The network analysis service provider Digital Forensics was assigned by an international logistics company to investigate unresolved shutdowns in several logistics systems. At three of its end customers, the logistics control systems had failed in one single stroke. Restoring normal operation took several hours to days. This resulted in contractual penalties and recovery costs for the end customers in the three-digit million range. Since the logistics company was also provider of the control systems, it had to cover these downtime costs. An initial analysis did not reveal any errors in the system software. However, active remote maintenance accesses with communication via the protocol VNC were found for the corresponding period – an indication of potential sabotage of the systems.

‍

Non-intrusive communication monitoring

Continuously monitor the communication via remote maintenance accesses without affecting infrastructure and processes.

‍

Identification of the inside attacker

Detect, document, and attribute attempts to compromise customer systems via remote maintenance access in real time.

‍

Stop serial sabotage attempts

Identify vulnerabilities and implement appropriate measures to prevent incidents in the future.

Based on initial indications of sabotage, Digital Forensics opted for long-term monitoring of the logistics company’s control communication. The analysis service provider integrated the industrial anomaly detection Rhebo Industrial Protector into the logistics company’s network to continuously analyze all communication within the Operational Technology (OT). The OT monitoring with anomaly detection reports any events in the network that could lead to system disruption in real-time. Such anomalies include both security incidents and technical malfunctions that occur in the daily operation of industrial plants. Rhebo Industrial Protector reduces the downtime risk, and detects even manipulation attempts through authorized accounts.

After several months of continuous monitoring, Rhebo Industrial Protector reported unusual communication at the suspicious remote access points. The events were recorded with all details as PCAP and were immediately evaluated by Digital Forensics. The analysis showed that »shutdown« commands were sent to the end customers from an internal corporate workstation. Due to the real-time notification of the events, the repeated sabotage action was stopped before the end customer facilities were affected. The workstation used for the sabotage was immediately located. Though the attacker could not be undoubtly identified since at that time several hundred people had access to the workstation via a universal password. Therefore, the company immediately implemented several security measures including personalized accounts, strict security guidelines and cybersecurity training to prevent future sabotage attempts.

1. Atypical VNC communication via remote maintenance access is reported and documented in real-time (Source: Digital Forensics).
2. The network map identifies a specific workstation as the origin (Source: Digital Forensics).