Overview
Powered by Cyber AI, the Industrial Immune System is a self-learning technology that detects cyber-threats and vulnerabilities in industrial environments. The solution works by passively learning what ‘normal’ looks like across OT, IT and industrial IoT, allowing it to recognize subtle indicators of emerging attacks which would otherwise go unnoticed.
Identifies new threats and vulnerabilities
Continuously revises understanding of ‘normal’ with no tuning necessary
Illuminates entire digital infrastructure
Gain unparalleled visibility of OT, IT and industrial IoT
Works in any environment
Protocol and operating system agnostic
Deep Coverage at Scale
By monitoring network traffic, the Industrial Immune System has direct visibility into and provides selflearning protection across everything from Basic Process (Purdue Model Level 1) through supervisory functions, business logistics and enterprise networks (Levels 4 & 5) and beyond into cloud networks and SaaS services.
Passive Monitoring
Connecting new devices to industrial networks is never straightforward and routine, as for many applications even the slightest interruption in service can be damaging.
The Industrial Immune System is connected passively to an ICS network, receiving copies of as much communication traffic as possible. It ingests copies of raw network data using the built-in port mirroring or ‘spanning’ capabilities of network switches, or using fail-safe taps, sometimes via an aggregator to bring together numerous connections in one location.
Self-Learning
Powered by AI, the Industrial Immune System protects your industrial environment from threats and vulnerabilities of all types, and adapts automatically to your specific networks. Rather than relying on blacklists, the technology works by learning ‘on the job’ and identifying emerging anomalous activity.
This self-learning capability means that the Industrial Immune System is truly protocol-agnostic and effective in any operational environment, from Modbus, to BACnet, to CIP. The Industrial Immune System works seamlessly with all manner of technologies – without interruption to regular operations.
Unified View Across OT, IT, and IoT
Through its intuitive Threat Visualizer interface, Darktrace gives security teams an instant overview of their diverse digital infrastructure, including every user, device, and controller in the network. This enables operators to proactively investigate cyber-threats and specific areas of the ICS.
The Threat Visualizer is usable at operator level as well as from IT Security Operation Centers, enabling collaboration across OT and IT security teams. The Threat Visualizer displays a graphical, real-time overview of the industrial environment and allows for in-depth investigations.
Real-World Use Case: Compromised Equipment on the Assembly Line
An unknown attacker targeted several industrial IoT devices on a leading food manufacturer’s assembly line. Equipment including baggers, slicers, and blenders were attempting to connect to external destinations and move within the corporate network. These devices lacked security approval to connect to the core IT infrastructure.
Correlating these factors in real time, Darktrace AI identified the anomalous behavior as a significant risk to the integrity of both the corporate network and the assembly line. With Darktrace’s artificial intelligence, the entire infrastructure was visualized and protected, including Industrial IoT and ICS.
The security team was able to take the compromised devices off the network, preventing the food provider’s manufacturing infrastructure from any harm and before the attacker could gain access to the core IT infrastructure.
Features
Catch today’s attackers — and tomorrow’s
Powered by self-learning Cyber AI, the Industrial Immune System identifies both fast-moving and stealthy threats in real time — regardless of whether they have been seen before.
Protecting ICS environments globally
From major manufacturing plants to power stations, transportation grids, and all other forms of critical national infrastructure, the Industrial Immune System delivers autonomous protection.
Darktrace’s technology is unique for each particular cyber-physical ecosystem — crucially, without the need for constant tuning and manual configuration.
Automated investigations
With Cyber AI Analyst, Darktrace stitches together disparate threat alerts across the digital infrastructure into a single security incident, automating the threat investigation process. It also generates natural-language reports suitable for executive review, helping to bridge the skills gap between OT and IT.
Asset management
Darktrace automatically generates a database of all devices in OT and cyber-physical environments. It identifies assets such as PLC, SCADA, HMI, IIoT, and other bespoke technologies. Asset management can be passive or active, depending on suitability.
OT Engineer Dashboard
Intuitive and easy-to-use, the OT Engineer Dashboard surfaces only the most operationally relevant alerts. It displays an optimized overview of security events, with intuitive, easy-to-use pathways that pivot to in-depth analysis and forensics.
Why the Industrial Immune System?
Cyber defense in industrial environments poses a unique set of security challenges.
The constant expansion and evolution of industrial infrastructure makes it difficult to gain visibility into a diverse range of operational technologies (OT). Decades-old ICS and SCADA systems are also often used alongside recently developed technologies, further complicating defense.
Never-before-seen threats, or ‘zero days,’ easily bypass whitelists, rules, and signatures. Historically informed methods cannot keep pace with these rapid advances in the techniques of attackers, as well as transformations in industrial infrastructure itself.
Empowering organizations to tackle these challenges, Darktrace’s Industrial Immune System leverages advanced AI to catch never-before-seen threats in real time. With its ability to defend OT systems in a technology- and protocol-agnostic capacity, self-learning AI is uniquely able to evolve as your industrial environment changes, staying one step ahead of attackers.
Darktrace’s Industrial Immune System illuminates the technology infrastructure of even the most complex cyber-physical ecosystem, supercharging efforts to ensure availability and integrity of industrial technologies.
