NEW TECH: ICS zero-day flaws uncovered by Nozomi Networks’ analysis of anomalous behaviors

Andrea Carcano’s journey to co-founding a security company in the vanguard of defending critical infrastructure began at a tender age.


Carcano hacked a computer screen at age 14, and that got him intrigued by software controls. He went on to earn a master's degree in cybersecurity, during which time he won a scholarship from the European Commission to craft a proof-of-concept attack against an industrial control system (ICS).

“I said at the time, ‘OK, this is cool, someone is paying me to develop malware,’” Carcano told me. “So I decided to keep going. I saw a huge gap, and I got really passionate about this topic. I started on my PhD, and at the very beginning focused on the offensive side. But I quickly moved to the defensive side and spent all of my academic career focused on how to protect critical infrastructure.”

PhD in hand, Carcano spent three years in the field helping a large oil-and-gas company tighten ICS security for operations in different corners of the world. In 2013, he co-founded Nozomi Networks aiming to deliver a more holistic and efficient way to defend industrial controls of all types.

I had the chance to visit with Carcano at Black Hat USA 2019. For a full drill down, give a listen to the accompanying podcast. Here’s what I came away with:

Ready-made attack tools

Vulnerability research and outright attacks on industrial controls have shifted dramatically over the past 10 to 15 years. When Carcano first began working in the field, only a handful of the top nation-states were actively involved in sponsoring this type of activity, and they tried to do it as quietly as possible.

Today, for a variety of reasons having to do with geopolitical affairs and the evolving cyber underground, things are much different. The state-sponsored hacking groups are still in business. But they are now part of a thriving cottage industry that has arisen around finding, selling and testing fresh ICS vulnerabilities. And not just in power plants and utilities, but also in the firmware and software that run manufacturing plants of all types and sizes, Carcano told me.

“At the very beginning there were just a few specific groups trying to take advantage of a complete lack of cybersecurity for industrial control systems,” he says. “Today, if you’re able to join some of the active hacking community, you will see there are tons of people talking about the potential ways to hack an industrial control system. And it has become very easy to find a piece of malware already built and ready to be used for a potential attack. Ten years ago, that was not possible.

“So right now, the landscape is changing. Even if you are not a government, you have the instruments for taking a piece of malware and building a potential attack against critical infrastructure. So that’s why the potential risks are bigger now than before.”

Visibility lacking

Pumps, valves, turbines and the other basic parts of industrial plants are all too ripe for hacking.

Operational technology, or OT, has traditionally been siloed from the information technology, or IT, systems that came to dominate the corporate workspace. OT systems were thought to be protected by the fact that they were “air-gapped” from IT systems.

But, of course, IT and OT have converged. Digital devices have increasingly become connected to OT systems; and so the air gap has all but vanished. Today, companies are just coming to grips with the stark lack of visibility into their legacy OT systems, especially when it comes to how OT systems tie into the IT side of the house, Carcano says.

Meanwhile, the threat actors are paying close attention to this, too. But the bad guys are several steps ahead. They’ve begun to move proactively to flush out — and take full advantage of — the fresh attack vectors arising from the intersection of OT and IT systems.

As a general rule, the industrial control hacks that do get publicly disclosed have mainly been about testing weak points, probing for footholds and generally maneuvering to get the strategic upper hand against a rival nation-state. This includes the Stuxnet hack of an Iranian nuclear plant, as well as a rash of attacks on Saudi power companies.

The big exception: Russia’s successful campaigns to trigger widespread electricity shutdowns in Ukraine. Companies today are particularly worried about insider attacks focused on OT systems, Carcano says. And concerns are spreading to small and mid-sized facilities as well, across industries not usually considered a direct part of critical infrastructure.

“Right now, anyone can easily create a virus, so even small companies need to pay attention to this topic,” Carcano says. “Gaining visibility in infrastructure someone built 30 or 40 years ago is absolutely something we believe in. You cannot protect what you don’t see.”

Youthful passion

For its part, Nozomi has introduced technology that provides visibility of OT systems in context with what the plant’s operations are designed to output.

“We learn the physical process by applying a neural network and artificial intelligence,” Carcano says. “If we see something that is outside of what we learn about standard behaviors, we are then able to raise an alert and identify if there’s a bad actor trying to do something in the critical infrastructure.”
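To make the idea in that quote concrete, here is an added illustration (my own code, not Nozomi's product or algorithm, and a plain per-state statistical baseline stands in for the neural network Carcano mentions): a detector learns what the analog tags of a hypothetical pump loop look like under each commanded valve state, then flags a sample whose reported flow or pressure is inconsistent with that learned physical process. The tag names and telemetry rows are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed telemetry (not real plant data): one PLC sample per row from a
# hypothetical pump loop. valve_cmd is the commanded state (0 closed, 1 open);
# flow is m3/h and pressure is bar as reported back by the controller.
NORMAL = [
    {"valve_cmd": 1, "flow": 50.0, "pressure": 4.0},
    {"valve_cmd": 1, "flow": 52.0, "pressure": 4.1},
    {"valve_cmd": 1, "flow": 49.0, "pressure": 3.9},
    {"valve_cmd": 1, "flow": 51.0, "pressure": 4.0},
    {"valve_cmd": 0, "flow": 0.0, "pressure": 1.0},
    {"valve_cmd": 0, "flow": 0.5, "pressure": 1.1},
    {"valve_cmd": 0, "flow": 0.0, "pressure": 0.9},
    {"valve_cmd": 0, "flow": 0.2, "pressure": 1.0},
]

class ProcessBaseline:
    """Learn mean/spread of each analog tag conditioned on a discrete control
    tag, then alert on samples outside the learned envelope for that state."""

    def __init__(self, state_tag, z_threshold=3.0, min_spread=0.5):
        self.state_tag, self.z, self.min_spread = state_tag, z_threshold, min_spread
        self.model = {}  # (state, tag) -> (mean, spread)

    def learn(self, samples):
        by_state = {}
        for s in samples:
            by_state.setdefault(s[self.state_tag], []).append(s)
        for state, rows in by_state.items():
            for tag in rows[0]:
                if tag != self.state_tag:
                    vals = [r[tag] for r in rows]
                    # floor the spread so a near-constant tag still tolerates sensor noise
                    self.model[(state, tag)] = (mean(vals), max(pstdev(vals), self.min_spread))

    def check(self, sample):
        alerts, state = [], sample[self.state_tag]
        for tag, value in sample.items():
            if tag == self.state_tag:
                continue
            if (state, tag) not in self.model:
                alerts.append(f"{tag}: no baseline for {self.state_tag}={state}")
                continue
            mu, spread = self.model[(state, tag)]
            z = abs(value - mu) / spread
            if z > self.z:
                alerts.append(f"{tag}={value} is {z:.1f} sigma off baseline for {self.state_tag}={state}")
        return alerts

def build_baseline():
    b = ProcessBaseline("valve_cmd")
    b.learn(NORMAL)
    return b
```

A closed valve reporting 48 m3/h of flow trips the state-conditioned check even though 48 m3/h is perfectly normal while the valve is open.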

Beyond gathering and leveraging intelligence about anomalous behaviors, the company has set up Nozomi Networks Labs as a research center and tasked a team of security analysts with keeping pace with, if not getting ahead of, the threat actors who are on the hunt for fresh attack vectors.

“We’re one of the main companies out there that has identified the majority of zero-day vulnerabilities related to OT,” Carcano told me. “If today you go to the US ICS-CERT, you’d see that Nozomi is one of the companies that has discovered the most ICS zero-day vulnerabilities.”

I applaud Nozomi, not just for innovating smarter ICS security solutions, but especially for dedicating resources to this counterintelligence, if you will, and especially for sharing useful intel for the greater good.

Youthful passion blossoming into substantive endeavors is a good thing. We’re going to need a lot more of it to make things as secure as they need to be. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: