The 2025 OT Cyber Threat Report

The 2025 OT Cyber Threat Report: What It Tells Us (and What It Doesn’t See) Why the shift toward process-oriented OT security is no longer optional The context: The 2025 OT Cyber Threat Report, published by Waterfall Security and ICS STRIVE, compiles incidents from 2024 that had physical consequences for operational technology systems. These are not theoretical scenarios; they’re documented disruptions where cyberattacks led to real-world outcomes: shutdowns, damaged equipment, lost revenue, and national security concerns. This year's data confirms what process-oriented defenders have long suspected: the gap between cyber visibility and physical reality is widening. And the only way to close it is by monitoring what’s actually happening at Level 0. The data: Physical consequences are rising faster than we think While the number of attacks rose only ...

Rethinking Water Industry OT Cybersecurity Strategy

In crisis mode, the water industry needs to look beyond the obvious for OT cyber security. Recent warnings by the Environment Protection Authority (EPA) and the National Security Agency (NSA) about the vulnerability of water and wastewater systems to cyber-attack come as no surprise to industry observers. It is not hyperbole to state that with over 70% of surveyed water systems failing to meet EPA cyber standards, the industry is in crisis mode. With the increase of incidence and risk of state-sponsored attacks on critical infrastructure, incremental improvements to cyber prevention and detection tools fall short. This article will explore a different approach, based on Process-Oriented OT Cyber Security for the water industry. It’s not a panacea for all threats, but when the industry is facing an unprecedented threat, I believe it should be a core component of ...

The Solution to High False Positives

Process-Oriented OT Cybersecurity: The Solution to High False Positives The dilemma: One of the most critical decisions a CISO will face is how to respond to an alert that is indicative of a potential cyberattack - initiate a shutdown that disrupts operations and incurs avoidable costs, or risk overlooking a genuine threat that could lead to catastrophic consequences. The False Positive Phenomenon in OT Cybersecurity In Operational Technology (OT) environments, Intrusion Detection Systems (IDS) are widely used for identifying potential threats. Here’s the problem:  IDSs generate a high volume of false positives, leading to alert fatigue and costly downtime.  For instance, according to one study on a single U.S. oil refinery, out of approximately 27,000 IDS alerts, only 76 were legitimate OT cyber incidents. This implies that over 99% of the alerts were false ...

Supply Chain Threats to Cyber Physical Systems

Supply Chain Threats to Cyber Physical Systems: The Case for Process-Oriented OT Cybersecurity The story of the Trojan Horse is one of history’s most famous cautionary tales. Unable to breach Troy’s towering walls, the Greeks resorted to deception. They left a giant wooden horse as an offering, hiding soldiers inside. Believing they had won, the Trojans brought the horse into their city. Under the cover of night, the hidden soldiers emerged, and Troy fell. Not because its walls were weak, but because the real danger came from within. In today’s world of cybersecurity, the supply chain is the Trojan Horse. Trusted hardware, software, or vendor systems often carry hidden risks: compromised updates, counterfeit components, or malicious access. These vulnerabilities bypass traditional defenses and strike at the heart of critical infrastructure, putting industries like ...

Layered Physical Cybersecurity for Resilient OT environments

Cybersecurity for industrial systems isn’t a new problem. But too often, it’s still treated like one. Most organizations have well-developed strategies for securing digital assets. But when it comes to Cyber-Physical Systems (CPS) - the power grids, water systems, manufacturing lines, and national infrastructure that depend on both digital and physical processes- cybersecurity strategies often fall short. The reason is simple: many defenses still focus almost entirely on the network layer. The result is that this leaves the physical processes themselves vulnerable to attack. The consequences are real and measurable. These aren’t just data breaches. A successful attack on CPS can result in physical shutdowns, equipment failure, and even risks to human safety. To address this, CPS protection requires a different mindset. One that acknowledges the complexity of ...

NIS2: What It Is and Why It Matters for OT Cybersecurity

What is NIS2? The Network and Information Security Directive 2 (NIS2) is the European Union’s latest cybersecurity regulation aimed at strengthening the resilience of Critical Infrastructure. It builds upon the original NIS Directive (2016) by expanding its scope, introducing stricter security requirements, and enforcing harsher penalties for non-compliance. NIS2 applies to a broad range of sectors, including energy, water, transportation, healthcare, and manufacturing - many of which rely on Operational Technology (OT) to manage physical processes. Why It Matters? While traditional cybersecurity efforts have focused on IT systems, NIS2 makes it clear that OT environments which control industrial processes are equally critical. This matters because Level 0 systems (sensors, actuators, and controllers) are often the weakest link in industrial ...

