Details
Initial situation and challenge
Each year, EWR Netz GmbH supplies around 230,000 customers with over 1.8 million MWh of electricity, 64,000 customers with 1.2 million MWh of gas and 15,000 customers with 7,200 TmÑ of water. One of the most urgent challenges for grid management, plant operation and maintenance is the shift towards renewable energies. In particular, the heterogeneity and decentralisation of plants and the expansion of the industrial control system are creating new risks for supply. EWR Netz GmbH is therefore actively shaping the secure and stable development of a modern, digitalised and renewable energy supply. With the support of security service provider Corning Services GmbH, the energy supply company had renewed its entire ICS in 2018 and 2019. State-of-the-art technology and the use of the IEC 60870-5- 104 protocol will continue to guarantee the trouble-free operation of electrical devices for their customers. EWR Netz GmbH pays particular attention to the security of its ICS. The requirement was a dedicated security system that protects the ICS holistically against disruptions. Vulnerabilities, known and novel attack patterns, as well as misconfigurations, defects and technical error states should be detected reliably and quickly.
Close existing vulnerabilities
Conduct risk analysis according to ISO 27001 ff. for the entire ICS, check segmentation, identify and evaluate vulnerabilities.
Detect attacks and malfunctions
Continuously monitor communication within the ICS (IEC104) at value level in order to detect and eliminate changes at an early stage before disruptions occur.
Locate and mitigate technical error states
Detect and locate defects and misconfigurations in equipment to initiate maintenance before equipment fails.
Solution

Risk analysis
Rhebo Industry 4.0 Stability and Security Audit
- Analysis of assets and communication structures;
- Risk assessment for cybersecurity and stability;
- Definition of mitigation measures.

ICS monitoring with anomaly detection
Rhebo Industrial Protector
- Continuous ICS monitoring;
- Real-time identification and evaluation of cyber attacks, vulnerabilities, malware and error states;
- Compliance with industry standards and regulatory requirements.

Implementation and findings
At the beginning, Rhebo and Corning Services carried out a Rhebo Industry 4.0 Stability and Security Audit at EWR Netz GmbH. Over a period of three weeks, the communication within the ICS was recorded using the ICS monitoring Rhebo Industrial Protector, and later analysed and evaluated. The visualisation of the assets and communication patterns showed a very well maintained ICS. However, the risk analysis identified various anomalies such as vulnerable firmware, unrequired protocols and conspicuous communication behaviour as well as various anomalies related to repeated transmission problems. The sources were later corrected by the I&C System department. The detailed monitoring of the ICS, the extremely good traceability of incidents, and the combination of cybersecurity and operational stability convinced EWR Netz GmbH to permanently integrate Rhebo Industrial Protector. Since then, the ICS monitoring solution passively monitors the entire communication within the network. Any change in the communication that indicates a risk to cybersecurity or process stability is reported to the control center in real-time.
- The network map visualises all assets in the ICS with their properties and connections.
- For each host, details such as protocols, connections, and anomalies are displayed in real-time.
- Rhebo Industrial Protector also reports insecure operations such as scans and unencrypted passwords.