Not only since the 2021 update of the IT Security Act of the Federal Republic of Germany and the BSI orientation guide for the use of threat and intrusion detection systems have German energy companies faced the challenge of setting up an end-to-end intrusion and threat detection system. Such a system must provide visibility into all operational systems and detect and report any form of compromise in real time.
The challenge: Global, location-independent threat and intrusion detection on critical distributed IIoT assets
The energy transition and the development of the smart grid require powerful storage systems to store and distribute the electricity generated from renewable sources. While the energy management and functional monitoring of the individual smart storage units is centralized, the units themselves are sometimes located in the most remote places in the world. This makes maintenance planning and troubleshooting a real challenge, and installation in remote locations also exposes these critical IIoT assets to physical access and cyberattacks.
As one of the leading providers of modern energy storage systems and renewable energy solutions, sonnen GmbH focuses on the cyber security of its products. The challenge here is that the privately and commercially used energy storage systems are usually integrated into the local home network of the end customers. These networks are easily accessible to attackers and do not have a dedicated alarm system for attacks on industrial processes. Targeted attacks can therefore result in individual assets being damaged. In a system of identical networked devices, the risk also increases significantly that the fleet will be taken over and abused as a botnet, for example, or shut down in an orchestrated manner.
The energy storage systems installed by sonnen worldwide should therefore be equipped with an industrial threat and intrusion detection system that detects and fends off cyberattacks and malfunctions already on the edge device, i.e. the local energy storage system. The goal was to block and isolate attacks before they could spread to the central platform or to other storage systems.
The solution: Endpoint Detection & Response for globally distributed energy storage systems
Rhebo GmbH in Leipzig sees it as its mission to ensure both cybersecurity and the stability of OT and IIoT infrastructure in industrial, energy and water companies. As the only German company on the market, it supports those responsible for increasing the cyber security, productivity and availability of their plants and ensuring the digital transformation of their industrial processes.
The concrete solution approach is that the lean solution Rhebo IIoT Security (formerly Rhebo IoT Device Protection) can be integrated into the storage systems’ controllers, making the monitoring functionalities available directly on-site at the edge.
This was also the approach taken with sonnen. The deep analysis, down to the last bit, of the communication on and between the individual endpoints creates a system of threat and intrusion detection as required by law.
Rhebo IIoT Security monitors all communication on and between sonnen energy storage systems via deep packet inspection and detects any deviation from authorized and expected communication behavior. Deviations are identified as anomalies, evaluated and reported to the central control room. This also detects attack patterns that exploit zero-day vulnerabilities or backdoors, i.e. patterns that classic signature-based security mechanisms cannot detect. Security-relevant communication changes are also actively blocked via the safety automation functionality, so the system provides not only threat and intrusion detection but also attack prevention. Attacks and tampering are detected and blocked directly on the affected IIoT device, regardless of whether the storage system is located in a home in the middle of Berlin or in an inaccessible desert. It is thus a true automated intrusion detection and protection system (IDPS) for global IIoT security.
In addition to behavioral analysis, local interfaces such as web interfaces and the system logs are also continuously monitored. Standard interfaces and open-source technologies also allow the smooth transmission of anomaly data between the plants and the central control station.
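The following is an added illustration, not code from Rhebo or sonnen, of the behavioral principle described above: a baseline of authorized communication (peer, protocol, port and direction) is learned from a known-good period, every later flow is checked against it, and each deviation is classified and mapped to a configurable response before being emitted as a JSON event for a central control room or SIEM. The device name, peers, ports and policy are all constructed for the example.

```python
"""Added example (not Rhebo's or sonnen's code): a minimal behavioral
baseline for an edge device's network communication. Everything below,
including the device name, peers and policy, is constructed."""
import json
from dataclasses import dataclass

DEVICE = "edge-storage-01"  # constructed name of the monitored storage controller


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

    @property
    def direction(self) -> str:
        # A flow is outbound when the monitored device is its source.
        return "out" if self.src == DEVICE else "in"

    @property
    def peer(self) -> str:
        return self.dst if self.direction == "out" else self.src


class BehaviorBaseline:
    """Allowlist of (peer, proto, dport, direction) tuples learned from a
    known-good learning period; anything outside it is an anomaly."""

    def __init__(self):
        self.allowed = set()

    @staticmethod
    def key(f: Flow):
        return (f.peer, f.proto, f.dport, f.direction)

    def learn(self, flows):
        for f in flows:
            self.allowed.add(self.key(f))

    def evaluate(self, f: Flow, policy: dict):
        """Return None for expected traffic, else an anomaly event with the
        deviation class and the response chosen by the policy."""
        k = self.key(f)
        if k in self.allowed:
            return None
        known_peers = {a[0] for a in self.allowed}
        known_services = {a[:3] for a in self.allowed}
        if f.peer not in known_peers:
            reason = "unknown_peer"          # device talks to a never-seen host
        elif k[:3] not in known_services:
            reason = "new_service"           # known host, new protocol/port
        else:
            reason = "unexpected_direction"  # known service, reversed direction
        return {"device": DEVICE, "peer": f.peer, "proto": f.proto,
                "dport": f.dport, "direction": f.direction,
                "reason": reason, "action": policy.get(reason, "alert")}


# Constructed per-device policy: which deviation classes are only reported
# and which are blocked on the device itself.
POLICY = {"unknown_peer": "block", "new_service": "alert",
          "unexpected_direction": "block"}

# Constructed known-good traffic: platform upload, local web UI, time sync.
LEARNING_PERIOD = [
    Flow(DEVICE, "platform.example", "tcp", 443),
    Flow("home-gateway", DEVICE, "tcp", 80),
    Flow(DEVICE, "ntp.example", "udp", 123),
]

# Constructed later observations, one expected and three deviations.
OBSERVED = [
    Flow(DEVICE, "platform.example", "tcp", 443),
    Flow(DEVICE, "203.0.113.9", "tcp", 23),
    Flow("home-gateway", DEVICE, "tcp", 22),
    Flow("platform.example", DEVICE, "tcp", 443),
]


def build_baseline() -> BehaviorBaseline:
    baseline = BehaviorBaseline()
    baseline.learn(LEARNING_PERIOD)
    return baseline


def run_monitor(baseline: BehaviorBaseline, flows, policy: dict):
    """Evaluate every flow and keep only the anomaly events."""
    return [e for e in (baseline.evaluate(f, policy) for f in flows) if e]


def to_siem_line(event: dict) -> str:
    # One JSON object per line, the shape most log collectors ingest directly.
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    for event in run_monitor(build_baseline(), OBSERVED, POLICY):
        print(to_siem_line(event))
```

The classification order matters: a previously unseen peer is the strongest signal and is checked first, so that a new host reusing a known port is not mistaken for a merely new service. In a real deployment the learning period would be validated by the operator before it is frozen as the baseline, since any traffic present during learning becomes "expected".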
It is also essential that users do not have to be IT specialists, because the expertise is already integrated into the IIoT solution through the functionality of the system. So it is “only” about the core question of every responsible person: Is there a problem or not? Rhebo also provides full support in answering this question through its Managed Detection & Response Service. sonnen GmbH can thus focus entirely on its core business.
The result: Local threat and intrusion detection and spillover avoidance
Rhebo IIoT Security continuously monitors the behavior of the complete data communication on and between the sonnen energy storage systems used worldwide. More than 50,000 sonnen energy storage systems are now secured via Rhebo IIoT Security and new ones are being added every day.
The solution identifies, analyzes and reports cyberattacks, malware and technical error conditions in real time. Not only does this give the security team daily visibility into security-related events on the energy storage systems; the maintenance team can also proactively plan its maintenance activities through the additional monitoring of technical error conditions. Individually configurable security policies also allow an automated response to critical events.
Rhebo IIoT Security enables custom configuration of the cybersecurity mechanisms without expensive unused overhead. Because the software is containerized, rollouts and updates can be implemented quickly and centrally without having to send additional maintenance personnel to the sites. Standard interfaces to common analysis tools such as Elastic Stack, Splunk or QRadar are a further advantage for integration into the existing IT security ecosystem.
The possible applications of this solution are far-reaching: from building automation and robot control up to complete energy supply systems.
Rhebo provides simple and effective cybersecurity solutions for network control, telecontrol and distributed industrial assets in energy companies, critical infrastructures and industrial enterprises. The company supports customers throughout the entire OT security journey from initial risk analysis to managed OT monitoring with anomaly and threat and intrusion detection. Since 2021, Rhebo has been part of Landis+Gyr AG, a leading global provider of integrated energy management solutions for the energy industry with around 5,000 employees in over 30 countries worldwide.
Rhebo is a partner of the Alliance for Cyber Security of the Federal Office for Information Security (BSI) and Teletrust – IT Security Association Germany. As a trustworthy IT security company, Rhebo is an official bearer of the “IT Security Made in Germany” and “Cybersecurity Made In Europe” seals of approval.