Cyber Security Intelligence in Critical Industrial Infrastructures

ST Radio

As OTD Bilişim, we are a company that focuses on cyber security intelligence in critical industrial infrastructures.



As OTD Bilişim, we are a company that focuses on cyber security in critical industrial infrastructures. In this sense, while cyber security is actually an issue that already exists in our lives, with Industry 4.0, the issue of cyber security in Industrial Networks has become very prominent.

These systems, which were closed for years, now have to be enriched with IoT devices because of the digitalization process brought about by Industry 4.0 and the trend towards smart factories. They have become a platform where the concept of the industrial internet is used more intensively and more work is attempted with fewer people. Unfortunately, cyber threats have now started to extend to our automation networks, and we can face very serious threats in terms of cyber security.

As OTD Bilişim, we are in an intense effort to strengthen our cyber security intelligence in Turkey. We are working to protect the infrastructure of industrial companies by bringing international solutions to Turkey. We receive requests from many different sectors, because all sectors are trying to digitalize. While they try to adapt rapidly to this transformation, cyber security is an issue that requires great care.

Closed circuit networks are the soft underbelly of businesses and they have a vulnerable network structure in this sense. When you suddenly start to open these networks that have been closed for years to digitize them, unfortunately, you are faced with undesirable situations. Because they are vulnerable, facilities can be taken over, sabotaged and data stolen in an instant with very simple attacks. Or they may suffer commercial losses through ransomware attacks.

Our national borders represent our homeland, our blue homeland represents our seas, and the cyber homeland line represents a vast global network.

As OTD Bilişim, while we provide cyber intelligence on companies, we receive invitations by participating in these issues intensively in critical infrastructures and public areas in our country. We are working with them to enrich their cyber intelligence. Of course, we are in a learning period in this process. As these technologies are constantly evolving, many different attacks can mature. We have been able to see an attack in Turkey that no one else in the world has faced before. After all, considering that the internet infrastructure has reached our homes and cell phones, they can now go down to automation.

Turkey already has a national cyber intelligence center. We are experts working on this side and we provide consultancy services to companies. We help with facility modernizations. We tell them how to set up cyber intelligence in the facilities. We help them to mature their discipline there. Since there is no documentation for systems that have been closed for years - in these places we describe as shadow networks - our customers do not know where to start. We shed light and guide our customers in these areas. While making these transitions within the framework of a plan program, we support them by ensuring that they are not exposed to cyber attacks, and if there are some traces of cyber attacks inside, we detect them and close them before the incident grows. In this sense, as OTD Bilişim, we act as a service company in the sector.

OTD Bilişim is an IT Company that Prioritizes Cyber Security Issues on the IT and OT Side

Our founding purpose is to provide completely boutique services. In this sense, cyber security solutions are of primary interest to us. Among these, the security side of course requires service-oriented work. In order to be able to talk to our customers about security in every aspect, we definitely need to have a good understanding of our customer's network and system. For this reason, our team works in constant contact with the consulting companies. As a result of these contacts, we organically took part in many projects. Over time, in 2018, we achieved significant success in a major network auto modernization project and the SCADA Security Project there. In the project we signed, we realized a very comprehensive network security project and gained very serious experience.

In an environment where sensitivity is of utmost importance in a production facility, it requires serious responsibility to carry out both cyber security and network modernization without stopping production. We gained a lot of experience in Europe's largest production factory in a complicated infrastructure. It's what we've been doing for years. However, the digitalization process was also widely heard in Turkey in 2018. As of 2018, we have been one of the first to take a concrete step in this regard. We have and continue to visit many industrial facilities to help them understand how to take a proactive approach before an attack and how affected companies can recover quickly. In this sense, we can say that OTD Bilişim is a cyber security company that offers boutique services working on network security.


Build your IT Cyber Security Intelligence Network with Garland: Garland Technology's inline and out-of-band bypass TAPs and network packet brokers (NPB) are designed to provide visibility for security and performance solutions. You cannot secure what you cannot see. By eliminating blind spots, they enable you to centralize your next-generation cyber security intelligence network in parallel with your operational network without affecting network performance.

Unfortunately, our answers will not be very positive. Because the systems we build are actually intelligence systems. As the event-case analysis begins, we enable you to analyze where it came from, how it went, who it touched and what effects it has. We do not have any interventionist approach within automation. However, the information we collect is very valuable and it is a defense system that shows what the customer is facing by delivering the attack vectors to the customer in a very short time in order to solve the problem in the field. We cannot stop any attack in this sense. We call such systems IDS systems. There is no prevention, but with the information provided, we prevent the attack from progressing and maturing inside and prevent it from spreading to the whole facility to a large extent. This is also described as a defense. 

With the Industry 4.0 transformation, we have entered a digital process where smart factories are developing. In addition to the innovations that come with Industry 4.0, there are of course cyber risks that industrial facilities face and may face. Let's also give examples from the past.

Industrial networks are very vulnerable networks. We are talking about facilities built years ago. In Turkey, these facilities are very new, but there are also many facilities that are not new. While new facilities are being built, old technologies are also being used in some way. We are trying to somehow keep the process or old facilities alive. With Industry 4.0, every business is trying to modernize these facilities and in the process of digitalization, they are trying to make smarter production, faster, more serial and more production plans with less people. This requires them to pay attention to cyber risks.

Among the best-known and emerging cyber threats here, ransom attacks are very serious. While these ransomware attacks are familiar to many sectors on the IT side, they have now reached automation as well. Because Ethernet and new-generation industrial network concepts are used together here, these systems are more easily reachable by such attacks, and the facilities are becoming the focus of much more intense attention. Because they are very vulnerable, attackers can take over these systems with very simple attacks, without needing anything sophisticated. They can make very serious ransom demands, and the figures can reach very serious levels. What starts as a simple phishing attack changes once the attacker realizes that the other party is a facility: the size of the ransom starts to increase dramatically. This is the first risk.

The other is sabotage terrorism. In Turkey, such terrorist attacks on many facilities towards our critical infrastructures globally can now be carried out over the internet. We witness them up close, hear about them on the internet or see them on television. That's how close they are. Attacks that can come at us. We should not be afraid, but we should take precautions. Especially critical infrastructures and energy sectors are taking very serious measures against sabotage. It is important to strengthen our security shields at the front. But automation security now also needs attention. Because the systems here are software written by the manufacturers. Because they are written based on processes of years ago, they do not have the technology to fight or detect today's advanced attacks. When you want to do this, they face very serious monetary demands, and because it is a closed system, these investments in terms of production are not made because it has been closed for years. But when cyber attacks start to come in such an effective way, it is necessary to at least increase cyber security awareness in Industry 4.0. That's what we're looking for.

Another attack method is data theft. In other words, attackers can get hold of your critical production and R&D data in a very simple way. If you don't follow the workflows in the automation processes, if you don't monitor them like a camera, if you don't see what is accessed by whom, then unfortunately someone can come along, steal your very valuable and qualified data and expose it.

Another type of attack is process termination. You have a very valuable line, a workbench or an oven that should not stop, and somehow the system stops it. You want to make it work and you cannot make it work. You cannot understand what is interfering. Because you don't see. This is why we say that you cannot secure what you cannot see. You have to see it first. These systems are, after all, systems with software inside. An outside eye needs to constantly monitor these systems to ensure their security. In this sense, we work like a camera that constantly monitors the automation network. While we do not interfere with the systems here, we do very in-depth packet analysis by taking out a copy of the traffic there. And we don't prevent anything while doing this. However, by providing very in-depth intelligence, we prevent the incident from escalating by bringing the intelligence to the customer immediately and very quickly.

To give an example from real events in this sense: International terrorism;

In 2015, there was a massive energy shutdown in Ukraine. It was the BlackEnergy attack. All households lost power and suffered serious financial losses. Likewise, in 2017, we witnessed the WannaCry attack and the first cyber-attack on television. Many automotive companies and pharmaceutical companies were affected by this attack. Since it was a first-of-its-kind attack type, it was difficult to defend against it.

As these attacks escalated into 2021, on January 25 a major global packaging company faced a ransom attack worth nearly $30 million. The whole process was locked down and they had to stop production. Even if it does not pay the ransom, it has suffered a serious loss of prestige, having failed to gather intelligence about the attack in time.

We need to be proactive as if these things could happen to us. We need to take precautions with proactive approaches, taking into account that these attacks may come before they come to us. We create awareness by explaining these to our customers. We are also contacted by companies that have been under attack. Many companies from various sectors come and ask for help when they encounter such a situation. In the end, we do not have a magic wand in our hands, but with a certain experience, using our intelligence power, we understand how this attack is made, where it comes from and how it spreads internally, and we examine the anatomy of that attack. We can make a detailed report about the attack. We try to recover data and systems if they can be recovered by reverse engineering backwards.

The systems referred to here are "production systems". Unfortunately, when vital points in million-dollar facilities are hacked, very serious consequences are encountered. It is not easy to return to working conditions. We recommend taking these precautions well in advance. As we move towards Industry 4.0, every business will adapt to this period. But while making this adaptation, it is important to invest in cyber security, because these attacks can touch our automation network. An attack we think of as directed at IT sometimes touches automation, or it can be an attack targeting automation. So it could be an attack that is really targeting you or it could be a sophisticated attack. That's why we need to develop a defense for every possible situation.

Why are industrial networks easy targets? Very well-known international production companies say they have been subjected to cyber attacks. How is this happening? Even banking sectors were exposed to attack? Let us try to clarify these issues. 

We are in the 5th generation cyber attack era. In other words, people with very advanced attacking capabilities that are beyond five eras, when they attack you, they definitely try to neutralize you directly with targeted attacks. They are trying to get some kind of commercial gain from you. Or they are trying to sabotage you.

And yet, imagine that they are very well equipped. But the networks we currently use and operate are just as old systems. When we go back, there are industrial facilities in Turkey that work with old software such as Windows XP and Windows 7. We visit many facilities and do analysis. Unfortunately, this is the picture we always see. You cannot update the systems there like you update the operating systems on our new generation computers. Unfortunately, even the patches for these systems are too old to be updated. Everything works on old operating systems. They work in a chain reaction. You cannot say, "Let me update one". Since this is a holistic process, all software is interconnected. For that reason, these systems have always been left behind for years because we cannot touch them easily. Now, while you are trying to modernize these systems by putting different sensors there with IoTs to digitize them, unfortunately, very simple attacks with malicious intentions can neutralize you very quickly in these ways. But when such an attack comes in, it doesn't attack as soon as it comes in, it hides itself. They can collect data inside for a certain period of time.

If we complete the facility analysis in one month, malicious software infiltrated by an attack completes it in three months, five months. They complete your entire operation by seeing it. Once they have achieved their goal, they are on high alert, ready for an effective attack. They lock you up in an instant and you face the same problem at every point of your facility and you become reactive. Therefore, very simple methods, such as a USB, a guest network connection, the virus on the computer of the maintenance company coming from outside reaching inside without being aware of it, lock automations. And it doesn't matter how many safety shields there are at the front. Because they enter your automation through physical conditions.

Today, even in the pandemic, we had to suddenly bring remote connection methods, which we are not used to at all, to our most valuable automation. Everyone had to work remotely. We had to experience many examples of this very quickly. We had to do it even if we didn't want to, because people could not work. When this became an important factor, security became a secondary issue. The moment you push security into the background, the risk actually occurs. In this sense, when we work with many international companies, even if we know how robust their firewalls are at the front end, when we move a little bit towards automation, we see that the picture is the same. Therefore, modernization and security of automation networks are very valuable for every business. We support them in this sense.

In the Industry 4.0 process, Industrial Control Systems (ICS) and automation networks are being modernized and a transformation is in question. What are we doing in this transformation process? How do we conduct Cyber Security Intelligence and Cyber Security Analysis in Industrial Facilities? As an authorized distributor of SCADAfence and GARLAND Technology manufacturers, let's briefly talk about how it is useful in solving the problems you mentioned in ICS infrastructures.

As OTD Bilişim, we participate in plant surveys and analysis studies in order to respond to Industrial Control Systems. Our customers invite us. After providing certain security needs and certificates, our teams go to the field, conduct reconnaissance and analysis and collect information. What are the conditions inside. We try to understand them. Because this information does not come to us fully from our customers, we need to enter the facility. These analyzes can be done under physical conditions. Subsequently, if our customers need facility network modernization, we offer them consultancy services on these issues from both a network perspective and a security perspective.

When needs such as cyber intelligence network installations come to the forefront, just as there is a need to put physical cameras everywhere in the facility under physical conditions, if there is a need to see everywhere 24/7, automation now needs to be constantly monitored as a network. So we build an intelligence network for every packet that passes through here and determine whether the traffic circulating inside is business traffic or unwanted suspicious activities from inside or outside and deliver it to our customers. We provide trainings for these. We teach how to interpret this cyber intelligence. In this sense, we participate in segmentation studies between automation and IT. The important thing here is to be able to write north-south traffic disciplines in a good way. Because we have very little knowledge on the automation side of the network, where everything on the IT side is documented.

To write the disciplines between the two, you need to learn the downstream network. When we were asked a lot: "Do you have a cyber intelligence center?", we decided to establish such an intelligence center this year. In this sense, we are conducting such a study with our business partners. Just like the financial sector and such SSO centers, we will now be able to conduct cyber intelligence of automation networks in industrial facilities and we will be able to monitor them 24/7 and provide information in case of suspicious activities. We do this through counseling and care services. 

While we provide cyber intelligence here, it is very important to collect data from the field. One of the most important issues here in industry 4.0 is data collection. If you take your data well and analyze the subject called Big Data very well, it will be very useful for you. Because the real valuable part is Big Data. That is what we are building this intelligence on. We collect this data in the field that has never been collected before, but is important, and take it to the cyber intelligence center.

As OTD Bilişim, we use the TAP solutions of Garland Technology, of which we are the distributor. We also send the data we receive from here to SCADAfence for analysis. SCADAfence is ultimately a cyber security platform that works inside the facility. We install all the technology inside the facility. There is no data output whatsoever. There are some precautions against cloud systems because there is already a lot of qualified data. In the end, we provide cyber intelligence to the customer with GARLAND Technology and SCADAfence by analyzing all these critical data inside by advocating that the data remains inside.

The most important issue in doing so is real-time proactivity. In order to achieve this, we need to capture the data from the field very well and analyze it. Thanks to the in-depth artificial intelligence and packet analysis on SCADAfence, we can analyze the details inside a packet very well and provide very advanced intelligence while never interfering with automation. We do not disrupt or interfere in any process there. That's why SCADAfence is a successful manufacturer of SCADA solutions and ranks number 1. That's why it is so preferred: its data is very consistent. It can share a maturing attack very quickly with less inaccurate analysis and more realistic data. You can see very clearly the type of attack, who it extends to, when and what it does. This is an important benefit. In this sense, it quickly exhibits proactive approaches. We support our customers all the time.

For which sectors do we recommend these solutions? Which sectors are more threatened by cyber attacks and what precautionary measures should these companies take? How do we license SCADAfence and Garland Technology solutions? How do we position the product? Is critical data going to a cloud?


Four main sectors are important for us in the sectoral sense. Manufacturing sector, automotive sector, pharmaceutical sector, food and beverage sector. Many companies such as space defense industry, chemical industry, glass industry, cement industry can be included among the sectors. We discuss cyber security issues with every business that has scada automation systems and industrial control systems in its environment.

Our second main area is "critical infrastructures". These are more international. It is important for us to protect against attacks on critical points of a nation. These infrastructures, such as a water treatment plant and a water authority, which are very important for human life, need to be protected. By monitoring the systems in these places, we can keep intelligence on questions such as "is someone out there playing with the chemical values of the precious minerals there, changing them or not?" By sending this instantly to the center and asking "is there a manipulation?", we try to prevent incidents that will affect human life.

Similarly, smart cities. We will see this as 5G technology comes into our lives. This intensity will increase significantly and every device in our homes will become smart. We will slowly start to establish serious networks with IoTs. Telecommunications and data centers will come to the fore here.

Another sector is the energy sector. We are holding meetings with many companies in this field and they all have different expectations. But more importantly, we try to analyze this data very quickly to see if there is an attack inside. Building management systems include airports, hospitals, hotels and data centers. When we look at it, every business, every facility using SCADA needs cyber security in this digital transformation process. We are able to offer them this cyber security and SCADAfence with GARLAND Technology.

As for licensing, we license according to the number and size of IPs in the automation network and the size and volume of the factory. There are many international projects in Turkey. Companies with many locations globally come to us and can get this service as a centralized solution. We can offer this both as a license and as a service. We offer both as opportunities. The products work completely in their own environment. It does not go to the cloud in any way, all the data stays inside. We analyze all traffic there, it is a completely closed system. In critical infrastructures, no one wants data to get out. That is what we are paying attention to.

What are 5th Generation Advanced Cyber Attacks? Let's give examples of advanced attacks. Why is proactivity so important? We started to hear about ransom attacks quite often. How should this be dealt with, is paying the ransom a cure? What should business owners do about these issues? What exactly do we mean by "you don't secure what you can't see"?

We are in the 5th generation of advanced cyber attacks. Ransomware is one of them. When a type of attack that no one has ever encountered before suddenly knocks on your door and walks in, you don't know what you are facing, and you don't know how to defend yourself (your facility). Since you have never been in such a situation, there is no documentation. To give examples of these attacks: ransomware attacks. The WannaCry attack is a very important ransomware attack, for example. Many businesses were locked down. Even with the security devices they had, they took a lot of time to solve the incidents and in the meantime suffered serious monetary losses. So proactivity is very important.

When these products of ours (SCADAfence and GARLAND Technology) perform cyber intelligence, they examine the traffic we classify as suspicious activity without needing anything signature-based: everything that falls outside your basic working conditions inside is evaluated as suspicious activity. With the cyber intelligence there, you can very quickly decide whether it is an attack vector or not. This is a very important factor. When you become reactive, the facility is lost or sabotaged and there is a fire and an explosion. To avoid this, we recommend proactivity, watching from the front.
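A minimal sketch of the signature-less idea described above, added here as an illustration (it is not SCADAfence's or Garland Technology's actual logic): learn which devices, conversations and protocol functions occur in a known-good window of mirrored traffic, then flag anything outside that baseline. The flow record fields, function names and all sample addresses are constructed assumptions.

```python
from collections import namedtuple

# One conversation summarised from mirrored (TAP) traffic.
# Field names are assumptions made for this example.
Flow = namedtuple("Flow", "src dst proto func")

# Constructed sample data: learning window of normal plant traffic.
LEARNING = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.22", "modbus", "read_holding_registers"),
    Flow("10.0.1.11", "10.0.2.21", "modbus", "write_single_register"),
]

# Constructed sample data: traffic observed after the baseline was frozen.
LIVE = [
    Flow("10.0.1.10", "10.0.2.21", "modbus", "read_holding_registers"),
    Flow("10.0.1.10", "10.0.2.21", "modbus", "write_single_register"),
    Flow("10.0.1.10", "10.0.2.23", "modbus", "read_holding_registers"),
    Flow("10.0.9.50", "10.0.2.21", "smb", "session_setup"),
    Flow("10.0.1.11", "10.0.2.22", "modbus", "read_holding_registers"),
]


def build_baseline(flows):
    """Record every device, talking pair and per-pair behaviour seen."""
    baseline = {"devices": set(), "pairs": set(), "behaviours": set()}
    for f in flows:
        baseline["devices"].update((f.src, f.dst))
        baseline["pairs"].add((f.src, f.dst))
        baseline["behaviours"].add(f)
    return baseline


def classify(flow, baseline):
    """Return the reasons a flow deviates from the baseline (empty if none).

    Checks go from coarse to fine: an unknown device implies an unknown
    pair, so only the most informative reason is reported.
    """
    unknown = [ip for ip in (flow.src, flow.dst)
               if ip not in baseline["devices"]]
    if unknown:
        return ["new_device:" + ip for ip in unknown]
    if (flow.src, flow.dst) not in baseline["pairs"]:
        return ["new_pair"]
    if flow not in baseline["behaviours"]:
        return ["new_behaviour"]
    return []


def detect(flows, baseline):
    """Return (flow, reasons) for each distinct deviating flow, in order."""
    alerts, seen = [], set()
    for f in flows:
        reasons = classify(f, baseline)
        if reasons and f not in seen:
            seen.add(f)
            alerts.append((f, reasons))
    return alerts


def peers_of(alerts, host):
    """Which other hosts did a suspicious host touch, per the alerts?"""
    peers = set()
    for f, _ in alerts:
        if f.src == host:
            peers.add(f.dst)
        elif f.dst == host:
            peers.add(f.src)
    return peers


if __name__ == "__main__":
    base = build_baseline(LEARNING)
    for flow, reasons in detect(LIVE, base):
        print(flow.src, "->", flow.dst, flow.proto, flow.func, reasons)
```

The baseline is only as trustworthy as the learning window: anything already present in the network while it is recorded becomes "normal", so the window should be reviewed before it is frozen.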

How do we fight ransomware attacks? We need to take precautions beforehand to prevent this attack, thinking that it could happen to us. We need to protect our network with advanced software such as SCADAfence that can detect ransomware attacks. In this sense, the advanced artificial intelligence on SCADAfence can bring together many different attacks and synthesize whether there is an attack from the movements inside. In this way, you prevent the attack from encrypting your critical data before it matures inside. Some businesses come to us after facing a ransomware attack. The ransom is paid before we're even contacted. Unfortunately, even though it has been paid, they still haven't solved the problem. We strongly discourage this: "When faced with such an attack, don't pay the ransom, reach out to the right people".


We propose to fight proactively. Do we interfere with the running critical infrastructure? What kind of intelligence can we provide at the time of a cyber attack to combat these attacks?

It is very important to be proactive. In order to fight for cyber security in critical infrastructures, it is necessary to establish this cyber intelligence in advance. It is necessary to watch like a camera, to be prepared "as if" an event will happen even if it doesn't, and to constantly analyze and anatomize the attack when it comes. In this field, in the case of cyber intelligence, once you have made the relevant installation in your facilities, when we or someone else comes, they can fight against cyber security very quickly with the data they receive from here.

It can be likened to this: "Remove the anti-virus from your computer and we will inject you with a virus. You will waste a lot of time trying to figure out what this virus on the PC is doing. You cannot yet develop a defense for those who are struggling against it. Because you don't know what you are up against." Automation is like this... There is not the slightest security software on any device inside. They are completely vulnerable systems and once an infection gets in, it spreads very dramatically inside. While you are treating one, ten of them get infected. As a result, the longer you delay your defense, the more machines you lose. So if you take a proactive approach and get out there and understand what you are up against, you will lose fewer machines and protect most of the plant.

We are not cutting anything here. And when there is an attack, we cannot prevent it. However, when we tell you the type and variant of the attack, you make your tackling power effective in that direction and you end the attack very quickly on the field with less losses. Then you do cyber intelligence and say how did this happen and start taking measures to prevent it from happening again. 

5G technology will soon enter our lives. Cyber security will be much more important in 5G infrastructures of Industrial Facilities. How do we offer solutions here? 

5G technologies are seriously coming our way. 5G will be very important in industrial networks. Currently, no license has been issued in Turkey yet, but there are very serious studies in this sense. 5G technologies have started to be installed in certain companies. When the licenses are activated, we will start using them. This will bring a very big change in our lives. Think of it like this: "the meters in your home will start to manage many different industrial devices simultaneously from the center and there will be no need to go to the field". With such a technology, data flows will be coming very quickly to data centers and operators centrally. Big Data will be accumulating there. We are in a position to offer cyber intelligence in these areas with 5G technology and we are making our investments accordingly.

Don't be afraid, be prepared. These attacks are at our doorstep, but it is very important to be proactive. 

For more information, please visit our blog: https://onlineteknikdestek.com/blog?culture=tr