1. AI that continuously learns ‘self’– no tuning necessary
- Because Darktrace AI understands the normal ‘pattern of life’ across unique industrial environments, it can detect sophisticated threats by spotting subtle deviations
- Policy rules and whitelists constantly require ‘tuning’ to filter out excessive alerts and false positives, and cannot continuously learn as the network expands or evolves, instead requiring manual configuration
- The Industrial Immune System continuously learns as your infrastructure evolves at scale, no maintenance needed
- The Industrial Immune System achieves this all autonomously, contextualizing behavior within the broader OT environment in an entirely self-learning fashion, without any necessary tuning
- The Industrial Immune System analyzes behavior, not content, which allows it to spot and stop anomalous incidents regardless of the source of the threat or the specific technology compromised, be it PLC, SCADA, HMI, or any novel integration (e.g., IIoT) or workflow innovation (e.g., ICSaaS)
With the constant evolution of OT systems, and their convergence with IT systems, attacks that reach industrial environments by first targeting peripheral systems are becoming increasingly mainstream. It has never been more important than now to move beyond siloed security applications and historically informed defense strategies.
2. Detecting ‘zero days’ and other novel threats
The Industrial Immune system detects threats in a protocoland technology-agnostic capacity, drawing upon self-learning AI algorithms to identify emerging threats in their nascent stages:
- The Immune System passively learns normal across your bespoke industrial environment, identifying emerging attacks based upon this evolving understanding, rather than prior indicators of threat
- Legacy approaches in OT environments, by contrast, fall into the same pitfalls as historically informed approaches in IT systems, namely, using past attacks to unsuccessfully defend against tomorrow’s threats
- Historically informed methods to securing OT are blind to never-before-seen threats, that is, ‘zero days’
- Darktrace’s AI instead uses unsupervised machine learning to identify all unusual activity, and automatically ranks these by severity in its intelligent presentation of security incidents
Though other technologies may use AI to enhance the speed and scale of their historically informed methods, these fail to detect sophisticated and novel threats. Simply put, the Industrial Immune System learns the DNA of your technology infrastructure, achieving defense to a degree of depth and breadth that legacy methods can’t match.
OT Threat Find: Advanced ICS Attack at International Airport
Without a list of known exploits, company assets, or firmware versions, Darktrace’s Industrial Immune System recently detected every stage of a simulated state-of-the-art attack at an international airport. Had the attack been allowed to continue, it could have caused significant operational disruption to the airport.
The attack spanned multiple days and targeted the Building Management System (BMS) and the Baggage Reclaim network, with the attackers utilizing two common ICS protocols (BacNet and S7Comm). The attackers also leveraged legitimate tools in order to evade traditional, signature-based security tools.
Legacy security tools failed to pick up on this activity. Darktrace’s deep packet inspection, however, was able to identify unusual commands used by the attacker within those ‘normal’ connections. Darktrace’s Cyber AI Analyst was also able to perform a real-time automated investigation and accordingly recommend further steps for action.
3. Unified view across entire industrial environment—PLC, SCADA, HMI, and other emerging infrastructure
Achieving visibility throughout industrial environments has become an incredible challenge.
First, many forms of IT/OT convergence go unnoticed by human teams, often leaving the door open to attackers. The increasing convergence of cloud and OT systems leads to similar security weaknesses, as does the introduction of IoT devices into broader cyber-physical ecosystems, such as IIoT.
The Industrial Immune system provides a unified view by processing all traffic on a granular level in a protocol and technology agnostic capacity. Deployed passively so as to not disrupt critical operations, Darktrace’s Industrial Immune System works seamlessly across different technology protocols and types, providing unparalleled visibility.
The Threat Visualizer, Darktrace’s user interface, intelligently presents a three-dimensional representation of network topology in real time—across PLC, SCADA, HMI, IIoT, and other technologies that comprise many of today’s unique industrial environments. Cyber AI Analyst’s automated investigations and actionable insights are also available, and seamlessly integrate into the Threat Visualizer alongside other desired integrations.
4. Cyber AI Analyst augments humans, supercharging defense
Combining the precision and flexibility of human expertise with the scalability of AI, Darktrace’s Cyber AI Analyst bridges the knowledge gap between specialists in IT and OT security, augmenting humans.
OT engineers are often unfamiliar with cyber security, while IT security experts are often unfamiliar with industrial technologies. Cyber AI leverages supervised machine learning to mimic the human intuition of its leading cyber analysts, including alumni from top intelligence organizations alongside teams of other world-leading experts.
Channeling this wealth of talent with advanced mathematics, Cyber AI analyst continuously investigates all security incidents, reducing time to triage of threats by 92% as it undertakes its automated investigation in order to jumpstart remediation and response.
Caught in the Wild: Zero-Day APT-41
A world first, Cyber AI Analyst leverages supervised machine learning to mimic the intuition of the leading analysts and intelligence alumni. By conducting automated investigations, the innovation cuts down triage time by 92%, dramatically reducing ‘time to meaning.’
Cyber AI Analyst caught a nation-state sponsored advanced persistent threat—zero-day APT-41—without any prior knowledge of the threat. This investigation was fully automated, and, crucially, occurred before any attribution or prior threat intelligence was even available. By stitching together disparate security incidents into an overarching narrative, Cyber AI Analyst was able to escalate this incident and convey the progress of the novel attack in executive friendly one-click reports.
