The NIS2 directive requires owners and operators of electric and multi-utilities to include their OT networks in risk management procedures and risk analysis. The target is to determine the risk exposure of their critical processes and define appropriate mitigation measures. And this is for good reason, as the results of our vulnerability assessments at IOUs, municipal as well as public utilities highlight.
The following blog post summarizes the findings from several dozen OT vulnerability assessments and risk analyses carried out by Landis+Gyr security arm Rhebo. The Rhebo Industrial Security Assessment is conducted by Rhebo OT security experts at customers' premises both before the integration of the OT network intrusion detection system Rhebo Industrial Protector and repeatedly as part of optional service level agreements under Rhebo Managed Protection.
Methodology of Landis+Gyr OT vulnerability assessments
After initial definition of OT network and scope of assessment, the network intrusion detection system (NIDS) Rhebo Industrial Protector was integrated into the investigated OT network via mirror port switches. This required no downtime or configuration changes to the OT network and operations. After only a few minutes the passive OT monitoring started recording the entire OT communication for ten to 14 days during normal OT operation. This recording (pcap) was subsequently analyzed in detail by our Rhebo OT security experts to identify existing OT risks and create a comprehensive OT network map of all monitored OT systems and connections. The final step was the discussion of the findings and recommendations with the respective customer to improve OT security. Typically, this included the baselining of the OT communication and transfer of the NIDS to continuous operation.
All OT networks have hidden security risks
On average, 26 different risk (or anomaly) types were identified as part of the Rhebo Industrial Security Assessments. Anomaly types describe categories of detected risk that could impair security and operation. For example, in the case that "insecure firmware" was found in an OT network, this was only counted once for the present statistical evaluation, even if several different insecure firmwares were found. Therefore, the number of individual anomalies in each OT network were much higher.
The majority (74%) of the anomaly types identified can be assigned to the area of cyber security, i.e. risks that can directly impact the system security and integrity. But it’s not only security that can impair BES operations. 26% of anomaly types represent aspects of network quality and network availability, i.e. anomaly types that can lead to network failures as well as communication and subsequent operational errors.
The 10 most common OT security risks in 2023
Overall, 58 different anomaly types were identified in OT vulnerability assessments in 2023. Of these, insecure authentication methods continue to be one of the most common risks in OT networks. They differ from other insecure authentication types like non-encrypted password transmission in that the method itself is so old that it can be breached by the simplest means, even with encryption in place.
Outdated operating systems, servers, firmware, software and protocols were found in nearly all OT networks. All can indicate both a lack of patch management and infrastructures that have been in operation for 10-15 years or more containing a lot of legacy code and systems.
Successful and attempted internet communication from OT systems to IP addresses outside the company network was also detected very frequently. Factory settings of systems and misconfigurations are often the cause of this particular risk. They offer attackers the opportunity to collect information about systems used in a company's network, configurations and – in conjunction with unencrypted password transmission – system credentials.
The 5 most common OT availability risks threatening BES operation
The lack of OT visibility often results in difficulties to locate the cause of a network error. Debugging becomes a search for the proverbial needle in a haystack, even though it is part of daily operations.
For example, anomalies indicating network overload were found in all OT networks. While in IT this may only lead to bored looks during video calls, in OT it can jeopardize real-time communication and thus system availability and occupational safety.
The other four anomalies from the top 5 availability risks can also have similar effects. If a host or service is not reachable by other systems, the process could be disrupted. Misconfigured switch topology and the use of classic STP (Spanning Tree Protocol) might not pose an immediate threat but can have devastating effects when one switch fails or the spanning tree is changed, respectively. Both can cause network outages of up to 30 seconds.
For this reason, it is always worth keeping an eye on the network quality aspect when monitoring OT.
How the OT vulnerability assessment supports your NIS2 compliance
The Industrial Security Assessment by Landis+Gyr security arm Rhebo not only enables NIS2 compliance with establishing a procedure for periodic risk analysis and vulnerability assessment in OT networks. It also supports compliance with several other requirements. For more information download our eBook on “NIS2 in OT networks”.
Amongst others, the OT vulnerability assessment results help electric and multi-utility owners and operators to:
- detect and inventory all OT assets and document their properties,
- assess existing cybersecurity effectiveness (i.e. of firewalls and segmentation),
- identify existing OT vulnerabilities and security gaps,
- lay the foundation for effective incident detection and handling,
- establish basic cyber hygiene,
- to start and operator an OT intrusion detection system
(if you run a very important, i.e. critical, entity.)
Find out more about Landis+Gyr OT security offerings: https://www.landisgyr.eu/solution/cybersecurity/
