Advanced Detection and Threat Management for IT and OT

In the NEWS project, TNO, the Ministry of Defence and partners developed a decentralised monitoring system for cyber threats on naval vessels. Reduced onboard staffing requires a system that can independently detect, filter and prioritise threats.

TNO designed both a demonstrator and an architecture for collecting, filtering, analysing, storing and distributing log data from military networks. The solution includes:

• Incident-specific response measures
• Three clearly defined onboard cybersecurity roles focused on people and processes
• Exploration of scalability to other defence domains

The Dutch Tax Authority (Belastingdienst) manages large volumes of sensitive data, making it a target for cybercrime, espionage and financially motivated attacks. TNO conducts research on large, real-world datasets in collaboration with the Security Operations Centre (SOC). Developed innovations:

• Anomaly detection: identifying workstations with abnormal communication behaviour
• Device identification: uniquely identifying devices based on hardware characteristics
• Multi-stage attack detection: linking multiple steps within a cyber kill chain
• DNS tunnel detection: identifying data exfiltration and command-and-control traffic via DNS
• LLM-supported advisory: using large language models for automated analysis and recommendations for SOC analysts

In a separate programme, TNO is developing a proof of concept for ransomware detection, focusing on anomaly detection in file shares. This approach uses changes in Shannon entropy - a measure of data predictability that increases when files are encrypted - creating an additional line of defence.

This TNO report explores how digital technologies such as Digital Twins and Cyber Ranges (pdf) (in Dutch) can support the Dutch water sector in addressing complex infrastructure challenges. It helps water authorities and drinking water companies identify and understand cyber risks in critical infrastructure at an early stage, strengthening resilience against cyber attacks on water management systems.

Rule-based systems detect known attack patterns (signatures) and therefore only identify known threats. Anomaly detection establishes a baseline of normal behaviour and flags deviations, including zero-day and targeted attacks without known signatures.

OT systems prioritise continuity of physical processes over information security. They often run on legacy protocols, are rarely patched due to uptime requirements, and are incompatible with standard IT security tools. A cyber attack that disrupts an operational system can have immediate physical consequences.

Shannon entropy measures the predictability of data. A normal file has a certain entropy values. When ransomware encrypts files, entropy rises sharply because encrypted data is statistically random. Monitoring entropy changes in file shares allows early detection before all files are affected.

DNS tunnelling is a technique in which attackers hide data within DNS traffic, for example to exfiltrate information unnoticed. Because DNS traffic is often not blocked by firewalls, it is widely used for covert communication between malware and command-and-control servers. Detection requires statistical analysis of DNS traffic.

These methods are primarily designed for organisations with Security Operations Centres (SOCs) and critical IT and/or OT infrastructures, including energy companies, water utilities, government bodies, financial institutions, defence organisations and critical national infrastructure providers. The approach is applicable to any organisation that prioritises cybersecurity.

Commercial SIEM and EDR solutions provide standard rule sets for broad applicability. TNO develops detection algorithms tailored to the specific data and context of the organisation, strengthening and complementing rule-based solutions.

Organisations gain documented detection algorithms tailored to their environment, insight into configuration issues, and improved network hygiene. The approach also raises employee awareness of current threats. The short-cycle methodology enables organisations to continue independently without ongoing dependence on TNO.