In 2023, Landis+Gyr's security arm, Rhebo, conducted operational technology (OT) vulnerability assessments and risk analyses at several dozen Investor-Owned Utilities (IOUs), as well as Municipal and Public Power utilities. Our results, as shown below, reinforce the need for utilities to conduct regular vulnerability assessments so that they understand their security risk exposure and can establish appropriate mitigation measures.
Risk Categories
On average, 26 different risk (or anomaly) types were identified as part of Rhebo’s Industrial Security Assessments. Anomaly types describe categories of risk – such as insecure authentication methods or unusual communication patterns – not individual occurrences within the category. For example, if the risk type "insecure firmware" was found in a network, it was counted once, even if several different firmware elements were found to be insecure. Therefore, the number of individual risks/anomalies in each network could be much higher than the number of types/categories of risk detected.
The majority (74%) of identified anomaly types were classified as cybersecurity, i.e. risks that can directly impact the security and integrity of the system. The remaining 26% of anomaly types detected are operational, representing aspects of network quality and availability. These anomaly types can lead to network failures, as well as communication and subsequent operational errors.
Most Common OT Security Risks
Overall, 58 different anomaly types were identified in the vulnerability assessments conducted by Landis+Gyr in 2023.
Of these, “insecure authentication methods” continues to be one of the most common risks in OT networks, with many utilities using methods so old they can be breached by the simplest means, even with password encryption in place.
Outdated operating systems, servers, firmware, software, and protocols were found in almost all the networks. These findings can indicate a lack of patch management, and they also point to infrastructures that have been in operation for 10 years or more and still contain a lot of legacy code and systems.
The assessments also detected frequent successful and attempted internet communications from OT systems to IP addresses outside the company network. Often, this vulnerability stems from devices left on factory settings or from misconfigured systems, and it gives attackers the opportunity to collect information about the systems used in a company's network and how they are configured. Potentially – in conjunction with unencrypted password transmission – this may allow cyber attackers to obtain system credentials.
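As an added example (not Rhebo's or Landis+Gyr's own tooling), the following script shows how a defender can flag the two findings just described in flow records: OT hosts communicating with addresses outside the organisation's own ranges, and use of protocols that carry credentials in cleartext. The OT subnet, the sample flows and the cleartext-protocol port list are constructed assumptions for this example.

```python
import ipaddress
from collections import namedtuple

# A minimal flow record: source IP, destination IP, destination port, protocol label.
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed sample flows (not captured traffic) from a hypothetical OT segment 10.20.1.0/24.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.1.1", 502, "modbus"),       # PLC to local SCADA host: expected
    Flow("10.20.1.15", "203.0.113.9", 443, "tls"),         # PLC reaching an internet host
    Flow("10.20.1.22", "198.51.100.7", 23, "telnet"),      # RTU to internet host, cleartext login
    Flow("10.20.1.22", "10.20.1.50", 21, "ftp"),           # local FTP: password sent in the clear
    Flow("10.20.1.30", "10.20.1.1", 20000, "dnp3"),        # local DNP3: expected
]

# Assumed organisation-internal ranges; anything else is treated as "outside the company network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed ports of protocols that transmit passwords unencrypted.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def is_external(ip):
    """True if the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def assess(flows, ot_subnet="10.20.1.0/24"):
    """Return (src, dst, finding) tuples for flows originating in the OT subnet."""
    ot_net = ipaddress.ip_network(ot_subnet)
    findings = []
    for f in flows:
        if ipaddress.ip_address(f.src) not in ot_net:
            continue  # only OT-originated traffic is in scope here
        external = is_external(f.dst)
        cleartext = f.dport in CLEARTEXT_AUTH_PORTS
        if external and cleartext:
            findings.append((f.src, f.dst, "external_cleartext_auth"))
        elif external:
            findings.append((f.src, f.dst, "external_communication"))
        elif cleartext:
            findings.append((f.src, f.dst, "cleartext_auth"))
    return findings


if __name__ == "__main__":
    for src, dst, finding in assess(SAMPLE_FLOWS):
        print(f"{finding:25} {src} -> {dst}")
```

The combined finding is the case the text singles out: an OT host reaching an outside address with a protocol that also exposes its credentials.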
Operational Risks for Utilities
In addition to the top security risks, the vulnerability assessment detected network overload conditions posing potential operational risks. In some areas of utility business functionality, this can be an inconvenience, resulting in slow downloads or glitchy online meetings. For utility operations, it can jeopardize real-time communications and impact systems availability and occupational safety. For this reason, it is always worth keeping an eye on network quality when monitoring operational technology.
Landis+Gyr’s OT vulnerability assessment supports utilities in identifying and addressing top security risks, helping them to:
- Identify their cyber systems
- Identify existing vulnerabilities
- Detect malicious code, active vendor remote access sessions, and unauthorized vendor-initiated remote connections
- Detect security policy breaches like unauthorized access, incorrect routing, and direct external access to cyber systems
- Detect publicized vulnerabilities and outdated firmware, illegitimate port use, and unauthorized access via new hosts