Carmen after R2D2: from observing to understanding in industrial cybersecurity

In the world of cybersecurity, it is not enough to look at network traffic: it is necessary to understand it. With the European project R2D2, the CARMEN tool has taken a qualitative leap in its analysis capacity in industrial (OT) environments. Thanks to the new functionalities incorporated, CARMEN can now detect complex threats early, even those designed to go unnoticed, offering security teams a more complete and precise view of industrial infrastructure.

Before R2D2: Carmen’s vision

Before the incorporation of the R2D2 project modules, Carmen was already an established network traffic analysis tool. However, its approach was mainly oriented to IT and, although it could detect anomalies and monitor traffic effectively, in industrial (OT) environments it had limitations inherent to the tool's original scope:

  • OT environments: it could not deeply interpret the most complex industrial protocols, which limited its understanding of commands, registers, and critical messages.
  • IT environments: the tool detected anomalies, but correlating them with the activity of advanced groups (APTs) required additional manual analysis.
  • Detection of APTs: effective within its scope, but based on a general approach built on known patterns.
  • Asset and risk map: it offered visibility of relevant events and alerts, but assessing the impact on critical assets and the possible attack routes depended on the analyst's interpretation.

In short, Carmen was already a solid and reliable tool, capable of observing and alerting about important events on the network. What R2D2 brought was not “starting from scratch,” but expanding its capabilities: allowing it to delve into OT traffic, interpret complex industrial protocols, correlate anomalies with advanced attacks, and also offer greater control over the asset map and its associated risk.

The impact of R2D2: Carmen learns to understand

With the incorporation of R2D2, Carmen has further enhanced its capabilities thanks to the integration of industrial dissectors and the S2TH and ADR modules. Now, the tool can deeply interpret the most critical industrial protocols, including:

  • MQTT: publish/subscribe messaging between sensors, gateways and SCADA systems in industrial IoT environments.
  • DNP3: control and monitoring of electrical systems (substations and outstations).
  • IEC104 (IEC 60870-5-104): telecontrol over TCP/IP, widely used in energy and industrial automation.
  • ICCP (IEC 60870-6 / TASE.2): data exchange between electrical control centers.

These dissectors allow breaking down each packet into understandable fields, including commands, registers, addresses, sensor values, and critical messages.

What previously required manual interpretation or remained as diffuse information now becomes clear and actionable data.

Main benefits of this expansion:

  • Accurate anomaly detection in real time, both in IT and OT traffic.
  • Understanding the intent behind each message, not just its frequency or volume.
  • Correlating anomalies with possible advanced attacks (APTs).
  • Mapping critical assets and probable attack routes, prioritizing response according to actual risk.

In summary, with R2D2, Carmen moves from observing to understanding, evolving into a tool that not only detects what is happening, but also understands why it is happening and what impact it may have on business continuity and the resilience of infrastructures.

S2TH and ADR: advanced detection of APTs

Thanks to industrial dissectors, Carmen now understands OT traffic in detail, identifying commands, registers, and critical messages. This level of understanding serves as a basis for taking a further step in detecting sophisticated threats.

Advanced Persistent Threats (APTs) seek to infiltrate silently and remain hidden for long periods. Within the framework of the R2D2 project, the S2TH module incorporated in Carmen expands its capacity to detect and analyze these complex threats, providing a level of vision and context that was not previously available.

Among its main functions, S2TH:

  • Correlates alerts with historical intelligence on APT groups.
  • Calculates similarity between detected activity and known attack patterns (TTPs).
  • Prioritizes critical alerts and sends them to the ADR module for risk assessment.

In practice, S2TH allows CARMEN to compare a detected anomaly with historical intelligence on known attacker groups, identifying similarities with advanced threat patterns. For example, if a device on the OT network began sending unusual commands to a controller, S2TH can indicate that this activity matches techniques used by a specific APT group, providing an early warning signal. Without S2TH, those same events would have gone unnoticed or would have been treated as isolated incidents, without their strategic relevance being understood.
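The comparison S2TH performs (observed techniques against stored group profiles, a similarity score, then a decision on which alerts go to ADR) can be shown with a small scoring routine. The following is an added illustration, not Carmen's S2TH code: the technique identifiers use the ATT&CK for ICS numbering only as a vocabulary, while the group names, their profiles, the alert stream and the 0.5 threshold are constructed for the example.

```python
"""Rank observed activity against known technique profiles (S2TH-style).

Added illustration, not Carmen's S2TH code. Technique identifiers follow the
ATT&CK for ICS numbering as a vocabulary; the group profiles, the alert
stream and the threshold are constructed for this example.
"""

# Constructed profiles: hypothetical groups, not real threat intelligence.
APT_PROFILES = {
    "GROUP-A": {"T0846", "T0855", "T0831", "T0858"},  # discovery, unauthorized commands, manipulation
    "GROUP-B": {"T0866", "T0812", "T0843", "T0836"},  # exploitation, default creds, program download
    "GROUP-C": {"T0846", "T0866", "T0883"},           # discovery via an internet-exposed device
}

# Constructed alerts as the dissectors would emit them: (asset, technique, detail).
ALERTS = [
    ("10.0.5.21", "T0846", "sweep of DNP3 outstation addresses"),
    ("10.0.5.21", "T0855", "MQTT command outside the device baseline"),
    ("10.0.5.33", "T0831", "setpoint write to PLC outside operating range"),
]


def jaccard(a, b):
    """Set similarity in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def score_profiles(alerts, profiles):
    """Return (group, similarity, coverage, matched techniques), best first.

    similarity: Jaccard between the observed technique set and the profile.
    coverage:   fraction of observed techniques the profile explains.
    """
    observed = {technique for _, technique, _ in alerts}
    ranked = []
    for group, ttps in profiles.items():
        matched = observed & ttps
        coverage = len(matched) / len(observed) if observed else 0.0
        ranked.append((group, round(jaccard(observed, ttps), 2), round(coverage, 2), sorted(matched)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


def prioritise(alerts, profiles, threshold=0.5):
    """Select the alerts to hand over to risk assessment.

    Returns (group, alerts) when the best profile clears the threshold, else
    (None, []). Alerts whose technique is not in the matched profile stay
    behind as isolated anomalies.
    """
    ranked = score_profiles(alerts, profiles)
    if not ranked:
        return None, []
    group, similarity, _, matched = ranked[0]
    if similarity < threshold:
        return None, []
    return group, [a for a in alerts if a[1] in matched]


if __name__ == "__main__":
    for row in score_profiles(ALERTS, APT_PROFILES):
        print(row)
    print(prioritise(ALERTS, APT_PROFILES))
```

Two scores are kept on purpose: similarity alone punishes a profile with many techniques the attacker has not (yet) used, while coverage alone would favour any large profile. A single alert that only matches one technique of a four-technique profile stays below the threshold and is not escalated, which is the behaviour you want for an early-warning signal that feeds a risk engine.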

Once these alerts are identified by S2TH, the ADR module evaluates how they could affect the organization, calculating the probability that an initial foothold could reach the most critical assets of the network, the so-called Key Terrain.

To do this, it analyzes the network topology and existing connections, propagating attack probabilities and clearly showing which assets are at risk. Before R2D2, Carmen did not offer this type of analysis: alerts were fragmented and a global risk could not be calculated precisely.

In summary, the ADR module takes the alerts prioritized by S2TH and transforms them into strategic and actionable information:

  • Asset classification: identifies initial access points and critical assets (Key Terrain).
  • Network connections: analyzes how all devices in the infrastructure communicate.
  • Attack probability calculation: determines the propagation of risk from initial access points to critical assets.
  • Results accessible via API: overall network risk, probability per IP, and possible APT groups involved.

For example, if an attacker manages to access an exposed device, ADR can calculate the probability that the threat reaches a critical asset and thus effectively prioritize the response, closing the detection cycle and protecting what really matters.
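The propagation ADR performs over the topology can be sketched as a fixed-point computation on a graph of observed connections. The block below is an added example, not Carmen's ADR implementation (the page states what ADR returns, not the method): the topology, the per-link pivot probabilities, the entry point and the Key Terrain set are all constructed, and incoming paths are combined with a noisy-OR, which assumes the paths are independent.

```python
"""Propagate attack probability from initial access points to Key Terrain (ADR-style).

Added example, not Carmen's ADR implementation. The topology, the per-link
pivot probabilities and the Key Terrain set are constructed. Incoming paths
are combined with a noisy-OR, which treats them as independent, so shared
upstream hops make the result an approximation rather than an exact value.
"""
import math

# Constructed topology: (source, target, probability that an attacker who
# controls source can pivot to target over the observed connection).
EDGES = [
    ("dmz-gw", "historian", 0.6),
    ("dmz-gw", "eng-ws", 0.4),
    ("historian", "scada-srv", 0.5),
    ("eng-ws", "scada-srv", 0.7),
    ("eng-ws", "plc-1", 0.5),
    ("scada-srv", "plc-1", 0.8),
]
KEY_TERRAIN = {"scada-srv", "plc-1"}


def propagate(edges, entry_points, max_iter=100, tol=1e-9):
    """Fixed point of P(v) = 1 - (1 - base(v)) * prod over u->v of (1 - P(u) * p(u,v)).

    entry_points maps asset -> probability of the initial foothold (1.0 for
    the device named in the alert). Iterating, instead of a single pass in
    topological order, also handles cycles in the connection graph: the
    update is monotone and bounded by 1, so it converges.
    """
    nodes = {n for u, v, _ in edges for n in (u, v)} | set(entry_points)
    prob = {n: entry_points.get(n, 0.0) for n in nodes}
    for _ in range(max_iter):
        updated = {}
        for v in nodes:
            survive = 1.0 - entry_points.get(v, 0.0)   # not compromised directly
            for u, w, p in edges:
                if w == v:
                    survive *= 1.0 - prob[u] * p       # and not via this link
            updated[v] = 1.0 - survive
        delta = max(abs(updated[n] - prob[n]) for n in nodes)
        prob = updated
        if delta < tol:
            break
    return prob


def assess(edges, entry_points, key_terrain):
    """Shape the result like the fields the text lists: overall risk, probability per asset."""
    prob = propagate(edges, entry_points)
    kt = {k: prob.get(k, 0.0) for k in key_terrain}
    overall = 1.0 - math.prod(1.0 - p for p in kt.values())   # any Key Terrain reached
    return {
        "overall_risk": round(overall, 3),
        "per_asset": {k: round(v, 3) for k, v in prob.items()},
        "key_terrain_priority": sorted(kt, key=kt.get, reverse=True),
    }


if __name__ == "__main__":
    print(assess(EDGES, {"dmz-gw": 1.0}, KEY_TERRAIN))
```

With the exposed gateway as the foothold, the PLC ends up slightly more exposed than the SCADA server because it is reachable both directly from the engineering workstation and through the server, which is exactly the kind of ordering an analyst needs to decide what to isolate first. The same function answers "what if the foothold were elsewhere" by changing `entry_points`.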

With this combination, Carmen not only identifies advanced threats but also evaluates their potential impact on the network, closing the full cycle of detection, analysis, and risk management to protect what really matters.

Before and after: a radical change

Results and KPIs

The deployment of Carmen with R2D2 has shown significant improvements in threat detection and management:

  • Early detection of threats: signs of APTs are identified before they can cause damage to critical systems.
  • Reduction of false positives: thanks to alert correlation and risk prioritization, only 1% of alerts require attention.
  • IT/OT integration: complete view of the attack surface, allowing correlation of anomalies in corporate and industrial environments.
  • Quick response: ADR’s probabilistic assessment allows prioritizing the most critical assets and acting before they are compromised.

Practical example: real-time simulated attack

Let’s imagine a typical industrial and corporate network: sensors that control machinery, servers that manage critical operations, and connected devices that constantly send data. To show how Carmen works, we carried out a simulated attack, step by step:

  1. Network preparation: all traffic is sent to Carmen via port mirroring (a SPAN port or a network TAP), so monitoring is passive and does not interfere with network operation.
  2. Anomaly detection: in the simulated scenario, a malicious MQTT broker is introduced: a device that sends unexpected commands to industrial sensors and controllers. Thanks to the dissectors, Carmen can read these messages, understand which commands are being sent and to which device, and differentiate between legitimate (normal) traffic and suspicious activity.
  3. Correlation with APTs: the S2TH module analyzes the anomaly and compares it with historical intelligence on APT groups, identifying similarities with known tactics, techniques, and procedures.
    In the simulation, the unexpected command sent by the malicious broker matches patterns used by a known group of industrial attackers. Carmen generates an alert, indicating that this could be a possible attack from a known APT group.
  4. Risk assessment: From the alert and the affected device, the ADR module calculates the probability that the threat reaches critical assets (Key Terrain), evaluating propagation routes and prioritizing response.
    In the simulation, the ADR module estimates that there is an 80% probability that it could affect a critical asset and a 50% chance that it could reach an industrial control server. This information facilitates response prioritization, focusing efforts first on protecting the critical asset rather than other less relevant or impactful systems.
  5. Presentation of results: through Carmen’s API, analysts obtain information about the overall network risk, probability of attack per IP, and possible APT groups involved. This allows security managers to make quick, well-founded decisions, without the need to manually interpret hundreds of isolated alerts.
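Step 2 above depends on the dissector work described earlier: breaking each MQTT frame into its fields and then comparing topic, source and command against what the device normally does. The following is an added example for both passages and is not Carmen's dissector code. It follows MQTT 3.1.1 framing (an MQTT 5 PUBLISH carries a properties field after the packet identifier, which this parser does not handle); the broker addresses, the baseline and the frames are constructed, with the frames encoded by a small builder included only to produce sample traffic.

```python
"""Dissect MQTT PUBLISH frames and check them against a device baseline.

Added example, not Carmen's dissector code. Framing follows MQTT 3.1.1;
the baseline, addresses and frames are constructed for the example.
"""

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
              9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}
_UNKNOWN = object()


def _remaining_length(buf, i):
    """Decode the variable-length 'remaining length' field starting at buf[i]."""
    value, multiplier = 0, 1
    for _ in range(4):                       # the spec allows at most 4 bytes
        byte = buf[i]
        i += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, i
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_publish(frame):
    """Break a PUBLISH frame into fields; other packet types return only their name."""
    ptype = frame[0] >> 4
    if ptype != 3:
        return {"type": MQTT_TYPES.get(ptype, f"TYPE-{ptype}")}
    qos, retain = (frame[0] >> 1) & 0x03, bool(frame[0] & 0x01)
    length, i = _remaining_length(frame, 1)
    end = i + length
    if qos == 3 or end != len(frame):
        raise ValueError("malformed PUBLISH")
    topic_len = int.from_bytes(frame[i:i + 2], "big")
    i += 2
    if i + topic_len > end:
        raise ValueError("topic length exceeds frame")
    topic = frame[i:i + topic_len].decode("utf-8")
    i += topic_len
    packet_id = None
    if qos:                                  # packet identifier only for QoS 1 and 2
        packet_id = int.from_bytes(frame[i:i + 2], "big")
        i += 2
    return {"type": "PUBLISH", "qos": qos, "retain": retain, "topic": topic,
            "packet_id": packet_id, "payload": frame[i:end]}


def build_publish(topic, payload, qos=0, packet_id=0):
    """Encode a PUBLISH frame (used here only to construct sample traffic)."""
    body = len(topic.encode()).to_bytes(2, "big") + topic.encode()
    if qos:
        body += packet_id.to_bytes(2, "big")
    body += payload
    rem, n = b"", len(body)
    while True:
        digit, n = n % 128, n // 128
        rem += bytes([digit | 0x80]) if n else bytes([digit])
        if not n:
            return bytes([0x30 | (qos << 1)]) + rem + body


# Constructed baseline: known brokers, and per topic the permitted command
# vocabulary (None = telemetry topic, any value accepted).
BASELINE = {
    "brokers": {"10.0.5.10"},
    "topics": {"plant/line1/sensor/temp": None,
               "plant/line1/valve/cmd": {"OPEN", "CLOSE"}},
}

# Constructed frames as seen on the mirror port: (src_ip, dst_ip, raw bytes).
# The third one comes from the rogue broker of the simulated scenario.
FRAMES = [
    ("10.0.5.10", "10.0.5.21", build_publish("plant/line1/sensor/temp", b"23.5")),
    ("10.0.5.10", "10.0.5.33", build_publish("plant/line1/valve/cmd", b"CLOSE", qos=1, packet_id=42)),
    ("10.0.5.99", "10.0.5.33", build_publish("plant/line1/valve/cmd", b"FORCE_OPEN", qos=1, packet_id=7)),
]


def inspect(frames, baseline):
    """Label each PUBLISH as normal or suspicious, with the reasons."""
    findings = []
    for src, dst, raw in frames:
        msg = parse_publish(raw)
        if msg["type"] != "PUBLISH":
            continue
        reasons = []
        if src not in baseline["brokers"]:
            reasons.append(f"publisher {src} is not a known broker")
        allowed = baseline["topics"].get(msg["topic"], _UNKNOWN)
        command = msg["payload"].decode("utf-8", errors="replace")
        if allowed is _UNKNOWN:
            reasons.append(f"topic {msg['topic']!r} not in baseline")
        elif allowed is not None and command not in allowed:
            reasons.append(f"command {command!r} outside baseline for {msg['topic']!r}")
        findings.append({"src": src, "dst": dst, "topic": msg["topic"], "command": command,
                         "verdict": "suspicious" if reasons else "normal", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect(FRAMES, BASELINE):
        print(f["verdict"], f["src"], "->", f["dst"], f["topic"], f["command"], f["reasons"])
```

The rogue frame is flagged twice, once for the unknown publisher and once for the command, which is the difference between "more traffic than usual" and "a command this controller never receives". A check on frame length against the declared remaining length is kept in the parser because truncated or padded frames are a common way for a malformed message to slip past a naive dissector.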

Conclusion

With the R2D2 framework, Carmen has evolved from simply observing traffic to understanding it and anticipating threats. The combination of:

  • Industrial dissectors
  • Advanced APT detection with S2TH
  • Probabilistic risk assessment with ADR

has turned Carmen into a comprehensive cybersecurity tool, capable not only of monitoring the network but also of interpreting, analyzing, and assessing risks in advance. This allows it to protect critical assets and maintain resilience in industrial and corporate environments.

What was previously incomprehensible noise is now transformed into clear, contextualized, and actionable information. With Carmen, seeing beyond ceases to be a metaphor: it is the key to anticipating threats and protecting what really matters.
