South Coast Water District
The need for improved visibility across OT
South Coast Water District was already a customer of Darktrace’s enterprise security solutions covering their network, email, apps, and endpoints. However, the IT team wanted to extend its visibility into operational technology (OT) assets to fill a major network security blind spot.
Additionally, the SCWD team intended to increase visibility and analysis with the addition of new OT security tools, boosting efficiency when the IT and OT teams collaborated. Historically, the OT team was focused on the maintenance and operation of OT devices associated with the public water system infrastructure, and the IT team would only get involved with OT if something went wrong with the IT infrastructure supporting the OT networks (firewalls, switches etc.). The two teams would meet monthly to coordinate security, but in most cases, the meetings were unproductive because the two teams had no collaborative tools or means to visualize and understand the connectivity and security of the shared infrastructure.
Fostering collaboration between IT and OT teams
Before extending Darktrace’s coverage, the OT engineers were skeptical of deploying a security solution across OT assets, fearing it might disrupt the continuity of critical systems. However, working with Darktrace’s OT cyber engineering and architecture team clarified the passive nature of the technology, and fears of disruption were quelled.
“Within the first ten minutes of deployment, Darktrace / OT identified two networking issues that the OT and IT teams were unaware of previously. This made it possible to convince the OT team to allow us to deploy across the entire OT environment, as the Darktrace solution wasn’t intrusive and provided huge value to the IT team and OT teams,” said Bryon Black, IT manager at South Coast Water District.
Once Darktrace / OT was fully deployed, both the IT and OT teams benefited from unified visibility of the OT network, and they now collaborate seamlessly by sharing intelligence. Moreover, the IT security team now has oversight of the whole operation, gaining a better understanding of the activity and alerts that appear around the OT assets.
“It has always been about visibility and connecting the dots where we would never see it previously,” Black said. “Rogue devices on the network? Now we know about it. Previously we would never see that.”
Deploying within sensitive OT environments
South Coast Water District’s operations span a diverse array of assets, including 13,000 water system asset connections, a wholesale water facility, and groundwater resources, each presenting unique security challenges. With a significant portion of OT assets and distinct SCADA systems in play, the district must balance the sensitivity of its OT assets and remote sites with maintaining a strong security posture.
Darktrace / OT is purpose-built for industrial organizations. Within its unified view of both IT and OT environments, it can deploy devices into any environment, whether IT, DMZ, OT, cloud, or all of the above, providing local monitoring wherever the OT infrastructure is.
Additionally, because the AI-powered analysis of traffic is performed onsite, it requires no external connectivity and no changes to network segmentation in order to ingest threat intelligence data. As a result, Darktrace / OT can monitor the OT network without interfering with operations.
How Darktrace helps SCWD today
Continuous monitoring of IT & OT
In today’s threat landscape, adversaries take advantage of any available attack surface, using several entry points to launch attacks and then pivoting to critical systems. It is well known that attacks targeting OT often start in the IT environment and move laterally into the OT networks that support and control physical operations. The increased sophistication of threat actors calls for continuous monitoring of all of an organization’s assets, because threats tend to emerge in off hours and traverse multiple environments, including email, SaaS, cloud, and OT.
The IT team now has high confidence that it can see what is happening even if it can’t pay attention to it every second of the day. Darktrace AI works around the clock, functioning as an extension of the SCWD team to detect anomalies at machine speed. The IT team can now have a larger presence at the company despite having only a few members.
“Continuous monitoring over every area means I can take a second to breathe,” Black said.
Simulated phishing for cyber risk readiness
With Darktrace actively watching over the network and OT assets, the IT team has become more proactive with its approach to security. Utilizing Darktrace / Proactive Exposure Management, the team runs simulated phishing campaigns.
“The phishing campaigns we simulate with Darktrace are extremely realistic,” Black said. “It feels like a sophisticated exploit. It also helps us meet our cyber awareness KPIs for our IT team where we measure the click rate on these simulated phishing emails.”
Increased efficiency managing alerts
The IT team saw a tremendous improvement in reducing the time-to-meaning of security events with Darktrace’s AI-augmented investigations using Cyber AI Analyst. When threats are detected, Cyber AI Analyst triages them at machine speed.
“Instead of looking at all the data everywhere, Cyber AI Analyst tells you where the issues might be so you can figure it out,” Black said.
The AI tremendously reduces the number of alerts that require the team’s attention and gives it all the information it needs to determine how to act.
“When there is a breach, we are not at ground zero,” Black said. “We don’t have to dig through firewall logs and go down a rabbit hole across multiple networks, people, and machines to figure out what went wrong. Instead, we have those logs, and we can figure out exactly what happened.”
The team reports that while it would previously have taken three hours to figure out the severity of an alert, Cyber AI Analyst has decreased that time to merely 20 minutes.