NZ power generator Trustpower uncovers dodgy protocols in supplier tech

The flawed implementations showed up as suspicious-traffic alerts in its monitoring system, and its previous security technologies offered little visibility into what was happening in its network.

[Image: industrial power plant. Photo: Jason Blackeye, modified by IDG Comm. / Thinkstock]

New Zealand power company Trustpower discovered that flawed implementations of protocols used by its operational technology (OT) suppliers were being flagged as suspicious traffic by its network monitoring system.

The company recently deployed Nozomi Networks’ Guardian system to monitor some 1,200 devices across 40 locations in its power generation and distribution network: hydroelectric plants, switchyards, communications facilities, data centres and operations centres.

Devices monitored include programmable logic controllers, remote terminal units, high voltage protection devices, switches, routers and firewalls, and some 130 workstations and servers.

Trustpower’s delivery manager, Marty Rickard, told Computerworld New Zealand that Guardian had enabled Trustpower to visualise and understand the information flowing in its OT network, and uncover the flawed protocol implementations. “It appears … the developers have chosen to use an implementation or features that, while completely workable, may not subscribe to the letter of the protocol specification,” he said.

Rickard declined to name the suppliers or the protocols used, but he said Trustpower had made the suppliers aware of its findings and as a result had improved its relationships with suppliers. “While I cannot divulge our tactics or strategy, I can say that we have built rules to filter out noisy devices and devices which are triggering alerts based on mis-implemented protocols.”
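Rickard does not describe how the filtering rules are built, so the following is an added illustration rather than Trustpower's or Nozomi Networks' code. It shows one defender-side way to suppress alerts caused by a known, workable-but-non-conforming protocol implementation without silencing the whole device: each rule matches a narrow (device, protocol, alert signature) triple, records why it exists, and expires so it is reviewed once the supplier ships a fix. Suppressed alerts are kept in a separate list so the tuning remains auditable. The device names, protocol names, alert signatures and the rule schema are all constructed for this example and are not from the article.

```python
"""Alert tuning for known protocol-implementation quirks (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass(frozen=True)
class Alert:
    device: str      # asset identifier as the monitoring system reports it (constructed)
    protocol: str    # protocol the monitoring system decoded (constructed names below)
    signature: str   # alert signature raised by the monitoring system (constructed)
    detail: str


@dataclass(frozen=True)
class SuppressionRule:
    device: str
    protocol: str
    signature: str
    reason: str      # documented justification, e.g. vendor ticket reference
    expires: date    # forces a review; an expired rule suppresses nothing

    def matches(self, alert: Alert, today: date) -> bool:
        if today > self.expires:
            return False
        # Deliberately narrow: same device AND protocol AND signature.
        # A different signature from the same device is still reported.
        return (alert.device, alert.protocol, alert.signature) == (
            self.device, self.protocol, self.signature)


def triage(alerts: List[Alert], rules: List[SuppressionRule],
           today: date) -> Tuple[List[Alert], List[Tuple[Alert, str]]]:
    """Split alerts into those to escalate and those suppressed (with the reason)."""
    kept: List[Alert] = []
    suppressed: List[Tuple[Alert, str]] = []
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert, today)), None)
        if rule is None:
            kept.append(alert)
        else:
            suppressed.append((alert, rule.reason))
    return kept, suppressed


# Constructed sample alerts; the article names neither devices nor protocols.
SAMPLE_ALERTS = [
    Alert("rtu-07", "iec104", "PROTO_FIELD_OUT_OF_SPEC", "reserved bits set in control field"),
    Alert("rtu-07", "iec104", "UNEXPECTED_FUNCTION_CODE", "same device, different deviation"),
    Alert("plc-12", "dnp3", "PROTO_FIELD_OUT_OF_SPEC", "different device, same signature"),
    Alert("ws-03", "smb", "NEW_NODE_SEEN", "workstation not in asset inventory"),
]

# Constructed rule: only the first sample alert should match while the rule is live.
RULES = [
    SuppressionRule(
        device="rtu-07", protocol="iec104", signature="PROTO_FIELD_OUT_OF_SPEC",
        reason="Supplier confirmed non-spec reserved bits; ticket VENDOR-TICKET-PLACEHOLDER",
        expires=date(2021, 1, 31),
    ),
]


def summarize(today_iso: str) -> Tuple[int, int]:
    """Return (escalated, suppressed) counts for the sample data on a given day."""
    kept, suppressed = triage(SAMPLE_ALERTS, RULES, date.fromisoformat(today_iso))
    return len(kept), len(suppressed)


if __name__ == "__main__":
    for day in ("2020-06-01", "2021-03-01"):
        kept, suppressed = triage(SAMPLE_ALERTS, RULES, date.fromisoformat(day))
        print(f"{day}: escalate {len(kept)}, suppressed {len(suppressed)}")
        for alert, reason in suppressed:
            print(f"  suppressed {alert.device}/{alert.protocol}/{alert.signature}: {reason}")
```

While the rule is live, the one matching alert is suppressed and the other three (a different signature from the same device, the same signature from a different device, and an unrelated inventory alert) are still escalated; after the expiry date all four are escalated again until someone renews the rule.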

Rickard said the company had deployed Nozomi Networks’ Guardian because Trustpower’s previous security technologies offered little visibility into what was happening in its network. “In addition to visibility, [Guardian] was intended to provide deep packet inspection of protocols that are not necessarily understood by other security appliances,” he said. “The use of IDS signatures, Yara rules [a way of identifying malware by creating rules that look for certain characteristics], Stix [Structured Threat Information Expression, a structured language for describing cyber threat information so it can be shared, stored, and analysed in a consistent manner] indicators and integration with firewall appliances were other attractive features, many of which are in use currently.”

He also said that Trustpower was looking at using data gathered by Guardian for predictive maintenance and data analytics, but these projects had not yet progressed beyond proof of concept.

Trustpower’s head of technology, Matt van Deventer, said the use of Nozomi Networks’ technology had enabled the company to meet New Zealand’s Voluntary Cyber Security Standards for Industrial Control Systems Operators (VCSS-OCS). “Maintaining and exceeding these standards is a key priority for Trustpower.”

Copyright © 2020 IDG Communications, Inc.

  
Shop Tech Products at Amazon