GAP analysis - security check for process IT
Network operators are required by EnWG §11 (1a) to establish appropriate protection against threats to ICT systems. This protection is provided by compliance with the IT security catalog of the BNetzA, which prescribes specific security requirements and processes, such as: Establishment of an IT security management system (ISMS) in accordance with DIN ISO/IEC 27001 or identification, assessment and handling of security risks.
In the context of these processes, the Cybersecurity Learning Laboratory conducted a practical analysis on behalf of a utility network operator to investigate in detail the security aspects of concrete telecontrol elements of a digital UW. The main objectives of this so-called GAP analysis included:
- Review of critical assets for vulnerabilities and possible security deficiencies,
- Development of possible hardening measures and secure parameterization specifications, and
- Developing a standardized methodology for security analyses of other relevant OT systems.
To ensure careful preparation and execution of this multi-layered and very detailed security review, the BSI specifications on the methodology for auditing ICS installations were taken into account during project planning.
In the initial phase of the project, the scope of the GAP analysis was defined with the client and the rules of engagement were agreed upon, which describe which audit methods may be used in which audit areas. Precise definition of such binding rules of engagement is extremely important for security analyses in the industrial and, in particular, the CRITIS sector, since the performance of some tests, such as vulnerability scans or denial-of-service attacks, can have negative effects on important control components and consequently on the underlying physical process. To ensure that the penetration methods of the GAP analysis did not have to be restricted, a test setup was provided by the client as a replica of the original system in a separate environment.
In the further preparation phase, a detailed test plan was prepared describing numerous tests to verify the security aspects of the test setup, including test objectives, methodology and tools, estimated effort and possible risks. The focus was on two major safety areas of the facility:
- Device security analysis - review of secure configuration and hardening measures and vulnerability analysis,
- Network security analysis - review of network interface and protocol security.
- In the final step of the GAP analysis, the physical aspects of security at the installation site of the equipment were reviewed.
All tools and scripts used, relevant documents, test steps and results were logged in detail, with screen captures and log files, during the execution of individual tests. The final evaluation of the results was described in a final report and presented to the client in the form of a presentation.
During the GAP analysis, the Cybersecurity Learning Lab gathered important empirical data for further optimization of the methodology for security audits. The goal here was to make the developed approach so flexible that it can be used at any time for cyber security assessments of other ICS areas and systems. The success of this project is also reflected in the fact that the client is planning a continuation of the project. In this context, the cyber security learning laboratory will test OT devices from another manufacturer that are responsible for controlling a different process section. In addition, a number of research questions were identified during the project that are highly relevant for future (partially) automated pen testing frameworks for the OT area of energy supply.