OMICRON's Product Security
In addition to monitoring other vendors' security advisories, we also issue our own when necessary, according to our vulnerability handling process:
- Report
- Analyze
- Assess
- Treat
- Disclose
Follow the link to learn about our recent discovery of a serious Linux kernel vulnerability.
Downloadable Documents
StationGuard Brochure
We are happy to help you
Take a decisive step towards a comprehensively secure OT network
- Do you have a question?
- Need more information?
- Would you like to request a demo?
Request a demo!
Ready to experience the power of StationGuard?
Schedule a demo today and witness firsthand how our innovative cybersecurity solution can fortify your critical infrastructure against potential threats and vulnerabilities.
Schedule an Appointment
Immediate Protection & Other Benefits of Our Solution
GridOps - Central Management System
Looking for comprehensive protection against cyber attacks? - You have come to the right place!
GridOps enables you to manage all your cyber risks in one place. It integrates threat and alert analysis into a clean, flexible user interface. It provides detailed reporting, complete visibility, and collaboration interfaces. Combined with the most accurate asset inventory, GridOps shows you only the vulnerabilities that matter to you. You benefit from:
- Unified interface for seamless access to alert trends and statistics, global asset inventory, and network visibility.
- Visualized asset inventory and associated security risks, threats, and malfunctions, so you can track overall security posture.
- Sped-up analysis and investigation with automated data enrichment and context.
- Centralized communication to keep your IT and OT teams in the loop.
- Improved decision making processes and efficiency within the organization.
Further benefits of our GridOps solution
Centralised Management
Manage all your cyber risks in one place
GridOps' integration of threat and alert analysis and built-in knowledge of assets and their vulnerabilities increases the security of your grid. From a single platform, you can detect, identify and investigate cyber attacks and unauthorized communications.
You can use this information to make important decisions about where you stand and ensure that risk assessment covers all assets. In addition, by understanding your network environment, you can make better decisions for the security and smooth operation of your facility.
With time and information on your side, you can feel safer and more confident.
Asset Inventory
Leverage accurate asset information to your advantage
Vulnerability and risk management processes on the grid depend on a well-maintained asset inventory with accurate information about device types and firmware versions. Identifying the equipment affected by security alerts or vulnerabilities is complex.
GridOps automatically creates and updates the asset inventory for you, collecting detailed asset information from multiple sources, such as engineering files and network data. It also maintains a database of protection and control device types and their fingerprints, as well as an up-to-date database of all security advisories for these devices.
Vulnerability management
Prepare for every eventuality
Security advisories for protection, control or network devices warn of threats to your assets that could jeopardize the smooth operation of the power grid. However, it is difficult to determine if these threats actually pose a risk to your system: You need to know the exact device type, module configuration and firmware version to know if a vulnerability affects your fleet of IEDs and network devices. You also need to know if the affected services are being used on your network and if they are vulnerable. Another problem is that many vulnerability reports are inaccurate and lack relevant information.
GridOps Vulnerability Management is designed to take care of most of these tasks for you. Our security analysts have created a database of known vulnerabilities for protection and control systems that provides comprehensive information. This database is also linked to an asset type database to identify asset types. Combined with the accurate asset inventory provided by GridOps, you are shown only the vulnerabilities that are relevant to your system.
"With OMICRON's expertise in implementing network-specific intrusion detection systems, you will never have to worry about a lack of OT knowledge again." – Christoph Rheinberger, Cybersecurity Analyst
Find the right platform for your network
Our platforms provide powerful and secure solutions for cyber security and digital asset surveillance. Compare our platforms RBX1, MBX2, and VBX1 and discover which one is the right fit for you!
RBX1 Permanently installed 19" platform
- Guaranteed to be cyber secure with crypto processor, secure boot and hard disk encryption.
- Multiple Ethernet interfaces for separate networks with timestamp support.
- Powerful and robust: 4 cores, 450 GB memory, 16 GB RAM.
- Temperature resistant, tested 19" platform with no moving parts.
- Secure I/O, hardware failures are reported immediately (via watchdog contact).
MBX2 Mobile and DIN rail mountable platform
- Powerful quad-core processor for complex plant applications and system visualization.
- 4 SFP slots for secure fiber and Ethernet connections to SAS network segments.
- PC isolation, easy IP address configuration for IED simulation.
- Crypto processor and hard drive encryption for maximum system security during testing.
- Can also be permanently installed on a DIN rail.
VBX1 Virtualized platform
- Virtualized platform for the StationGuard sensor.
- Deployment on existing substation and control center computing platforms.
- Rapid installation and maintenance.
- Easy backup and recovery.
About StationGuard and GridOps Features
How does OMICRON ensure that the IDS does not impact the availability of my assets?
StationGuard is a passive IDS that does not interact with your equipment. The connection via mirror ports (also known as SPAN ports) ensures that the IDS cannot send any packets into the network.
Does the StationGuard solution provide real-time alerts and notifications? Can it automatically respond to detected threats?
All events and alerts detected by StationGuard are immediately reported in the StationGuard and GridOps user interfaces, logged on the sensors along with forensic evidence, and routed. In addition, your staff can be separately notified of events and alerts via email according to your reporting and escalation paths.
Because StationGuard is a passive IDS, it does not actively interfere with network traffic or execute commands or switching operations. However, automated processes that execute pre-programmed responses can be implemented on top of it (e.g., via a SIEM system). This would allow a SIEM or SOAR system, for example, to automatically activate firewall rules that block the IP addresses in question after a StationGuard alert.
Can I integrate the StationGuard IDS with my Active Directory or LDAP system?
Yes, LDAP/Active Directory integration can be managed and configured through the GridOps central management system.
How are users and permissions managed? Can I manage roles and permissions myself?
To ensure secure access to your StationGuard instances, you can define different roles and access rights via our central management system GridOps. For example, you can specify that only authorized personnel can make configuration changes or enter maintenance mode. With Role-Based Access Control (RBAC), threats can be reduced and even eliminated.
How exactly does vulnerability management or the vulnerability database help me?
GridOps has a vulnerability database that monitors all your assets or resources live for vulnerabilities. This database contains all security advisories published by device vendors for each asset. GridOps has a built-in device database that can identify sub-components, plug-in cards, and their firmware versions to provide the most accurate vulnerability management for protection and control devices.
With our built-in vulnerability management, GridOps:
- shows you which of your protection and automation devices are affected by a disclosed vulnerability (CVE or security advisory),
- automatically assesses their criticality based on CVSS, and
- shows you remediation options, such as a firmware update or configuration advisories.
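As an added illustration of the matching step described above (example code, not OMICRON's or GridOps' own implementation), this Python prototype filters a list of advisories down to those that apply to an inventory by exact device type, firmware version range and fitted module, notes whether the affected service is actually exposed, and orders the result by CVSS. All asset names, device types and advisory IDs are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.10.4' -> (2, 10, 4), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    device_type: str                        # identified from fingerprint / engineering files
    firmware: str
    modules: FrozenSet[str] = frozenset()   # plug-in cards and sub-components
    services: FrozenSet[str] = frozenset()  # services actually observed on the network


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    device_type: str
    affected_from: str                      # inclusive lower bound
    fixed_in: str                           # exclusive: this firmware and later are patched
    cvss: float
    required_module: Optional[str] = None   # only affected when this module is fitted
    affected_service: Optional[str] = None  # service that must be reachable to matter
    remediation: str = ""


def cvss_severity(score: float) -> str:
    """Qualitative rating bands of CVSS v3.x."""
    for limit, name in ((0.1, "None"), (4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < limit:
            return name
    return "Critical"


def affects(asset: Asset, adv: Advisory) -> bool:
    """Exact device type, firmware inside the affected range, and required module fitted."""
    if asset.device_type != adv.device_type:
        return False
    fw = parse_version(asset.firmware)
    if not parse_version(adv.affected_from) <= fw < parse_version(adv.fixed_in):
        return False
    return not adv.required_module or adv.required_module in asset.modules


def relevant_findings(assets: List[Asset], advisories: List[Advisory]) -> List[Dict]:
    """Only advisories that match the inventory, most critical first, exposure noted."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not affects(asset, adv):
                continue
            exposed = adv.affected_service is None or adv.affected_service in asset.services
            findings.append({"asset": asset.name, "advisory": adv.advisory_id,
                             "cvss": adv.cvss, "severity": cvss_severity(adv.cvss),
                             "service_exposed": exposed, "remediation": adv.remediation})
    # highest CVSS first; among equals, exposed services before dormant ones
    findings.sort(key=lambda f: (-f["cvss"], not f["service_exposed"], f["asset"]))
    return findings


# Constructed inventory and advisories: device types and IDs are placeholders, not real products.
ASSETS = [
    Asset("IED-A", "ProtRelay-X", "2.3.1", frozenset({"COM-ETH"}), frozenset({"mms", "http"})),
    Asset("IED-B", "ProtRelay-X", "2.5.0", frozenset({"COM-ETH"}), frozenset({"mms", "http"})),
    Asset("IED-C", "ProtRelay-X", "2.3.1", frozenset(), frozenset({"mms"})),
    Asset("RTU-1", "RTU-Y", "1.0.2", frozenset(), frozenset({"iec104"})),
]
ADVISORIES = [
    Advisory("ADV-0001", "ProtRelay-X", "2.0.0", "2.4.0", 9.8, required_module="COM-ETH",
             affected_service="http", remediation="update firmware to 2.4.0 or later"),
    Advisory("ADV-0002", "ProtRelay-X", "1.0.0", "3.0.0", 5.3, affected_service="telnet",
             remediation="disable Telnet in the device configuration"),
    Advisory("ADV-0003", "RTU-Y", "1.0.0", "1.1.0", 7.5, affected_service="iec104",
             remediation="update firmware to 1.1.0"),
]


def run_example() -> List[Dict]:
    return relevant_findings(ASSETS, ADVISORIES)
```

Note how IED-B drops out of ADV-0001 because its firmware is already at the fixed version, and IED-C because the vulnerable module is not fitted, while ADV-0002 still matches all three relays but is flagged as not exposed since none of them runs Telnet.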
What is “DPI” and which protocols are supported?
For IT and OT protocols, our attack detection system includes advanced and effective anomaly detection based on our integrated Deep Packet Inspection (DPI) to protect against cyber-attacks at an early stage. We perform a detailed analysis of transmitted data packets and their content on the network.
Supported OT protocols include IEC 61850 MMS, GOOSE, IEC 62439-3 PRP and HSR (with RedBox), IEC 60870-5-104; DNP3; Modbus TCP; IEC 62056 (DLMS/COSEM); IEEE C37.118 (Synchrophasor); IEEE 1703-2012 / ANSI C12.22 (AMI Protocol); IEC 60870-6 (ICCP/TASE.2 - UCA 2.0); SIEMENS S7; EtherCAT; Profinet; etc.
Supported IT protocols include FTP; HTTP; HTTPS (without decryption, but with application detection); RDP; NTP; NetBIOS (Windows File Sharing); ARP; DHCP; MySQL; MSSQL; PostgreSQL; SSH (without decryption, but with application detection); Telnet; ICMP / ICMPv6; RIPv2; SSDP; MDNS; etc.
What is “Functional Monitoring”?
An additional feature of our StationGuard intrusion detection system is the integrated functional monitoring of the plant network. This allows you to monitor not only cybersecurity parameters, but also the proper operation of your automation systems and networks to detect deviations from the target state of the plant. This can include interoperability problems between devices, configuration errors, exceeded transmission times and failed time synchronization.
How does StationGuard attack detection work?
The key difference between StationGuard and other OT IDSs is how the baseline is created. StationGuard uses a whitelist mechanism, which could also be considered a baseline, but the point is how that baseline is created. With other IDSs, the baseline is learned from the traffic seen in, for example, the first two weeks. But you're not going to see everything that happens in the lifecycle of a substation during that time, and that causes too many false positives for these learning-based systems. StationGuard instead takes advantage of the system's specification by importing project files, such as the IEC 61850 SCL format. By importing the project files and then manually specifying the device roles, StationGuard knows the purpose of each device and the functions and traffic that will occur. From there, StationGuard can establish the baseline. This results in far fewer false alarms than the learning approach.
Substation IEDs are taken out for maintenance once every three to five years. How does the field team need to coordinate with the cyber team?
That's a common problem we see: when you go into a substation and do maintenance, you're likely to trigger a lot of cybersecurity alarms, for example on the intrusion detection system. So it makes sense to tell the intrusion detection system that maintenance is going on. We also see that maintenance is much more frequent than every three to five years, because there are many occasions when somebody does something in the substation, so those alerts are more frequent than you might think. That is why StationGuard has a maintenance mode, where you tell the IDS that there is maintenance going on in the substation, and then, and only then, additional activities are allowed for the maintenance teams. Not everything, but certain maintenance activities, such as accessing web interfaces and using engineering protocols. During the rest of the time this activity is forbidden. Because of that, you have high detection accuracy during normal operation and still low false alarms during maintenance.
Is StationGuard linked to any threat intelligence source?
Yes. Threat intelligence for this deep OT space is somewhat different from threat intelligence for IT. There are very few exploits known specifically for these OT devices and their vulnerabilities, but there are many known vulnerabilities. So what we provide is a vulnerability database tailored specifically for these devices, with device type matching implemented for all of the OT devices in the power grid, so we can provide the vulnerabilities that you need to look out for. The other threat intelligence source is our detection engine and its updates: we have a wide range of detection capabilities in the detection engine, and we provide continuous threat intelligence updates in the form of detection engine updates to all of our StationGuard sensors in the field.
Is it possible for attacks to originate from GOOSE? If so, how do you deal with them?
For GOOSE, there's the IEC 62351 standard to enable GOOSE security, and the most important thing there is to add authentication to GOOSE messages, so that you know who sent them and nobody can tamper with them. However, IEC 62351 is not yet widely used in substations. There are very few utilities using it, maybe in pilot projects, so the technology is not there yet for widespread use. To that end, StationGuard has implemented over 35 different checks for the GOOSE protocol, because there is a wide range of possible attacks: GOOSE is based on multicast, and basically anybody can send a GOOSE message that fits in. So there are all kinds of patterns of how to spoof GOOSE messages and disrupt GOOSE communication, and this can also be done in a sneaky way. StationGuard can detect all of them.
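To make the kind of GOOSE plausibility check described above concrete, here is an added Python example; it is not StationGuard's detection engine (which is not public) but applies the stNum/sqNum, timestamp and timeAllowedToLive rules of IEC 61850-8-1 to a constructed stream and allowlists the expected publisher per gocbRef. The control block reference, MAC addresses and message values are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class GooseMsg:
    """Fields of one decoded GOOSE APDU that the checks below need."""
    src_mac: str
    gocb_ref: str
    st_num: int     # incremented by the publisher on every data-set change
    sq_num: int     # incremented per retransmission, reset to 0 on a state change
    tal_ms: int     # timeAllowedToLive: the next message is due within this many ms
    t: float        # publisher's timestamp of the last state change
    arrival: float  # local receive time, seconds


class GooseMonitor:
    """Plausibility checks on a GOOSE stream; the expected publisher MAC per gocbRef is allowlisted."""

    def __init__(self, publishers: Dict[str, str]):
        self.publishers = publishers        # gocbRef -> expected source MAC
        self.last: Dict[str, GooseMsg] = {}

    def check(self, m: GooseMsg) -> List[str]:
        expected_mac = self.publishers.get(m.gocb_ref)
        if expected_mac is None:
            return ["unknown_gocb"]
        if m.src_mac != expected_mac:
            return ["unexpected_publisher"]     # spoof candidate; tracked state is not updated
        prev = self.last.get(m.gocb_ref)
        if prev is None:
            self.last[m.gocb_ref] = m           # first message seen for this control block
            return []
        alerts: List[str] = []
        if m.arrival - prev.arrival > prev.tal_ms / 1000.0:
            alerts.append("tal_expired")        # publisher was silent longer than it promised
        if m.st_num < prev.st_num:
            return alerts + ["stnum_rollback"]  # replayed or injected stale state; not accepted
        if m.st_num == prev.st_num:
            if m.sq_num != prev.sq_num + 1:     # (sqNum wrap-around at 2**32 ignored here)
                alerts.append("sqnum_gap")      # lost, duplicated or injected retransmission
            if m.t != prev.t:
                alerts.append("t_changed_without_state_change")
        else:
            if m.sq_num != 0:
                alerts.append("sqnum_not_reset")
            if m.t <= prev.t:
                alerts.append("t_not_updated")  # a new state must carry a newer timestamp
            if m.st_num > prev.st_num + 1:
                alerts.append("stnum_jump")     # state changes were missed on the wire
        self.last[m.gocb_ref] = m
        return alerts

    def run(self, stream: List[GooseMsg]) -> List[Tuple[int, str]]:
        """Returns (message index, alert) pairs for the whole stream."""
        out: List[Tuple[int, str]] = []
        for i, m in enumerate(stream):
            out += [(i, a) for a in self.check(m)]
        return out


GCB = "IED1/LLN0$GO$gcb1"   # constructed control block reference
MAC = "00:11:22:33:44:01"   # constructed legitimate publisher MAC


def sample_stream() -> List[GooseMsg]:
    """Constructed stream: normal retransmissions with a few anomalies mixed in."""
    def msg(mac, st, sq, t, arrival, tal=2000):
        return GooseMsg(mac, GCB, st, sq, tal, t, arrival)
    return [
        msg(MAC, 5, 0, 100.000, 100.000),                  # 0: first message seen
        msg(MAC, 5, 1, 100.000, 100.002),                  # 1: retransmission
        msg(MAC, 5, 2, 100.000, 100.006),                  # 2
        msg(MAC, 6, 0, 100.020, 100.020),                  # 3: genuine state change
        msg(MAC, 6, 1, 100.020, 100.022),                  # 4
        msg("00:11:22:33:44:99", 7, 0, 100.030, 100.030),  # 5: foreign source MAC
        msg(MAC, 3, 0, 99.000, 100.040),                   # 6: stale state replayed
        msg(MAC, 6, 2, 100.020, 100.050),                  # 7: legitimate stream resumes
        msg(MAC, 6, 5, 100.020, 100.060),                  # 8: sqNum jumps 2 -> 5
        msg(MAC, 6, 6, 100.020, 103.000),                  # 9: later than timeAllowedToLive
        msg(MAC, 7, 4, 100.070, 103.001),                  # 10: state change, sqNum not reset
    ]


def run_example() -> List[Tuple[int, str]]:
    return GooseMonitor({GCB: MAC}).run(sample_stream())
```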
Substations have both critical and non-critical substation automation systems. How does your solution separate and protect these systems based on their criticality?
In SAS communications, all devices use OT protocols, and we classify them based on their role and the function of the device. StationGuard then knows their behavior and watches closely what they do. For these protocols, StationGuard can really identify the activity, so it can decide which device is allowed to control a breaker and which other device is only allowed to send simple setting commands, for example. Both are sending commands over OT protocols, but what they are controlling is completely different, and StationGuard can distinguish that. Other things like IP cameras or CCTV also have their device role: they are only supposed to communicate with their own protocols and are not allowed to use any of the critical, controllable OT protocols. That's how it separates the devices from each other, and even by their criticality. For RTUs, it can also separate, for example, read-only RTUs from controlling RTUs, so you can separate the criticality there as well.
How does StationGuard manage the updates and replacement of equipment within substations, given that its approach to handling anomalies is based on establishing a baseline of permitted devices and communications?
Of course, if you just plug in your equipment, this will trigger unknown-device alarms because there's suddenly a new device that shouldn't be there. But what you can do is simply accept that device and assign a role to it. You can even reuse the role that you had for the previous device there, and it will work seamlessly. Then you can delete the old device once you have removed it from the system. Another option is to simply drop in the new version of the project's IEC 61850 SCD file, and StationGuard will update all the devices based on it.
Which protocols does StationGuard support in terms of IEC 61850?
I would say all of them. We have very deep support for the MMS and GOOSE protocols, and Sampled Values is also supported. Along the same lines, not directly IEC 61850 but related, are the redundancy protocols HSR and PRP, which are also supported. The time synchronization protocols PTP and NTP are also related to 61850, though not directly part of the standard series, and are supported as well. And of course the SCADA communication protocols, IEC 60870-5-104 and DNP3, are implemented very deeply. For -104, for example, we also differentiate the criticality of what is being done and what is being controlled (is it a breaker or not), as we do for all of these protocols.
How can StationGuard be patched when it is running on site with no remote access?
StationGuard can be updated as soon as you have a connection (remote or local) to it.
How do you patch a legacy system that has high-severity vulnerabilities?
Implementing patches in any operational technology (OT) system requires a thorough risk assessment. Patching is not always necessary; alternative mitigation strategies can often serve as a substitute for direct patching. If patching is deemed necessary, it is advisable to first apply these patches to identical assets in a controlled laboratory environment to ensure that the integrity of their configuration remains intact. It is then essential to temporarily suspend operations within the OT network to prevent any unforeseen disruptions that may occur during the patching process. This suspension can either be a pre-planned operational downtime or it can be performed during an unforeseen business interruption. Temporarily suspending operations provides an opportunity to perform extensive testing of the configuration of your assets to confirm their operational safety. A practical example of such a suspension could be the de-energizing of an electrical substation to ensure a safe environment for patch implementation.
What are the advantages of using StationGuard on a standard network over using SDN, which has inherent deny-by-default?
We have done some studies with SDN switches from SEL and found many advantages of using SDN together with StationGuard. SDN switches have dedicated mirror ports that can be used by StationGuard. StationGuard then verifies the security of the traffic allowed through the SDN switch, for example by checking the integrity of the protocols and detecting any spoofed connections. The configuration of the SDN can also be verified by StationGuard: if some traffic is allowed by mistake, StationGuard will detect it. Configuration verification can also be done the other way round.
How do you update the whitelisting rules for protocols, given that these rules could be evolving?
We provide software releases twice a year. We have many other testing solutions that are used in OT networks with OT protocols. This side of our business gives us the knowledge of the patterns used in OT protocols, which then allows us to create the allow list rules.
Does StationGuard integrate any identity and access management?
I am not clear on this question, but to give an answer as I understand it: StationGuard supports Active Directory and RBAC.
Will StationGuard be able to detect non-IEC 61850 traffic, like configuration traffic that uses other protocols, and will it be able to create a baseline for that? The same applies to FTP or HTTPS between an HMI client and server, etc.
Yes, StationGuard is not IEC 61850 protocol dependent. It supports more than 300 IT protocols and more than 30 OT protocols. FTP, HTTPS are also supported.
Is a SIEM integrated in StationGuard? If so, how does it retrieve security logs to implement WORM?
StationGuard is not a SIEM solution. StationGuard provides its logs to a SIEM solution via syslog.
Can StationGuard deal with serial protocols (IEC 60870-5-103)?
If it is mapped to TCP/IP, yes.
Will StationGuard support IoT devices?
The question is not clear here, but StationGuard will detect the traffic coming from IoT devices if they are in a monitored zone.
Which protocols can be analyzed by StationGuard?
With our extensive deep packet inspection list, we are proud to support over 300 IT protocols and over 30 OT protocols. This comprehensive coverage allows us to effectively monitor and analyze diverse OT environments, ensuring robust security and operational insight across diverse infrastructures.
What is the difference between the allow list approach of StationGuard and the creation of a baseline?
StationGuard uses a model-based approach rather than a learning-based approach to baseline creation. With StationGuard, users manually define the system model by adding inputs through predefined rule sets and function sets. This differs from the learning-based approach, where the IDS system listens to the network over a period of time to establish a baseline of normal communications. The key difference lies in the verification process: while the learning-based approach requires ongoing verification of network activity, StationGuard users verify and configure everything into the system model up front, allowing for more targeted detection of anomalies after the fact. This approach gives users greater control and confidence in identifying potential threats on their network. But it is of course possible to train the system further on the basis of this safe initial state.
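An added Python sketch (not StationGuard's own implementation) of the model-based allowlist described here and in the answers on device roles and maintenance mode above: IED addresses are read from a constructed SCL excerpt, roles are assigned manually, and each observed flow is judged only against what the two endpoint roles permit, with engineering activity permitted solely while maintenance mode is active. The role definitions, addresses and flows are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Activity = Tuple[str, str]  # (protocol, action), e.g. ("mms", "control")
SCL_NS = "{http://www.iec.ch/61850/2003/SCL}"

# Constructed, minimal SCL excerpt; only the Communication section is needed here.
SCL_SAMPLE = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Communication>
 <SubNetwork name="StationBus">
  <ConnectedAP iedName="IED1" apName="AP1"><Address><P type="IP">10.0.0.11</P></Address></ConnectedAP>
  <ConnectedAP iedName="IED2" apName="AP1"><Address><P type="IP">10.0.0.12</P></Address></ConnectedAP>
  <ConnectedAP iedName="RTU_C" apName="AP1"><Address><P type="IP">10.0.0.21</P></Address></ConnectedAP>
  <ConnectedAP iedName="RTU_R" apName="AP1"><Address><P type="IP">10.0.0.22</P></Address></ConnectedAP>
 </SubNetwork></Communication></SCL>"""


@dataclass(frozen=True)
class Role:
    may_send: FrozenSet[Activity] = frozenset()
    may_receive: FrozenSet[Activity] = frozenset()
    maintenance_send: FrozenSet[Activity] = frozenset()  # permitted only in maintenance mode


def ied_addresses(scl_xml: str) -> Dict[str, str]:
    """IP address -> IED name, taken from the SCL Communication section."""
    root = ET.fromstring(scl_xml)
    out: Dict[str, str] = {}
    for ap in root.iter(SCL_NS + "ConnectedAP"):
        for p in ap.iter(SCL_NS + "P"):
            if p.get("type") == "IP":
                out[p.text.strip()] = ap.get("iedName")
    return out


class AllowlistModel:
    """Model-based allowlist: a flow passes only if both endpoints are known and their
    roles permit the (protocol, action) pair. Nothing is learned from traffic."""

    def __init__(self, roles: Dict[str, Role], device_roles: Dict[str, str]):
        self.roles = roles                # role name -> Role
        self.device_roles = device_roles  # device address -> role name
        self.maintenance = False          # toggled by the operator, never by traffic

    def evaluate(self, src: str, dst: str, protocol: str, action: str) -> Tuple[bool, str]:
        act = (protocol, action)
        for dev in (src, dst):
            if dev not in self.device_roles:  # unregistered device, even during maintenance
                return False, f"unknown_device:{dev}"
        src_role = self.roles[self.device_roles[src]]
        dst_role = self.roles[self.device_roles[dst]]
        if act not in dst_role.may_receive:
            return False, f"dst_not_allowed:{dst}:{protocol}/{action}"
        if act in src_role.may_send:
            return True, "allowed"
        if act in src_role.maintenance_send:
            if self.maintenance:
                return True, "allowed_in_maintenance"
            return False, f"maintenance_only:{src}:{protocol}/{action}"
        return False, f"src_not_allowed:{src}:{protocol}/{action}"


def build_model() -> AllowlistModel:
    """Hypothetical roles; in practice they come from the operator's engineering knowledge."""
    ied_rx = frozenset({("goose", "publish"), ("mms", "read"), ("mms", "control"),
                        ("mms", "write_settings"), ("http", "get")})
    roles = {
        "protection_ied": Role(frozenset({("goose", "publish"), ("mms", "report")}), ied_rx),
        "rtu_control": Role(frozenset({("mms", "read"), ("mms", "control")}),
                            frozenset({("mms", "report")})),
        "rtu_readonly": Role(frozenset({("mms", "read")}), frozenset({("mms", "report")})),
        "cctv": Role(may_send=frozenset({("rtsp", "stream")})),
        "video_server": Role(may_receive=frozenset({("rtsp", "stream")})),
        # engineering PC registered in advance; engineering access only during maintenance
        "engineering_pc": Role(maintenance_send=frozenset({("mms", "write_settings"),
                                                           ("http", "get")})),
    }
    scl_roles = {"IED1": "protection_ied", "IED2": "protection_ied",
                 "RTU_C": "rtu_control", "RTU_R": "rtu_readonly"}  # assigned manually
    device_roles = {ip: scl_roles[name] for ip, name in ied_addresses(SCL_SAMPLE).items()}
    device_roles.update({"10.0.0.31": "cctv", "10.0.0.32": "video_server",
                         "10.0.0.50": "engineering_pc"})  # devices not in the SCL file
    return AllowlistModel(roles, device_roles)


def run_example() -> List[str]:
    """Judge constructed flows; returns the verdict reason for each one, in order."""
    m = build_model()
    normal = [("10.0.0.11", "10.0.0.12", "goose", "publish"),       # IED1 -> IED2
              ("10.0.0.21", "10.0.0.11", "mms", "control"),         # controlling RTU
              ("10.0.0.22", "10.0.0.11", "mms", "control"),         # read-only RTU tries control
              ("10.0.0.31", "10.0.0.32", "rtsp", "stream"),         # camera to video server
              ("10.0.0.31", "10.0.0.12", "mms", "read"),            # camera speaking MMS
              ("10.0.0.50", "10.0.0.11", "mms", "write_settings")]  # engineering PC, no maintenance
    results = [m.evaluate(*f)[1] for f in normal]
    m.maintenance = True
    during = [("10.0.0.50", "10.0.0.11", "mms", "write_settings"),  # now permitted
              ("10.0.0.99", "10.0.0.11", "http", "get"),            # unregistered laptop
              ("10.0.0.50", "10.0.0.11", "mms", "control")]         # never permitted
    return results + [m.evaluate(*f)[1] for f in during]
```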
Does StationGuard have active components or does it only use passive monitoring of network traffic?
StationGuard uses multiple methods for system monitoring and asset inventory, providing both passive and active monitoring capabilities.
- Passive monitoring: StationGuard passively monitors the system without interfering with network communications. This approach allows for non-intrusive observation of network activity, providing insight into system behavior and potential threats.
- Active polling: StationGuard uses active components to poll devices on the network. This querying is not intended to block traffic, but rather to retrieve live name plate information from devices. By actively querying devices, StationGuard enriches its asset inventory with real-time data, improving visibility and understanding of the network environment.
By leveraging both passive monitoring and active discovery, StationGuard provides a comprehensive approach to system monitoring and asset inventory management, ensuring thorough visibility and effective threat detection without disrupting network operations.
If the OT protocol traffic within the network is encrypted, can StationGuard still analyze it?
StationGuard can classify encrypted protocols based on information available in the packet headers, allowing identification even when traffic is encrypted. However, StationGuard does not currently decrypt traffic to obtain protocol details. This decision is based on the rarity of encrypted protocols in OT environments, particularly in power grids, and the associated complexities, such as troubleshooting difficulties. Because there hasn't been significant customer demand for decrypting encrypted traffic, StationGuard has not yet implemented this functionality. However, StationGuard can still classify protocols even if they are encrypted, since protocol information is often available on the network despite the encryption.
What are typical guidelines for locating a StationGuard sensor? And does it require an out-of-band network or port mapping on L2 switches?
It's important to recognize that the effectiveness of StationGuard sensors is highly dependent on environmental conditions. A best practice is to monitor as many networks as possible to ensure comprehensive coverage. In local OT networks, it is critical to focus on monitoring the main switches, as these switches carry the communication between the main DCS/SCADA or local SCADA and the servers. Leveraging the mirroring option of the switches, which is commonly supported, allows for efficient monitoring of network traffic. In addition, when monitoring external connections that pass through a router, mirroring the traffic behind the router allows monitoring of incoming and outgoing traffic at the station. It's important to note, however, that the implementation of these practices should be tailored to the specific environment, as effectiveness may vary based on unique network configurations and conditions.
Can StationGuard analyze proprietary protocols?
StationGuard classifies the protocol and verifies the integrity of the protocol to ensure it conforms to expected standards and behavior.
About the integration of OMICRON's solution
Does StationGuard require a setup period/learning period?
OMICRON has developed a novel Allowlist approach based on its many years of expertise in the field of power analysis. In contrast to conventional signature- or learning-based IDS approaches, this approach enables our StationGuard IDS to be used immediately without a learning period and with improved detection of security-relevant events and faults. The typical commissioning time for StationGuard is 1-3 hours per plant network. After this time, StationGuard is fully parameterized and ready for use without any additional training time.
How easy is it to configure and manage the StationGuard solution? How much IT expertise is required?
StationGuard has been designed from the ground up to allow plant operators to operate and configure the intrusion detection system. The training required can be estimated to be as little as one day. StationGuard's built-in knowledge of the system gives it the advantage of requiring little system or IT knowledge from the operators themselves. However, our experts are always available on site or by phone for planning and configuration.
How does OMICRON support me with the integration, installation, and configuration of the IDS?
To ensure a smooth and optimal start of the StationGuard IDS, we support you with our best practice approach. To this end, we first discuss your deployment and application requirements, as well as the structural design of your operator's plant. Our staff will then perform the user-specific pre-configuration of your StationGuard. Installation and integration are carried out by our expert staff at your site.
If desired, we can work with your staff to perform a security assessment of your OT networks and systems.
How does an IDS solution integrate with other security tools and systems in my organization's security infrastructure?
StationGuard and GridOps can easily connect to SIEM and ticketing systems (such as Splunk, FortiSIEM or ServiceNow) via built-in plug-ins. Our easy-to-understand alerts can also be forwarded via the Syslog protocol.
Asset data, e.g., from OMICRON ADMO or ERP systems, can be imported into StationGuard to complete the asset information. By exporting the asset list from StationGuard to ticketing systems, you can easily update, reconcile, and document your asset inventory.
Integration with ticketing systems allows you to automatically create tickets to handle IDS alerts. Tickets can also be automatically assigned to the employee(s) responsible for the asset or location through an imported asset directory.
How can I protect myself from attacks during commissioning, testing, and maintenance?
To protect against cyber-attacks during testing or maintenance of your equipment, we support you with a specially developed "maintenance mode". This can be quickly and easily enabled or disabled via StationGuard. To ensure that no false alarms are triggered even when authorized tasks are being performed, the engineering PCs and test equipment used can be registered in advance in StationGuard. This method can also be used to monitor the activities of service providers during commissioning. This flexible approach allows StationGuard to monitor assets prior to factory acceptance.