Rhebo Industrial Protector for German distribution grid operator

The grid operator needed to update its cybersecurity system. Company made three essential demands on the modern security strategy for its network control system: the solution was to monitor all control and supervisory network technology, provide compliance to the German IT Security Act, as well support ISO 27000 initiatives.

Challenges

• Gain complete transparency of network control technology. All communication, configuration, and
  communication relationship as well as any changes to these within the control and supervisory networks must made completely visible while the firewalls only monitor the access perimeter of the control network.
• Detect misuse of remote access points. Misuse of a VPN access point or incorrect entries during remote maintenance should be reported immediately to the control center in order to effectively mitigate malfunctions.
• Minimize remaining risks of cyber attacks.A continuous network condition monitoring shall mitigate cyber security risks remaining because of incomplete databases of the security service providers (i.e. firewall providers) and delayed updates (due to operational restraints).

Another requirement was the support of the IEC 60870-5-104 protocol for complete monitoring of transmission contents in the control network as well as the seamless integration to their existing control centers. By means of a direct connection to the control system, all anomaly data should be available in real-time for the evaluation within the framework of existing monitoring processes. The basic prerequisite for the installation was the completely non-intrusive and passive functionality of the solution in order to avoid malfunctions due to false-positives.

Solution

Rhebo Industrial Protector comprehensively and non-intrusively monitors the communication in process control and network control systems. Any event that can lead to disruptions are detected and reported by the automatic anomaly detection. Such anomalies include both security incidents and technical malfunctions that occur in everyday telecontrol operations.

Ultimately, Rhebo Industrial Protector ensures plant availability, data integrity and thus longterm security of supply operations. The automatic recording of all communication data when an anomaly occurs enables detailed forensic analysis of incidents. Furthermore, Rhebo Industrial Protector supports compliance with reporting obligations under §8b (4) of the German IT Security Act.

Rhebo Industrial Protector was installed within the grid operator‘s four central access points to the control and supervisory networks,providing a complete picture of all communication processes between the control system and all telecontrol systems within each of the substations. The sensors for data collection were installed
non-intrusively and passively via network taps. The operation of the control system continued without interruption during the installation.

Outcome

Using Rhebo Industrial Protector, the distribution grid operator reached its complete communication and device relationship transparency within control and supervisory networks goal. As an integral part of the ISMS, the industrial anomaly detection not only supports the network operator to increase the cyber security of the network.
It also provides the means to comply with legal and normative requirements according to the German IT Security Bill as well as the DIN ISO 27001, DIN ISO 27002 and the ISO/IEC 27019 standards.