OT (Operational Technology) attacks can have major real-world consequences. Globally critical seaports can be shut down, and vital gas pipelines can be shut off through IT infrastructure. But which threats are real, how do you fight them and what tools should you use? We discuss it all with Maximilian Heinemeyer, Global Field CISO for Darktrace.
Heinemeyer started at Darktrace in 2016. He quickly recognized that the company, a startup then, took a fundamentally different approach than the competition. Instead of threat detection based on ready-made signatures, Darktrace from the outset has used self-learning AI, detecting all the intricacies of each individual IT infrastructure from the ground up. It’s been called ‘Cyber AI Analyst’ by the company’s former SVP Cyber Innovation Pieter Jansen when we spoke to him last year. We wrote extensively about Darktrace’s market position in general in 2024; now it’s time to delve into a more particular use case.
As a cyber security expert, Heinemeyer looked at customer environments on a daily basis, acting as a first responder for attacks such as WannaCry. “I have seen attacks from practically every nation-state under the sun through our solution.” These included all kinds of OT and CNI (Critical National Infrastructure) attacks, where digital attack paths led to practical consequences in the real world. We’ll also use OT to refer to CNI whenever applicable throughout this piece to avoid any ambiguities.
Now, as Global Field CISO, Heinemeyer speaks with customers every day, discussing roadmaps, strategies and security issues, allowing them to appear on Darktrace’s radar. In this, he not only constitutes a point of contact from Darktrace to the end customer, but his findings also show how his company must move through a changing cybersecurity landscape. We’ve heard this notion of an ever-changing landscape often enough, but let’s delve deeper into what that actually means in the here and now.
Major consequences
A frequently heard statement, including from us, is that many of today’s infiltrations could have been prevented by simply adhering to relatively basic security practices. Now, with an ever-higher security wall to scale, the attackers are arriving with ever-steeper ladders. This is often not the case with OT attacks, in actual fact. Consider a utility facility such as Thames Water, which is said to be littered with legacy software, giving cyber attackers free rein even now. The WannaCry ransomware of 2017, the spread of which Heinemeyer experienced first-hand, had a particularly large impact on old Windows systems. The stereotype (with some justification) is a dam, harbor or coal-fired power plant with Windows 98 PCs chugging along that should never meet the end of an Ethernet cable. If public internet access ever does get established, it can have significant consequences in the real world. Although details are sparse when it comes to these incidents, the attacks on seaports in Australia and Japan show that the global infrastructure can be significantly affected without disaster recovery in place.
“It’s shooting fish in a barrel when it comes to OT attacks,” Heinemeyer says. “The only reason we don’t see more hacks is because there aren’t enough resources for the attackers.” Even in the Cambrian explosion of state actors and ransomware groups, there is more prey than this predator collective can consume. “That is quite scary when we look at the current changes in the threat landscape. With the help of AI models, especially LLMs, you can code better, and write better.” Heinemeyer is referring to both more effective malware being written with AI’s help as well as the existence of more convincing phishing emails than ever before. In other words, both the malignant software ‘product’ and the supply chain are being refined. Heinemeyer says the entire attack lifecycle is accelerated. “One attacker can now target more companies in parallel than ever before.”
He emphasizes that burying one’s head in the sand, a favorite pastime among some OT personnel, no longer works. Security through obscurity is and remains a bad idea. Heinemeyer: “I’m not saying that everyone will be hacked, but it is increasingly likely these days.” Possibly, the ostrich policy has to do with, yes, the reporting on OT vulnerabilities, including by yours truly. Ancient protocols, ICS systems and PLCs with exploitable vulnerabilities are evidently risk factors. However, the people responsible for maintaining these systems at manufacturing and utility facilities know better than anyone that the actual exploits of these obscure systems are improbable. The problem, Heinemeyer explains, is that “In almost every attack we see, [such an exploit] is not necessary at all.” There is plenty of low-hanging fruit, so why bother going for anything exotic?
An attack on OT is not always an OT attack
Even in notorious OT cyber attacks, such as the one on the US-based Colonial Pipeline in 2021, the OT nature of them is debatable. At the time, Colonial Pipeline was forced to stop its gas supply to customers due to a billing system being blocked by ransomware. No pipes were ever affected directly by threat actors. Instead, they were stopped from running due to economical considerations.
