Detect OT CyberThreats in Miniature Replicas

Interview with Sascha Schimmler, Senior Manager Offensive Application Security DACH at NVISO

Most companies have already established effective protective shields for their IT systems. In the field of operational technology (OT), however, the situation is often quite different. Realistically replicated test environments – such as those created by NVISO GmbH for the hydroelectric power plant of Austrian energy company Verbund – can detect vulnerabilities at an early stage.

Sascha Schimmler, Senior Manager Offensive Application Security DACH at NVISO GmbH, explains what companies with critical infrastructure need to know in an interview.

Mr Schimmler, operational technology (OT) is the backbone of industrial processes. However, its security is often taken for granted. What needs to be done to ensure that OT security is not only noticed when something goes wrong?

Sascha Schimmler: Companies must establish OT security as an integral part of their corporate and risk strategy. This includes regularly analysing risks, strategically integrating OT issues into operational security management and raising awareness among all relevant stakeholders in a targeted manner. Responsibilities for OT security should be clearly defined and embedded in existing processes such as change and incident management. It is also important to regularly review and update protective measures in order to be able to respond to new threats. Only through proactive action and continuous communication can OT security be understood as an ongoing management task – rather than something that only comes onto the agenda when something goes wrong.

In IT, confidentiality, integrity and availability are of paramount importance. What is the focus of OT security?

When it comes to the security of OT devices, system availability is the top priority. After all, production downtime can have direct financial and safety-related consequences. This is followed by the integrity of people, because targeted manipulation of process data or control commands can lead to serious malfunctions. Confidentiality is also relevant, but plays a secondary role compared to IT, as relevant OT components are already deeply embedded in the overall infrastructure to be defended.

In OT environments, the safety of people and the environment is much more important – for example, in the machine room. This overarching goal must be taken into account in all measures.

Critical infrastructures in particular must prepare for cyber attacks – and know how to defend themselves in the event of an emergency. NIS2 is the keyword here. How did you proceed when developing the ICS Firing Range for Verbund's hydroelectric power plant?

First, some background: An ICS Firing Range is a realistic test environment in which industrial control systems (ICS) and their components are simulated or replicated in order to safely run through attack and defence scenarios.

For the hydroelectric power plant project, we first identified the key OT components and how they interact. We then set up an isolated test environment with original hardware and software that replicates typical operating and attack scenarios. The focus was on complying with regulatory requirements such as the NIS2 regulation, realistically replicating critical processes and safely conducting attack tests without jeopardising real manufacturing.

What purposes should the test simulation cover? Please give us a few sample scenarios.

The test simulation should:

• Verify the effectiveness of technical and organisational protective measures
• Identify vulnerabilities in OT components and interfaces
• Train incident response teams under realistic conditions
• Validate emergency and recovery plans

Sample scenarios include

• Compromising a PLC with targeted malware
• Manipulating process data (e.g. temperature or pressure sensors)
• Attacking the remote maintenance interface
• Failure of critical communication links between the control room and field devices

Is artificial intelligence (AI) also used in the testing process?

AI can be used to support the testing process, for example to detect anomalies in network traffic or to automatically evaluate large amounts of data from the simulations. It helps to identify patterns that indicate attacks or misconfigurations. In the hydroelectric power plant project, AI was primarily used to analyse log data and helped to develop further detection use cases, i.e. different threat scenarios.

Although the components used are original parts that are also installed in the hydroelectric power plant, they only represent a fraction of the total quantity. How meaningful is the testing in light of this fact?

Since we were able to use not only the original parts but also real configurations that accurately replicated the installed products, the firing range is essentially a miniature version of the real power plant. The test results are therefore very meaningful.

What can be learned from the hydropower plant example and transferred to other business areas?

The approach shows how important a realistic test environment is for securing OT. Whether in energy, manufacturing or transport, the methodology – setting up an isolated test environment, targeted attack simulations, continuous improvement of protective measures – can be transferred to all industries with critical OT infrastructure. It is crucial that OT and IT teams work closely together and take the relevant regulatory requirements into account.

Would you recommend that every manufacturing company prepare for an attack using simulations and training? Who should consider this option?

Simulations and training are recommended for all companies with critical OT infrastructure, especially operators of critical infrastructure and companies with a high degree of automation.

They help to identify vulnerabilities at an early stage, test emergency plans and raise employee awareness of security issues. Targeted simulations also offer added value for SMEs with limited resources, as they provide practical insights and increase resilience to cyber attacks.