OT Cybersecurity Against Aurora Attacks

Protecting the Grid: How Process-Oriented OT Cybersecurity Defends Against Aurora Attacks What do we know about Aurora attacks? Aurora attacks exploit vulnerabilities in the synchronization of critical infrastructure, such as generators and transformers, with the power grid. These attacks cause dangerous out-of-phase conditions, leading to mechanical stress and potentially catastrophic failures in essential equipment. What makes Aurora attacks particularly challenging is that they can evade traditional monitoring systems like SCADA, which are designed to detect more obvious threats but miss subtle timing deviations. Why Process Oriented OT Cybersecurity? Process-Oriented OT Cybersecurity offers a solution by focusing on monitoring the physical processes within critical infrastructure. Instead of just relying on traditional network-based defenses, this approach ...

Process-Oriented Defense in OT Cybersecurity

The Future of OT Cybersecurity: Aligning with NIST IR with Process-Oriented Defense   Operational Technology (OT) systems are the backbone of critical infrastructure—powering energy grids, driving industrial production, and delivering clean water. While these systems were once isolated, their growing integration with digital networks has expanded their capabilities and their exposure to cyber threats. The increasing sophistication of attacks against OT environments, including ransomware targeting industrial processes and coordinated efforts by nation-states, has turned OT cybersecurity into a national security priority. The issue isn't just digital connectivity—it's the growing reliance on interconnected systems to control physical processes critical to public safety. Recent statistics reveal the severity of the challenge: 70% of industrial organizations faced a ...

KDSys Launches SigaML² in South Korea

KDSys Launches SigaML², an Advanced Multi-Layer OT Cybersecurity Suite, in Korea SEOUL, South Korea, Dec. 19, 2024 – KDSys Co., Ltd., a leader in delivering innovative and sustainable technology solutions, is proud to announce its partnership with SIGA to officially launch the SigaML² Multi-Layer OT Cybersecurity Suite in Korea. This marks a significant milestone in bringing world-class OT cybersecurity solutions to Korean industries, addressing the growing need for real-time detection and response to cyber threats in critical infrastructure sectors. SigaML² is SIGA’s groundbreaking Multi-Layer Machine Learning Process-Oriented OT Cybersecurity suite, designed to provide CISOs with early alerts and critical Incident Response (IR) tools for managing OT cyberattacks. The suite includes: SigaGuardX, a first-of-its-kind multi-level OT cybersecurity software ...

Why a Process-Oriented Approach is Essential?

The Big Picture: Operational Technology (OT) systems are now essential across industries like power utilities and manufacturing. But as OT reliance grows, so does its vulnerability to cyber threats. Nearly 70% of industrial organizations faced cyber-attacks in the last year, with one in four forced to shut down operations as a result. The involvement of nation-state actors is heightening the sophistication and severity of these attacks, especially in sectors critical to national security like energy and water supply. Why It Matters: Cybersecurity Preparedness: Regulatory bodies are tightening requirements for cybersecurity preparedness and incident reporting. The SEC’s 2023 Cyber Security Disclosure Rule mandates that public companies report significant incidents within four days, placing immense pressure on organizations. Financial and ...

101 Process-Oriented OT Cybersecurity

What is Process-Oriented OT Cybersecurity? When a cyberattack is detected, tools for intrusion prevention are of limited (if any) value. That's where Process-Oriented OT Cybersecurity comes into action – during the Incident Response phase of a cyberattack. It leverages data from all levels of the Purdue Model (0–4) to monitor, detect, and respond to incidents in real time. By including Level 0 data — from the process layer where turbines, pumps, and other physical components operate — it provides an unaltered view of operations, critical for identifying attacks that manipulate data or processes undetected by higher levels. Why It Matters The Growing Threat of Cyberattack Critical infrastructure is under siege. Recent incidents, like the 2024 Halliburton cyberattack, demonstrate how vulnerabilities in OT systems can lead to devastating ...

