Hidden Threats in Critical Infrastructure: How Léargas Protects Against Supply Chain Kill Switches

In May 2025, a Reuters investigation revealed what many of us in security have long feared: Chinese-manufactured solar inverters—deployed across the U.S. power grid—contained embedded, unauthorized cellular radios. These radios enabled direct command-and-control, bypassing local networks entirely. They functioned as silent kill switches for critical infrastructure.

This isn’t theory. It’s verified. It’s happening now.

At Léargas, we built our platform with threats like this in mind—not just phishing and malware, but deeply embedded, supply-chain-driven risks that evade traditional defenses. While you’re watching logs, we’re watching everything else.


Understanding the Threat: What Makes This Different

Unlike malware that needs phishing emails or vulnerabilities to exploit, these radios are hardware implants. They don’t rely on your firewall. They don’t care about your EDR. They connect directly to cellular towers over GSM/LTE bands—without touching your internal network.

So how do you see what never hits the wire?

That’s where Léargas, Zeek, and Suricata come in.


How Léargas Protects Against LTE-Backhauled Threats

Let’s be clear: Zeek and Suricata can’t see LTE traffic that bypasses your infrastructure. If a device is exfiltrating over 4G and doesn’t route through your switches or taps, there’s no Ethernet-based telemetry to inspect.

But that doesn’t mean the attack is invisible.

1. Behavioral Detection and Anomaly Modeling
  • Zeek creates a rich behavioral profile of devices—how often they communicate, which protocols they use, and how predictable their behavior is.

  • Suricata inspects inline traffic for changes in packet size, frequency, or protocol misuse.

If a device that normally speaks Modbus TCP every 5 seconds suddenly goes silent—but still performs operational tasks—you’ve got a ghost.

2. East-West Silence as a Signal

If that device:

  • Stops generating DHCP renewals

  • Drops out of ARP tables

  • Ceases sending telemetry via your LAN

…but you still see its effects downstream (e.g., grid output changing, breakers opening), that’s a red flag. It may have shifted to its embedded LTE interface.
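The absence-based signals in sections 1 and 2 can be checked directly against Zeek's conn.log. The script below is an added example, not Léargas or Zeek code: it learns each Modbus client's normal polling interval from constructed conn.log JSON lines and reports hosts whose silence exceeds a multiple of that interval (the addresses, timestamps and threshold are assumptions).

```python
"""Ghost-device check over Zeek conn.log (JSON lines).

Added example: learns each host's normal Modbus polling interval, then flags
hosts that have gone silent for far longer than that interval. The log lines
are constructed; field names (ts, id.orig_h, id.resp_h, id.resp_p, service)
follow Zeek's conn.log.
"""
import json
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000.0   # constructed epoch start of the sample window
SILENCE_FACTOR = 6          # silence > 6x the normal interval counts as a ghost
MIN_SAMPLES = 4             # connections needed before trusting a baseline


def _record(offset, host):
    return json.dumps({"ts": BASE_TS + offset, "id.orig_h": host,
                       "id.resp_h": "10.20.0.10", "id.resp_p": 502,
                       "proto": "tcp", "service": "modbus"})


def _constructed_log():
    # Inverter 10.20.1.15 polls the PLC every 5 s and stops after t=30 s;
    # inverter 10.20.1.16 keeps its 5 s cadence for the whole window.
    lines = []
    for t in range(0, 125, 5):
        if t <= 30:
            lines.append(_record(t, "10.20.1.15"))
        lines.append(_record(t, "10.20.1.16"))
    return "\n".join(lines)


SAMPLE_CONN_LOG = _constructed_log()
NOW = BASE_TS + 120  # moment at which the check runs


def learn_cadence(log_text, service="modbus"):
    """Return {host: (median_interval_s, last_seen_ts)} for clients of service."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("service") == service:
            stamps[rec["id.orig_h"]].append(float(rec["ts"]))
    cadence = {}
    for host, ts in stamps.items():
        if len(ts) < MIN_SAMPLES:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cadence[host] = (statistics.median(gaps), ts[-1])
    return cadence


def find_ghosts(cadence, now, factor=SILENCE_FACTOR):
    """Hosts silent for more than factor x their learned interval -> seconds silent."""
    return {host: round(now - last, 1)
            for host, (interval, last) in cadence.items()
            if now - last > factor * interval}


if __name__ == "__main__":
    baseline = learn_cadence(SAMPLE_CONN_LOG)
    for host, silent in find_ghosts(baseline, NOW).items():
        print(f"ghost: {host} silent {silent}s (normal interval "
              f"{baseline[host][0]:.1f}s); correlate with RF/SIM feeds")
```

A hit only becomes the "ghost" of section 2 when the same host is also absent from DHCP and ARP telemetry while its physical effects continue, so feed the result into that correlation rather than alerting on it alone.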

3. Integrated RF and SIM Correlation

Léargas integrates well with:

  • RF sensors like Pwnie Express or SDR platforms to detect rogue cellular activity in secure zones.

  • SIM telemetry from mobile operators to correlate unauthorized IMSIs or unexpected data spikes.

While not native to Zeek or Suricata, we bring these feeds into our XDR correlation engine to flag unseen paths of communication.


Protocol-Aware OT Monitoring

Léargas has deep support for ICS/SCADA protocols:
  • Modbus

  • OPC-UA

  • DNP3

  • IEC 60870-5-104

  • PROFINET

When devices start issuing strange write commands, initiate unusual polling behavior, or change their control parameters without local network observability, we detect it—and tie it to known behavioral baselines.


Deployment: Architected for Hybrid Visibility

Recommended Integration
  • Zeek and Suricata sensors at core OT switches or between inverter VLANs and control systems.

  • Out-of-band collection via mirrored ports ensures passive capture, avoiding operational disruption.

  • Léargas XDR centrally aggregates logs, alerts, behavioral deviations, and SIM/RF intel for cross-layer correlation.

Even when the LTE modem hides in plain sight, Léargas sees the shadows it casts.


Real-World Detection Strategy

✅ What You CAN See:

Signal                        | Tool                     | Detection Example
Loss of expected traffic      | Zeek                     | Inverter stops sending Modbus data but still active
Protocol misuse               | Suricata                 | OPC-UA write commands from read-only devices
RF activity in isolated zones | External (Bastille, SDR) | New cellular signal detected in controlled environment
SIM data/cell connections     | MDM / Telco Integration  | Unregistered SIM initiating LTE session
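The "strange write commands" described under Protocol-Aware OT Monitoring and the "protocol misuse" row above both come down to comparing a device's Modbus function codes against its learned baseline. The script below is an added example, not Léargas or Zeek code: it builds that baseline from constructed Zeek modbus.log JSON lines and flags writes from clients that never issued them (the addresses and the learning/live windows are assumptions).

```python
"""Modbus write-function baseline check over Zeek modbus.log (JSON lines).

Added example: learns which Modbus functions each client issues during a
known-good window, then flags write functions outside that baseline. Log
lines are constructed; field names (ts, id.orig_h, id.resp_h, func) follow
Zeek's modbus.log, whose func field holds names like READ_HOLDING_REGISTERS.
"""
import json
from collections import defaultdict


def _rec(ts, orig, func, resp="10.20.0.10"):
    return json.dumps({"ts": ts, "id.orig_h": orig, "id.resp_h": resp,
                       "id.resp_p": 502, "func": func})


# Constructed known-good window: the HMI (10.20.1.50) reads and writes
# holding registers; the historian (10.20.1.60) only ever reads.
LEARNING_LOG = "\n".join([
    _rec(1.0, "10.20.1.50", "READ_HOLDING_REGISTERS"),
    _rec(2.0, "10.20.1.50", "WRITE_SINGLE_REGISTER"),
    _rec(3.0, "10.20.1.60", "READ_HOLDING_REGISTERS"),
    _rec(4.0, "10.20.1.60", "READ_INPUT_REGISTERS"),
])

# Constructed live window: the read-only historian writes, and a client
# never seen during learning writes a coil.
LIVE_LOG = "\n".join([
    _rec(100.0, "10.20.1.50", "WRITE_SINGLE_REGISTER"),     # within baseline
    _rec(101.0, "10.20.1.60", "WRITE_MULTIPLE_REGISTERS"),  # read-only node writing
    _rec(102.0, "10.20.1.99", "WRITE_SINGLE_COIL"),         # unknown client
    _rec(103.0, "10.20.1.60", "READ_HOLDING_REGISTERS"),    # normal read
])


def _records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def build_baseline(log_text):
    """{client: set of Modbus function names seen in the learning window}."""
    baseline = defaultdict(set)
    for rec in _records(log_text):
        baseline[rec["id.orig_h"]].add(rec["func"])
    return dict(baseline)


def detect_write_misuse(log_text, baseline):
    """Return (ts, client, target, func) for writes outside the client's baseline.

    A client absent from the baseline has no learned write privilege, so every
    write it issues is reported.
    """
    findings = []
    for rec in _records(log_text):
        func = rec["func"]
        allowed = baseline.get(rec["id.orig_h"], set())
        if func.startswith("WRITE") and func not in allowed:
            findings.append((rec["ts"], rec["id.orig_h"], rec["id.resp_h"], func))
    return findings


if __name__ == "__main__":
    hits = detect_write_misuse(LIVE_LOG, build_baseline(LEARNING_LOG))
    for ts, client, target, func in hits:
        print(f"t={ts}: {client} -> {target} issued {func} outside its baseline")
```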

Beyond Alerts: Strategic Correlation

Léargas enriches this data with:
  • Dark Web intelligence (e.g., references to compromised solar firmware)

  • Sentiment scoring across Telegram and TOR marketplaces

  • Historical anomaly detection, including prior firmware behavior baselines

Combined, this allows your SOC to respond before the device is fully weaponized.


Conclusion: You Can’t Patch a SIM Card—But You Can Detect It

Covert LTE radios are invisible to traditional tooling—but not to Léargas.
We’re not waiting for kill switches to flip.
We’re watching for the moment a trusted device starts acting like it doesn’t belong.

That’s the power of Zeek, Suricata, and a behavioral XDR built for ICS and hybrid IT/OT defense.


References

  1. Reuters: Ghost in the Machine – Rogue Devices in Chinese Inverters

  2. Yahoo News: Chinese Kill Switches Found in U.S. Power Inverters

  3. Elastic: Léargas Chooses Elastic for Threat Detection

  4. Critical Path Security: Work-from-Home Security Support

Bridging the Divide: The Security Risks of IT and OT Convergence

Introduction
For decades, Information Technology (IT) and Operational Technology (OT) operated in isolation—each serving distinct purposes. IT focused on securing data, while OT managed physical processes and industrial control systems. However, as organizations pursue digital transformation (DX) and integrate Industrial Internet-of-Things (IIoT) devices, these once-separate environments are converging. While this shift promises efficiency and cost savings, it also exposes critical infrastructure to unprecedented cybersecurity risks.

At Léargas Security, we’ve seen firsthand how the expansion of the attack surface has turned OT networks into prime targets for cybercriminals, hacktivists, and even nation-state actors. This case study explores real-world vulnerabilities in IT/OT convergence and provides strategic security recommendations.

Case Study: The High-Stakes Reality of IT/OT Cybersecurity
The Incident: A Ransomware Attack That Shut Down a Nation’s Fuel Supply
In May 2021, the Colonial Pipeline—the largest refined petroleum pipeline in the U.S.—fell victim to a ransomware attack. The attackers compromised IT systems, forcing a complete shutdown of OT operations. The impact was immediate:

  1. Fuel shortages across multiple states
  2. Panic buying at gas stations
  3. Significant financial losses for businesses relying on fuel transportation

This attack was not an isolated incident.

These events highlight a dangerous reality: OT networks, once assumed to be protected by “air gaps,” are now exposed to cyber threats through IT interconnectivity.

The Root Cause: Why OT Is a Prime Target
The primary reason OT environments are being targeted? They were never designed with security in mind. Historically, OT relied on physical isolation for protection. However, modern demands for remote monitoring, automation, and efficiency have led to cloud integration and IT connectivity.

Key vulnerabilities include:

  1. Legacy Systems Without Security Patches
    Many industrial control systems (ICS) run on outdated software that lacks modern security updates. Once connected to the internet, these systems become an easy target for cybercriminals.
  2. Inadequate Network Segmentation
    Insecure IT-OT integration allows lateral movement within a network. A breach in IT (e.g., phishing attack) can quickly spread into OT environments where it disrupts critical operations.
  3. Lack of Security Awareness in OT Environments
    Unlike IT, where cybersecurity practices are standard, OT teams are often unfamiliar with evolving cyber threats. Without proper incident response training, minor intrusions can escalate into catastrophic failures.
  4. IIoT Devices Expanding the Attack Surface
    The adoption of Industrial IoT devices means more endpoints to secure. Unfortunately, many of these devices lack robust security controls, making them an entry point for attacks.

Mitigating the Risks: A Proactive Security Strategy
To prevent devastating breaches like Colonial Pipeline, organizations must implement end-to-end OT security. 

Here’s how:

  1. Enforce Network Segmentation
    Implement strict firewall rules to separate IT and OT environments.
    Use zero-trust principles to prevent unauthorized access between systems.
  2. Conduct Continuous Monitoring and Threat Intelligence
    Deploy XDR solutions (like Léargas XDR) to detect anomalies in real time.
    Utilize behavioral analytics to spot unusual network activity before an attack escalates.
  3. Regularly Patch and Update OT Systems
    Work with OEM vendors to ensure critical updates are applied to legacy OT devices.
    Establish secure remote access policies for patching sensitive infrastructure.
  4. Train OT Personnel on Cybersecurity Best Practices
    Conduct regular security awareness training for OT staff.
    Implement phishing simulations to test readiness against social engineering attacks.
  5. Implement Robust Incident Response Plans
    Define clear action plans for responding to ransomware and malware attacks.
    Conduct regular tabletop exercises to test readiness for IT-OT security incidents.

Conclusion: Securing IT/OT Convergence Is No Longer Optional
The rapid merging of IT and OT brings undeniable benefits, but it also creates a massive cybersecurity challenge. Organizations that fail to address these risks will face disruptions that extend beyond financial losses—they will impact public safety, national security, and daily life.

At Léargas Security, we specialize in securing IT-OT environments by providing advanced threat detection, network monitoring, and cybersecurity training. Contact us today to learn how we can help protect your industrial operations from cyber threats.

Revolutionizing Security Operations: The Path Toward AI-Augmented SOCs

Exploring the Processes, Challenges, and Path Toward AI-Augmented Security Operations Centers (SOC)

Security Operations Centers (SOCs) face mounting challenges in staying ahead of increasingly sophisticated threats. At Léargas Security, our XDR platform has been designed with a focus on the Energy and Critical Infrastructure sectors, helping organizations navigate these challenges while preparing for a future where artificial intelligence (AI) transforms SOC workflows.

Here, we explore the transformative potential of AI-augmented SOCs, leveraging insights from Francis (Software Analyst) and collaborators, along with real-world case studies.


SOC Challenges in 2024

SOCs face significant hurdles that inhibit their ability to respond swiftly and effectively to security incidents:

  • Alert Fatigue: High alert volumes often overwhelm analysts, contributing to burnout and missed detections.
  • Resource Constraints: Skilled personnel shortages, coupled with the high cost of maintaining SOC infrastructures, present operational barriers.
  • Legacy Limitations: Traditional automation tools, while promising, have fallen short in scalability, adaptability, and cost-effectiveness.

AI-Augmented SOCs: Transforming Security Workflows

AI offers an opportunity to address these challenges through:

  1. Automated Alert Triage: By reducing noise, AI ensures analysts focus on the most critical alerts.
  2. Enriched Threat Data: Integrating threat intelligence into AI-driven workflows empowers faster, more accurate decision-making.
  3. Optimized Incident Response: AI enables rapid containment and remediation, reducing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).

The Role of AI in XDR

At Léargas Security, we integrate AI into our XDR platform to provide comprehensive visibility and actionability across critical infrastructure environments. Key capabilities include:

  • Proactive Defense: Advanced LLMs enable predictive threat detection, shifting SOC operations from reactive to proactive.
  • Streamlined Workflows: AI assists in automating repetitive tasks, freeing analysts to focus on strategic challenges like threat hunting and compliance management.
  • Actionable Intelligence: AI-powered enrichment adds context to alerts, allowing SOC teams to differentiate real threats from false positives with greater precision.

Building Toward a Unified AI-Powered SOC

The journey to full AI integration involves overcoming barriers such as:

  • Trust and Transparency: AI solutions must offer explainable and reliable outputs to build trust with SOC teams.
  • Customizability: Enterprises require flexible systems capable of adapting to unique environments.
  • Human-in-the-Loop Models: AI should complement, not replace, human analysts, ensuring critical decisions remain in expert hands.

Léargas Security’s XDR platform addresses these challenges by integrating seamlessly with existing tools and providing intuitive AI-driven assistance, tailored to the unique needs of energy and critical infrastructure organizations.


Real-World Impact

A notable case study demonstrates the power of AI-powered SOC automation:

  • Alert Enrichment: AI analyzed anomalous activity, enriched data with threat intelligence, and flagged the incident as a high-priority alert.
  • Proactive Response: Automated workflows isolated the compromised device and generated actionable insights for Tier 2 analysts.
  • Continuous Improvement: The system updated detection rules and enriched threat intelligence repositories, strengthening defenses against future incidents.

Looking Ahead

The future of SOCs lies in hyperautomation and AI-driven workflows that combine human expertise with machine efficiency. At Léargas Security, we’re committed to driving this evolution, ensuring that organizations in the Energy and Critical Infrastructure sectors remain resilient against ever-evolving threats.

Ready to revolutionize your SOC with AI-augmented XDR? Explore how Léargas Security can transform your operations.


Léargas XDR: Elevating Canada’s Critical Infrastructure Cyber Resilience

In alignment with Canada’s Cyber Security Readiness Goals (CRGs), the Léargas XDR platform combines advanced network forensics with embedded Zeek capabilities, enhancing critical infrastructure (CI) defenses against sophisticated threats. This integration equips CI operators with powerful, in-depth visibility into network activities across IT, OT, and ICS environments, supporting the CRGs’ pillars for detection, response, and governance.

Embedded Zeek for Network Forensics
Zeek, embedded in Léargas XDR, provides high-fidelity network traffic analysis, capturing, categorizing, and correlating event data. This functionality is essential for CI operators facing complex, state-sponsored and ransomware threats, as Zeek offers layer-by-layer inspection of network traffic. Zeek’s robust protocol analysis generates rich logs that detail communication flows, behaviors, and patterns, making it ideal for:

  • Real-Time Threat Detection: Léargas XDR continuously processes Zeek’s data to detect anomalies, malware patterns, and threat behaviors associated with TTPs (Tactics, Techniques, and Procedures) identified by frameworks like MITRE ATT&CK.
  • Incident Investigation and Response: Zeek-generated logs provide detailed forensics that support rapid incident analysis. The ability to drill down into packet-level data allows security teams to identify lateral movement, pinpoint initial compromise, and map out the full scope of an attack.
  • Compliance and Data Governance: Network data logs support compliance with CRG mandates on privacy leadership and data governance, providing a clear record of all network communications and aiding in regulatory audits.

Léargas XDR’s Integrated Approach
Beyond Zeek, Léargas XDR enhances CRG-aligned capabilities through AI-driven monitoring, centralized log storage, and automated response actions. These components provide Canadian CI operators with a scalable, adaptable solution that streamlines the achievement of CRGs, including effective threat detection, cross-sector resilience, and enhanced governance.

By embedding Zeek into its platform, Léargas XDR not only meets but exceeds CRG recommendations, establishing a fortified defense mechanism essential for Canada’s critical infrastructure.

Securing Critical Infrastructure with Léargas: A Game-Changer in Cybersecurity

In today’s digital age, safeguarding critical infrastructure is more crucial than ever. However, many organizations are grappling with cybersecurity challenges due to limited budgets, insufficient staffing, and outdated solutions. Enter Léargas: a comprehensive SaaS cybersecurity platform designed to address these pressing issues and revolutionize how critical infrastructure is protected.


Enhancing Cybersecurity in the Renewable Energy Sector: A Comprehensive Solution from Leargas Security

As the US renewable energy industry expands, it faces increased risks from malicious cyber actors aiming to disrupt power generating operations, steal intellectual property, or ransom critical information. The FBI’s recent Private Industry Notification highlights the urgency for robust cybersecurity measures in this sector. At Leargas Security, we are committed to safeguarding this crucial industry with our comprehensive, scalable cybersecurity platform.


Léargas XDR – Defending America’s Critical Infrastructure

In 2014, the U.S. Department of Energy (DOE) acknowledged the pressing need for a comprehensive cybersecurity solution to the vulnerabilities faced by nearly 900 electric cooperatives. Recognizing that Extended Detection and Response (XDR) has become increasingly important to electric cooperatives in recent years, Léargas set out to create a versatile and cost-effective platform. As these cooperatives digitally transform and adopt modern technologies, they also become more exposed to sophisticated cyber threats. Such attacks not only put the integrity of the cooperatives’ data at risk, but also threaten the stability of the electrical grid that powers our communities.


The Crucial Role of Zeek-based Platforms like Leargas Security XDR in IT and OT Environments

The fusion of Information Technology (IT) and Operational Technology (OT) ecosystems is increasingly becoming integral in today’s enterprises. As the cyber threat landscape continues to evolve, posing intricate and sophisticated attacks, organizations are turning to advanced security solutions such as Leargas Security XDR. This potent platform, built on the robust Zeek framework, offers an all-in-one approach to securing IT and OT environments, providing vital insights and capabilities that help businesses stay ahead of potential threats. This article will delve into the significance of Zeek-based solutions like Leargas Security XDR with an emphasis on OT protocol analysis including DNP3, Modbus, and S7.


Revolutionizing Energy Cooperatives: The Value of Leargas Security XDR

As the globe becomes progressively dependent on digital systems and automation, cybersecurity has evolved into a pressing issue for all organizations. This trend is not just applicable to major corporations or tech firms; it is equally relevant to entities like energy cooperatives. Given their key responsibility in delivering vital services to communities, these cooperatives cannot afford to overlook the importance of robust cybersecurity measures.


Leveraging CIRCL’s AIL Framework and Leargas Security XDR Platform for Effective Breach Discovery and Management

As the digital landscape expands, so does the complexity and magnitude of cybersecurity threats. This shift has led to the development of sophisticated cybersecurity tools designed to detect, manage, and respond to potential security breaches. Two such tools making waves in the cybersecurity field are the Computer Incident Response Center Luxembourg (CIRCL) Analysis Information Leak (AIL) framework and the Leargas Security Extended Detection and Response (XDR) platform.
