OMICRON Magazine

Magazine | Issue 2 2022

IT specialists. Among the risks which our assessment brought to light were multiple unnoticed external connections, unexpected devices in the network, outdated firmware, unsuccessful RTU operations, configuration errors, and issues with the network and its redundancy protocol (RSTP).

Since then, we have conducted (and improved on) many security assessments worldwide. In addition to substations, we have also conducted these assessments for power plants and control centers, including utilities with IEC 61850, IEC 60870-5-104, DNP3, Modbus TCP/IP, and many other IT protocols. The findings from our security assessments were always interesting and, sometimes, alarming. In the following text, I have highlighted some frequently occurring risks that I have encountered in recent years:

OUTDATED FIRMWARE with known vulnerabilities

In every security assessment, I come across outdated firmware versions. As part of our assessment, we provide a passively discovered asset inventory to the utility engineers and IT experts. We augment the asset information by importing engineering files with more details, such as the software version, hardware configuration, and serial numbers. This asset inventory is a sound basis for performing vulnerability and risk analysis.

EXTERNAL CONNECTIONS

Power plants and control centers with remote connections from the corporate IT network always have the highest risk of a cyberattack. While assessing a Latin American substation network, we captured the activity of multiple clients with external IP addresses. This utility allowed its engineers to connect to and configure IEDs from home using a remote connection (VPN tunnel). One finding that concerned the IT security officers was an IP and a MAC address which were not recognized or documented by anyone in their team. Eventually, we were able to trace the IP address, determine where the connection originated, and block its access to the system.
Pay closer attention to potential security risks by making all connections in your network visible.