Nozomi Networks Expands OT Security with ARC Embedded Sensors

Nozomi Networks has announced its latest innovation: ARC Embedded - the first security sensor embedded directly within Mitsubishi Electric PLCs. This new capability allows real-time monitoring and protection at the PLC level, providing additional visibility into operational technology (OT) environments. Why it matters Solving Encryption Challenges. Traditional IDS systems are limited by encryption, making it almost impossible to monitor network traffic effectively. ARC Embedded circumvents this by collecting data directly within devices, allowing it to gather critical data without being hindered by encryption. Announcement Details East-West Traffic Monitoring: The ARC Embedded solution monitors lateral network traffic within OT environments, providing critical insights into communication patterns, configuration changes, and device health. AI-Driven ...

SIGA launching SigaML²

We’re thrilled to announce the launch of SigaML², our innovative Multi-Layer Machine Learning Process-Oriented OT Cybersecurity suite! This solution equips CISOs with early alerts and critical Incident Response tools to effectively manage OT cyber-attack threats. Key Features: SigaGuardX: A first-of-its-kind software guardian utilizing advanced AI/ML algorithms. SigaGuard: A proven hardware sensor that ensures 100% reliable detection by monitoring electrical signals. S-PAS Tool: A training tool that simulates real OT cyber-attack scenarios for enhanced preparedness. As CEO Amir Samoiloff shared at the ICS Cybersecurity Conference, "Cyber attackers are becoming increasingly sophisticated. Our solution provides essential tools for CISOs." We’re also launching an Early Adopter Program for organizations to collaborate with us on OT ...

From Ransomware Surges to Global Cyber Conflicts: 4 trends of Operational Technology (OT) Cybersecurity in 2024

In the ever-evolving landscape of industrial systems, the year 2024 presents a unique set of challenges that demand a keen understanding of the intricate connections between machines and their environment. As we stand at the crossroads of technological advancement, the need to address unprecedented complexities in industrial operations has never been more critical. Amidst these challenges, one foundational layer emerges as the linchpin—Level 0. In this article, we embark on a journey to navigate four main hurdles expected in 2024 and explore how the Level 0 advantage becomes not just a solution, but a strategic imperative for overcoming the intricacies that define this era in industrial communication. Join us as we unravel the principal challenges that define this new year and discover how listening to the machines at Level 0 emerges as a beacon of resilience in an era of ...

RAMBO Attack Targets Air-Gapped Systems via RAM

A new side-channel attack, dubbed RAMBO, can steal data from air-gapped systems by exploiting electromagnetic emissions from the system’s RAM. The malware manipulates RAM operations, transmitting data through electromagnetic signals that can be intercepted by nearby devices. Key Developments: RAM Manipulation: Attackers plant malware to control memory operations, generating electromagnetic signals. Range & Speed: Data can be exfiltrated up to 7 meters away at speeds of 1,000 bits per second, making it feasible for stealing encryption keys, passwords, and other critical information. Cost-Effective: Attackers only need a low-cost Software-Defined Radio (SDR) to intercept the signals. Why It Matters: Even air-gapped systems, previously considered highly secure, are vulnerable to this new technique, presenting a significant threat to ...

Cyber OT Alert Bulletin: Peach Sandstorm Deploys New Backdoor in Critical Infrastructure

Peach Sandstorm, a state-sponsored Iranian hacking group, has deployed a new custom backdoor malware named "Tickler." This backdoor has been used in attacks targeting sectors like satellite communications, oil and gas, defense, and government entities in the U.S. and UAE. The attacks, observed between April and July 2024, leverage compromised Azure infrastructure to establish persistent access to victim networks, enabling extensive intelligence gathering and potential disruption. New Developments Azure Exploitation: The group’s use of compromised Azure subscriptions to control victim networks highlights the critical need for securing cloud infrastructure. These accounts were often obtained through password spraying and social engineering. LinkedIn Social Engineering: Peach Sandstorm also used fake LinkedIn profiles to gather intelligence, particularly targeting ...

