In 2023, Landis+Gyr security arm Rhebo conducted operational technology (OT) vulnerability assessments and risk analyses at several dozen Investor-Owned Utilities (IOUs), as well as Municipal and Public Power utilities. Our results, as shown below, reinforce the need for utilities to conduct regular vulnerability assessments to better understand their security risk exposure and establish appropriate mitigation measures.
On average, 26 different risk (or anomaly) types were identified as part of Rhebo’s Industrial Security Assessments. Anomaly types describe categories of risk – such as insecure authentication methods or unusual communication patterns – not individual occurrences within the category. For example, if the risk type "insecure firmware" was found in a network, it was counted once, even if several different firmware elements were found to be insecure. Therefore, the number of individual risks/anomalies in each network could be much higher than the number of types/categories of risk detected.
The majority (74%) of identified anomaly types were classified as cybersecurity risks, i.e. risks that can directly impact the security and integrity of the system. The remaining 26% of anomaly types detected are operational, representing aspects of network quality and availability. These anomaly types can lead to network failures, as well as communication errors and subsequent operational errors.
Overall, 58 different anomaly types were identified in the vulnerability assessments conducted by Landis+Gyr in 2023.
Of these, “insecure authentication methods” continues to be one of the most common risks in OT networks, with many utilities using methods so old they can be breached by the simplest means, even with password encryption in place.
Outdated operating systems, servers, firmware, software, and protocols were found in almost all the networks. These findings can indicate a lack of patch management. They also point to infrastructures that have been in operation for 10 years or more and contain a lot of legacy code and systems.
The assessments also detected frequent successful and attempted internet communications from OT systems to IP addresses outside the company network. Often, this vulnerability comes from the use of factory settings and from misconfigured systems, and it offers attackers the opportunity to collect information about the systems used in a company's network and their configurations. Potentially, in conjunction with unencrypted password transmission, this may allow cyber attackers to obtain system credentials.
In addition to the top security risks, the vulnerability assessment detected network overload conditions posing potential operational risks. In some areas of utility business functionality, this can be an inconvenience, resulting in slow downloads or glitchy online meetings. For utility operations, it can jeopardize real-time communications and impact systems availability and occupational safety. For this reason, it is always worth keeping an eye on network quality when monitoring operational technology.
Landis+Gyr’s OT vulnerability assessment supports utilities in identifying and addressing top security risks, helping them to: