
Secure OT networks with risk and vulnerability assessment

Solution example: Risk and vulnerability assessment in the OT network
8 minutes Reading time

The security of OT environments (Operational Technology) is a core element of cybersecurity in the Industrial IoT. Companies therefore need an easy entry point into OT security that creates transparency and opens up concrete options for action. A risk and vulnerability assessment, as offered by the Leipzig-based security service provider Rhebo GmbH, can be an effective first step.

A systematic assessment of OT security provides insights into assets, communication paths, and exposure. On this basis, prioritized measures can be derived that sustainably improve operational safety and cyber resilience.

The challenge: Lack of transparency in evolved OT structures

Machines, production systems, and energy infrastructures depend on networked controllers, sensors, and communication systems. Disruption or manipulation of these systems has a direct impact on OT availability and can bring entire process chains to a standstill. In addition, there are regulatory requirements such as NIS2. The directive obliges companies to systematically assess risks, document their infrastructure in a traceable manner, and demonstrate appropriate security measures.

OT networks are generally highly complex. They consist of PLCs, HMIs, SCADA systems, industrial PCs, sensors, and many other specialized components. The systems often come from different device generations. The following examples are based on experience from multiple risk and vulnerability analyses carried out in various industrial environments and illustrate typical practical challenges. One example: at a food producer, 200 to 550 devices from around two dozen manufacturers were in operation in the OT networks at each of its four sites. Many companies face a similar situation. On top of that, documentation is scattered or outdated, and only rarely is there a single team with end-to-end responsibility for security. The biggest hurdle in OT security is therefore the lack of transparency.

In addition, in some business areas there is a mandatory expansion into the Industrial IoT that must not be interrupted—for example at a manufacturer of energy storage systems. The individual storage devices send data to the company’s headquarters and are controlled from there—an additional attack vector that must be secured.

Factors that make it difficult to maintain oversight in the OT network

Several factors make it difficult to maintain an overview of OT networks:

  • It is often unclear which assets are actually in place. Asset inventories rarely help, as they are often not up to date.
  • The different communication paths are also frequently unclear. It is unknown which systems communicate with each other overall, which protocols they use, and whether all connections are operationally necessary at all.
  • Additional risks arise from communication paths toward IT or the internet. Remote access by manufacturers or service providers also creates further attack surfaces.
  • Existing security measures are often non-transparent and poorly documented. This makes their actual effectiveness for OT security difficult to assess.

The combination of these factors means that risks are likely, but cannot be identified precisely.

The challenges at a glance

  • Incomplete or outdated asset inventories
  • Non-transparent communication paths and protocols
  • Additional attack surfaces due to IT interconnections and remote access
  • Insufficient documentation of existing protective measures

The solution: Create an up-to-date situational picture through risk and vulnerability analysis

Rhebo GmbH’s risk and vulnerability assessment provides visibility of the assets and communication relationships in the monitored network segments, enabling the planning of further measures.

Overall, the analysis has three objectives:

  1. Identification of all existing OT systems.
  2. Identification of critical communication patterns and connections.
  3. Prioritization of risks by criticality, with particular focus on systems of high operational importance and high exposure.

Many companies use the risk and vulnerability assessment as a first step to create transparency and derive prioritized measures before investing in continuous security monitoring. A key requirement is that the analysis does not interfere with production. To achieve this, Rhebo relies on a combination of passive methods and specialized monitoring software. Since ongoing operations always take priority, passive methods are emphasized: they observe network traffic without sending anything to the systems. Active methods are used only selectively. This keeps the plant stable even during a comprehensive assessment.

Structured guideline for documentation and assessment

Data collection is based on the guideline of the UK’s National Cyber Security Centre (NCSC). It describes in five steps how companies can gain a better understanding of their OT networks and systems, as well as the associated risks.

  1. Define processes and responsibilities for OT documentation, consolidate sources, and validate data.
  2. Classify OT information, restrict access, and secure storage and backups.
  3. Make all assets visible through passive monitoring and categorize them by criticality, risk, and availability.
  4. Analyze connections and protocols, remove unnecessary access, and enforce secure standards.
  5. Assess external manufacturer access, define trust levels, and consistently secure insecure pathways.

Rhebo GmbH’s blog provides an overview of the approach (Part 1, Part 2). The first two points are preparatory steps. They provide background information to compare the collected data with the existing documentation.

Passive monitoring quickly creates a reliable situational picture

The assessment itself uses a passive, network-based monitoring system such as the Rhebo Industrial Protector, which can also monitor large OT networks. For example, a municipal electricity and gas utility used it to examine communication from and between several hundred local substations for anomalies and suspicious activity, in order to improve oversight of its internal OT network.

The Industrial Protector can be easily integrated into OT and is operational within around 30 minutes. It then records network traffic for approximately two weeks. In doing so, the passive monitoring solution registers every system that sends or receives data. This is supplemented by information such as protocols, roles, or manufacturer characteristics.

After only a short runtime, an initial network map is created. However, this is only a snapshot. Visibility of assets and connections increases over time, because recurring processes often only become apparent after some time. Updates, maintenance, or backups are just a few examples.
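The passive inventory described above can be illustrated with a small parser. The following is an added example, not code from Rhebo or from the Industrial Protector: it reads Ethernet/IPv4/TCP-or-UDP frames, records every address that sends or receives, guesses the vendor from the MAC OUI, and derives a role (server or client of a given protocol) from the service port. The port table, the OUI entries and the sample frames are constructed for the example; a real product also fingerprints payloads, because OT protocols are not bound to these ports.

```python
"""Passive asset discovery from captured Ethernet frames (standard library only)."""
import struct
from collections import defaultdict

# Well-known service ports of protocols common in OT networks. Classifying by
# port is a simplification for this example; a monitoring product also
# fingerprints the payload, because OT protocols may run on other ports.
PORT_PROTOCOLS = {
    102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP",
    4840: "OPC UA", 23: "Telnet", 21: "FTP", 80: "HTTP", 161: "SNMP",
}

# Vendor lookup by OUI (first three MAC octets). Illustrative entries only;
# check them against the IEEE OUI registry before relying on them.
OUI_VENDORS = {"00:1b:1b": "Siemens", "00:00:bc": "Rockwell Automation"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Parse an Ethernet II / IPv4 / TCP-or-UDP frame.

    Returns (src_mac, src_ip, dst_mac, dst_ip, l4proto, sport, dport) or None
    for frames the inventory does not use (ARP, IPv6, ICMP, truncated).
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    dst_mac, src_mac = mac_str(frame[0:6]), mac_str(frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    l4proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if l4proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return src_mac, src_ip, dst_mac, dst_ip, l4proto, sport, dport


def build_inventory(frames):
    """Build an asset table and the set of observed flows from frames.

    Assets are keyed by IP and record MAC, vendor guess and observed roles:
    'server:<proto>' when the asset is addressed on a known service port,
    'client:<proto>' when it talks to one. Flows are (client, server, proto).
    """
    assets = defaultdict(lambda: {"mac": None, "vendor": "unknown", "roles": set()})
    flows = set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_mac, dst_ip, _, sport, dport = parsed
        for ip, mac in ((src_ip, src_mac), (dst_ip, dst_mac)):
            assets[ip]["mac"] = mac
            assets[ip]["vendor"] = OUI_VENDORS.get(mac[:8], "unknown")
        # A reply carries the service port as its source port, so check both
        # directions and always map the flow to (client, server).
        if dport in PORT_PROTOCOLS:
            proto, client, server = PORT_PROTOCOLS[dport], src_ip, dst_ip
        elif sport in PORT_PROTOCOLS:
            proto, client, server = PORT_PROTOCOLS[sport], dst_ip, src_ip
        else:
            continue
        assets[server]["roles"].add(f"server:{proto}")
        assets[client]["roles"].add(f"client:{proto}")
        flows.add((client, server, proto))
    return dict(assets), flows


def make_frame(src_mac, src_ip, dst_mac, dst_ip, sport, dport, l4proto=6):
    """Build a minimal frame for offline testing (checksums left at zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    if l4proto == 6:   # TCP header: ports, seq, ack, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:              # UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, l4proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def sample_frames():
    """Constructed capture of a small cell network (not real customer data)."""
    hmi = ("02:00:00:00:00:10", "10.10.1.10")
    eng = ("02:00:00:00:00:11", "10.10.1.11")
    plc1 = ("00:1b:1b:12:34:56", "10.10.1.20")
    plc2 = ("00:00:bc:65:43:21", "10.10.1.21")
    it_host = ("02:00:00:00:00:99", "10.200.5.7")
    return [
        make_frame(*hmi, *plc1, 49152, 502),      # HMI polls PLC1 over Modbus/TCP
        make_frame(*plc1, *hmi, 502, 49152),      # ... and PLC1 replies
        make_frame(*eng, *plc1, 49153, 102),      # engineering station talks S7comm to PLC1
        make_frame(*eng, *plc2, 49154, 44818),    # ... and EtherNet/IP to PLC2
        make_frame(*it_host, *plc1, 49155, 23),   # office host opens Telnet to PLC1
        make_frame(*it_host, *plc1, 49156, 161, l4proto=17),  # office host polls SNMP
    ]


if __name__ == "__main__":
    assets, flows = build_inventory(sample_frames())
    for ip, a in sorted(assets.items()):
        print(ip, a["mac"], a["vendor"], sorted(a["roles"]))
    for client, server, proto in sorted(flows):
        print(f"{client} -> {server} [{proto}]")
```

Because the inventory only contains what was seen on the wire, the output after a few minutes is exactly the snapshot the text describes: a device that only speaks during a weekly backup does not appear until the capture has covered that window.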

At the utility mentioned above, the system identified various vulnerabilities after a short time. These included outdated protocols and firmware versions as well as risky factory default settings on OT components. In addition, the utility now has clarity on how heavily the control system is utilized at certain times and where capacity bottlenecks exist.

Analysis of connections and trust zones

In the next step, the system analyzes all existing devices and connections and compares them with existing architecture or data flow diagrams. This reveals unnecessary or unexpected connections—especially transitions to IT or the internet, as well as external access to and from manufacturers or service providers. On this basis, the vulnerability analysis assesses the risk of all assets and data connections.

For example, a risk and vulnerability assessment at a chemical company identified a range of OT security weaknesses across the three production lines at one site: some devices were not running current software, there were cleartext passwords, and insecure authentication methods were in use. In addition, the analysis detected several devices that other systems tried to reach but that did not respond, as well as various network disruptions that had previously gone unnoticed.

Protocol usage and anomaly detection during ongoing operations

In parallel, protocol usage is analyzed to identify unnecessary, outdated, or insecure protocols. These create an attack surface that can often be mitigated easily through software updates or by disabling unnecessary protocols.
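The comparison of observed connections with the intended architecture, the treatment of IT and external transitions, and the protocol check described in the last three paragraphs can be expressed as one rule set over a flow list. The following is an added example and not Rhebo's own logic: the zone model, the allowed conduits, the cleartext-protocol table and the sample flows are assumptions constructed for the example; in an assessment they come from the customer's diagrams and the captured traffic.

```python
"""Compare observed flows with the intended zone model and flag deviations."""
import ipaddress
from dataclasses import dataclass

# Zone model: subnet -> zone. In an assessment this comes from the architecture
# or data-flow diagrams; the values here are assumptions for the example.
ZONES = {
    ipaddress.ip_network("10.10.1.0/24"): "OT-cell",          # PLCs, HMIs
    ipaddress.ip_network("10.10.0.0/24"): "OT-site",          # SCADA, historian
    ipaddress.ip_network("10.200.0.0/16"): "IT-office",
    ipaddress.ip_network("203.0.113.0/24"): "vendor-remote",  # manufacturer remote access
}
EXTERNAL_ZONES = {"internet", "vendor-remote"}

# Conduits the diagrams document, as (client zone, server zone). Traffic that
# stays inside one zone is always accepted by this check.
ALLOWED_CONDUITS = {("OT-site", "OT-cell"), ("OT-cell", "OT-site"), ("IT-office", "OT-site")}

# Protocols that carry credentials or commands in cleartext, with the usual fix.
CLEARTEXT = {
    "Telnet": "replace with SSH or disable the service",
    "FTP": "replace with SFTP or disable the service",
    "HTTP": "enable HTTPS or restrict to a management network",
    "SNMP": "community strings in v1/v2c are cleartext; use SNMPv3 or disable",
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "internet"  # anything outside the model is treated as external


@dataclass
class Finding:
    client: str
    server: str
    protocol: str
    severity: int   # 3 = high, 2 = medium, 1 = low
    reasons: list


def assess_flows(flows):
    """flows: iterable of (client_ip, server_ip, protocol, answered).

    'answered' is whether the monitoring saw the server respond at all; a
    relationship that is only ever attempted points at a device that is
    unreachable, decommissioned or misaddressed.
    """
    findings = []
    for client, server, protocol, answered in flows:
        cz, sz = zone_of(client), zone_of(server)
        reasons, severity = [], 0
        if cz != sz and (cz, sz) not in ALLOWED_CONDUITS:
            if cz in EXTERNAL_ZONES or sz in EXTERNAL_ZONES:
                reasons.append(f"undocumented external conduit {cz} -> {sz}")
                severity = max(severity, 3)
            else:
                reasons.append(f"undocumented internal conduit {cz} -> {sz}")
                severity = max(severity, 2)
        if protocol in CLEARTEXT:
            reasons.append(f"cleartext {protocol}: {CLEARTEXT[protocol]}")
            severity = max(severity, 3 if cz != sz else 2)
        if not answered:
            reasons.append("never answered: unreachable or stale target")
            severity = max(severity, 1)
        if reasons:
            findings.append(Finding(client, server, protocol, severity, reasons))
    # Highest severity first so the list reads as a prioritized work queue.
    findings.sort(key=lambda f: (-f.severity, f.client, f.server, f.protocol))
    return findings


def sample_flows():
    """Constructed flow list for one production cell (not real customer data)."""
    return [
        ("10.10.0.5", "10.10.1.20", "Modbus/TCP", True),      # SCADA -> PLC, documented
        ("10.10.1.11", "10.10.1.20", "S7comm", True),         # engineering -> PLC, same zone
        ("10.200.5.7", "10.10.1.20", "Telnet", True),         # office host -> PLC over Telnet
        ("10.10.1.20", "198.51.100.9", "HTTP", True),         # PLC reaching the internet
        ("203.0.113.40", "10.10.1.21", "EtherNet/IP", True),  # vendor remote access
        ("10.10.0.5", "10.10.1.30", "Modbus/TCP", False),     # SCADA polls a device that never replies
    ]


if __name__ == "__main__":
    for f in assess_flows(sample_flows()):
        print(f"[sev {f.severity}] {f.client} -> {f.server} {f.protocol}: " + "; ".join(f.reasons))
```

The flow list is the same (client, server, protocol) tuple a passive inventory produces, extended by whether the server ever answered; the severity ordering is only a starting point and is refined in the criticality assessment that follows.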

Due to the extended runtime, pattern recognition in OT network traffic also becomes a central element of OT security. The monitoring system learns typical communication patterns. It can then classify recurring processes as normal behavior and deviations as anomalies, which may indicate misconfigurations, technical faults, or security-relevant events.

At a logistics company, the monitoring even uncovered sabotage attempts by employees. In a long-term analysis, the Rhebo Industrial Protector reported unusual communication activity on remote maintenance access points. A forensic analysis by a specialized service provider showed that shutdown commands were being sent to customer systems via an internal workstation. This enabled the logistics provider to effectively stop the sabotage.
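The learned-baseline detection from the two preceding paragraphs, and the reason a longer runtime matters, can be shown with a small learner. This is an added example, not the Industrial Protector's algorithm: it records which (source, destination, protocol, operation) relationships occur, and at which hours, during a learning window, then flags anything afterwards that is either a new relationship or a known one at an unseen hour. The addresses and the three-week event log are constructed; the scenario mirrors the remote-maintenance case above with a write command from a jump host that never appeared during learning.

```python
"""Learn a communication baseline and flag deviations from it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed addresses for the example (not real customer systems).
SCADA, ENG, PLC = "10.10.0.5", "10.10.1.11", "10.10.1.20"
BACKUP, HISTORIAN, JUMPHOST = "10.10.0.9", "10.10.0.6", "10.10.0.200"
FMT = "%Y-%m-%d %H:%M"


def learn_baseline(events, learn_days):
    """Learn which (src, dst, protocol, operation) relationships occur, and at
    which hours of the day, during the first learn_days of the capture."""
    start = min(datetime.strptime(e[0], FMT) for e in events)
    cutoff = start + timedelta(days=learn_days)
    baseline = defaultdict(set)
    for ts, src, dst, proto, op in events:
        t = datetime.strptime(ts, FMT)
        if t < cutoff:
            baseline[(src, dst, proto, op)].add(t.hour)
    return dict(baseline), cutoff


def detect_anomalies(events, baseline, cutoff):
    """Report events after the learning window that do not fit the baseline."""
    alerts = []
    for ts, src, dst, proto, op in events:
        t = datetime.strptime(ts, FMT)
        if t < cutoff:
            continue
        key = (src, dst, proto, op)
        if key not in baseline:
            alerts.append((ts, "new relationship", key))
        elif t.hour not in baseline[key]:
            alerts.append((ts, "known relationship at unusual hour", key))
    alerts.sort()
    return alerts


def sample_events():
    """Constructed three-week event log (not real customer data)."""
    start = datetime(2024, 3, 4)  # a Monday
    events = []
    for day in range(21):
        d = start + timedelta(days=day)
        for hour in range(24):   # SCADA polls the PLC every hour
            events.append((d.replace(hour=hour).strftime(FMT), SCADA, PLC, "Modbus/TCP", "read"))
        if d.weekday() < 5:      # engineering station writes on weekday mornings
            events.append((d.replace(hour=9).strftime(FMT), ENG, PLC, "S7comm", "write"))
        if d.weekday() == 6:     # weekly backup of the historian on Sunday night
            events.append((d.replace(hour=2).strftime(FMT), BACKUP, HISTORIAN, "SMB", "copy"))
    # Two events in the detection window that should stand out:
    events.append(("2024-03-20 23:40", JUMPHOST, PLC, "Modbus/TCP", "write"))  # remote-maintenance host writes to the PLC
    events.append(("2024-03-21 03:00", ENG, PLC, "S7comm", "write"))          # known pair, but at 3 a.m.
    return events


if __name__ == "__main__":
    events = sample_events()
    for days in (3, 14):
        baseline, cutoff = learn_baseline(events, days)
        print(f"learning window {days} days, {len(baseline)} relationships learned")
        for ts, kind, key in detect_anomalies(events, baseline, cutoff):
            print(f"  {ts} {kind}: {key}")
```

Run with a three-day learning window, the weekly backup is reported as a new relationship every Sunday, which is noise; with a two-week window it is part of the baseline and only the jump-host write and the 3 a.m. engineering access remain. That is the practical argument for the roughly two-week capture mentioned earlier.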

The result: Clear priorities and concrete measures

Once all data points have been collected, criticality is assessed based on three parameters:

  • The business relevance of the asset.
  • Availability requirements.
  • The potential impact of an outage.

At the end of this process is a consolidated picture comprising a complete asset inventory, an overview of all communication relationships, a risk assessment, and a prioritized list of areas for action. This enables companies to decide on the next steps toward structured OT security.

The risk and vulnerability assessment is not aimed solely at typical manufacturing companies. For example, a data center operator reviewed the internal network of its building management system. It supplies power and cooling to several tens of thousands of servers, secures access to the data centers, and ensures fire protection. The security team was able to eliminate unencrypted communication, locate unreachable services, and identify outdated operating systems, firmware, and protocols.

Overall, Rhebo GmbH’s risk and vulnerability assessment delivers results that can be translated directly into measures. Additional documentation of the current OT security measures—and an assessment of their effectiveness—makes gaps visible. This turns the risk and vulnerability assessment into a starting point for introducing advanced security measures, e.g., based on the Rhebo Industrial Protector. For many organizations, the risk and vulnerability analysis therefore marks the entry point into a structured OT security strategy.

Summary of results

  • Complete inventory of all systems and roles
  • Network map covering all data flows and dependencies
  • Assessed risks and prioritized fields of action
  • Concrete recommendations on protocols, access, and segmentation