SIGA recipient of the Cyber Excellence Awards 2024

We are thrilled to announce that our cybersecurity solutions have been recognized and honored in multiple categories at the prestigious 2024 Cybersecurity Excellence Awards! We are immensely proud to share that our innovative products have been selected as winners in the following categories: Critical Infrastructure Security Category: Our flagship solution, SIGA, has been acknowledged for its exceptional performance in safeguarding critical infrastructure from cyber threats. With SIGA, we are committed to ensuring the resilience and security of vital systems that form the backbone of modern society. Best Artificial Intelligence (AI) Threat Detection Category: SigaGuard, our cutting-edge AI-powered threat detection system, has been recognized for its unparalleled ability to identify and neutralize cyber threats in real-time. Leveraging advanced AI algorithms, ...

Stuxnet is Back! Or did it Ever Leave?

Unveiling the resurgence of Web-Based PLC malware and the imperative need for Level 0 monitoring in Industrial Cybersecurity Introduction: In the ever-evolving landscape of cybersecurity threats, researchers from Georgia Tech have recently uncovered a potential game-changer: Stuxnet-style web-based malware targeting Programmable Logic Controllers (PLCs). This discovery may sound like old news, as we all heard of the notorious Stuxnet attack before. However the discovery should raise quite a few alarm bells, as the industry never fully equipped itself with the tools to address this unique type of malware, which only got stronger and more sophisticated with time. The industry should prompt a reevaluation of industrial cybersecurity measures to stay ahead of the curve, measures that also address the often-overlooked risks associated with false process sensor data, further ...

Navigating New OT Security Frontiers: SIGA and Radiflow

Yossi (Konstantin) Tarnopolsky, Director of Technology Alliances and APAC BD, at Radiflow One of my favorite movies, "Blackhat" (a 2015 film directed by Michael Mann), opens with a powerful narrative in which a cyberattack targets a nuclear power plant in Hong Kong. While fictitious, this attack reveals significant weaknesses in critical modern infrastructures. The attackers use a variety of tactics to intentionally break into the plant's Supervisory Control and Data Acquisition (SCADA) system. They cleverly change settings in the Human-Machine Interface (HMI), which go unnoticed by the engineers, leading to a failure in the cooling system. Eventually, this results in a sudden overheating crisis that culminates in an explosion leading to plenty of chaos. There was a lot of foresight in the “Blackhat” movie. Today, nine years later, not only the energy sector, but ...

SIGA Now Available in the Microsoft Azure Marketplace

Microsoft Azure customers worldwide now gain access to SIGA’s unique level 0 technology for enhancing OT Security in industrial and critical infrastructure to take advantage of the scalability, reliability and agility of Azure to drive application development and shape business strategies. [Tel Aviv, Israel – February 19, 2024] SIGA – Elevating OT cybersecurity to Level 0, today announced the availability of SigaGuard in the Microsoft Azure Marketplace, an online store providing applications and services for use on Azure. SIGA customers can now take advantage of the productive and trusted Azure cloud platform, with streamlined deployment and management. At SIGA, our commitment to safeguarding critical infrastructure is underpinned by our innovative approach to cybersecurity. Specializing in Level 0 monitoring, the lowest level of the Purdue model for ...

New Horizons in Cybersecurity with SIGA

In an era where the landscape of cybersecurity is perpetually evolving, I firmly believe that the pillars of continuous learning and unwavering collaboration are indispensable in maintaining a step ahead of emerging threats. It is with a profound sense of duty and an eagerness to contribute that I announce my new advisory role at SIGA, a vanguard in fortifying Level Zero OT resilience, serving as their Director of North America Sales. This opportunity resonates deeply with my commitment to national security, a commitment that was profoundly shaped by my experience within the Pentagon during the September 11 attacks. My role at SIGA arrives at a critical juncture in history– echoing from recent warnings from the FBI Director about state-sponsored hackers poised to "wreak havoc" on our essential services, including water treatment facilities, electrical grids, and oil & ...

4 Operational Technology (OT) Cybersecurity trends in 2024

In the ever-evolving landscape of industrial systems, the year 2024 presents a unique set of challenges that demand a keen understanding of the intricate connections between machines and their environment. As we stand at the crossroads of technological advancement, the need to address unprecedented complexities in industrial operations has never been more critical. Amidst these challenges, one foundational layer emerges as the linchpin—Level 0. In this article, we embark on a journey to navigate four main hurdles expected in 2024 and explore how the Level 0 advantage becomes not just a solution, but a strategic imperative for overcoming the intricacies that define this era in industrial communication. Join us as we unravel the principal challenges that define this new year and discover how listening to the machines at Level 0 emerges as a beacon of resilience in an era of ...

