Attivo Networks Blogs

Attivo Networks Announces Real-Time Cyber Attack Detection for SCADA Devices

By: Carolyn Crandall, Chief Marketing Officer, Attivo Networks

I am pleased to share that today Attivo Networks® announced a new release of its deception-based Attivo BOTsink® solution that provides continuous threat detection on Industrial Control Systems (ICS) SCADA devices used to monitor and control most manufacturing operations as well as critical infrastructure such as natural gas, oil, water, and electric power distribution and transmission systems around the world.

SCADA systems had originally been designed to monitor critical production processes without consideration to security consequences. Security had been generally handled by keeping the devices off the network and the Internet using “air gaps” where malware could only be transmitted by the thumb drives used by technicians. However, today vulnerable SCADA systems are increasingly being connected to the corporate IT infrastructure and Internet, making them easily accessible to a remote attacker. Examples of this would be the Sandworm malware that attacked Telecommunications and Energy sectors, Havex malware that infected a SCADA system manufacturer, and BlackEnergy malware that attacks ICS products manufactured by GE, Siemens, and Advantech. These attacks primarily targeted the operational capabilities of these facilities. With the increased malicious and sophistication of malware, concerns are now escalating to fears of an irreversible disaster.

With this announcement, Attivo is extending its inside-the-network threat detection, which has been available for enterprise networks, public, private, and hybrid cloud environments, to now also cover SCADA devices. Attivo will provide upstream and downstream threat detection for business, process controls, and field sensors. Organizations will now have real-time visibility into reconnaissance and stolen credentials attacks, and will gain visibility to external, insider, and third party threats as they move laterally through the network. Regardless of whether the malware originates from a USB device, from clicking an a phishing email or other point of access, Attivo will set the traps and provide the visibility required to quickly detect and stop an attack.

How it works:

Deception is a different and highly effective solution for protecting SCADA environments, since it does not rely on knowing the attack signatures or patterns, and it also does not need to monitor all traffic to look for suspicious behavior. Deception also does not require software to be loaded or maintained on the SCADA device. Instead, deception techniques are used to confuse, delay, and redirect the enemy by incorporating ambiguity and by misdirecting their operations.

Lured to the Attivo deception engagement server, the attacker will be tricked into engaging and believing they have succeeded in their attack. The deception server has a contained “sinkhole” so that once engaged, the attack can be studied without risk of additional harm. Once the attacker engages, there is no way of hiding. Their IP address is immediately identified, and attack forensics created so that an actionable, substantiated alert can be sent to enable prompt blocking, quarantining, and remediation of the infected device. Additionally, a port can be opened to communicate with the Command and Control to get additional information about their methods, tools, and techniques.

Alerts occur in real-time based upon the detection of an attacker. All alerts will provide forensics with the substantiated, actionable detail required to identify the infected device, identify the attacker IP, and methods and tools. Since alerts are based on actual engagement and provide the attack detail, security operations individuals can quickly and confidently address the quarantining of a device and remediation of the attack.

The Attivo threat intelligence dashboard installs with the software, provides the ability to customize settings, and gives a centralized view of all alerts. From the dashboard, drill down into specific threat detail is provided. Additionally, IOC, PCAP, STIX, CSV and other reporting formats can be created to share the attack information detail. Third party integrations with SIEM solutions– Splunk, ArcSight, and QRadar are provided along with integrations with popular firewalls to automatically block, quarantine, and remediate infected devices.

It is no longer a matter of “if” an attack will occur on an IACS for critical infrastructure. A modern day security approach now assumes the network has been breached and accepts that even the best security prevention systems have gaps, and attackers will get into the network. It is now highly recommended to have an active defense program that includes prevention and inside-the-network threat detection. A defense-in-depth approach based on layered prevention security is a good approach, but adding a next line of defense that can reliably detect zero-day signature-less attacks, stolen credential, and insider/3rd party threats greatly reduces the risks of catastrophic damage and/or the exfiltration of company data. Whether you choose to start by protecting only your most critical devices or choose to turn your entire network into a ubiquitous trap, the Attivo dynamic deception platform provides a fast, reliable, and cost-effective solution to detect and defend against malicious cyber attacks.

Additional information on ICS- SCADA Threat Detection:

Dynamic Deception for Industrial Control and Automation Systems White Paper
Press Release

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

4 × 4 =

Ready to find out what’s lurking in your network?

Scroll to Top