Incident of the Month: Security vulnerabilities at an electricity operator

When it comes to network security, many critical infrastructure operators think primarily of perimeter protection. However, you never know what is going on inside the network until it is monitored from the inside.

Security gaps at a glance

An electricity grid operator asked us to uncover insecure authentication methods on their network. Rhebo Industrial Protector decodes traffic from a variety of industry-specific protocols as well as IT protocols, and it reports logins that use insecure methods, for example weak hashing or passwords transmitted in plain text.

Invalid messages of the OPC-UA protocol type were identified by Rhebo Industrial Protector in the network of a customer in the renewable energy sector. Investigations revealed that they originated from an engineering laptop that a service employee had recently brought onto the network.

Unencrypted FTP login

In the case at hand, it was discovered that a workstation regularly logged on to an FTP server via a script in order to download log data from it. The login was not encrypted. An attacker in the network could read the user name and password and use them to log on to the server in question. The FTP account was also privileged and had extensive write access. A compromise would have had far-reaching consequences for the security of supply of the power grid operator.
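The two points above, a protocol decoder spotting a password sent in plain text and the observation that the account behind it could write to the server, can be reproduced with a small script over the decoded FTP control channel. The following is an added example, not Rhebo's decoder and not data from the incident: the two sessions are constructed, the account name and password are invented, and the input shape (a list of client and server lines, already split by direction) is an assumption about what a decoder would hand over.

```python
"""Flag cleartext FTP logins, and whether the account that logged in can
write to the server, from a decoded FTP control-channel conversation.
Added illustration with constructed session data; not a capture from the
incident and not Rhebo's code."""

from dataclasses import dataclass, field

# Commands whose successful (2xx) completion proves the account may modify the server.
WRITE_VERBS = {"STOR", "STOU", "APPE", "DELE", "RMD", "MKD", "RNTO"}


@dataclass
class Finding:
    user: str
    cleartext_password: bool
    write_access: bool = False
    write_verbs_seen: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        if self.cleartext_password and self.write_access:
            return "high"      # readable credentials for an account that can change data
        if self.cleartext_password:
            return "medium"
        return "info"


def analyze_ftp_session(exchange):
    """exchange: list of (direction, line) tuples, direction "C" for
    client->server and "S" for server->client, as a protocol decoder would
    deliver them (assumed input shape).  Returns a Finding for the login
    seen, or None if no login was visible in cleartext."""
    user = None
    finding = None
    auth_pending = False   # client asked for AUTH TLS/SSL, awaiting the 234 reply
    last_verb = None       # last client command, so replies can be paired with it

    for direction, line in exchange:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            last_verb = verb
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
                auth_pending = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                # A PASS argument the decoder can read is by definition a cleartext credential.
                finding = Finding(user=user, cleartext_password=True)
        elif direction == "S":
            code = line[:3]
            if auth_pending and code == "234":
                # Control channel is upgraded to TLS from here; nothing further is decodable.
                break
            if finding is not None and last_verb in WRITE_VERBS and code.startswith("2"):
                finding.write_access = True
                finding.write_verbs_seen.add(last_verb)
    return finding


# Constructed example modelled on the scripted log download: user, password and
# file names are invented.
CLEARTEXT_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER svc_logcollector"),
    ("S", "331 Password required"),
    ("C", "PASS Winter2021!"),
    ("S", "230 Login successful"),
    ("C", "CWD /export/logs"),
    ("S", "250 Directory changed"),
    ("C", "RETR rtu-0815.log"),
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
    ("C", "DELE rtu-0815.log"),          # the script tidies up: this proves write access
    ("S", "250 Delete operation successful"),
    ("C", "QUIT"),
    ("S", "221 Goodbye"),
]

# Constructed example of the safe variant: explicit FTPS. After the 234 reply the
# control channel is encrypted, so a passive decoder never sees USER/PASS.
TLS_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
]


if __name__ == "__main__":
    for name, session in (("scripted download", CLEARTEXT_SESSION), ("explicit TLS", TLS_SESSION)):
        f = analyze_ftp_session(session)
        if f is None:
            print(f"{name}: no cleartext login observed")
        else:
            print(f"{name}: {f.severity} - user {f.user!r}, write access {f.write_access} "
                  f"(via {sorted(f.write_verbs_seen)})")
```

Pairing each server reply with the preceding client command is what turns "a password was visible" into "a password for an account that can delete files was visible", which is the detail that sets the severity; a real deployment would run this over reassembled TCP streams and feed the finding into the monitoring system's alerting rather than print it.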

Solution: Anomaly Detection for Holistic Protection

Over the following weeks, invalid messages from the host were periodically reported. Although the communication was still not safety-critical, it consumed bandwidth unnecessarily and thus degraded the availability of the local network control technology. Since the work on the OT network had been completed in the meantime, the service employee was contacted. As it turned out, the employee, apparently motivated by self-interest, had started a Python tool he had written himself on the computer, which was supposed to detect OPC-UA-speaking devices in the network. He was not aware that this could seriously disrupt OT communication. The tool was deleted and the security policies were adapted accordingly.
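What "invalid OPC-UA messages" means in practice can be shown with a check of the fixed 8-byte header that every message of the OPC UA binary (UA-TCP) transport starts with: a three-letter message type, a one-byte chunk indicator and a little-endian 32-bit message size that includes the header. The following Python is an added example, not Rhebo's decoder and not the employee's tool; the three frames are constructed, and the check works per frame rather than over a reassembled TCP stream, which is an assumption made to keep it self-contained.

```python
"""Validate the 8-byte UA-TCP header of OPC UA binary messages, to separate
well-formed OPC UA traffic from malformed frames.  Added illustration with
constructed frames; not code from the incident."""

import struct

# Message types of the UA-TCP transport (OPC UA Part 6); RHE is the reverse-hello
# added in later revisions of the specification.
MESSAGE_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE", b"MSG", b"OPN", b"CLO"}
# Connection-level messages are never chunked, so their chunk byte must be 'F' (final).
CONNECTION_LEVEL = {b"HEL", b"ACK", b"ERR", b"RHE"}
HEADER_LEN = 8


def check_opcua_frame(frame: bytes):
    """Return a list of problems found in one frame; an empty list means the
    header is well-formed and consistent with the bytes actually present."""
    problems = []
    if len(frame) < HEADER_LEN:
        return [f"frame too short for a UA-TCP header ({len(frame)} bytes)"]
    msg_type, chunk_type = frame[:3], frame[3:4]
    (size,) = struct.unpack_from("<I", frame, 4)   # little-endian uint32, header included
    if msg_type not in MESSAGE_TYPES:
        problems.append(f"unknown message type {msg_type!r}")
    if chunk_type not in (b"F", b"C", b"A"):
        problems.append(f"invalid chunk type {chunk_type!r}")
    elif chunk_type != b"F" and msg_type in CONNECTION_LEVEL:
        problems.append(f"{msg_type.decode()} message may not be chunked")
    if size < HEADER_LEN:
        problems.append(f"declared size {size} smaller than the header")
    elif size != len(frame):
        problems.append(f"declared size {size} does not match {len(frame)} bytes on the wire")
    return problems


def build_hello(endpoint_url: str) -> bytes:
    """Build a syntactically valid HEL message (constructed for the demo)."""
    body = struct.pack("<IIIII", 0, 65535, 65535, 0, 0)   # protocol version and buffer limits
    url = endpoint_url.encode()
    body += struct.pack("<i", len(url)) + url              # OPC UA String: int32 length + bytes
    return b"HELF" + struct.pack("<I", HEADER_LEN + len(body)) + body


# Constructed frames: a genuine Hello, an HTTP request sent to the OPC UA port,
# and a frame whose header promises far more bytes than were sent.
SAMPLE_FRAMES = {
    "hello": build_hello("opc.tcp://plc-01:4840"),
    "http_probe": b"GET / HTTP/1.0\r\n\r\n",
    "truncated": b"MSGF" + struct.pack("<I", 200) + b"\x00" * 8,
}


def classify_frames(frames):
    """Map each frame name to the list of problems found in it."""
    return {name: check_opcua_frame(data) for name, data in frames.items()}


if __name__ == "__main__":
    for name, problems in classify_frames(SAMPLE_FRAMES).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

A frame that fails this check is not OPC UA, whatever port it arrived on; repeated failures from one host are exactly the kind of anomaly that points at a misbehaving tool rather than at a faulty device, which is the distinction the investigation above had to make.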