Critical Alert: Cyber threats to the U.S. Water Sector

In an unprecedented joint alert, the FBI, CISA, NSA, EPA, and INCD warn of a significant cybersecurity threat targeting the water and wastewater sector. The Iranian Government Islamic Revolutionary Guard Corps (IRGC) is reportedly behind a surge in malicious activities, putting critical infrastructure at risk. The IRGC-affiliated cyber group, "CyberAv3ngers," has persistently targeted Unitronics Vision Series programmable logic controllers (PLCs). Their attacks extend beyond the water sector, impacting energy, manufacturing, and healthcare. Since November 2023, CyberAv3ngers has exploited default credentials in Unitronics devices, leaving anti-Israel defacement messages. The affected organizations span multiple U.S. states, necessitating urgent action. The alert advises organizations, especially those in critical infrastructure, to follow the provided mitigation ...

Four OT attack scenarios which require SIGA’s Level 0 detection

Attack Scenario 1: (Un)authorized Access Cyber menaces do not stem solely from the outside. Insiders who are granted access or hackers who obtain legitimate credentials can pose a serious threat to the most critical & vulnerable assets. These attacks will most likely go undetected by standard detection tools since no malicious code or virus is used. SIGA’s ability to monitor process behavior directly from level 0 offers the ultimate method for the security of critical infrastructure regardless of the attack vector. SIGAGUARD is a tailored detection solution for such attacks, which ensures that the most valuable assets are being protected at all times. Attack Scenario 2: Under the Radar - IT/OT ransomware attacks Ransomware attacks are on the rise, which may leave OT environments at the mercy of hackers. Even during an IT based ransomware attack, without ...

Living-off-the-land (LOTL) attacks

Following the recent assault of the “Volt Typhoon” group on US infrastructure, it’s time for us to talk about living-off-the-land (LOTL) attack techniques that hackers use and how Level 0 can outsmart them. “Volt Typhoon” is a Chinese state-sponsored malicious actor, preparing the ground for future world crises, through the development of powerful hacking capabilities to cause serious disruptions to opponents, whether in North America or Asia. Microsoft has released a fascinating article (link below) about this group’s attack techniques, from data collection to exfiltration all the way towards achieving valid credentials to gain access into the system and establish their living-off-the-land strategy. Microsoft’s report addresses serious issues in terms of exploitation, where signature-matching solutions fail to protect critical infrastructure from ...

Level 0 recognized by NIST as a best-practice for OT cybersecurity

The National Institute of Standards and Technology (NIST) released a guide for Operation Technology (OT) Security outlining the main risks associated with failure of OT systems as well as best practices for protection of such critical systems. As NIST acknowledges, organizations’ most critical processes rely on OT, which makes them highly vulnerable to cyberattacks, with harsh consequences - from significant losses due to downtimes, through social unrest due to the lack of essential resources like electricity or water, all the way to severe threat to human lives.  This further demonstrates the alarming aftermath such attacks could bear, forcing organizations worldwide to act upon such threats and implement security methods to prevent these negative forecasts from becoming a reality. In section 5.3.6 NIST discusses the importance of considering the Purdue Model’s lowest ...

SIGA @ Hannover Messe 2023

Come join SIGA during Hannover Messe 2023 (17-21 April)! Our VP Sales, Amir Kandell and our DACH Sales Manager, Markus Stadelhofer will attend the event and will be happy to meet you all there to discuss the importance of Level 0 monitoring.  

Manufacturing Application Brief

Manufacturing application brief

Ransomware in OT – keep your eyes on the ball!

OT vulnerabilities are here to stay. The security policies we strive to implement are those which allow us to learn how to live with them and manage them, without putting (too many) limitations on our productions. One of the rising threats in the past few years is OT ransomware attacks. Just last week, CMMC, the Canadian Copper Mountain Mining Corporation, disclosed that it shut off their manufacturing operations in the mills due to a ransomware attack. We all remember the Colonial Pipeline attack that also left its mark on the market. That’s why it’s very surprising to learn that these two ransomware attacks, and others similar to them, were not even OT or ICS related, meaning they did not specifically target the control systems or the manufacturing environment at all. In fact, there was no evidence in real time that the attack ever "crossed the line" and impacted the OT ...

