Why we don’t use network traffic anomaly detection in OT-BASE

OT-BASE is our strategic software product that helps customers build a reliable and safe IIoT, and ensures that IT/OT convergence is efficient and smooth rather than a culture clash. In many respects, the technology that we use in OT-BASE is quite different from the offerings in the crowded market niche of OT network traffic anomaly detection (with companies such as Claroty, Nexdefense, SecurityMatters and Nozomi). This is based on a conscious design decision, which is explained in this post.

What’s wrong with anomaly detection?

If you have studied OT anomaly detection technology like we have (as a matter of fact, we introduced our own, now obsolete, product to the market back in 2006), you are already aware that one of its biggest practical problems is false positives. But that’s only the surface. As any OT security expert can tell you, anomaly detection reduces the OT security problem to one tiny aspect: trying to identify cyber attacks in live wire traffic.

Even if that worked with 100% accuracy (it doesn’t, for reasons that deserve a blog post of their own), would it be all you have to do as somebody responsible for OT security? Or wouldn’t you still want to identify and minimize vulnerable software products and configurations, and infiltrations via USB sticks and laptops? Wouldn’t you want to reduce your attack surface by hardening systems and protocols rather than putting all your eggs into the anomaly detection basket? And finally, wouldn’t you want to introduce cyber security aspects into system design when planning new installations?

Most likely you would, and so do we. That’s why we chose a different approach.

Context beats content

The National Security Agency (NSA) is the global leader in SIGINT. If this organization, with its virtually unlimited technical capabilities, moves away from content analysis (of intercepted communications), it should tell you something. Maybe they found a new secret sauce that simply produces better results with less effort? That secret sauce is metadata, or context. It’s also what we use in OT-BASE.

Think of OT-BASE as a CMDB on steroids that allows you to analyze complex and hybrid relationships between digital devices, their network associations, installed software, users who interact with them, geolocation, and physical process characteristics (safety, logistics dependencies etc.). Or, to put it differently, it allows human experts to develop and then analyze a high-fidelity model of their digital OT infrastructure. While this comes with a wealth of tools for automation (software agents, network monitoring gear etc.), the ultimate resource in this game is not some collection of undocumented artificial intelligence algorithms but the human subject matter expert, from both the OT and the IT side. Meanwhile, ICS engineers use the same data set for troubleshooting and system documentation. System designers use it to specify new OT architectures. Project engineers use it to verify conformance with the specs during FAT and SAT. And so on.

A more reliable way to detect cyber attacks

Such a system model also allows you to detect cyber-physical attacks as they unfold. We do this by focusing on the artifacts produced by an attack (unauthorized configuration change) rather than trying to identify “bad”, malicious packet content as it flies by. This way, we can eliminate false positives, because an unauthorized configuration change is always something that needs to be acted on, no matter whether it was caused by a cyber attack or by a sloppy engineer who didn’t bother to follow the configuration change procedure.

The other benefit is that, since context is transparent, you know right away the criticality of the event AND can start processing indicators of compromise by collecting matching patterns from all other facilities in your fleet. A workflow for incident management is actually built into OT-BASE.
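As an added illustration of this model-driven approach (example code written for this post, not OT-BASE’s own data model or API), the following compares a constructed device baseline with observed configurations, labels each deviation as authorized or not against a change-control record, attaches criticality from the device’s context, and looks for the same unauthorized pattern recurring at other sites in the fleet. All device names, sites, hashes and versions are constructed.

```python
from collections import defaultdict
# Constructed baseline: per device, its context (metadata) and expected configuration.
BASELINE = {
    "PLC-101": {"site": "plant-A", "function": "reactor feed control", "criticality": "high",
                "config": {"firmware": "2.8.1", "cpu_mode": "RUN", "program_hash": "h-aaaa"}},
    "HMI-01": {"site": "plant-A", "function": "operator station", "criticality": "medium",
               "config": {"firmware": "5.2", "remote_access": "disabled"}},
    "PLC-204": {"site": "plant-B", "function": "boiler control", "criticality": "high",
                "config": {"firmware": "2.8.1", "cpu_mode": "RUN", "program_hash": "h-bbbb"}},
}
# Constructed change records that went through the change-control procedure.
APPROVED = {("HMI-01", "firmware", "5.3")}
# Constructed observations, as an agent or a device query would report them.
OBSERVED = {
    "PLC-101": {"firmware": "2.8.1", "cpu_mode": "RUN", "program_hash": "h-cccc"},
    "HMI-01": {"firmware": "5.3", "remote_access": "disabled"},
    "PLC-204": {"firmware": "2.8.1", "cpu_mode": "PROGRAM", "program_hash": "h-cccc"},
}

def find_changes(baseline, observed, approved):
    """Compare each observed attribute with the model and label every deviation.
    No packet content is inspected: a deviation the change record does not cover is
    reportable whatever caused it, and criticality comes from the device context."""
    findings = []
    for device, cfg in observed.items():
        ctx = baseline[device]
        for key, new in cfg.items():
            old = ctx["config"].get(key)
            if old == new:
                continue
            findings.append({"device": device, "site": ctx["site"], "function": ctx["function"],
                             "criticality": ctx["criticality"], "key": key, "old": old,
                             "new": new, "authorized": (device, key, new) in approved})
    return findings

def fleet_matches(findings):
    """Group unauthorized changes by (attribute, new value) to spot the same pattern
    recurring at more than one facility, i.e. a fleet-wide indicator of compromise."""
    sites = defaultdict(set)
    for f in findings:
        if not f["authorized"]:
            sites[(f["key"], f["new"])].add(f["site"])
    return {k: sorted(v) for k, v in sites.items() if len(v) > 1}

def report(findings):
    """Unauthorized findings ordered by criticality, ready for the incident workflow."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for f in findings if not f["authorized"]),
                  key=lambda f: (rank[f["criticality"]], f["device"]))
```

Attributes present in the baseline but absent from an observation are not flagged by this sketch; a real implementation should treat a disappeared attribute as a deviation as well.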

Beyond the drama

But OT-BASE does much more for you. Let’s be honest, cyber attacks against OT are completely overhyped. The recent frenzy of venture capitalists storming into OT security was not due to strongly increased market demand, it is due to the fact that the IT security market is largely taken. Therefore, venture capital is moving from downtown to the suburbs, producing a set of solutions for which few customers believe they have a matching problem.

What IS a quickly growing problem in the real world, and a market opportunity at the same time, is the rapid growth of the IIoT. And that’s where OT-BASE comes in again. Ask yourself what an organization needs to do if it plans to increase the number of digital devices on the plant floor by an order of magnitude and, as a consequence, faces an exponential increase in data traffic. In a nutshell, an organization that bets its competitiveness and prosperity on the reliability of this hyper-complex infrastructure had better have a solid plan for how to CONTROL all significant parts of it (hardware configuration, software configuration, network architecture, users, process and business criticality), beginning in the planning stage. That’s what we do in OT-BASE.

To learn more about OT-BASE, ask for our comprehensive brochure and a web demo.




Another nuclear power plant adopts the RIPE OT Security Program

Finnish nuclear operator Fennovoima has adopted the RIPE OT Security Program for their Hanhikivi-1 nuclear power plant.

The step is significant because the reactor is presently in the planning stage. By incorporating the RIPE Program in the planning phase, Fennovoima assures that OT security is done right from the beginning instead of getting bolted on after commissioning. Vendors and contractors are bound to cyber policy from day one, and system designers follow secure design guidelines and documentation procedures.

Hanhikivi-1 features the new AES-2006 reactor with a thermal power of 3200 MW and an electrical output of 1200 MW. The new build will act as a reference design for other nuclear power plants using this reactor type.

Fennovoima isn’t the first nuclear facility to use RIPE in order to protect against cyber attacks and become compliant with regulation. Other nuclear facilities using the RIPE OT Security Program are:

Loviisa Nuclear Power Plant

  • Operator: Fortum
  • 2 units with VVER-440 pressurized water reactors (1000 MW electrical output)

Olkiluoto Nuclear Power Plant

  • Operator: TVO
  • 2 units with VVER-860 boiling water reactors (1740 MW electrical output)
  • 1 unit with EPR pressurized water reactor (1600 MW electrical output)

Posiva Final Nuclear Waste Storage

  • Operator: Posiva
  • The world’s first final nuclear waste storage

However, the RIPE OT Security Program isn’t just used in the nuclear sector. Presently, RIPE is used to protect more than 1000 plants in the chemical industry, the pharmaceutical industry, and in the electric power industry.

Contact The Langner Group today to find out how to jump-start your OT security effort with a proven and trusted standardized solution.



Energy giant Fortum rolls out RIPE OT security program to fleet of 400 power plants

In 2014, energy giant Fortum selected The Langner Group’s RIPE Program to provide a robust, comprehensive program for managing the cyber security of its nuclear power plants. Fortum was so impressed by the positive results they achieved in their most critical facility that they have selected the RIPE Program to be their OT security standard for their nearly 400 power generation facilities in seven countries.

Fortum’s cyber security manager Tomas Nystrom on the decision to go global with RIPE:

“By implementing the RIPE Program, we created a standardized documentation system with consistently applied solutions, clear policies, standard operating procedures, and training. Most importantly, we had a way to measure our progress on every element. In doing so, we not only identified and corrected configuration issues, we are now able to quickly troubleshoot and perform root cause analyses, saving us hundreds of hours of engineering time.”

Read the full story here (PDF).




Two Steps to IIoT Security Nirvana

Yes, of course this is a simplification, but just because it’s obvious doesn’t mean it’s wrong.

You can indeed begin your journey to IIoT security nirvana by adopting this simple two-step strategy. The details matter, but the strategy helps you quickly discern what is helping you on your journey and what is a distraction or, worse, a complete waste of your time.

Step 1 – Get a complete and accurate system inventory that includes hardware and software. Furthermore, capture the metadata as well. Metadata can also be described as the context. For example, where exactly is that system/device located? What is its function? This additional information, which you can never discover through deep packet inspection, is important for troubleshooting and maintenance as well as for security. How can you possibly secure something that you don’t even know exists? Automated discovery tools can help accelerate the process, but at some point you’ll have to roll up your sleeves and do a full walkdown if you really want to know what you have. After all that work, it would certainly make sense to implement some kind of change control so your investment of time and effort is not wasted.

Step 2 – Produce complete and accurate network and data flow diagrams. Admittedly, this will take significant time and effort. In some cases, it may even require reverse engineering the network because it has grown organically over time to the point where you are no longer sure what is connected to what. Furthermore, if you have to admit that you are not sure what is connected to what, then you certainly don’t understand system dependencies either. The network diagrams help you see connections between systems, while the data flow diagrams help you see the interdependencies. Just like the system inventory, the network and data flow diagrams are critical to efficient troubleshooting and maintenance as well as to better security. As with capturing a system inventory, automated tools can help, but you will have to fill in the blanks yourself.
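An added example of what the two steps give you once they are captured as data (example code written for this post, not The Langner Group’s or myRIPE’s): a constructed inventory with context, the network diagram as undirected links, and the data flow diagram as directed flows. From these it answers “what is connected to what”, “what depends on what” (transitively), and lists the blanks still to be filled in by hand. All device names, locations and flows are constructed.

```python
from collections import defaultdict, deque

# Constructed system inventory: every device with its context (location, function).
INVENTORY = {
    "PLC-101": {"location": "Unit 1, rack 3", "function": "reactor feed control"},
    "HMI-01": {"location": "Unit 1 control room", "function": "operator station"},
    "HIST-01": {"location": "DMZ rack 1", "function": "process historian"},
    "ENG-01": {"location": "engineering office", "function": "engineering workstation"},
    "ERP-GW": {"location": "corporate data centre", "function": "ERP gateway"},
    "PLC-102": {"location": "Unit 1, rack 4", "function": "spare controller"},
}
# Network diagram: undirected links, i.e. what is connected to what.
LINKS = {("PLC-101", "HMI-01"), ("PLC-101", "HIST-01"), ("ENG-01", "PLC-101"),
         ("HIST-01", "ERP-GW")}
# Data flow diagram: directed flows producer -> consumer, i.e. who depends on whose data.
FLOWS = [("PLC-101", "HMI-01", "process values"), ("PLC-101", "HIST-01", "process values"),
         ("HIST-01", "ERP-GW", "production KPIs"), ("ENG-01", "PLC-101", "logic download"),
         ("ENG-01", "HMI-01", "screen updates")]  # deliberately missing from LINKS

def connected(device):
    """Directly connected devices according to the network diagram."""
    return sorted({b if a == device else a for a, b in LINKS if device in (a, b)})

def dependents(device):
    """Every device that transitively consumes data originating at `device`, i.e.
    everything affected if that device fails or is compromised."""
    consumers = defaultdict(list)
    for src, dst, _ in FLOWS:
        consumers[src].append(dst)
    seen, queue = set(), deque([device])
    while queue:
        for nxt in consumers[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

def blanks():
    """The gaps left for the walkdown: inventoried devices that appear on no link, and
    flows between devices the network diagram does not show as connected."""
    linked = {d for link in LINKS for d in link}
    orphans = sorted(set(INVENTORY) - linked)
    unknown = [(s, d, what) for s, d, what in FLOWS
               if (s, d) not in LINKS and (d, s) not in LINKS]
    return orphans, unknown
```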

If you can just focus on these two steps, then so much of your other work can build on a solid foundation. Not only that, but this repository of system information also supports the process of knowledge transfer as you bring on new engineering staff. How refreshing would it be to have a measure of confidence in the system documentation when faced with an unexpected plant trip?

The Langner Group can provide you with the configuration management database (CMDB) that can support your journey to IIoT security nirvana and it’s called myRIPE. The myRIPE software has many additional capabilities that can make your journey much easier and faster. Contact us today at for an online demo and see what myRIPE can do for you.




From metadata to model-driven OT security, or why you don’t really need content

Of all the OT security startups of the last couple of years, the vast majority focus on network monitoring, trying to identify malicious packets in real time. No matter whether you look at Dragos, NexDefense, RadiFlow or SecurityMatters (to name just a few), their basic technology is deep packet inspection, even when it goes by fancier names such as “deep protocol behavior inspection”. In this niche, the terms of the trade are PCAP (packet capture) files, IP addresses, and anomaly detection.

However, this trend, if it is one, may be driven more by the ability of software developers to use Snort than by any demonstrated success of the technology in spotting cyber-physical attacks (the more sophisticated ones will never show up in wire traffic). Even more puzzling, the deep packet inspection game, with its obvious self-limitation to network packets, is anything but logical. Let’s examine why. Read more »



What is the one thing engineers need to be reminded of?

I cannot even tell you how many times I have seen the Wizard of Oz. It was a family tradition in an era with only three television channels and the programming was still mostly black and white. So, forgive me if I see the parallels. Unlike the fairy tales of my youth, the current fantasy of connecting everything to everything may not have a happy ending. But, if it is to be a happy ending, it’s the engineers that will lead the way. Perhaps, like Dorothy, some have forgotten that they’ve always had the power.

Read more »



The five top reasons why spreadsheets are a bad choice for OT system inventories

A majority of asset owners tries to keep track of their OT infrastructure using spreadsheet applications such as Microsoft Excel. We explain the severe limitations of this approach for today’s complex digital environments. Read more »



RIPE 16 to be released in two weeks

RIPE, the Robust ICS Planning and Evaluation Program by The Langner Group, is continually improved based on real-world customer feedback. We produce new versions annually. The new version, dubbed RIPE 16 (16 instead of 2016), will be released at the beginning of May. Here are some of the highlights. Read more »



RIPE NIST CSF Profile for OT



Reader’s Digest Version of the Ukraine Story

ICS-CERT published an alert on the Ukrainian power outage based on a series of interviews that representatives of the US government had conducted in Ukraine. Here’s a reader’s digest version. Read more »
