

Securing IEC 61850 infrastructures in accordance with the IT Security Act

IoT Use Case - Rhebo, Security
5 minutes Reading time

Rhebo GmbH offers solutions for securing digital control technology for medium and high-voltage networks. Energy suppliers and network operators can thus manage the growing cyber security risks in their critical infrastructure, especially substations, and meet the requirements of the amended IT Security Act.

The challenge: Security risks in the control technology of substations in medium and high-voltage networks

Substations and other systems in medium and high-voltage networks are largely automated and interconnected. In the energy sector, the IEC 61850 standard has become established for system integration in recent years. It enables seamless data exchange between systems that otherwise communicate using different protocols (e.g. GOOSE, MMS). The standardized transmission protocol is based on the Internet standard TCP/IP. However, the advantages of interoperability and transparency come with a decisive disadvantage: the protocol is just as insecure as most of the other industrial protocols in substations that it connects (including GOOSE, MMS, SV, IEC-104).

The Ukrenergo case

The standard for digital data exchange is being used more and more frequently with the ongoing modernization and new construction of energy supply systems. This makes even new substations a security risk. Even though there have been few known cases in which this vulnerability has been exploited, the Ukrenergo case from 2016 shows how vulnerable critical infrastructures are. In a concerted attack on the Ukrainian electricity supplier, attackers penetrated the company’s IT systems, moved into the network control technology over a period of several months and used the Industroyer malware to cause a power outage lasting several hours in parts of the capital Kyiv. Even this first version of the malware had specific functions for the MMS, GOOSE, OPC and IEC 61850 protocols.

Stations and facilities in the power networks therefore require special protection, as provided for by the KRITIS Regulation of the Federal Office for Information Security (BSI) and the IT Security Act.

The solution: OT monitoring and early detection of attacks

The protection of IEC 61850 networks is one of Rhebo GmbH’s fields of activity. The company offers monitoring and anomaly detection for control technology (OT) and the Industrial IoT. Since 2021, it has been part of Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry.

Perimeter protection in substations is not sufficient

Distribution and transmission system operators often rely exclusively on firewalls and other conventional protection systems to secure their systems. Although these reliably defend against known malware, they fail in the case of previously unknown attack patterns, the use of stolen access data and the exploitation of zero-day vulnerabilities. They also cannot see attacks and malware introduced into the control technology via maintenance laptops used by the company’s own team or service providers. The BSI therefore recommends a defense-in-depth approach. It assumes that professional attackers will gain access to the network sooner or later and will always be at least one step ahead of the defense systems. For this reason, a multi-stage security system consisting of signature-based perimeter protection and behavior-based network monitoring should ensure both that known attack patterns are fended off and that intrusions that firewalls cannot detect are identified at an early stage.

Anomaly detection in OT infrastructures

Rhebo customers therefore use a passive OT monitoring system with integrated anomaly detection called Rhebo Industrial Protector. Its task: real-time reporting of all anomalies that indicate cyber attacks, manipulation, scans or technical faults. This gives energy suppliers visibility and cyber security at networked sites where cyber security experts are rarely active and the OT often acts like a black box.

The IT Security Act has required all operators of critical infrastructures to implement a comprehensive intrusion detection system since this year. This system not only covers corporate IT but also safeguards the industrial infrastructures, i.e., the OT. Rhebo’s solutions are specifically designed for industrial networks and monitor the entire OT, from central energy production to distributed energy supply systems such as substations and renewable energy facilities. Utilities (EVUs) benefit particularly from the import function for IEC 61850 .scd files. In IEC 61850 infrastructures, these files serve as a digital twin of the entire substation, documenting all connections, devices, and functions. Importing these files into Rhebo Industrial Protector accelerates the baselining of anomaly detection and makes the intrusion detection system operational in no time.
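To illustrate why an .scd import shortens baselining, the following added example (not Rhebo's code and not part of the original article) reads the Communication section of an SCD file into an allowlist and checks observed traffic against it. The IED names, addresses and the shape of the flow records are constructed assumptions; the element names and namespace follow the SCL schema of IEC 61850-6.

```python
import xml.etree.ElementTree as ET
NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}
# Constructed sample data (hypothetical IED names, addresses and flows). Parse only
# files from your own engineering process; use defusedxml for untrusted XML.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication>
<SubNetwork name="StationBus">
 <ConnectedAP iedName="PROT_F1" apName="AP1">
  <Address><P type="IP">10.10.1.11</P></Address>
  <GSE ldInst="LD0" cbName="gcbTrip"><Address>
   <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P>
  </Address></GSE></ConnectedAP>
 <ConnectedAP iedName="CTRL_F1" apName="AP1"><Address><P type="IP">10.10.1.12</P></Address></ConnectedAP>
</SubNetwork></Communication></SCL>"""
OBSERVED = [
    {"kind": "goose", "dst_mac": "01:0c:cd:01:00:01", "appid": 0x0001},
    {"kind": "goose", "dst_mac": "01:0c:cd:01:00:7f", "appid": 0x0001},
    {"kind": "mms", "src_ip": "10.10.1.12", "dst_ip": "10.10.1.11"},
    {"kind": "mms", "src_ip": "10.10.1.200", "dst_ip": "10.10.1.11"},
]

def _params(addr):  # <P type=...> children of an <Address> element as a dict
    ps = addr.findall("scl:P", NS) if addr is not None else []
    return {p.get("type"): (p.text or "").strip() for p in ps}

def build_baseline(scd_xml):
    """Return ({ip: IED}, {(GOOSE dst MAC, APPID): (IED, control block)})."""
    ieds, goose = {}, {}
    for ap in ET.fromstring(scd_xml).iterfind(".//scl:ConnectedAP", NS):
        ip = _params(ap.find("scl:Address", NS)).get("IP")
        if ip:
            ieds[ip] = ap.get("iedName")
        for gse in ap.findall("scl:GSE", NS):
            p = _params(gse.find("scl:Address", NS))
            if p.get("MAC-Address") and p.get("APPID"):  # skip incomplete entries
                key = (p["MAC-Address"].replace("-", ":").lower(), int(p["APPID"], 16))
                goose[key] = (ap.get("iedName"), gse.get("cbName"))
    return ieds, goose

def find_anomalies(observed, ieds, goose):
    """Flag GOOSE streams and IP hosts that the SCD does not declare."""
    alerts = []
    for f in observed:
        if f["kind"] == "goose":
            if (f["dst_mac"].lower(), f["appid"]) not in goose:
                alerts.append(("undeclared GOOSE stream", f["dst_mac"], f["appid"]))
        else:
            alerts += [("host not in SCD", ip, f["kind"])
                       for ip in (f["src_ip"], f["dst_ip"]) if ip not in ieds]
    return alerts
```

Because the allowlist comes from the engineering file rather than from a learning period, undeclared streams and hosts can be flagged from the first observed frame.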

Using existing interfaces, messages about security-relevant events in the control technology can also be forwarded directly to a Security Information and Event Management (SIEM) system and thus integrated into the company’s overall cyber security.

Three steps to a secure OT

Rhebo OT Security for network control technology and control technology consists of a comprehensive package for consulting, integration and management with regard to OT cybersecurity. Companies can achieve secure OT in three steps:

  1. Risk assessment: Cybersecurity requires transparency. Rhebo first assesses security risks and determines the security maturity level. The company then provides suggestions for measures relating to high-risk OT assets and control technology.
  2. Monitoring: The protection of the OT does not end at the network boundary. Rhebo’s monitoring solution meets the requirements of IT-SiG 2.0 and enables comprehensive detection of irregularities within OT networks.
  3. Managed security: Specialized knowledge and resources are required for OT security. Rhebo supports the operation of the monitoring system and provides assistance in analyzing and reacting to unusual events.

The result: Securing networks and detecting attacks before damage occurs

Rhebo’s defense-in-depth approach goes beyond traditional firewall technologies. The monitoring system reports all anomalies that indicate cyber attacks, manipulation or technical faults in real time. This enables companies to drastically reduce their response times in the event of security incidents and significantly improve the security of medium and high-voltage networks. Energy suppliers and network operators are now able to effectively detect and respond to cyber attacks, misconfigurations and human errors in the control technology before they cause serious damage.