Securing Operational Technology (OT) systems

Frost and Sullivan together with Applied Risk have published an eye-opening report regarding the methods to be implemented by critical infrastructures in their Operational Technology (OT) environments in order to ensure cyber resilience to prevent the catastrophic consequences a cyber-attack on these essential businesses might have. The report starts with a quick overview of the many challenges OT systems are facing: from individual malicious actors to nation-funded organizations, critical infrastructure organizations worldwide are struggling with a varied-front cyber war, forcing them to constantly fortify their cyber resilience. The discussed report sets out 6 main essential habits critical organizations should pay attention to: On top of the above main principles for OT cybersecurity, the report states that, above all, organizations must set the seal on their ...

Relentless cyber-attacks around the world

As cyber threats are growing ever more intense and frequent, it's time for organizations worldwide to learn from the past and implement best practices to ensure they can act upon these cyber-attacks and prevent them. From Ukraine and Saudi Arabia all the way to the United States, no one is fully immune, and attackers are taking advantage of that. Eventually, anything that can be programmed can be hacked, and so operators are left to solve an almost impossible issue: how can they protect something that can be hacked whenever? A cyber-attack is not a question of "if" but a question of "when", and even though operators cannot fully prevent these attacks, they can ensure they possess the best tools to deal with such breaches quickly and effectively to minimize the attack's consequences. By capitalizing on Level 0, operators can gain unparalleled visibility into their critical ...

SIGA @ INTECH 2022

SIGA participated at INTECH 2022, a leading industrial conference, gathering leading national and international organizations to showcase the latest and most advanced solutions for protecting and improving their production. SIGA's Israel salesperson, Yair Botbol, met with key figures from various local industries to show how SIGA's Level 0 monitoring solution can promote cyber resilience to a whole new level.

SIGA @ Energie report

ARES's CEO Jürgen Weiss spoke to the Energie Report magazine and told them about the many solutions they offer, among which he discussed SIGA's unparalleled offering for promoting OT cybersecurity. Check out the full online Energie Report magazine here (Mr. Weiss's interview is on pages 12-14): Webpaper (report.at) Is your organization cyber resilient? No? Contact Us - SIGA (sigasec.com)

SIGA’s CRO, Amir Gil speaks at ICS 7th edition

SIGA's CRO, Amir Gil, spoke at ICS 7th edition held on the 20th of November. Mr. Gil discussed the importance of monitoring the process level in order to detect cyber-attacks that will otherwise go unnoticed. He demonstrated how Level 0 can make a difference and provide operators with unmatched situational awareness to act upon cyber threats quickly and effectively. SIGA's many installations have proved that what SIGA sees is unseen by other solutions, allowing organizations to capitalize on the information coming directly from their critical assets to gain full visibility and promote their cyber resilience to a whole new level.

SIGA @ SPS 2022

SIGA participated at the Smart Production Solutions (SPS) conference in Germany along with our great partner, Phoenix Contact. SIGA's DACH sales manager, Markus Stadelhofer along with SIGA's Sales VP, Amir Kandell were delighted to meet key players from many industries and showcase how Level 0 can promote cyber resilience to a whole new level.

SIGA’s CEO speaking at a major Water industry event

SIGA’s CEO, Amir Samoiloff attended a unique roundtable gathering water experts from across the US to discuss the many challenges faced by the industry. SIGA is honored to collaborate with water companies to ensure they gain visibility directly from Level 0 to protect their provision of this scarce resource.

PARALLEL REFERENCE MONITORING

HMIs Can Be Fooled! Detect anomalies before they damage your critical assets. SIGA’s Parallel Reference Monitor (PRM) provides multi-level real-time monitoring, revealing otherwise undetectable Level-0 attacks. BACKGROUND Current security methods for industrial control systems are beginning to evolve and include network-level security, some use of firewalls, unidirectional diodes and protected gateways. This vulnerability and common operational constraints lead to very limited solutions, at best. Therefore, the SCADA’s controller level, or Level 1 as it is called in the Purdue Model (e.g., PLC, RTU, etc.) can be compromised in various scenarios. An attacker has taken control of a critical process while a perfectly normal operational status is reflected on the HMI and other levels. The attack is allowed to continue undetected because the control ...