Heinemeyer is not overly concerned about state actors abusing some obscure protocol and having to physically dig a hole to exploit it and, somehow, disable a nuclear facility through the most convoluted lateral movements imaginable. Rather, he’s worried about utilities with “shoddy internet connections and default credentials”. These companies are becoming more vulnerable by the day due to attackers being equipped with automatic scanners and AI-driven tooling. What is ‘scary’, in Heinemeyer’s words, is this ‘insecure by design’ approach.
Heinemeyer notes that, thankfully, there are indeed signs of improvement among OT teams. According to him, great strides have been made in the areas of asset management, the elimination of CVEs, as well as in monitoring, detection and response. About five years ago, professionals relied more on hype cycles, where famous scenarios such as Stuxnet drew most of the attention and sucked the oxygen out of the room for more realistic concerns.
Given the increasing threat, is the new focus on common best practices enough? We have already concluded that vulnerabilities should not be judged solely on the CVSS score. They are an indication, certainly, but a combination of CVEs with middle-of-the-range scoring appears to have the most serious consequences. Heinemeyer says that the resolve to identify all vulnerabilities as the ultimate solution was well established from the 1990s to the 2010s. He says that in recent years, security professionals have realized that specific issues need to be prioritized, quantifying technical exploitability through various measurements (e.g., EPSS). “The consideration that is almost always missing is the local context. Why should I focus on a vulnerability with a CVSS score of 10.0 if the system in which that vulnerability is located has no business impact?” This is why the Colonial Pipeline attack was so dangerous, as it showed that rickety IT solutions can directly impact the feasible use of critical (in this case OT) systems.
It is therefore important above all to find the real attack paths and bottlenecks; in other words, stop an attacker where it counts. That is why Darktrace’s solution enters an IT system “like a child”, prodding at whatever it comes across. It investigates how employees really interact with the IT infrastructure. Which protocols are used in this specific environment? The conclusions drawn by the Darktrace tool, by the way, always remain locally stored with the customer. This way, a security solution does not become a data privacy problem. The analysis thus revolves around practical behavior, which should clearly show which processes need to be protected and where the potential weaknesses lie.
This is a different philosophy than the ‘known bad’ threat intelligence approach adopted by other cybersecurity vendors, says Heinemeyer. “With that approach, you first have to find an attack going on at a customer.” The signals of this specific attack are then shared with all other customers, who should from that point on be protected. “That has never really worked,” is the verdict of Darktrace’s Global Field CISO. “The very idea that you can find every attack before it affects someone else is unfeasible. And you’re always behind the curve.” He also says that attackers can simply change their signature with ease to once again fly under the radar.
Sharing data
Darktrace is, therefore, not interested in global threat data intelligence, which is built on sharing customer data and giving attackers no breathing space. Instead, Darktrace will detect an anomaly if, say, a user suddenly starts scanning the entire OT network, uploads 20 gigabytes of data to a public website, and uses admin credentials for the main controller. Anyone not normally doing this will draw instant suspicion if detected, and Darktrace has set out to draw such a conclusion as early as possible.
Naturally, Darktrace must be able to access an organization’s data. How easy is that? We ask this for a multitude of reasons. For example, company data is constantly siloed, and the IT setup of an OT player is often a proliferation of legacy, niche tooling and demarcated systems with limited access. CISOs tell Heinemeyer they have far too many solutions in their IT estate. They want to platformize.
Platformization
Coincidentally, security players are also jumping on this particular bandwagon, as we discussed at length at the end of last year. Darktrace is ambitious in this area, and Heinemeyer claims that the company’s tool can cover practically the entire digital estate of a company, including those of rather uniquely infrastructured OT players. (What’s more, the power plant in Drax, England, was the very first Darktrace customer.) After a week, Darktrace shows results based on the data that the customer shares – which, again, won’t leave their premises.
Heinemeyer indicates that customers should be able to choose the best of breed. Darktrace, for example, can be set up to only run within the OT environment, with compatibility for other solutions. He also notes that various defense domains can be separated, such as identity security, observability and the security of endpoints or cloud workloads. “They are all different data areas. You want to combine them in a system that can understand how these tools work together. That could be Darktrace, but it could also be something else.”
