
George Thorogood had a hit in the 80s with “Bad to the Bone,” which also appeared in several popular movies including Terminator 2: Judgment Day, Lethal Weapon, The Color of Money — and the remake of Parent Trap.

But today we’re talking about Behavioral Anomaly Detection (BAD).

Unlike the subject of George’s song, BAD is good — because it detects zero-day threats where traditional signature-based approaches fail.

Why is BAD Good?

BAD works by looking for suspicious or unauthorized activities (behaviors), rather than known IoCs like malicious files or DNS queries.

And that also makes it superior for detecting fileless malware and Living Off the Land (LOTL) tactics — for which we don’t have IoCs.

It turns out that CyberX has the only patent in the world for IoT/ICS-aware behavioral anomaly detection. CyberX’s agentless platform uses an innovative approach called Industrial Finite State Modeling (IFSM) to quickly spot baseline deviations by modeling IoT/ICS networks as deterministic sequences of states and transitions.

Compared to traditional baselining algorithms that were designed for IT networks — where the behavior is primarily non-deterministic — this approach enables faster detection of threats, with fewer false positives and a faster learning period.

As a result, defenders can quickly detect attacks in the early stages of the kill chain — before adversaries can shut down or blow up your facilities — by continuously monitoring the network for suspicious or unauthorized activities, rather than by looking for static IoCs.
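The passage above describes modeling an OT network as deterministic sequences of states and transitions and then flagging deviations from the learned baseline. The following is an added illustration of that idea, not CyberX's IFSM implementation or any code from the NIST report: it records, per client/server pair, which operation follows which during a learning period, then reports any pair or transition it never saw. The host names and operation names are constructed sample data.

```python
# Added example (not CyberX's or NIST's code): a minimal finite-state baseline
# for deterministic OT traffic. Learning phase: record, per (client, server)
# pair, which operation follows which. Detection phase: report any pair that was
# never seen, or any transition that was never observed during learning.
from collections import defaultdict

START = "<start>"

# Constructed sample events: (client, server, operation). The operations are
# Modbus-style request names chosen for illustration only.
LEARNING_EVENTS = [
    ("hmi-1", "plc-7", "read_holding_registers"),
    ("hmi-1", "plc-7", "read_coils"),
    ("hmi-1", "plc-7", "read_holding_registers"),
    ("hmi-1", "plc-7", "read_coils"),
    ("eng-ws", "plc-7", "read_holding_registers"),
] * 3  # a short learning period: the same polling cycle repeated three times

PRODUCTION_EVENTS = [
    ("hmi-1", "plc-7", "read_holding_registers"),
    ("hmi-1", "plc-7", "read_coils"),
    ("eng-ws", "plc-7", "write_multiple_registers"),   # never seen in learning
    ("eng-ws", "plc-7", "read_holding_registers"),
    ("laptop-x", "plc-7", "read_coils"),               # client never seen at all
]


class FiniteStateBaseline:
    def __init__(self):
        # (client, server) -> {previous operation -> set of allowed next operations}
        self.transitions = defaultdict(lambda: defaultdict(set))
        # (client, server) -> current state (last accepted operation)
        self.current = {}

    def learn(self, events):
        """Build the per-pair transition table from a learning-period trace."""
        for client, server, op in events:
            pair = (client, server)
            prev = self.current.get(pair, START)
            self.transitions[pair][prev].add(op)
            self.current[pair] = op

    def detect(self, events):
        """Return a list of baseline deviations found in a production trace."""
        alerts = []
        for client, server, op in events:
            pair = (client, server)
            prev = self.current.get(pair, START)
            if pair not in self.transitions:
                alerts.append(("unknown_pair", client, server, op))
                continue  # no automaton exists for this pair, nothing to advance
            if op not in self.transitions[pair].get(prev, set()):
                alerts.append(("unseen_transition", client, server, f"{prev}->{op}"))
                # A rogue operation does not advance the state, so the next
                # legitimate request is judged against the last good state
                # instead of producing a cascade of follow-on alerts.
                continue
            self.current[pair] = op
        return alerts


def run_demo():
    baseline = FiniteStateBaseline()
    baseline.learn(LEARNING_EVENTS)
    return baseline.detect(PRODUCTION_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things to notice when running it: the unauthorized write from the engineering workstation produces exactly one alert even though the baseline knows that workstation, and the unknown laptop is reported on its first packet regardless of what it sends. A real baseline would key on more than operation names (addresses, value ranges, timing), but the structure is the same: deterministic traffic gives a small automaton, so learning is short and a deviation is unambiguous.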

What is LOTL?

LOTL refers to attackers’ use of standard admin tools — like RDP, WMI, PowerShell, PsExec, and Mimikatz — to compromise systems and move around networks.

Using legitimate tools “allows attackers to blend into victims’ networks and hide their activity in a sea of legitimate processes.” Another advantage is that use of these tools is typically not recorded in logs, making it harder for traditional SIEMs to detect them.

And of course there are no telltale malware files stored on disk that can quickly be identified by predefined signatures.

LOTL Moves into IoT/ICS

Sneaky LOTL tactics aren’t restricted to IT networks anymore.

In the TRITON attack on the safety systems of a petrochemical facility, for example, attackers leveraged RDP and Mimikatz credential-stealing malware to pivot from the IT network to the OT network.

Then, they downloaded a purpose-built ICS RAT into the safety controllers using a standard PLC logic update function that OT engineers themselves use from time to time — which is a great example of attackers employing LOTL tactics in an IoT/ICS context.

The attackers were also helped by the fact that there was confusion about who was really responsible for OT security in the plant — the OT equipment vendor (Schneider Electric), the systems integrator who built the plant, the OT team that ran the plant, or the IT security team?

What NIST is Saying About BAD

“Cybersecurity attacks directed at manufacturing infrastructure can be detrimental to both human life and property … BAD mechanisms support a multifaceted approach to detecting cybersecurity attacks against ICS devices on which manufacturing processes depend, in order to permit the mitigation of attacks.” NIST

Most of us know that the National Institute of Standards and Technology (NIST) develops cybersecurity standards that have been adopted worldwide. And you may have also heard about the National Cybersecurity Center of Excellence (NCCoE), a NIST center for demonstrating standards-based approaches to cybersecurity.

In its 94-page report describing the benefits of BAD for OT environments, the NCCoE says that “Cybersecurity is essential to the safe and reliable operation of modern industrial processes” and that “BAD involves the continuous monitoring of systems for unusual events or trends, [looking for] evidence of compromise, rather than for the attack itself.”

Don’t worry, you don’t need to read the entire report. We’ve summarized the report in an executive summary you can download here. The report is also useful in mapping the NIST Cybersecurity Framework (CSF) to the capabilities provided by BAD.

How NIST Tested BAD

Working with CyberX and other technology providers such as OSIsoft, NIST implemented a testbed environment for demonstrating how BAD detects IoT/ICS-specific threats.

The project also showed that, when implemented using passive monitoring, BAD can deliver these benefits without impacting the performance or reliability of IoT/ICS systems and networks.

As you can see in the diagram below, NIST’s BAD testbed was designed to simulate production environments for both continuous manufacturing (process control) and discrete manufacturing environments.

NIST testbed for both continuous manufacturing (Process Control System or PCS) and discrete manufacturing (Collaborative Robot System or CRS) environments (courtesy: NIST)

15 ICS Threat Scenarios Devised by NIST

NIST devised a series of ICS-specific threat scenarios against which CyberX and other platforms were tested. The full report shows how each platform displayed the alerts for each scenario, and why each scenario is important. It also shows the steps that were required to install and configure each platform.

Example of real-time CyberX alert for one of the NIST threat scenarios, showing rich contextual information enabling SOC analysts to quickly investigate and respond to threats. Note that the command flagged in this alert is similar to the LOTL commands used in the TRITON attack to deploy a back-door to the safety PLC.

Here are the 15 scenarios against which CyberX was tested. Whichever solutions you are using to secure your IoT/ICS network, you should make sure they can detect them:

  1. Unencrypted HTTP Credentials Are Detected on the Network
  2. Unauthorized Secure Shell Session Is Established with an Internet-Based Server
  3. Data Exfiltration to the Internet via DNS Tunneling
  4. Data Exfiltration to the Internet via Secure Copy Protocol
  5. Virus Test File Is Detected on the Network
  6. Unauthorized Device Is Connected to the Network
  7. Denial-of-Service Attack Is Executed Against the ICS Local Area Network
  8. Data Exfiltration Between ICS Devices via User Datagram Protocol
  9. Invalid Credentials Are Used to Access a Networking Device
  10. Brute-Force Password Attack Against a Networking Device
  11. Unauthorized PLC Logic Download
  12. Unauthorized PLC Logic Update – CRS
  13. Unauthorized PLC Logic Update – PCS
  14. Undefined Modbus Transmission Control Protocol Function Codes Are Transmitted to the PLC
  15. Unauthorized Ethernet/IP Scan of the Network
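Scenario 14 in the list above is a good one to check your own tooling against, because it needs no learned baseline at all: the Modbus specification fixes which function codes exist. The following is an added example, not code from CyberX, NIST or any Modbus library: it parses the Modbus TCP MBAP header and function code from raw frames, classifies the code as public, user-defined, exception response or undefined, and raises an alert for undefined codes (and for user-defined codes unless a site allowlist permits them). The frames are constructed inline for the demonstration.

```python
# Added example (not CyberX's or NIST's code): detect undefined Modbus TCP
# function codes sent to a PLC, i.e. NIST scenario 14. A Modbus TCP frame is a
# 7-byte MBAP header (transaction id, protocol id, length, unit id) followed by
# the PDU (function code + data).
import struct
from dataclasses import dataclass

# Public function codes listed in the Modbus Application Protocol Specification.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17,
                         20, 21, 22, 23, 24, 43}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def classify_function_code(fc):
    """Map a function code to the category the specification assigns it."""
    if fc & 0x80:
        return "exception_response"     # a server reply, request code | 0x80
    if fc in PUBLIC_FUNCTION_CODES:
        return "public"
    if 65 <= fc <= 72 or 100 <= fc <= 110:
        return "user_defined"           # vendor/site specific, spec-sanctioned ranges
    return "undefined"


def parse_modbus_tcp(frame):
    """Parse one Modbus TCP frame; raise ValueError on a malformed MBAP header."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, protocol_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (0)")
    # MBAP length counts unit id + PDU, i.e. everything after the length field.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


def inspect(frames, allowed_user_codes=frozenset()):
    """Return alerts for undefined, non-allowlisted user-defined, or malformed frames."""
    alerts = []
    for raw in frames:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as err:
            alerts.append(("malformed_frame", str(err)))
            continue
        kind = classify_function_code(f.function_code)
        if kind == "undefined":
            alerts.append(("undefined_function_code", f.unit_id, f.function_code))
        elif kind == "user_defined" and f.function_code not in allowed_user_codes:
            alerts.append(("user_defined_function_code", f.unit_id, f.function_code))
    return alerts


def build_frame(tid, unit, fc, payload, protocol_id=0):
    """Construct a Modbus TCP frame (used here only to make sample traffic)."""
    return struct.pack(">HHHB", tid, protocol_id, 2 + len(payload), unit) + bytes([fc]) + payload


# Constructed sample traffic toward unit 1 of a PLC.
SAMPLE_FRAMES = [
    build_frame(1, 1, 3, struct.pack(">HH", 0, 10)),   # Read Holding Registers: normal
    build_frame(1, 1, 0x83, b"\x02"),                  # exception response to it: normal
    build_frame(2, 1, 90, b"\x00\x00"),                # code 90: not defined by the spec
    build_frame(3, 1, 100, b""),                       # code 100: user-defined range
    build_frame(4, 1, 3, b"\x00\x00\x00\x01", protocol_id=1),  # wrong protocol id
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FRAMES):
        print(alert)
```

Run with an empty allowlist, the example reports the undefined code 90, the user-defined code 100 and the malformed frame; passing `allowed_user_codes={100}` silences the second alert, which is how a site that legitimately uses a vendor extension would tune it. Note that this catches only what the specification rules out; an unauthorized but valid write (scenarios 11 to 13) needs the baseline approach the earlier sections describe.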

Get the Executive Summary

CyberX has developed an executive summary of the NIST report that explains the benefits of BAD; how to address the NIST CSF via BAD; and how CyberX’s agentless platform detected 15 ICS threat scenarios in NIST’s testbed environment (with screenshots of CyberX alerts).

You can download it here.


CyberX wishes to thank NIST’s National Cybersecurity Center of Excellence (NCCoE) for inviting CyberX to participate in this important project. In particular, we’d like to thank the authors of the report: James McCarthy and Michael Powell from the NCCoE Information Technology Laboratory; Keith Stouffer, CheeYee Tang, and Timothy Zimmerman from the Intelligent Systems Division Engineering Laboratory; William Barker from Dakota Consulting; and Titilayo Ogunyale, Devin Wynne, and Johnathan Wiltberger from The MITRE Corporation.