Hydropower companies play a vital role in providing electricity and energy solutions across wide regions. Any disruption to this industry would have far-reaching consequences, affecting both the economy and society and potentially causing environmental repercussions. As a result, the industry is now subject to regulatory requirements outlined in the NIS2 directive.

Preparing for the NIS2 Directive

The company is a power utility organization that runs large hydropower stations and small thermal power plants involved in the electricity value chain, being generation, transmission, distribution, and supply. The company operates across a wide geographic area with various distant power plants and has faced challenges with partial asset visibility of its assets throughout its operational environment. As Operators of Essential Services (OES), they have a responsibility to secure their complex operational environments and comply with the NIS2 security directive.

To ensure readiness and compliance, companies must proactively prepare for the directive's effective implementation by October 17, 2024. To achieve operational resilience in line with NIS2 guidelines, the company contacted OTORIO to conduct the following tasks:

• Discover and inventory the organization's operational technology (OT) assets across all stations and plants.
• Identify vulnerabilities and assess cyber security risks across the hydropower operational environment.
• Ensure compliance with NIS2 regulations to prevent major power outages and mitigate the financial impact of non-compliance.

OTORIO Customer Challenges

The company lacked asset visibility over its geographically spread hydropower stations and thermal power plants, leaving gaps in the coverage of remotely located systems. As a result, the company was unable to have a complete digital footprint of its operational environment, which is a crucial step in securing the supply chain as per NIS2 guidelines. It also experienced challenges with:

• Unclear and partial asset visibility, with limited details and poor context.
• Based on manual effort and managing the inventory with Excel spreadsheets.
• Multi-generation assets (OS from Win7 to Win10, ICS component lifetime of 10-15 years).
• Multiple vendors, including for security controls (different AV/EDR in each division - transmission, generation, distribution)
• An inability to prioritize risk effectively and efficiently
• Limited coverage and maintenance of remotely located systems
• Struggling to detect and respond to threats and lack of proactive OT security risk mitigation.

OTORIO's Solution

To strengthen the Hydropower company's OT security protection in their efforts for NIS2 Directive compliance, OTORIO’s cybersecurity experts deployed OTORIO's RAM² solution for continuous OT cyber risk assessment and management.

The RAM² solution successfully established a comprehensive OT asset inventory and network visibility by integrating with the company's multi-vendor, multi-generation industrial and security systems across generation, transmission, and distribution plants and substations.

RAM² improved asset information, accurately identified network configurations, and installed software using passive and safe active querying, integration with DCS, firewalls, EDRs, and log events analysis. This enabled precise mapping of OT-specific vulnerabilities, providing insights prioritized by the level of operational risk in alignment with business priorities. Security practitioners were then provided with clear mitigation guidance tailored to the needs of Hydropower operational environments.

Read the full case study to understand how OTORIO benefited the hydropower company and ensured optimal preparation for the NIS2 directive.