OT exposed: what OMICRON's passive IDS reveals in substation networks

Published · 5 min read

A study by OMICRON, based on actual deployments of its intrusion detection system (IDS) in more than one hundred facilities, reveals that the operational technology (OT) networks of substations, plants and control centres still carry weaknesses that leave them exposed. After connecting passive sensors to PAC (protection, automation and control) networks, the teams identified critical problems within minutes in many cases: unpatched devices, unexpected external connections, poor segmentation and incomplete asset catalogues that make it difficult to know what is really on the network.

The nature of electrical systems explains why network-level detection is essential. Many industrial automation devices do not run conventional operating systems and therefore cannot host standard security agents. For that reason, standards and frameworks such as the NIST Cybersecurity Framework recommend network-based detection capabilities for industrial environments (NIST), and sectoral standards such as IEC 62443 define controls specific to OT (see the general explanation in ISA/IEC 62443).

[Image generated with AI.]

The methodology used in the analysis combines passive monitoring, through mirror ports or TAPs and probes that observe traffic without interfering with communications, with active queries when the protocol allows them. In addition, the use of standardized descriptors such as IEC 61850 SCL files, and of MMS to retrieve "nameplate" data, makes it possible to build device inventories automatically and to identify firmware, manufacturer and model. This mix of techniques helps close the well-known "visibility gap" in which many operators remain trapped (IEC 61850 - overview).

Recurrent technical findings include PAC equipment running obsolete firmware with known vulnerabilities; a documented example is CVE-2015-5374, which allows denial-of-service conditions in protection relays via UDP packets and for which patches have been available for years (CVE detail). Unsafe services that should not be active were also found, from Windows file sharing to PLC debugging functions, as well as unauthorized external TCP/IP connections that in some locations amounted to dozens of persistent destinations. The most worrying finding was the frequency of "flat network" architectures, where hundreds of devices communicate without clear barriers, dramatically increasing the scope of any incident.

The deployments did not only expose cybersecurity risks: operational problems affecting the availability and integrity of communications also emerged. VLAN misconfigurations and inconsistent tagging of GOOSE messages, mismatches between TU and SCD descriptions that block SCADA updates, time synchronization errors, and loops or misconfigurations in redundant switches are examples of how functional fragility can amplify the impact of an intrusion.

The human and organizational factor also weighs heavily. OMICRON frequently found diffuse responsibility between IT and OT teams, a lack of personnel dedicated to industrial security, and budgetary constraints that slow the implementation of controls. When OT security is managed as an extension of IT without adapting processes and roles, the measures taken often fall short of the specific requirements of the energy sector.

One of the practical advantages of a passive IDS in these environments is its ability to provide a visual representation of traffic, generate asset inventories automatically and identify unnecessary connections or services. This makes it easier to prioritize patches and controls without touching equipment in production, minimizing the risk of causing outages. Tools that understand industrial protocols (IEC 104, MMS, GOOSE, etc.) can also detect deviations from expected behaviour through allowlists and known signatures, which improves early detection.
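The two capabilities described above (an inventory built from IEC 61850 SCL descriptors, and allowlist-based detection of unexpected services and external connections over passively observed traffic) can be sketched in a few lines of Python. The following is an added example for this article, not OMICRON's code or StationGuard logic: the SCD fragment, the station subnet, the list of permitted TCP services and the flow records are all constructed for the illustration, while the SCL namespace and the ports 102 (MMS) and 2404 (IEC 60870-5-104) are the real ones.

```python
import ipaddress
import xml.etree.ElementTree as ET

# IEC 61850 SCL default namespace (real); the SCD fragment below is constructed
# for this example and is not taken from the article or any vendor.
SCL_NS = "{http://www.iec.ch/61850/2003/SCL}"

SAMPLE_SCD = """
<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT_F1" apName="P1">
        <Address><P type="IP">10.10.0.11</P><P type="IP-SUBNET">255.255.255.0</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="PROT_F2" apName="P1">
        <Address><P type="IP">10.10.0.12</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="GW1" apName="P1">
        <Address><P type="IP">10.10.0.20</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_F1" manufacturer="ExampleVendor" type="RelayModelX" configVersion="1.2"/>
  <IED name="PROT_F2" manufacturer="ExampleVendor" type="RelayModelX" configVersion="1.2"/>
  <IED name="GW1" manufacturer="ExampleVendor" type="GatewayModelY" configVersion="3.0"/>
</SCL>
"""

# Assumed site baseline: the substation LAN and the only TCP services that
# should be reachable on it (102 = MMS over ISO-TSAP, 2404 = IEC 60870-5-104).
SUBSTATION_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_TCP_SERVICES = {102, 2404}

# Constructed flow records as a passive sensor would summarise them:
# (source IP, destination IP, transport protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.0.11", "10.10.0.12", "tcp", 102),   # MMS between documented relays
    ("10.10.0.20", "10.10.0.11", "tcp", 2404),  # gateway polling via IEC 104
    ("10.10.0.11", "10.10.0.12", "tcp", 445),   # SMB file sharing on the station bus
    ("10.10.0.12", "203.0.113.5", "tcp", 443),  # outbound connection to an external host
    ("10.10.0.99", "10.10.0.11", "tcp", 102),   # MMS client that the SCD does not describe
]


def inventory_from_scl(scl_text):
    """Build {IED name: {manufacturer, type, config_version, ip}} from an SCD/SCL document."""
    root = ET.fromstring(scl_text.strip())
    inventory = {}
    for ied in root.iter(SCL_NS + "IED"):
        inventory[ied.get("name")] = {
            "manufacturer": ied.get("manufacturer"),
            "type": ied.get("type"),
            "config_version": ied.get("configVersion"),
            "ip": None,
        }
    # The Communication section ties each access point back to its IED by name.
    for ap in root.iter(SCL_NS + "ConnectedAP"):
        entry = inventory.get(ap.get("iedName"))
        if entry is None:
            continue
        for p in ap.iter(SCL_NS + "P"):
            if p.get("type") == "IP" and p.text:
                entry["ip"] = p.text.strip()
    return inventory


def analyse_flows(flows, inventory):
    """Compare observed flows with the documented inventory and the service baseline."""
    documented_ips = {e["ip"] for e in inventory.values() if e["ip"]}
    findings = []
    reported_unknown = set()
    for src, dst, proto, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Hosts on the station LAN that the SCD never mentions: an inventory gap.
        for ip in (src_ip, dst_ip):
            if ip in SUBSTATION_NET and str(ip) not in documented_ips and ip not in reported_unknown:
                reported_unknown.add(ip)
                findings.append({"kind": "undocumented_asset", "ip": str(ip)})
        # Traffic leaving the substation network: an unexpected external connection.
        if dst_ip not in SUBSTATION_NET:
            findings.append({"kind": "external_connection", "src": src, "dst": dst, "port": port})
        # Internal traffic to a service outside the baseline: an unnecessary or unsafe service.
        elif proto == "tcp" and port not in ALLOWED_TCP_SERVICES:
            findings.append({"kind": "unexpected_service", "src": src, "dst": dst, "port": port})
    return findings


if __name__ == "__main__":
    inv = inventory_from_scl(SAMPLE_SCD)
    for name, entry in inv.items():
        print(f"{name:8} {entry['ip']:12} {entry['manufacturer']} {entry['type']} v{entry['config_version']}")
    for finding in analyse_flows(SAMPLE_FLOWS, inv):
        print(finding)
```

Run as a script it prints the three documented IEDs with their addresses and then three findings: SMB on port 445 between two relays, an outbound connection to 203.0.113.5, and an MMS client at 10.10.0.99 that the SCD does not describe. A real sensor would populate the flow records from mirrored traffic and enrich the inventory with MMS nameplate data; the comparison logic, documented assets versus observed hosts and a service allowlist versus observed ports, is the part this example isolates.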

Operators do not have to reinvent the wheel: there are public guides and resources that help design mature OT controls adapted to critical infrastructure. Agencies such as the United States Cybersecurity and Infrastructure Security Agency (CISA) issue guidelines for industrial control systems and incident management that are useful for prioritizing specific actions (CISA - ICS). In Europe, the European Union Agency for Cybersecurity (ENISA) has produced recommendations for protecting the energy sector from modern threats (ENISA - energy).

[Image generated with AI.]

If there is one clear lesson from the study, it is that the solutions must be OT-specific and complementary: automated inventories that reduce operational blindness, segmentation and access control that limit the blast radius, reviews of active services to close unnecessary doors, patching policies adapted to critical environments, and coordination routines between operations and security. It is not enough to transplant IT practices into OT without adaptation: convergence requires controls designed for availability and security at the same time.

The path is demanding but practical: deploying passive monitoring at strategic points, prioritizing vulnerable assets, closing unjustified external connections and fixing the functional errors detected (VLAN, synchronization, redundancy) usually bring rapid improvements in resilience. In addition, forming mixed IT-OT teams and assigning clear OT security roles are equally decisive organizational changes.

OMICRON's study shows that many electrical infrastructures continue to accumulate risks that can be exploited with known techniques. Acting now, with specific visibility and controls, reduces systemic risk and protects both service continuity and public safety. For more information on the technological solutions used in these analyses, see the OMICRON StationGuard product page (OMICRON StationGuard) and the resources cited from NIST, CISA and ENISA to align with proven good practices.
