December 2021 issue

GAP analysis - security check for process IT

Fraunhofer | GAP
© Fraunhofer | GAP

Network operators are required by EnWG §11 (1a) to establish appropriate protection against threats to ICT systems. This protection is provided by compliance with the IT security catalog of the BNetzA, which prescribes specific security requirements and processes, such as establishing an information security management system (ISMS) in accordance with DIN ISO/IEC 27001 or identifying, assessing and handling security risks.

In the context of these processes, the Cybersecurity Learning Laboratory conducted a practical analysis on behalf of a utility network operator to investigate in detail the security aspects of concrete telecontrol elements of a digital substation. The main objectives of this so-called GAP analysis included:

  • Review of critical assets for vulnerabilities and possible security deficiencies,
  • Development of possible hardening measures and secure parameterization specifications, and
  • Development of a standardized methodology for security analyses of other relevant OT systems.

To ensure careful preparation and execution of this multi-layered and very detailed security review, the BSI specifications on the methodology for auditing ICS installations were taken into account during project planning.

In the initial phase of the project, the scope of the GAP analysis was defined with the client and the rules of engagement were agreed upon, which describe which audit methods may be used in which audit areas. Precise definition of such binding rules of engagement is extremely important for security analyses in the industrial and, in particular, the CRITIS sector, since the performance of some tests, such as vulnerability scans or denial-of-service attacks, can have negative effects on important control components and consequently on the underlying physical process. To ensure that the penetration methods of the GAP analysis did not have to be restricted, a test setup was provided by the client as a replica of the original system in a separate environment.

In the further preparation phase, a detailed test plan was prepared describing numerous tests to verify the security aspects of the test setup, including test objectives, methodology and tools, estimated effort and possible risks. The focus was on two major security areas of the facility:

  • Device security analysis - review of secure configuration and hardening measures and vulnerability analysis,
  • Network security analysis - review of network interface and protocol security.

In the final step of the GAP analysis, the physical aspects of security at the installation site of the equipment were reviewed.

All tools and scripts used, relevant documents, test steps and results were logged in detail, with screen captures and log files, during the execution of individual tests. The final evaluation of the results was described in a final report and presented to the client in the form of a presentation.

During the GAP analysis, the Cybersecurity Learning Lab gathered important empirical data for further optimization of the methodology for security audits. The goal here was to make the developed approach so flexible that it can be used at any time for cybersecurity assessments of other ICS areas and systems. The success of this project is also reflected in the fact that the client is planning a continuation of the project. In this context, the Cybersecurity Learning Lab will test OT devices from another manufacturer that are responsible for controlling a different process section. In addition, a number of research questions were identified during the project that are highly relevant for future (partially) automated pen testing frameworks for the OT area of energy supply.


IT Security Act 2.0: When even small municipal utilities become KRITIS

Fraunhofer | IT SiG 2.0
© Fraunhofer | IT SiG 2.0

"With the IT Security Act 2.0 and the KRITIS Regulation 2.0, numerous companies are faced with the fact that their facilities are now considered Critical Infrastructures - and they are thus subject to further regulations. In the case of utilities, power generation is particularly affected: Whereas a threshold of 420 megawatts previously applied, it is now only 36 megawatts. So while even large onshore wind farms were previously excluded, an estimated 140 new operators in power generation now fall within the KRITIS scope with their facilities."

 

Learn more about the challenges for operators and how to implement the legislature's requirements in practice in this blog post.

New! Introducing the staff of the Cybersecurity Learning Lab for Energy and Water Utilities:

In this new section we would like to introduce you to our colleagues. Today we introduce you to Rebecca Bohn, our training coordinator. Rebecca started as a working student at Fraunhofer IOSB-AST during her studies and has now been working in the Cybersecurity Learning Lab for Energy and Water Utilities for some time. In this interview, she explains what makes her job as a training coordinator special.
 

Training coordinator sounds exciting! What exactly do you do at the learning lab?

My job is sort of divided into 4 parts:

  • First, there is event management: I organize everything around the trainings so that they can take place smoothly, from transport, premises and training materials to catering. I am also involved in the marketing of the learning lab.
  • In addition, I am involved in the training preparation. I assist the scientific staff in designing new training content.
  • I am also in contact with customers, both in acquisition and support. I discuss with interested companies their acute cybersecurity concerns and which of our training content best fits their needs.
  • And one of my almost most important jobs is to be the interface between all these 3 areas and make sure that all involved parties are always informed and up to date, for a good and effective collaboration.

What qualities should you have as a training coordinator?

A high level of self-organization, good communication skills, a "thinking outside the box" attitude.
 

You joined the Cybersecurity Learning Lab (LLCS) team at the beginning of last month. How do you like it so far and how have you been received?

I have been warmly welcomed. I already had contact with the learning lab in my previous HIWI job in communications at IOSB-AST and always enjoyed working with the team. I like it very much; I enjoy going to work because I consider the activities of the CS EWV learning lab important and especially relevant for the future. I am happy to be able to be part of innovative research.
 

What are you really good at?

I am good at resource management and networking. I know who has what skills in my team and how to use them best and most efficiently to achieve a good result.

I am a trained mediator and have the ability to listen well to people or to hear out what they need.

 

Describe LLCS at Fraunhofer IOSB-AST in three words.

Future-oriented, Innovative, Relevant.

Fraunhofer | B.A. Rebecca Bohn
© Fraunhofer | B.A. Rebecca Bohn

Christmas wishes

The year is drawing to a close. We take this opportunity to express our gratitude for your trust. We wish you and your family a peaceful Christmas and a blessed holiday season, and a happy New Year!

Are you looking for individually designed training for your company?

No problem! We offer customized in-house seminars that are individually tailored to your company or your training needs. You decide what is learned, where and when.