With EKANS, a malware appeared at the beginning of the year that also aims to shut down specific industrial processes. The malware only affects Microsoft Windows systems. But with the abundance of Windows-based systems active in OT as well as the convergence of IT and OT, EKANS has the potential to disrupt industrial processes by taking over OT-specific software on those systems.
A Common Case: Infection of an OT Database Server
For example, if an OT database server is infected, the functionality of the control software active in the OT will be disrupted. Examples of affected systems are Proficy iFix, ThingWorx, Sentinel, GE Fanuc Licensing, VMWare, Nimsoft, Honeywell HMIWeb, Bluestripe, SolarWinds, FLEXNet, MS SQL Server. Of course, the activities of EKANS will leave traces in the OT communication pattern. This allows localizing the trigger and preventing disruptions.
EKANS vs ICS Monitoring
EKANS activities can be identified by ICS monitoring and anomaly detection. The mechanism here is identical to erroneous or manipulative interventions in the process communication. Using deep packet inspection technology (DPI), such changes are detected in real-time at the lower level of the data packets. Thus, even modified functions or commands can be analyzed to identify anomalies.
Identifying Attempted Disruptions in OT Communication
At a manufacturing company, for example, the anomaly detection repeatedly detected commands for process disrupts in the communication pattern. These were atypical for the communication between the components within the OT. In particular their frequency and timing were suspicious. Using the forensic data, the operators could immediately reproduce both the source and the communication path. As it turned out, a maintenance worker - who had administrative rights on the source system for his tasks - had initiated the erroneous communication and thus risked a chain reaction. The situation could be rectified immediately so that no production downtime occurred. With malware such as EKANS, this threat detection process would be triggered in a similar way.
Protection of ICS and IoT from Malware and Error States
With the ICS monitoring solution and anomaly detection by Rhebo both industrial control systems (ICS) and connected IoT devices are safeguarded against cyberattacks, malware and technical error states. Even disrupts by increasing zero day malware, which is unknown to firewall and antivirus blocklists, can be discovered by the continuous monitoring of the entire network communication. Anomaly detection and automated threat prevention ensure integrated cybersecurity of industrial automation networks and distributed IoT devices.