Proactive OT security: Lessons on supply chain risk management from a rogue Raspberry Pi

The article examines supply chain and insider risk in OT/ICS environments, showing how trusted software and vendor maintenance processes can introduce threats such as a rogue Raspberry Pi sitting inside a manufacturing network. It describes a rogue Raspberry Pi that Darktrace detected in a customer's ICS network, and argues for proactive, anomaly-based monitoring that can surface such devices without prior indicators, aligned with the requirements of NIS 2. #RaspberryPi #Havex #SolarWinds #TeamViewer #FloridaWaterTreatmentFacility

Keypoints

  • Supply chain and insider risks can introduce threats into ICS/OT networks via trusted software and maintenance processes.
  • Rogue devices like a Raspberry Pi in a manufacturing network create hidden attack surfaces that are easy to overlook during audits.
  • Anomaly-based detection can reveal pre-existing threats even without traditional IoCs by analyzing unusual network metadata.
  • Regulatory moves under NIS 2 push for incident reporting, zero trust, network segmentation, and supply chain resilience.
  • Proactive defense requires continuous monitoring, asset discovery, and rapid containment capabilities for rogue devices.
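The keypoints on anomaly-based detection and asset discovery describe a hunt that can be expressed in a few lines over flow metadata. The script below is an added example, not code from the Darktrace post or product: it takes constructed flow records (MACs, IPs, byte counts, an asset inventory and an approved resolver are all made up for illustration, with external addresses drawn from RFC 5737 documentation space) and flags a device on four signals that need no prior IoC: absence from the asset inventory, a Raspberry Pi vendor OUI, DNS sent to a non-approved resolver, and an external endpoint that only one internal device ever talks to (a "rare endpoint").

```python
"""Hunting a rogue maintenance device in OT flow metadata.

Added example, not code from the Darktrace post or product. Every MAC,
IP, flow record, inventory entry and resolver address below is
constructed; external IPs use RFC 5737 documentation space.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# OUIs registered to the Raspberry Pi Foundation / Raspberry Pi Trading.
# A match is a hint, not proof: MACs can be cloned and a Pi may use a USB NIC.
RASPBERRY_PI_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01", "D8:3A:DD", "28:CD:C1"}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.10.0.5"}   # constructed: the site's only sanctioned DNS server


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


def oui(mac: str) -> str:
    """First three octets of a MAC, normalised to upper case."""
    return mac.upper()[:8]


def is_internal(ip: str) -> bool:
    """RFC 1918 space counts as on-site; anything else is off-site."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(flows, inventory, rare_max_sources=1):
    """Return {src_mac: [reasons]} for devices that deserve a look.

    Signals: missing from the asset inventory, Raspberry Pi OUI, DNS to a
    non-approved resolver, and external endpoints reached by at most
    `rare_max_sources` internal devices.
    """
    reasons = defaultdict(list)
    ext_sources = defaultdict(set)   # external dst -> MACs that talked to it
    ext_bytes = defaultdict(int)     # (mac, dst) -> bytes sent
    odd_dns = set()                  # (mac, resolver) pairs to report once

    for f in flows:
        if f.dst_port == 53 and f.dst_ip not in APPROVED_RESOLVERS:
            odd_dns.add((f.src_mac, f.dst_ip))
        if not is_internal(f.dst_ip):
            ext_sources[f.dst_ip].add(f.src_mac)
            ext_bytes[(f.src_mac, f.dst_ip)] += f.bytes_out

    for mac in sorted({f.src_mac for f in flows}):
        if mac not in inventory:
            reasons[mac].append("not in asset inventory")
        if oui(mac) in RASPBERRY_PI_OUIS:
            reasons[mac].append("Raspberry Pi OUI")
    for mac, resolver in sorted(odd_dns):
        reasons[mac].append(f"DNS to non-approved resolver {resolver}")
    for dst, macs in sorted(ext_sources.items()):
        if len(macs) <= rare_max_sources:
            for mac in sorted(macs):
                reasons[mac].append(
                    f"rare external endpoint {dst} ({ext_bytes[(mac, dst)]} bytes out)")
    return dict(reasons)


# Constructed flow records for one OT cell.
FLOWS = [
    # PLC-to-HMI Modbus traffic the site expects
    Flow("00:80:F4:10:20:30", "10.10.1.11", "10.10.1.50", 502, "tcp", 2048),
    Flow("00:80:F4:10:20:31", "10.10.1.12", "10.10.1.50", 502, "tcp", 1900),
    # HMI resolving an internal name against the approved resolver
    Flow("00:0C:29:AA:BB:CC", "10.10.1.50", "10.10.0.5", 53, "udp", 120),
    # Unknown device: DNS to an outside resolver, then HTTPS to a host nobody else uses
    Flow("B8:27:EB:5E:22:01", "10.10.1.77", "203.0.113.53", 53, "udp", 96),
    Flow("B8:27:EB:5E:22:01", "10.10.1.77", "203.0.113.5", 443, "tcp", 48000),
    Flow("B8:27:EB:5E:22:01", "10.10.1.77", "203.0.113.5", 443, "tcp", 51000),
]
# Constructed asset inventory: every MAC the site believes it owns.
INVENTORY = {"00:80:F4:10:20:30", "00:80:F4:10:20:31", "00:0C:29:AA:BB:CC"}

if __name__ == "__main__":
    for mac, why in hunt(FLOWS, INVENTORY).items():
        print(mac)
        for w in why:
            print("  -", w)
```

Only the unknown device is reported; the PLCs and HMI produce nothing because their traffic stays inside the cell and against the sanctioned resolver. In practice the inventory comes from the asset register and `rare_max_sources` is tuned per site, and a hit is a containment trigger (quarantine the port or VLAN) rather than a verdict, since a legitimate vendor device that was never registered looks identical until someone checks.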

MITRE Techniques

  • [T1200] INITIAL ACCESS – T1200 Hardware Additions – Initial access via hardware additions. ‘a vendor left a Raspberry Pi device in a manufacturing customer’s ICS network without the customer’s knowledge’
  • [T1071.004] COMMAND AND CONTROL – T1071.004 Application Layer Protocol: DNS – DNS requests to an unusual server; the behaviour described is outbound call-home traffic, not interception, so Man-in-the-Middle (T1557) does not apply. ‘the Raspberry Pi device made to call home to the supplier’
  • [T1071.001] COMMAND AND CONTROL – T1071.001 Application Layer Protocol: Web Protocols – Command and control over HTTPS. ‘encrypted HTTPS and DNS connections that the Raspberry Pi made to call home to the supplier’

Indicators of Compromise

  • [Domain] Placeholder call-home domains – supplier-callhome.example, rare-endpoint.example (reserved .example names under RFC 2606, standing in for the real supplier endpoints; not real indicators and not suitable for blocklists)
  • [IP Address] Placeholder external endpoints the Raspberry Pi called home to – 203.0.113.5, 198.51.100.22 (RFC 5737 documentation addresses, standing in for the real endpoints; not real indicators and not suitable for blocklists)

Read more: https://darktrace.com/blog/proactive-ot-security-lessons-on-supply-chain-risk-management-from-a-rogue-raspberry-pi