modeling is another method of threat detection that’s been getting more attention. Threat detection models can come in the form of statistical models, machine learning models, and more. Essentially, modeling utilizes a mathematical approach to threat and anomaly detection by using a baseline and calculating the risk that any deviations from this baseline may present.
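As an added example (not code from the original article) of the modeling approach just described, applied to the network traffic analysis case listed above, the block below builds a statistical baseline from a known-good window of per-minute packet counts on one HMI-to-controller conversation and scores new observations by how far they deviate from it. All sample values are constructed, the z-score threshold of 3.0 is an assumed choice, and the zero-spread handling illustrates one edge case a real model has to deal with.

```python
"""Added example: a statistical baseline model for traffic counts."""
from statistics import mean, pstdev

# Constructed baseline: packets per minute observed on one HMI-to-PLC
# conversation during a quiet, known-good window. Values are made up.
BASELINE_PPM = [118, 121, 119, 123, 120, 117, 122, 120, 119, 121]

# Constructed observations to score: two of them are deliberately far
# outside the baseline to show what a flagged deviation looks like.
SAMPLE_OBSERVATIONS = [120, 122, 118, 145, 119, 60, 121]


def build_baseline(samples):
    """Return (mean, standard deviation) of a known-good sample window."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate a baseline")
    return mean(samples), pstdev(samples)


def score(observation, baseline, threshold=3.0):
    """Return (z_score, is_anomalous) for one new observation.

    If the baseline has zero spread a z-score cannot be computed, so any
    change at all from the baseline mean is treated as a deviation.
    """
    mu, sigma = baseline
    if sigma == 0:
        z = float("inf") if observation != mu else 0.0
    else:
        z = (observation - mu) / sigma
    return z, abs(z) > threshold


def detect(observations, baseline, threshold=3.0):
    """Return (index, value, z) for every observation past the threshold."""
    hits = []
    for i, value in enumerate(observations):
        z, flagged = score(value, baseline, threshold)
        if flagged:
            hits.append((i, value, round(z, 2)))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PPM)
    print(f"baseline mean={baseline[0]:.1f} stdev={baseline[1]:.2f}")
    for index, value, z in detect(SAMPLE_OBSERVATIONS, baseline):
        print(f"minute {index}: {value} packets (z={z})")
```

On the sample data the baseline mean is 120 packets per minute with a standard deviation of about 1.73, so the observations of 145 and 60 are flagged while the rest score well inside the threshold. The same structure generalizes to any per-interval metric: the cost, as the article notes, is in collecting enough representative history for the baseline to be trustworthy.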
Do All Detection Types Work in OT?
Short answer: no. As with everything else in industrial and OT-based infrastructure, where every environment is unique, it depends on the nature of the environment.
Static detection methods, for example, are relatively quick and simple to implement if analysts have known signatures or other indicators available to them. Static methods are also typically non-intrusive, since interactions with systems aren’t usually required.
On the other hand, static methods are limited to any known threats and can produce a large number of false positives without proper context. What looks like a misconfigured PLC, for example, might just be part of the way that environment operates.
Dynamic detection methods can detect threats without prior knowledge, based on behavior observed during analysis, and can alert on actions as they happen in near real-time. But because dynamic methods interact with the systems under analysis, they can be slow or resource-intensive, which makes them difficult or even impossible to run in OT environments.
Modeling detection methods can proactively identify deviations from baselines, making it easier to detect potential threats and anomalies early on. Models can also be updated and adjusted as needed based on changes in the environment. The problem, however, is that building an effective model can take a significant amount of time. A massive amount of historical data may also be needed to establish and maintain an accurate baseline, which makes modeling unsuitable for smaller teams or for environments without a lot of domain-specific knowledge and resources.
There’s No Silver Bullet for Detection
Despite what we all want (and what some marketing material might indicate), there is no single detection method that works all the time across the board.
Whether your team needs to focus on static signature-based detection methods or dynamic behavior modeling largely depends on the complexity of your environment and how you want to use the information.
In most cases, the most effective threat and anomaly detection approach incorporates multiple techniques with the knowledge and awareness of their respective strengths and shortcomings.
Also, remember that as your team begins to implement various detection methodologies, it’s important to start with those that are simple to implement and utilize quickly.
Trying to build a model as a first project, for example, isn’t likely to be worth it. It will take a significant amount of time, effort, and resources before the model can even be used effectively. And OT environments are often so specialized to the operation they were built for that static detection methods can yield more accurate and useful data faster than model-based detections.
This is just the tip of the iceberg, and we haven’t even touched on agentic detection methodologies (yet). We’ll go over the steps to implement various detection methodologies in your environment in a future article. For now, it’s important to note that any successful project requires visibility into your environment and an in-depth understanding of the OT assets you’re working with.