NTS Threat Detection Service | OT
Omicron Stationguard
With increasing digitalization and the convergence of IT and OT (Operational Technology), cyber security is becoming more and more important. This is confirmed by the rise in cyberattacks on production and energy supply companies over the last couple of years. To detect these threats early enough, NTS is cooperating with the company OMICRON on the Threat Detection Service | OT.
Comprehensive Security Strategy
A security concept for switchgear should cover the whole range, from physical access control, through digital monitoring of access, all the way to monitoring of suspicious and unauthorized activities in the network. All this requires systems that provide a high level of security with low maintenance effort over the long term. Additionally, it should be easy to integrate these systems into the operation and maintenance processes.
Control centers and their computers are by no means the only entry points for cyberattacks on the power grid. Switchgear is an attractive target as well. The most used attack vector is the connection to the company IT, along with weakly secured remote maintenance access. Compromised or infected maintenance and test PCs and test devices, together with the many known and unknown (so-called zero-day) weaknesses of OT systems, increase the risk further.

A BRIDGE BETWEEN TWO WORLDS: IT & OT
Together with OMICRON, NTS supplies security solutions that master all requirements for cyber security and the smart grid. Through this partnership we build a bridge between IT and OT, and we ensure a high degree of IT and OT security thanks to cross-sectoral expert knowledge.
OMICRON is an expert in protection and control technology, and with Omicron Stationguard it perfectly complements the security portfolio of NTS. This makes it possible for our customers to achieve an unprecedented level of security. The NTS Threat Detection Service | OT combines both areas of expertise and provides an integrated approach.
All security-relevant information surrounding the IT and OT infrastructure is analyzed in real time and correlated by the NTS Threat Detection Service in order to identify cyber security incidents as fast as possible. A specially trained NTS Defense Team analyzes all suspicious occurrences and rates them by danger and urgency. Alert messages enriched with OT knowledge and an easy-to-understand dashboard help the analysts of the Security Operations Center (SOC) to assess alerts and react to them quickly. Throughout, the NTS Defense Team and the OMICRON OT security team are in constant exchange.
We only inform you about incidents that are in fact risky, and we only intervene during serious threats. This results in increased visibility of OT threats as well as comprehensive protection from attacks on IT and OT.
THE STATIONGUARD APPROACH
Stationguard is a monitoring solution for the detection of cyber threats and communication problems in switchgear. Switchgear and OT systems are deterministic, which means that their behaviour is clearly defined. This also holds in exceptional circumstances such as protection incidents. Unlike signature- and baseline-based Intrusion Detection Systems (IDS), Stationguard is aware of the function of each individual device. Thus, it is able to create a system model of the switchgear and compare each individual network packet with this live system model. This is equivalent to a so-called allowlist approach (whitelist), where permitted behavior is described.
Everything that deviates from it creates an alarm by default. With this approach, completely new attacks are detected as well. Thus, not only cyber threats and forbidden activities are identified, but also problems in the automation and control technology functions. This combination of attack detection and function monitoring is also called functional security monitoring.
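The allowlist idea described above can be sketched in a few lines. This is an added illustration, not Stationguard code or its data model: the device names, roles, action labels and the maintenance-mode rule set are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:          # constructed record standing in for a decoded network packet
    src: str
    dst: str
    protocol: str
    action: str

# Hypothetical system model: which (destination role, protocol, action)
# each device role may send. Anything not listed is a deviation.
ROLE_RULES = {
    "protection_relay": {("gateway", "IEC 61850", "report"),
                         ("protection_relay", "IEC 61850", "goose_trip")},
    "gateway": {("protection_relay", "IEC 61850", "read"),
                ("protection_relay", "IEC 61850", "control")},
    "engineering_pc": {("protection_relay", "IEC 61850", "read")},
}
# Extra behaviour that is permitted only while maintenance mode is active.
MAINTENANCE_RULES = {
    "engineering_pc": {("protection_relay", "IEC 61850", "write_settings")},
}
# Constructed asset inventory: device name -> role in the station.
DEVICES = {"relay-q1": "protection_relay", "relay-q2": "protection_relay",
           "rtu-1": "gateway", "eng-pc": "engineering_pc"}

def check(pkt, maintenance_mode=False):
    """Return None if the packet matches the model, otherwise an alarm text."""
    src_role = DEVICES.get(pkt.src)
    dst_role = DEVICES.get(pkt.dst)
    if src_role is None or dst_role is None:
        unknown = pkt.src if src_role is None else pkt.dst
        return f"unknown device {unknown}"
    allowed = set(ROLE_RULES.get(src_role, ()))
    if maintenance_mode:
        allowed |= MAINTENANCE_RULES.get(src_role, set())
    if (dst_role, pkt.protocol, pkt.action) in allowed:
        return None
    # Default-deny: the alarm names the device function, not just the address.
    return (f"{pkt.src} ({src_role}) is not permitted "
            f"{pkt.protocol} {pkt.action} to {pkt.dst}")
```

Because the decision is "is this in the model" rather than "does this match a known attack", a previously unseen action from a known device and any traffic from a device missing from the inventory both raise an alarm without a learning phase.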
ADVANTAGES OF THE STATIONGUARD SOLUTION
- Simple configuration without learning stages – an instant protection
- Deep packet inspection of IEC 61850, IEC 60870-5-104, DNP3, Modbus TCP, PRP/HSR and much more
- Functional security monitoring in switchboards leads to a reliable detection of allowed activities and malfunctions
- OT/ICS asset inventory for the inventory assessment
- Low rate of false alarms: detection of incidents in the system including “maintenance mode”
- High comprehensibility of alarms, even without knowledge of the protocols
- Simple integration of alert notifications by binary contacts including a Syslog interface
Would you like to know more about NTS Threat Detection Service | OT?
If you are interested, contact us and arrange an appointment: sales@nts.eu.