Scenario: Manufacturing plant receives remote service, importing malware in the process.
Good service technicians are hard to find. Often the travel costs are out of all proportion to the costs incurred in the production plant.
An operator has quality problems with a newly delivered component in his machine fleet. After completion of the work, the component's commissioning engineer is already on another construction site in China. The operator requests that the commissioning engineer dials into the system with his service laptop via a secure VPN access from the hotel and carries out the warranty work.
At first sight, the quality problems appear to be solved. What the operator does not know yet: the service laptop of the commissioning company is infected with an APT (Advanced Persistent Threat). This APT begins to spread throughout the operator's network, using a DNS relay to transmit the collected data to its "Command & Control Center". After 4 months, the attacker decides to sell the data to the operator's main competitor. Another month later, the attacker is tasked by the competitor to significantly damage the operator's production facility. The attacker changes the setpoint values of the production line and at the same time falsifies the actual quality-relevant values, causing products not in conformity with the specifications to be sold. The resulting damage to the company's image is enormous, and the costs for recall and repair become prohibitive.
If the operator had secured his OT network by using anomaly detection, such as IRMA, he would already have known at the APT's first contact with the "Command & Control Center" that something unplanned was going on. In addition, the use of IRMA provides an ideal knowledge base for the detailed configuration of industrial firewalls, so that availability and security can both be maintained at a high level.
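The "first contact" idea above can be illustrated with a small baseline-and-deviation check over DNS query logs. This is an added example, not IRMA's code or any code from the original page: the log lines, host names and domains are constructed, the domain extraction is a deliberate simplification (last two labels, no public suffix list), and the entropy threshold is an assumed value.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log lines in the form "src_host queried_name".
# BASELINE_LOG stands for normal plant traffic recorded during a clean period;
# LIVE_LOG is constructed to contain a DNS relay to an external C2 server
# (all domain names here are hypothetical).
BASELINE_LOG = """\
plc-01 ntp.plant.local
plc-01 historian.plant.local
hmi-02 historian.plant.local
hmi-02 www.vendor.example
""".splitlines()

LIVE_LOG = """\
plc-01 ntp.plant.local
hmi-02 www.vendor.example
plc-01 x7k2m9q4w1e8r5t3y6u0.update-cdn.example
hmi-02 mirror.othervendor.example
""".splitlines()

def registered_domain(name):
    """Collapse a query name to its last two labels (simplified, no PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character; encoded data scores high."""
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def build_baseline(lines):
    """Learn which (host, domain) pairs occur during the clean period."""
    baseline = defaultdict(set)
    for line in lines:
        host, name = line.split()
        baseline[host].add(registered_domain(name))
    return baseline

def detect_anomalies(lines, baseline, entropy_threshold=3.5):
    """Flag a host's first contact with a new domain and long, high-entropy
    leftmost labels, which are typical of data relayed through DNS names."""
    findings = []
    for line in lines:
        host, name = line.split()
        if registered_domain(name) not in baseline.get(host, set()):
            findings.append((host, name, "first-contact"))
        first_label = name.split(".")[0]
        if len(first_label) >= 12 and label_entropy(first_label) > entropy_threshold:
            findings.append((host, name, "high-entropy-label"))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(finding)
```

In the constructed live log the PLC's query to a never-seen domain with an encoded-looking label is reported twice, while the HMI's new vendor mirror is reported once as a first contact for an analyst to confirm.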