Active Defense in OT – How to Make it Work | Episode 110

In this episode, Youssef Jad, CTO and Co-Founder of CyVault, tells us about CyVault's Active Defense, which provides intrusion prevention deep inside industrial networks, something that has long been considered infeasible.
About Youssef Jad

Youssef Jad is the CTO and Co-founder at CyVault, where he leads the Cyber Defense operations and novel R&D products. Youssef has over 20 years of experience in IT/OT/ICS/CPS/xIoX/Blockchain cyber defense, is a keynote speaker and a consultant to Fortune 10 companies, and boasts impressive accomplishments such as a turnkey cyber solution for the US-Gov/DHS/FBI, offensive initiatives for cyber military units, SME for ICS4ICS, and lead of the global “WannaCry v2 Ransomware” task force.

Active Defense in OT – How to Make it Work

“…common wisdom is that you simply cannot do IPS deep into industrial networks. CyVault proves this common wisdom is outdated…”

Please note that there isn’t a transcript for this episode. Here are some of the highlights from this week’s podcast:

In this episode we look at how network Intrusion Prevention Systems (IPS) can work in OT / industrial environments. An IPS is an IDS with extra functionality. A network IDS looks at each packet in the network or network connection and decides whether the packet, or the stream of packets it belongs to, looks suspicious. If the IDS recognizes what looks like an attack in progress, it raises an alert, usually to a SIEM, which logs the event.

An Intrusion Prevention System (IPS) does the same thing, and if the attack seems serious enough, the IPS takes action to interrupt the attack in progress. For example, some IPS systems that watch copies of network traffic on mirror ports inject forged TCP Reset (RST) packets back into the network, spoofing each endpoint's address and targeting the TCP connection that is being used to propagate the attack. These packets cause the TCP connection to close, interrupting the flow of attack information. Because the sensor only sees a copy of the traffic, it cannot drop anything: it races the live connection, and the forged RST is only honoured if it carries the connection's exact addresses and ports and a sequence number the receiver will accept.

While this seems fairly straightforward for IT networks, the risk of false alarms has historically been the problem on OT networks. A false alarm risks shutting down essential communications and forcing entire plants into costly unplanned shutdowns as a result.

Youssef Jad digs into the CyVault Dome product that addresses this issue to bring about active defense – IPS – on industrial networks. How can this be done safely? CyVault has tested attack interruption actions with industrial vendors and industrial equipment. The Dome product interrupts attacks in progress only when an engineering study has proven that such interruptions are safe – that they pose no threat to industrial operations. And the system can use old-school TCP RST packets, or more modern methods of interrupting attacks, involving interactions with the hosts and endpoints involved in the attack connections.

And if attacks are ever detected on systems or connections where outright interruption has not been proven safe, the IDS component of the solution still raises high-priority alerts. In this case, CyVault also works closely with engineering teams at the site to walk them through the investigative and restorative procedures involved in diagnosing what’s going on and fixing it.
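The two mechanisms described above, an out-of-band TCP reset and an engineering-approved gate on when it may fire, as one added example. This is constructed for this write-up; it is not CyVault Dome code, it sends nothing on the wire, and the Modbus signature, the asset addresses and the RESET_CLEARED policy are assumptions chosen for illustration.

```python
"""Policy-gated out-of-band TCP reset for an OT IPS (constructed example).

A sensor fed from a mirror port cannot drop packets; it can only forge
RSTs and race the live connection. A forged RST is accepted only if it
carries the exact 4-tuple and a sequence number inside the receiver's
window (ideally the next expected byte), and both endpoints must be
reset. The policy gate is what makes this usable in a plant: only assets
an engineering study has cleared get a reset, every other detection
degrades to a high-priority alert.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_RST = 0x04
TCP_ACK = 0x10
MODBUS_FC_DIAGNOSTICS = 0x08            # Modbus function 08: Diagnostics
MODBUS_SUB_FORCE_LISTEN_ONLY = 0x0004   # sub-function 04: Force Listen Only Mode


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment, as a sensor reconstructs it from a mirror port."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    return (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def build_tcp_rst(src, sport, dst, dport, seq, ack) -> bytes:
    """20-byte TCP header, flags RST|ACK, window 0, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    csum = ones_complement_sum(pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_checksum_ok(src: str, dst: str, hdr: bytes) -> bool:
    return ones_complement_sum(pseudo_header(src, dst, len(hdr)) + hdr) == 0


def tcp_fields(hdr: bytes) -> Tuple[int, int, int, int, int]:
    """(sport, dport, seq, ack, flags) of a 20-byte TCP header."""
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", hdr[:14])
    return sport, dport, seq, ack, flags


def rst_pair(seg: Segment) -> Tuple[bytes, bytes]:
    """Two resets that tear down the observed connection from both sides.

    To the receiver: spoof the sender, seq = the next byte the receiver expects.
    To the sender:   spoof the receiver, seq = the byte the sender last acknowledged.
    """
    nxt = (seg.seq + len(seg.payload)) & 0xFFFFFFFF
    to_dst = build_tcp_rst(seg.src, seg.sport, seg.dst, seg.dport, nxt, seg.ack)
    to_src = build_tcp_rst(seg.dst, seg.dport, seg.src, seg.sport, seg.ack, nxt)
    return to_dst, to_src


def suspicious_modbus(payload: bytes) -> Optional[str]:
    """Constructed signature: Modbus/TCP diagnostics 'Force Listen Only Mode',
    which silences a device and has no place in routine HMI-to-PLC polling."""
    if len(payload) < 10:
        return None
    _tid, proto, _length, _unit, fc, sub = struct.unpack("!HHHBBH", payload[:10])
    if proto != 0:  # MBAP protocol id 0 = Modbus
        return None
    if fc == MODBUS_FC_DIAGNOSTICS and sub == MODBUS_SUB_FORCE_LISTEN_ONLY:
        return "Modbus diagnostics: Force Listen Only Mode"
    return None


# Assumed policy: destination assets an engineering study has cleared for
# connection interruption. Everything else only gets an alert.
RESET_CLEARED = frozenset({"10.0.5.20"})


def respond(seg: Segment, cleared=RESET_CLEARED) -> dict:
    reason = suspicious_modbus(seg.payload)
    if reason is None:
        return {"action": "none"}
    if seg.dst in cleared:
        return {"action": "reset", "reason": reason, "frames": list(rst_pair(seg))}
    return {"action": "alert", "severity": "high", "reason": reason}


# Constructed traffic: a Force Listen Only request and a benign Read Holding Registers.
ATTACK_PAYLOAD = struct.pack("!HHHBBH", 1, 0, 4, 1,
                             MODBUS_FC_DIAGNOSTICS, MODBUS_SUB_FORCE_LISTEN_ONLY)
BENIGN_READ_PAYLOAD = struct.pack("!HHHBBHH", 2, 0, 6, 1, 0x03, 0, 10)

if __name__ == "__main__":
    for plc in ("10.0.5.20", "10.0.5.21"):
        seg = Segment("10.0.1.7", 49152, plc, 502, 1000, 5000, ATTACK_PAYLOAD)
        print(plc, respond(seg)["action"])
```

The reset frames are TCP headers only; a real sensor would wrap them in IP and emit them from a transmit-capable interface, not the mirror port. Note the asymmetry the policy encodes: a detection on an uncleared asset is never silently dropped, it is escalated, which is the behaviour the episode describes for connections where interruption has not been proven safe.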

Again – common wisdom is that you simply cannot do IPS deep into industrial networks. CyVault proves this common wisdom is outdated.

Listen in to get the full scoop.
