Incident of the Month: Network scan in remote-controlled systems

The recently updated IT Security Act (IT-SiG 2.0) tightens the requirements for operators of critical infrastructures. Remote-controlled systems are now common in the energy supply sector: in addition to renewable energy plants, these include substations and local grids as well as, in gas supply, gas pressure regulating and metering systems and compressor stations, among others.

It is not only the KRITIS regulation, which was adapted at the same time, that has recently brought more plants within the scope of the legislation. In particular, the requirement for a holistic attack detection system creates a new need for action, because network control technology and telecontrol technology must now also be explicitly included in it.

Renewable energy installations (EEA) are particularly exposed to disruptions simply because of their distance from the control centre. Even where the control room can operate the EEA remotely, its ability to detect errors and changes within the telecontrol technology and the local grid control technology is very limited. EEAs are mostly unmanned and are only checked sporadically by service technicians, and even then the assets are rarely examined for cybersecurity issues. If anything, the opposite happens, as this month's incident shows.


Rhebo Industrial Protector identified invalid messages of the OPC-UA protocol type in the network of a customer in the renewable energy sector. Investigation revealed that they originated from a service employee's engineering laptop that had recently been brought into the network.

A few weeks earlier, the service employee had been given routing rights into the plant's OT network as part of a network upgrade. The control room concluded that the invalid messages were not security-critical operations but adjustments being made by the service employee. They set the message type to "monitor" in the Rhebo Industrial Protector interface in order to follow up on the operations and their possible impact.

Solution: Anomaly Detection for Holistic Protection

Over the following weeks, invalid messages from the host continued to be reported periodically. Although the communication was still not security-critical, it consumed bandwidth unnecessarily and thus affected the availability of the local grid control technology. Since the work on the OT network had been completed in the meantime, the service employee was contacted. It turned out that the employee, apparently out of personal interest, had run a tool from the laptop that he had written himself in Python and that was meant to discover OPC-UA-speaking devices in the network. He was not aware that this could seriously disrupt OT communication. The tool was deleted and the security policies were adapted accordingly.
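What "invalid OPC-UA messages from one host" looks like in practice, and how a detector turns them into a per-source alert, is easier to see in code. The following is an added example and is not Rhebo's code or the customer's tool: it validates the OPC UA binary transport header (3-byte message type, 1-byte chunk flag, UInt32 little-endian size) and the HEL body layout from OPC UA Part 6, then counts malformed messages per source address and flags any source that crosses a threshold, which is the pattern a home-grown discovery script produces when it sprays probes at port 4840. The IP addresses and the sample packets are constructed for the example.

```python
"""Flag hosts that repeatedly emit malformed OPC UA binary-transport messages.

Added example, not the product's or the customer's code. Header and HEL
layout follow OPC UA Part 6; sample traffic and addresses are constructed.
"""
import struct
from collections import defaultdict

HEADER_LEN = 8
VALID_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE", b"OPN", b"MSG", b"CLO"}
SINGLE_CHUNK_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE"}  # never chunked
VALID_CHUNK_FLAGS = {b"F", b"C", b"A"}                  # Final, Continue, Abort
# HEL: header, five UInt32 fields (version, buffers, max size/chunks), Int32 URL length
HEL_FIXED_LEN = HEADER_LEN + 5 * 4 + 4


def build_hel(endpoint_url: str) -> bytes:
    """Construct a well-formed HEL message (used only for the sample traffic)."""
    url = endpoint_url.encode()
    body = struct.pack("<IIIII", 0, 65536, 65536, 0, 0) + struct.pack("<i", len(url)) + url
    return b"HEL" + b"F" + struct.pack("<I", HEADER_LEN + len(body)) + body


def classify(payload: bytes):
    """Return None for a well-formed message, otherwise a short reason string."""
    if len(payload) < HEADER_LEN:
        return "shorter than the 8-byte header"
    msg_type, chunk_flag, size = struct.unpack_from("<3scI", payload)
    if msg_type not in VALID_TYPES:
        return f"unknown message type {msg_type!r}"
    if chunk_flag not in VALID_CHUNK_FLAGS:
        return f"invalid chunk flag {chunk_flag!r}"
    if msg_type in SINGLE_CHUNK_TYPES and chunk_flag != b"F":
        return f"{msg_type.decode()} must be a single final chunk"
    if size != len(payload):
        return f"declared size {size} != {len(payload)} bytes on the wire"
    if msg_type == b"HEL":
        if size < HEL_FIXED_LEN:
            return "HEL body too short"
        (url_len,) = struct.unpack_from("<i", payload, HEL_FIXED_LEN - 4)
        expected = HEL_FIXED_LEN + max(url_len, 0)  # -1 encodes a null string
        if url_len < -1 or expected != size:
            return f"HEL EndpointUrl length {url_len} inconsistent with size"
    return None


def flag_noisy_sources(packets, threshold=3):
    """Group malformed messages by source address.

    packets: iterable of (src_ip, payload) tuples.
    Returns (reasons_by_src, flagged): a dict mapping each offending source to
    its list of reasons, and the sorted list of sources at or above threshold.
    """
    reasons = defaultdict(list)
    for src, payload in packets:
        why = classify(payload)
        if why is not None:
            reasons[src].append(why)
    flagged = sorted(src for src, r in reasons.items() if len(r) >= threshold)
    return dict(reasons), flagged


# Constructed sample traffic (assumed addresses): one legitimate client at
# 10.10.1.5 and a hypothetical engineering laptop at 10.10.1.77 running a
# home-grown discovery script that probes port 4840 with whatever it has.
SAMPLE_PACKETS = [
    ("10.10.1.5", build_hel("opc.tcp://10.10.1.20:4840")),               # legitimate HEL
    ("10.10.1.77", b"GET / HTTP/1.1\r\nHost: 10.10.1.20\r\n\r\n"),        # HTTP probe on 4840
    ("10.10.1.77", b"HELF" + struct.pack("<I", 8)),                       # header only, no body
    ("10.10.1.77", b"MSGX" + struct.pack("<I", 16) + b"\x00" * 8),        # bad chunk flag
    ("10.10.1.77", b"HELF" + struct.pack("<I", 400) + b"\x00" * 24),      # size field lies
    ("10.10.1.5", build_hel("opc.tcp://10.10.1.21:4840")),               # legitimate HEL
]

if __name__ == "__main__":
    by_src, flagged = flag_noisy_sources(SAMPLE_PACKETS)
    for src, why in by_src.items():
        print(f"{src}: {len(why)} malformed message(s)")
        for reason in why:
            print("   -", reason)
    print("flagged sources:", flagged)
```

Run against the constructed sample, only the laptop address is flagged; the legitimate client never appears in the result because every one of its messages passes the structural checks. A real sensor would additionally key on the destination port and on message rate, since the bandwidth impact described above comes from the volume of probes rather than from any single malformed message.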