AI, AI, AI
Heinemeyer has some criticism for competitors in this area. “There is a lot of AI washing going on,” a marketing ploy that works well for anyone who engages in it. This has an adverse effect on the end user. Darktrace’s State of AI Cyber Security report from 2024 shows that security professionals have a poor level of understanding with regard to exactly what AI is doing in their IT environments. “If you are a professional, you want to know when to use your saw and when to use your jackhammer.” Without knowledge of how the software works, a security team cannot grab the right equipment, he says. For example, every security professional must be able to distinguish between a supervised machine learning tool, a natural-language copilot or a self-learning (i.e. unsupervised) solution such as that of Darktrace. The level of knowledge doesn’t have to go much further than that, Heinemeyer says, but some foundation is required.
In the twelve years that Darktrace has existed, explaining what it does has been challenging. In the early days, when AI wasn’t nearly as much of a known quantity, the solution was explained as the immune system for one’s enterprise. Now, Darktrace lives by the adage of ‘show, don’t tell.’ As soon as organizations see what Darktrace’s machine learning is capable of (and it can be tested for free), they realize its value, Heinemeyer says.
Less knowledge needed?
This brings us to an interesting issue. AI is cited far beyond the realm of security in how it may reduce the expertise required for a particular task. Someone who previously wrote mediocre emails can appear more polite and engaged (and thus, more professional) thanks to an artificial co-pilot. We could go on and on with examples. But do these tasks also lower the skillset required for security personnel, especially for specific niches such as OT? Does Darktrace take away all the difficult work?
The main advantage of Darktrace is the reduced noise, which is especially beneficial for security teams with an attack surface that is too large to manage in detail. This higher signal-to-noise ratio lowers the access barrier for SOC operators. One can still go to great lengths to track down certain oddities in one’s own IT system with Darktrace’s tools, but users won’t have 150 alerts fired at them every day. This may mean fewer specialists with extensive resumes are needed.
This is a godsend for any OT environment. “If you thought it was difficult to find a good SecOps person, good luck finding an OT security specialist,” says Heinemeyer. “Every company competes with each other, so they’re not going to find the solution by hiring the right people.” He admits that technology is not a silver bullet here but a contributing factor to the formula for success. And since only 11 percent of organizations are considering spending more on personnel nowadays, finding enough suitable employees is impossible.
OT/IT separation
Heinemeyer does not see a clear blueprint or best practice for separating OT and IT. “If you think you are safer with a separate OT security team and an air-gapped environment, that may be better than artificially involving IT personnel more.” These two worlds sometimes speak completely different languages, he says.
However, Heinemeyer believes it is conceivable and, in many cases, desirable to at least allow OT alerts to land in IT environments. This would still close off OT environments to attackers but would leave a centralized overview (the well-known ‘single pane of glass’) of digital security. The expertise of IT personnel would then help, for example, by detecting anomalies in the OT systems and understanding when these are signs of a cyber threat. The OT side would then be the one to know precisely what the impact or cause of these anomalies is, but they would not be overwhelmed by a multitude of alerts.
Conclusion: AI to (not) understand
We have noticed that the Darktrace approach, already twelve years old, is a good fit for combating technology’s increasing complexity and speed. Attacks can physically affect the world, and this is more than ever the case due to greater connectivity. So far, we have discussed OT as a world in which IT encroaches. However, this convergence is a point of discussion for every OT organization, and sometimes, it is simply not the right way to go. The fact that in OT, extraordinarily technical and (to most) inscrutable processes take place does not bother unsupervised machine learning one iota. Darktrace only measures the deviations from the norm, but it does so with a level of detail that humans just can’t keep up with.
There is no other option but to rely more heavily on technology to keep an organization safe. Otherwise, you’re stuck competing for a shallow workforce pool that can’t fill the ocean of vacancies. OT security is a moving target; not every security solution will work well with it. The advantage of Darktrace is that more and more organizations need to be protected, partly due to the AI-driven decisiveness of attackers. It just so happens that AI can also act defensively for a more even match-up.
Also read: Darktrace acquisition by Thoma Bravo for 5 billion is finalized