A quick guide to addressing unusual activity on OT systems 

Published Nov 09,2023

Noticing unusual activity on operational technology (OT) systems is a serious cause for concern. When it is spotted, prompt and appropriate action should be taken to prevent harm or disruption to critical infrastructure. In this blog, we’ll explore what unusual activity on OT systems can look like and the recommended steps for isolating, investigating, and mitigating the risks it may indicate. 


What does unusual activity look like? 

Unusual activity in operational technology (OT) systems often manifests as deviations from standard network behaviour, unauthorised changes, or inexplicable alterations in the performance of physical processes. Such irregularities can signal malicious interference, system malfunctions, or cyber threats that are especially concerning in OT environments. As these systems control critical physical operations, from water supply to power generation, even minor disruptions can have disproportionate and potentially hazardous consequences – including loss of life.  



Some examples of unusual activity in your systems might be: 

  • Unapproved devices (such as USBs or laptops) connecting to OT systems or network segments 
  • Multiple failed login attempts to OT devices or systems 
  • Unusual patterns of network traffic, like a sudden increase in data traffic 
  • Protocol deviations, or malformed network packets 
  • Abnormal communication protocols not typically used in the OT environment 
  • Unusual communication patterns 


Discovery of unusual activity should be treated with concern, as it may indicate a security breach; the affected systems should be isolated, and the activity investigated and mitigated, immediately. 
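The indicators listed above can be screened for mechanically from network telemetry. The following Python script is an added example and not code from the original post or from Secolve: it applies one rule per indicator (unapproved source device, failed-login burst, traffic volume spike, unexpected protocol on the OT segment, and malformed or out-of-policy Modbus/TCP frames) to a constructed set of events for one monitoring window. The asset inventory, allowed ports, thresholds, byte baseline, addresses and sample events are all assumptions made up for illustration; the Modbus/TCP header check (MBAP protocol identifier must be 0, length field must match the bytes that follow it) is from the public protocol specification.

```python
"""Rule-based screening of OT network events for the indicators listed above.
Added example, not code from the original post: inventory, ports, thresholds,
baseline and the sample events are all constructed (assumptions) for illustration."""
from collections import Counter
import struct

# Constructed asset inventory for one OT segment (assumption): IP -> role.
INVENTORY = {"10.10.1.10": "HMI", "10.10.1.20": "PLC-A",
             "10.10.1.21": "PLC-B", "10.10.1.30": "historian"}
# Industrial protocols expected on this segment, keyed by TCP port (assumption).
ALLOWED_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Function codes the HMI/historian should issue: read-only polling (assumption).
ALLOWED_MODBUS_FC = {0x01, 0x02, 0x03, 0x04}
FAILED_LOGIN_THRESHOLD = 5      # failures per (src, dst) pair in one window
TRAFFIC_SPIKE_FACTOR = 10       # bytes sent vs. the per-source baseline
# Constructed per-source byte baseline for a window of the same length.
BASELINE_BYTES = {"10.10.1.10": 50_000, "10.10.1.30": 200_000}


def modbus_frame(tid, fc, data, proto=0, length=None):
    """Build a Modbus/TCP frame (MBAP header + PDU) for the sample events.

    The MBAP length field counts the bytes after it (unit id + function code
    + data); passing a wrong `length` or non-zero `proto` yields a malformed frame.
    """
    body = bytes([1, fc]) + data                    # unit id 1, function code, data
    return struct.pack(">HHH", tid, proto, len(body) if length is None else length) + body


def parse_modbus_tcp(frame):
    """Return (function_code, problems) after checking MBAP header consistency."""
    if len(frame) < 8:
        return None, ["frame shorter than MBAP header plus function code"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    fc, problems = frame[7], []
    if proto != 0:
        problems.append(f"MBAP protocol id {proto}, expected 0")
    if length != len(frame) - 6:
        problems.append(f"MBAP length {length}, but {len(frame) - 6} bytes follow the field")
    if fc not in ALLOWED_MODBUS_FC:
        problems.append(f"function code 0x{fc:02x} outside read-only allowlist")
    return fc, problems


def screen(events, baseline=BASELINE_BYTES):
    """Apply the five indicator rules; return a list of (rule, src, dst, detail)."""
    findings, seen_unapproved, failures, volume = [], set(), Counter(), Counter()
    for e in events:
        src, dst, port = e["src"], e["dst"], e["dport"]
        if src not in INVENTORY and src not in seen_unapproved:       # unapproved device
            seen_unapproved.add(src)
            findings.append(("unapproved_device", src, dst, "source not in asset inventory"))
        if e["kind"] == "auth_fail":                                   # failed logins
            failures[(src, dst)] += 1
            continue
        volume[src] += e["bytes"]
        if port not in ALLOWED_PORTS:                                  # abnormal protocol
            findings.append(("abnormal_protocol", src, dst, f"tcp/{port} not expected on OT segment"))
        elif port == 502 and e.get("payload") is not None:             # protocol deviation
            for problem in parse_modbus_tcp(e["payload"])[1]:
                findings.append(("protocol_deviation", src, dst, problem))
    for (src, dst), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_login_burst", src, dst, f"{n} failed logins in window"))
    for src, sent in volume.items():                                   # traffic spike
        base = baseline.get(src)
        if base and sent > TRAFFIC_SPIKE_FACTOR * base:
            findings.append(("traffic_spike", src, "*", f"{sent} bytes vs baseline {base}"))
    return findings


def ev(src, dst, dport, nbytes, kind="flow", payload=None):
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes, "kind": kind, "payload": payload}


READ_HOLDING = b"\x00\x00\x00\x0a"    # FC 0x03 data: start address 0, 10 registers
# Constructed events for one monitoring window (assumption).
EVENTS = [
    ev("10.10.1.10", "10.10.1.20", 502, 260, payload=modbus_frame(1, 0x03, READ_HOLDING)),
    ev("10.10.1.10", "10.10.1.21", 502, 260, payload=modbus_frame(2, 0x03, READ_HOLDING)),
    # An unknown laptop opens SSH to PLC-A, then writes registers over Modbus.
    ev("10.10.1.99", "10.10.1.20", 22, 4_200),
    ev("10.10.1.99", "10.10.1.20", 502, 120, payload=modbus_frame(3, 0x10, b"\x00\x10\x00\x01\x02\x00\x05")),
    # HMI frame whose MBAP length field does not match the bytes on the wire.
    ev("10.10.1.10", "10.10.1.20", 502, 64, payload=modbus_frame(4, 0x03, READ_HOLDING, length=100)),
    # Historian pushing far more than its baseline to PLC-B.
    ev("10.10.1.30", "10.10.1.21", 502, 5_000_000, payload=modbus_frame(5, 0x03, READ_HOLDING)),
] + [ev("10.10.1.99", "10.10.1.30", 22, 0, kind="auth_fail") for _ in range(6)]

if __name__ == "__main__":
    for rule, src, dst, detail in screen(EVENTS):
        print(f"{rule:20} {src} -> {dst}: {detail}")
```

Run as a script it lists six findings for the constructed window: the unknown laptop, its SSH session to a PLC, its Modbus write and the HMI's length-mismatched frame, the six failed logins against the historian, and the historian's volume spike. In a real deployment the inventory and allowed-port list come from the site's asset register, and the baseline from a learning period on the passive monitoring sensor; the write-function-code rule is only valid where the segment is genuinely read-only, so tune the allowlist to what the engineering workstation is actually permitted to do.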





Steps to take when noticing unusual activity on OT systems 

If you notice unusual activity on your OT systems, you should address the situation immediately to prevent potential harm or disruption to critical infrastructure. Briefly, here are the steps you should take to isolate, investigate, and mitigate the risks that may be associated with these signs of a potential security breach. 


  1. Refer to your organisation’s established incident response plan (IRP)

As individual organisations respond to incidents differently, your first step should be to consult your organisation’s IRP, which outlines the specific steps to take during a security incident. 


  2. Notify relevant stakeholders

Immediately notify the personnel or teams responsible for OT security. Maintain clear and effective communication with all relevant stakeholders, including IT and OT teams, management, and external parties if required. Transparency is crucial during incidents. 


  3. Isolate

Identify and isolate the affected systems to prevent the compromise from spreading further into other OT systems; disconnecting affected systems from the network can help contain the threat. Follow the IRP before disconnecting a controller, as in OT taking a device offline can itself disrupt the physical process, so isolation should be coordinated with operations staff. 


  4. Investigate

Conduct a thorough investigation to understand the nature and extent of the unusual activity and to determine whether it is a false positive or a genuine cyber security incident. 


  5. Contain

Once you have confirmed a genuine cyber security incident, contain it by isolating the compromised systems further. 


  6. Eradicate

After containment, eradicate the root cause of the incident. Affected systems should be restored to a known good state. 


  7. Root cause analysis

Perform a root cause analysis and define remediation actions to prevent similar incidents from recurring. 


  8. Update OT security policies and procedures

Incorporate the lessons learned from the incident. 


  9. Audit the OT environment

Look for areas of improvement to prevent similar incidents in the future. This may also include providing additional training to personnel. 


  10. Ongoing monitoring

Maintain ongoing monitoring of OT systems to detect and respond to any future unusual activity promptly.  


  11. Ensure compliance with relevant regulations and laws

You may be required to report security incidents to regulatory authorities.  


  12. Outsource if required

Where the asset owner lacks the capability to perform the recommended steps, or in complex or severe incidents, consider engaging cyber security experts, incident response firms, or law enforcement agencies to assist in the investigation and resolution of the incident. 


Building a cyber-safe culture in your organisation 


Organisations that operate OT systems must prioritise the establishment of comprehensive monitoring, effective alerting, and rapid incident response protocols. These measures are crucial for the timely detection and mitigation of atypical activities. With the increasing convergence of IT and OT, cyber security must evolve into an integral component of the organisational culture, akin to the ingrained ethos of workplace safety that has developed over the past three decades. Embedding cyber security into the daily routine of every task can significantly enhance the protection of critical infrastructure and operations against emergent cyber threats and disruptions. 


OT-SAT, Secolve’s OT security awareness platform, can empower your organisation and employees to uplift their understanding of OT and OT cyber security. Get in touch with us today for a demo to find out how our video-based training on OT-SAT can help you.