Global 24/7 Cybersecurity For Renewable Energy Resources

at
BayWa r.e. Data Services GmbH
The BayWa r.e. AG designs, builds and operates wind farms and photovoltaic (PV) parks worldwide. 99 % of technical operations management, servicing and maintenance are carried out via remote access.

Network Intrusion Detection with Rhebo support

at
Stadtwerke Bochum Netz
Stadtwerke Bochum Holding has been a reliable supply partner for all Bochum residents since 1855. Today, Stadtwerke Bochum provides around 3,600 GWh of electricity and around 2,900 GWh of gas every year. It also provides water, district heating, telecommunications products, and solutions for the expansion of e-mobility. As a modern, customer-oriented company, Stadtwerke Bochum actively addresses the requirements and challenges of the times.

Verification of Network Segmentation at German Water Company

at
Waterworks Leipzig
The German water company Leipziger Wasserwerke (LWW) is a subsidiary of the Leipziger Gruppe. With 5 water plants, the company supplies 545,000 people in the Leipzig region with fresh and high-quality drinking water. It also treats 95,000 m³ of waste water per day in 25 sewage treatment plants.

Sabotage Investigation in Logistics Companies

at
Digital Forensics GmbH
Digital Forensics GmbH is a German company specializing in forensic analysis of large-volume network traffic in industry and insurance. The company evaluates cases of damage and analyses cyber attacks. Knowledge of industry-specific protocols such as Profinet, OPC, S7 or IEC 61850, and of how to evaluate them, forms a focal point of the work.

Secure Energy Supply For Over 1 Million People

at
Thüringer Energienetze GmbH & Co. KG
TEN Thüringer Energienetze is the largest distribution network operator in the German federal state of Thuringia. Its networks reliably supply more than 1.1 million people, the domestic economy and downstream distributors with energy. TEN provides all infrastructure services for the supply of electricity and natural gas, the connection of decentralized energy resources and, as part of its services, network operation for third parties.

Real-Time Security and Continuous Improvement Of Energy Supply

at
e-netz Südhessen AG
Anchored in Darmstadt, e-netz Südhessen AG, as a subsidiary of ENTEGA AG, takes care of the secure energy supply and the functioning infrastructure for around one million people in the region - from private households to municipal facilities, operators of solar systems and wind farms to industrial companies, scientific and research institutions.

Defense-in-Depth in the OT networks

at
MEGA, der Monheimer Elektrizitäts- und Gasversorgung GmbH
As a municipal energy supplier and innovative service provider, MEGA is as much a part of Monheim as the Rhine. Personally and locally, we create a warm, bright home for the people of Monheim with a fast digital window to the world. For over 100 years, we have been helping to make Monheim am Rhein a livable and attractive city - for families and companies.

Ensuring ICS Cybersecurity of Energy Providers

at
EWR Netz GmbH
In addition to its core business as a public network operator for electricity, gas and water, EWR Netz GmbH offers many different services with its qualified employees and extensive technical equipment. Regional network operators such as EWR Netz GmbH play an important role in the energy transition, as renewable energies and decentralized generation plants are feeding more and more electricity into the networks.

Intrusion Detection & Mitigation

at
sonnen GmbH
Since 2018, Sonnen GmbH has been the first and so far only provider in Germany to connect private home storage systems to form a virtual power plant. Sonnen GmbH is building an energy system that provides clean electricity at exactly the right time and where it is needed. A system that enables cost benefits for everyone while relieving the strain on the power grid. In addition, the sonnenVPP plays an important role in the energy transition. By stabilizing the energy grids on three continents, the company is ensuring that more and more renewable energies can be connected to the grid, thus accelerating the transition to clean energy.

Dr. Jens Pittler

Technical Director
|
Digital Forensics GmbH
»Sabotage from in-house sources is very difficult to detect because the processes take place within the secured zones. With Rhebo Industrial Protector, we were able to open up a view into the control system and monitor every communication process. The storage of all anomaly details enabled us to perform a very accurate analysis and trace the incident to a particular workstation....«

Details

Initial situation and challenge

The network analysis service provider Digital Forensics was engaged by an international logistics company to investigate unexplained shutdowns in several logistics systems. At three of its end customers, the logistics control systems had failed at a single stroke. Restoring normal operation took several hours to days. This resulted in contractual penalties and recovery costs for the end customers in the hundreds of millions. Since the logistics company was also the provider of the control systems, it had to cover these downtime costs. An initial analysis did not reveal any errors in the system software. However, active remote maintenance sessions using the VNC protocol were found for the corresponding period, an indication of potential sabotage of the systems.

Non-intrusive communication monitoring

Continuously monitor the communication via remote maintenance accesses without affecting infrastructure and processes.

Identification of the inside attacker

Detect, document, and attribute attempts to compromise customer systems via remote maintenance access in real time.

Stop serial sabotage attempts

Identify vulnerabilities and implement appropriate measures to prevent incidents in the future.

Solution

Based on initial indications of sabotage, Digital Forensics opted for long-term monitoring of the logistics company’s control communication. The analysis service provider integrated the industrial anomaly detection Rhebo Industrial Protector into the logistics company’s network to continuously analyze all communication within the Operational Technology (OT). The OT monitoring with anomaly detection reports, in real time, any event in the network that could lead to system disruption. Such anomalies include both security incidents and technical malfunctions that occur in the daily operation of industrial plants. Rhebo Industrial Protector reduces the downtime risk and detects manipulation attempts even when they come through authorized accounts.

Implementation and findings

After several months of continuous monitoring, Rhebo Industrial Protector reported unusual communication at the suspicious remote access points. The events were recorded in full detail as PCAP and immediately evaluated by Digital Forensics. The analysis showed that »shutdown« commands had been sent to the end customers from an internal corporate workstation. Because of the real-time notification, the repeated sabotage action was stopped before the end customer facilities were affected. The workstation used for the sabotage was located immediately. The attacker, however, could not be identified beyond doubt, since at the time several hundred people had access to the workstation via a shared password. The company therefore immediately implemented several security measures, including personalized accounts, strict security guidelines and cybersecurity training, to prevent future sabotage attempts.

  1. Atypical VNC communication via remote maintenance access is reported and documented in real time (Source: Digital Forensics).
  2. The network map identifies a specific workstation as the origin (Source: Digital Forensics).
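The detection and attribution logic described above, as an added example that is not part of the page and not Rhebo's product code: a baseline of known VNC client/server pairs is learned from a training window, every later VNC session that deviates from it (unknown pair, outside the maintenance window, non-standard port) is flagged, and the findings are counted per source host to point at the workstation to pull. The flow records, addresses, timestamps and the maintenance window are constructed for the example; VNC is recognised by the RFB ProtocolVersion banner a server sends at the start of a session, not by port alone, so sessions moved to an unusual port are still caught.

```python
"""Baseline-based anomaly detection for VNC remote-maintenance sessions."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# RFB ProtocolVersion handshake: the first 12 bytes a VNC server sends,
# e.g. b"RFB 003.008\n". Matching on it identifies VNC regardless of port.
RFB_BANNER = re.compile(rb"^RFB \d{3}\.\d{3}\n")
VNC_PORTS = range(5900, 5910)  # conventional VNC display ports


@dataclass(frozen=True)
class Flow:
    ts: datetime          # session start
    src: str              # client (the side that opened the session)
    dst: str              # server (the controlled system)
    dport: int
    server_hello: bytes   # first payload bytes sent by the server


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reasons: tuple


def is_vnc(flow: Flow) -> bool:
    """Classify by the RFB banner rather than by destination port."""
    return RFB_BANNER.match(flow.server_hello) is not None


def learn_baseline(flows):
    """Record which client->server pairs legitimately used VNC in the training window."""
    return {(fl.src, fl.dst) for fl in flows if is_vnc(fl)}


def detect(flows, baseline, maintenance_hours=(6, 20)):
    """Flag every VNC session that deviates from the learned baseline."""
    start, end = maintenance_hours  # assumed maintenance window, local hours
    findings = []
    for fl in flows:
        if not is_vnc(fl):
            continue
        reasons = []
        if (fl.src, fl.dst) not in baseline:
            reasons.append("unknown client/server pair")
        if not (start <= fl.ts.hour < end):
            reasons.append("outside maintenance window")
        if fl.dport not in VNC_PORTS:
            reasons.append(f"VNC on non-standard port {fl.dport}")
        if reasons:
            findings.append(Finding(fl, tuple(reasons)))
    return findings


def attribute(findings):
    """Count anomalous sessions per source host: the workstation to examine first."""
    return Counter(fd.flow.src for fd in findings)


# Constructed sample flows (not real traffic); addresses are placeholders.
HELLO = b"RFB 003.008\n"
T = datetime
TRAINING = [
    Flow(T(2024, 3, 4, 9, 15), "10.0.10.5", "10.1.0.20", 5900, HELLO),
    Flow(T(2024, 3, 5, 14, 2), "10.0.10.5", "10.1.0.21", 5900, HELLO),
    Flow(T(2024, 3, 5, 14, 5), "10.0.10.6", "10.1.0.20", 443, b"\x16\x03\x03"),  # TLS, not VNC
]
MONITORED = [
    Flow(T(2024, 3, 12, 10, 30), "10.0.10.5", "10.1.0.20", 5900, HELLO),           # expected
    Flow(T(2024, 3, 13, 2, 13), "10.0.50.77", "10.1.0.20", 5901, HELLO),           # anomalous
    Flow(T(2024, 3, 13, 2, 20), "10.0.50.77", "10.1.0.21", 60000, HELLO),          # anomalous, odd port
    Flow(T(2024, 3, 13, 2, 25), "10.0.50.77", "10.1.0.21", 8080, b"HTTP/1.1 200"),  # not VNC
]

BASELINE = learn_baseline(TRAINING)
FINDINGS = detect(MONITORED, BASELINE)

if __name__ == "__main__":
    for fd in FINDINGS:
        print(fd.flow.ts.isoformat(), fd.flow.src, "->", fd.flow.dst, "; ".join(fd.reasons))
    print("top source:", attribute(FINDINGS).most_common(1))
```

The per-source count is only as good as the attribution behind it: as the case shows, a source address identifies a workstation, not a person, and with a shared password on that workstation the investigation stops there. Personalized accounts on the jump host are what turn the source address into an accountable identity.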

Results

PREVENTION OF FUTURE SABOTAGE ATTEMPTS

through identification and localization of the internal weak point.

INCREASED CUSTOMER TRUST

through thorough event analysis and consistent mitigation measures.

DAMAGE MINIMIZATION

through fast, targeted investigation and evidence of the sabotage suitable for use in court.
