
OMICRON’s investigation reveals widespread cybersecurity gaps in operational technology (OT) networks in substations, power plants, and control centers around the world. Based on data from more than 100 installations, this analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyberthreats.
The findings are based on several years of deploying OMICRON’s intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. This technology, which passively monitors network traffic, provides deep visibility into real-world OT environments. The results highlight the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures.
Figure: Connecting the IDS to a PAC system (the circle indicates the mirror port)
StationGuard deployments are often performed during security assessments, which uncover vulnerabilities such as unpatched devices, insecure external connections, weak network segmentation, and incomplete asset inventories. These security weaknesses were often identified within the first 30 minutes of connecting to the network. In addition to security risks, the assessment also uncovered operational issues such as VLAN misconfigurations, time synchronization errors, and network redundancy issues.
In addition to technical shortcomings, the findings point to organizational factors that contribute to these risks, including unclear responsibility for OT security, limited resources, and departmental silos. These findings reflect broader trends across the energy sector: IT and OT environments are rapidly converging, but security measures often haven’t kept up. How are utilities adapting to these complex risks, and what gaps remain that could leave critical systems exposed?
Why does your OT network need intrusion detection?
The ability to detect security incidents is an integral part of most security frameworks and guidelines, such as the NIST Cybersecurity Framework, IEC 62443, and the ISO 27000 standard series. In substations, power plant control systems, and control centers, many devices operate without a standard operating system, making it impossible to install endpoint detection software. In such environments, detection capability must be implemented at the network level.
OMICRON’s StationGuard deployments typically use network mirror ports or Ethernet TAPs to passively monitor communications. In addition to detecting intrusions and cyber threats, IDS technology also provides important benefits, including:
- Visualize network communications
- Identify unnecessary services and risky network connections
- Automatically create an asset inventory
- Detect device vulnerabilities based on this inventory
Assessing risk: the methodology behind the findings
This report is based on many years of IDS installations. The first installation dates back to 2018. Since then, hundreds of installations and security assessments have been performed at substations, power plants, and control centers in dozens of countries. The findings fall into three categories:
- Technical security risks
- Organizational security issues
- Operational and functional issues
In most cases, serious security and operational issues are discovered within minutes of connecting the IDS to the network.
Typically, sensors were connected to a mirror port on the OT network (often a gateway or other critical network entry point) to capture critical communication flows. In many substations, bay-level monitoring was not necessary because multicast propagation provides traffic visibility elsewhere in the network.
Hidden devices and asset blind spots
An accurate asset inventory is essential to protecting complex energy systems. Creating and maintaining such inventories manually is time-consuming and error-prone. To address this, OMICRON used both passive and active methods for automatic asset discovery.
Passive asset identification relies on existing system configuration description (SCD) files, standardized in IEC 61850-6, which contain detailed device information. However, passive monitoring alone proves insufficient in many cases, because critical data such as the firmware version is not transmitted in normal PAC communication.
Active queries for device information, on the other hand, use the MMS protocol to retrieve nameplate data such as device name, manufacturer, model number, firmware version, and possibly hardware identifiers. This combination of passive and active techniques provided a comprehensive asset inventory across the installations.
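The passive-plus-active reconciliation described above, as an added example that is not OMICRON's or StationGuard's code: it parses a constructed SCD fragment (IEC 61850-6 SCL, namespace http://www.iec.ch/61850/2003/SCL) for the IED nameplate attributes and the IP addresses declared under ConnectedAP, then merges that with a constructed table of addresses a passive sensor observed, including the firmware string an active MMS nameplate query would have returned (simulated here as data; no device is queried). Addresses seen on the wire but absent from the SCD are the blind spots the text warns about, and firmware only ever comes from the active side.

```python
"""Reconcile an SCD-derived asset list with passively observed addresses.
Added example; the SCD fragment and observation table are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

SCL_NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD fragment: two IEDs whose access points are declared in
# Communication/SubNetwork/ConnectedAP, as IEC 61850-6 lays it out.
SAMPLE_SCD = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT_Q01" apName="AP1">
        <Address>
          <P type="IP">10.20.1.11</P>
          <P type="IP-SUBNET">255.255.255.0</P>
          <P type="IP-GATEWAY">10.20.1.1</P>
        </Address>
      </ConnectedAP>
      <ConnectedAP iedName="CTRL_Q01" apName="AP1">
        <Address>
          <P type="IP">10.20.1.12</P>
        </Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_Q01" manufacturer="ExampleVendor" type="RelayX" configVersion="1.4"/>
  <IED name="CTRL_Q01" manufacturer="ExampleVendor" type="BayCtrlY" configVersion="2.0"/>
</SCL>
"""

# Constructed observation table: what a passive sensor saw on the station bus,
# plus the nameplate an active MMS query returned (None = no MMS answer at all).
OBSERVED = {
    "10.20.1.11": {"vendor": "ExampleVendor", "model": "RelayX", "firmware": "4.1"},
    "10.20.1.12": {"vendor": "ExampleVendor", "model": "BayCtrlY", "firmware": "2.7"},
    "10.20.1.53": None,  # talks on the bus, answers no MMS query, not in the SCD
}


def parse_scd(text):
    """Return {ip: {name, manufacturer, type, configVersion, ip}} from SCD text.

    Note that the SCD carries a configVersion but never a firmware version;
    that field must come from an active query."""
    root = ET.fromstring(text)
    ieds = {}
    for ied in root.findall("scl:IED", SCL_NS):
        ieds[ied.get("name")] = {
            "name": ied.get("name"),
            "manufacturer": ied.get("manufacturer"),
            "type": ied.get("type"),
            "configVersion": ied.get("configVersion"),
        }
    inventory = {}
    for ap in root.findall("scl:Communication/scl:SubNetwork/scl:ConnectedAP", SCL_NS):
        ip_el = ap.find("scl:Address/scl:P[@type='IP']", SCL_NS)
        if ip_el is None or not ip_el.text:
            continue
        ip = str(ipaddress.ip_address(ip_el.text.strip()))  # validates the literal
        entry = dict(ieds.get(ap.get("iedName"), {"name": ap.get("iedName")}))
        entry["ip"] = ip
        inventory[ip] = entry
    return inventory


def reconcile(documented, observed):
    """Merge SCD data with observations.

    Returns (merged_inventory, undocumented_ips, documented_but_unseen_ips)."""
    merged = {}
    for ip, doc in documented.items():
        obs = observed.get(ip)
        merged[ip] = {**doc, "seen": ip in observed,
                      "firmware": obs.get("firmware") if obs else None}
    undocumented = sorted(ip for ip in observed if ip not in documented)
    unseen = sorted(ip for ip in documented if ip not in observed)
    return merged, undocumented, unseen


if __name__ == "__main__":
    merged, undocumented, unseen = reconcile(parse_scd(SAMPLE_SCD), OBSERVED)
    for ip, e in merged.items():
        print(f"{ip:<12} {e['name']:<10} cfg={e['configVersion']} fw={e['firmware']}")
    print("undocumented on the wire:", undocumented)
    print("documented but silent:", unseen)
```

The undocumented list is the one to act on first: a device that is on the station bus, is not in the engineering data and does not answer MMS is exactly the kind of camera, printer or forgotten test laptop the assessments kept finding.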
Figure: Examples of device information available through SCL files and active MMS queries
What are the most common technical cybersecurity risks?
OMICRON’s analysis identified several recurring technical issues across energy OT networks.
Vulnerable PAC devices:
Many PAC devices were found to be running outdated firmware that contained known vulnerabilities. A notable example is CVE-2015-5374, which allows a denial-of-service attack against the protection relay with a single UDP packet. Although a patch has been available since 2015, many devices remain unpatched. Similar vulnerabilities exist in GOOSE implementations and MMS protocol stacks, creating additional risk.
Dangerous external connections:
In some installations, undocumented external TCP/IP connections were found, and in some cases there were more than 50 persistent connections to external IP addresses within a single substation.
Unnecessarily insecure services:
Common findings include unused Windows file sharing services (NetBIOS), IPv6 services, license management services running with elevated privileges, and unsecured PLC debug functionality.
Weak network segmentation:
Many facilities operated as a single large flat network, allowing unlimited communication between hundreds of devices. In some cases, even office IT networks were reachable from remote substations. Such an architecture greatly expands the scope of a cyber incident.
Unexpected devices:
Untracked IP cameras, printers, and even automated devices frequently appeared on networks without being documented in asset inventories, creating significant blind spots for defenders.
Human factors: Organizational weaknesses in OT security
Beyond technical deficiencies, OMICRON also observed recurring organizational challenges that exacerbate cyber risks. These include:
- Functional boundaries between IT and OT teams
- Lack of dedicated OT security personnel
- Resource constraints that restrict the implementation of security controls
In many organizations, IT departments are still responsible for OT security. This model often struggles to address the unique requirements of energy infrastructure.
When operations fail: substation functional risks
The introduction of IDS has also revealed a series of operational issues that are not directly related to cyber threats but still impact system reliability. The most common ones are:
- VLAN issues were the most frequent, with VLAN tagging of GOOSE messages often being inconsistent across the network.
- RTU and SCD mismatches broke communication between devices and in some cases prevented SCADA updates.
- Time synchronization errors ranged from simple misconfigurations to devices operating in the wrong time zone or with a default timestamp.
- Network redundancy issues related to RSTP loops and misconfigured switches caused severe performance degradation in some installations.
These operational weaknesses not only impact availability, but can also amplify the impact of a cyber incident.
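The most frequent functional finding above, inconsistent VLAN tagging of GOOSE messages, is something a passive sensor can check directly from the Ethernet header. The following added example, not OMICRON's or StationGuard's code, parses the 802.1Q tag (TPID 0x8100) and the GOOSE EtherType 0x88B8 header from raw frames, then groups frames by destination multicast address and APPID and reports any group that was seen with more than one VLAN tag (or both tagged and untagged). The frames are constructed with a helper in the same block; the APDU bytes are a placeholder, not a real goosePdu.

```python
"""Check GOOSE frames for consistent 802.1Q VLAN tagging.
Added example; the frames below are constructed for the check."""
import struct
from collections import defaultdict

ETH_VLAN = 0x8100    # 802.1Q tag protocol identifier
ETH_GOOSE = 0x88B8   # IEC 61850 GOOSE EtherType


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_goose_frame(dst_mac, src_mac, appid, vlan=None, prio=4):
    """Constructed frame: Ethernet header, optional 802.1Q tag, 8-byte GOOSE header, dummy APDU."""
    apdu = b"\x61\x02\x80\x00"          # placeholder, stands in for the ASN.1 goosePdu
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan is not None:
        tci = (prio << 13) | (vlan & 0x0FFF)   # PCP (3 bits), DEI (1), VID (12)
        frame += struct.pack("!HH", ETH_VLAN, tci)
    frame += struct.pack("!H", ETH_GOOSE)
    frame += struct.pack("!HHHH", appid, 8 + len(apdu), 0, 0)  # APPID, Length, Reserved1, Reserved2
    return frame + apdu


def parse_goose(frame):
    """Return {dst, src, vlan, prio, appid, length} for a GOOSE frame, else None.

    vlan and prio are None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    vlan = prio = None
    if ethertype == ETH_VLAN:
        if len(frame) < off + 6:
            return None
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        prio, vlan = tci >> 13, tci & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != ETH_GOOSE or len(frame) < off + 6:
        return None
    appid, length = struct.unpack_from("!HH", frame, off + 2)
    return {"dst": dst, "src": src, "vlan": vlan, "prio": prio, "appid": appid, "length": length}


def vlan_consistency(frames):
    """Group GOOSE frames by (destination MAC, APPID); return groups seen with >1 VLAN tag."""
    tags_seen = defaultdict(set)
    for frame in frames:
        goose = parse_goose(frame)
        if goose is not None:
            tags_seen[(goose["dst"], goose["appid"])].add(goose["vlan"])
    return {key: tags for key, tags in tags_seen.items() if len(tags) > 1}


# Constructed capture: publisher A's control block (APPID 1) is seen tagged with
# VLAN 100 and, later, untagged; publisher B (APPID 2) is consistently tagged.
FRAMES = [
    build_goose_frame("01:0c:cd:01:00:01", "00:11:22:33:44:01", 1, vlan=100),
    build_goose_frame("01:0c:cd:01:00:01", "00:11:22:33:44:01", 1, vlan=100),
    build_goose_frame("01:0c:cd:01:00:01", "00:11:22:33:44:01", 1, vlan=None),
    build_goose_frame("01:0c:cd:01:00:02", "00:11:22:33:44:02", 2, vlan=100),
    bytes(12) + struct.pack("!H", 0x0800) + bytes(20),   # an IPv4 frame, ignored
]

if __name__ == "__main__":
    for (dst, appid), tags in vlan_consistency(FRAMES).items():
        print(f"GOOSE {dst} APPID {appid:#06x} seen with VLAN tags {sorted(map(str, tags))}")
```

A mixed tagged/untagged result for one control block usually means a switch port somewhere strips or re-tags the frame, which is the same condition that makes subscribers on the far side of that port miss messages.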
Figure: Alert messages related to functional monitoring
What can utilities learn from these findings?
Analysis of more than 100 energy facilities highlights the urgent need for robust, purpose-built security solutions designed for the unique challenges of operational technology environments.
With deep protocol understanding and asset visibility, StationGuard solutions give security teams the transparency and control they need to protect critical infrastructure. A built-in whitelist detects even the slightest deviation from expected behavior, and signature-based detection identifies known threats in real-time.
The system can monitor both IT and OT protocols such as IEC 104, MMS, and GOOSE, allowing utilities to detect and respond to threats at every layer of the substation network. By combining StationGuard with features such as automated asset inventory, role-based access control, and seamless integration into existing security workflows, organizations can increase resiliency without disrupting operations.
To learn more about how StationGuard is helping utilities close these critical security gaps, please visit our website.
