ROTEC and Group-IB will collaborate to protect critical infrastructure facilities from technological risks and cyber threats

The industrial holding ROTEC JSC and Group-IB, one of the leading developers of solutions for detecting and preventing cyberattacks, have entered into a cooperation agreement to ensure the technological safety and cybersecurity of critical infrastructure facilities. The agreement was signed at the International Industrial Trade Fair Innoprom 2021 and will allow ACS and IS specialists at enterprises to observe and take proactive measures against incidents caused both by wear of equipment in service and by cyberattacks.

ROTEC
15 Nikoloyamskaya St., Moscow, 109240, Russia
+7 (495) 644-34-60
26 August 2021

Attack vector

The recent cyberattacks on the operator of the largest American pipeline, Colonial Pipeline Co., on water treatment plants in Israel and the United States, and on the nuclear power sector in India clearly demonstrate not only the attackers' increased interest in critical infrastructure, but also the relatively low readiness of most enterprises to confront current cyber threats.

In the first half of 2021, the number of attacks on critical infrastructure facilities recorded in Russia was almost 3 times the number recorded in all of 2019. Moreover, 40% of attacks on CII facilities in Russia were committed by cybercriminals and 60% by pro-government attackers.

The motives of those attacking APCS vary: causing equipment failure and production shutdown, industrial espionage, or military intelligence. In most cases, attackers use one of the following three basic scenarios:

Targeted attacks typically begin with socially engineered emails carrying malware, sent to workstations on the corporate network. Targeted attacks on technological networks sometimes take years.

Entry through the external perimeter involves penetrating the corporate network via Internet-facing web services, for example a corporate portal or mail service.

Air-gap attacks on businesses, i.e., searching for a way across the “air gap” into physically isolated critical network segments. In this case, malware can reach the technological network via removable media such as flash drives.

Group-IB experts say that in 90% of cases the technology segment is attacked via the corporate network, i.e., according to the first two scenarios. Therefore, solutions for securing the infrastructure of industrial and production facilities should be comprehensive and capable of detecting a cyberattack at any stage. Their task is to maintain full visibility of the network, monitor anomalies and irregular network activity in the APCS, record undocumented capabilities of industrial protocols, and track all activity on the network.

Technological risks cannot be ignored either: up to 3,000 accidents are registered annually at generating facilities of the unified energy system, and over 45% of them involve turbine and boiler equipment. A few hours of forced downtime after an accident can cost a company tens of millions of rubles.

The cooperation between ROTEC and Group-IB is therefore aimed at confronting both kinds of risk and ensuring the technological safety and cybersecurity of critical infrastructure facilities.

According to Alexandr Kukanov, Director for Digital Solutions and Projects of ROTEC JSC, the core product of the cooperation under the agreement is the PRANA hardware-software package. This Russian solution, developed for industrial enterprises, is a predictive analytics and remote monitoring system that tracks the condition of technological facilities. The system drastically reduces customers' technological risks by predicting the condition of machines long before an accident occurs. In addition, Threat Hunting Framework Industrial, developed by Group-IB, will provide comprehensive protection for all segments of an enterprise against complex cyberattacks of any origin, whether from pro-government hacking groups or from financially motivated cybercriminals.

As a result, production facilities and companies operating in the fuel and energy sector, as well as other important infrastructure facilities, will receive a unique tool that combines protection against different types of risk in order to prevent technological accidents and the financial losses from production shutdowns caused by deliberate attacks.

The joint solution will allow specialists to take control of the entire enterprise network, monitor the slightest changes in the operating modes of equipment, record the actions taken (or not taken) to restore normal operation of machines, and record any attempt to penetrate the information infrastructure.

How it works

Any technical device may fail in the course of operation. However, it can be provided with a digital model that enables the System to monitor the condition of the unit during operation and predict the likelihood of defects by analyzing thousands of parameters and the degree to which they deviate from their standard values. This technique forms the basis of the PRANA predictive analytics hardware-software package.

PRANA analyzes the data received from equipment (3,000 signals per second from each power unit) in real time and automatically detects deviations, ranking them by significance. In contrast to the widespread APCS systems that signal malfunctions “after the fact”, PRANA makes it possible to predict accidents 2-3 months before the incident. Within a single interface, the condition of each machine (regardless of its manufacturer) and of the enterprise as a whole can be monitored remotely from any modern tablet or PC.

In commercial operation since 2015, the PRANA hardware-software package has come into widespread use in the fuel and energy sector. Dozens of power units across the country, as well as a generating facility in Kazakhstan, are operated under its protection. Given how widely the system is deployed in Russia, it is effectively recognized as an industry standard. This was largely facilitated by its versatility: PRANA supports equipment from all internationally known manufacturers (Siemens, General Electric, Ansaldo, Power Machines, UTW, etc.) without modification or additional configuration. The system currently monitors the technical condition of machines worth almost $5 billion.

“It is obvious that systems related to the intelligent management of any infrastructure, including those related to its operation and maintenance, will develop even more,” predicts Alexandr Kukanov. “Technologies are developing, and the role of IT in infrastructure management is increasing year after year. And this is where the risks of cyber threats arise. Hacking of the internal information infrastructure at an energy sector facility and applying control actions to it may cause substantial losses, damage and even human casualties. Therefore, a combination of solutions to ensure technological and information security is becoming increasingly in demand.”

According to Mikhail Lifshitz, Chairman of the Board of Directors of ROTEC JSC:

“Interdisciplinarity is becoming a characteristic feature of the era in which we live. We are no longer surprised when mathematics is used in biology, and bionics in mechanical engineering. What we do with Group-IB is at an interdisciplinary junction, at the junction of the human and the virtual world, the Internet of Things... At the same time, with the PRANA System we also ensure protection against unintentional human errors and potential errors of machines and electronics, and Group-IB protects the world of machines and electronics from malicious human actions, so together we provide a completely unique set of products that makes driving on this bi-directional road safe.”

On the part of Group-IB, protection against current cyber threats will be provided by an integrated solution of a new class, Threat Hunting Framework (THF), and by its innovative solution aimed at protecting critical infrastructure facilities, Threat Hunting Framework Industrial, which makes it possible to automatically investigate incidents, identify their causes, link attacks to the attackers behind them, and establish their motives.

THF Industrial creates a unified environment for the specialists responsible for the information security of corporate IT networks and for the engineers responsible for the operation of the automated process control system (APCS) and production lines in OT (Operational Technology). Group-IB's development is an effective technological response both to cyber threat No. 1, ransomware, which can instantly paralyze operations and drain a company's finances, and to targeted attacks on technological networks by pro-government hackers.

According to Ilya Sachkov, CEO of Group-IB:

“In 90% of cases, attacks on the technology domain are carried out through corporate networks, therefore solutions that ensure the security of the infrastructure of industrial and production facilities must be comprehensive and capable of detecting cyberattacks at any stage. Their task is to fully control the network, monitor abnormalities and irregular network activity, record undocumented capabilities of industrial protocols, and track all activities on the network.”

Unlike other solutions for protecting critical infrastructure, THF Industrial enables proactive threat hunting both within the organization's perimeter and beyond it, through integration with the Group-IB Threat Intelligence & Attribution cyber intelligence system. This allows events and alerts associated with a single attack to be correlated automatically and attributed to the hacker group, and even to specific individuals, which is an integral part of the new cybersecurity paradigm of proactive hunting. Using the detailed analysis of industrial protocols (Siemens, Schneider Electric, ABB, Honeywell, Emerson, etc.), engineers can create their own rules to identify anomalies and attacks specific to their production.

Source: Energy and industry of Russia