runZero Discovers all IP-Addressable Assets and Proves Active Scanning is Safe for Operational Technology in NREL/CECA Testing

As FBI Warns of Rising Cyber Threats in Renewable Energy Sector, runZero Demonstrates Effectiveness in Protecting Critical Infrastructure with No Impact on ICS Processes & OT Device Performance

AUSTIN, TEXAS — July 24, 2024 — The U.S. Department of Energy’s (DOE’s) National Renewable Energy Laboratory (NREL) has released a public report summarizing the outcomes of the second cohort of the Clean Energy Cybersecurity Accelerator (CECA) program. As previously announced, runZero, a leading provider of Cyber Asset Attack Surface Management (CAASM), was selected as the first of two participants from numerous applications for this rigorous months-long evaluation.

CECA Cohort 2 aims to bridge the gap between the widespread use of tools for monitoring information technology (IT) networks and the less common adoption of tools for actively monitoring operational technology (OT) systems. The solutions assessed by CECA aimed to identify risks that asset owners might miss due to incomplete visibility of systems or device configurations. The goal of these solutions is to improve the visibility of OT systems, illuminate OT networks and assets, and clarify any associated risks. Capabilities such as asset identification, attack surface enumeration, and configuration management can all help OT asset owners gain a better understanding of their overall risk posture.

CECA’s work comes at a critical time. On July 1, the FBI issued a warning about increasing cyber attacks in the renewable energy sector. They advise organizations to monitor network activity for any unusual or suspicious traffic and activity. In addition, they have recommended other critical measures to overcome cybersecurity challenges. The evaluation of the runZero Platform demonstrated its effectiveness in addressing the urgent cybersecurity challenges facing the modern electric grid, including the most recent FBI warning.

CECA concluded that runZero’s discovery methods significantly improve visibility into utility infrastructure with detection of all IP-addressable devices in the test environment. This was accomplished without impacting the performance of industrial control systems (ICS) assets or interfering with ongoing SCADA processes and communications. runZero leverages a unique combination of proprietary active scanning, novel passive discovery, and integrations to provide accurate, comprehensive visibility across IT, OT, and IoT environments, including delivering in-depth insights into potential risks and exposures that attackers could leverage.

According to the CECA report, runZero’s active scanning methods in the CECA test environment did not negatively impact system performance, challenging the widely held industry belief that active scanning inherently disrupts operations. The conclusion that active scanning in this environment proved safe with runZero is significant, opening the possibility of expanding scanning beyond traditional passive collection methods. CECA’s findings could be transformational for the energy industry since active scanning provides more comprehensive data about connected devices compared to passive discovery, giving security teams improved visibility to better secure ICS environments.

“runZero is thankful to DOE and NREL for the chance to showcase the effectiveness of our CAASM solution. The tests confirm that the runZero Platform and our unique combination of active scanning and native passive discovery provide advanced visibility into assets – both managed and unmanaged – without disrupting normal business operations. This serves as a crucial deterrent against external attacks,” said Rob King, director of research at runZero.

Evaluation Criteria and Key Results for the runZero Platform

The evaluation plan outlined four scenarios to examine different aspects of the solution: initial discovery, change discovery, passive discovery, and scale discovery. Each scenario involved a scientific and repeatable set of procedures and data collection methods. The runZero Platform demonstrated the following key capabilities:

• Accurately identified all IP-addressable assets in the environment and collected detailed information about each identified device and all open ports, including the ability to detect OT protocols like Modbus.

• Identified and alerted on the introduction of new devices and changes to existing devices in the environment.

• Built an accurate inventory of assets through proprietary active scanning and passive traffic sampling, discovering all IP-addressable IT and OT assets.

Cybersecurity is a complex and shifting field full of unique challenges. Threats, risks, architectures, and technologies will continue to evolve as the energy sector undergoes significant transformations. Innovation of solutions should be enabled to evolve as well. Using solutions such as those offered by runZero to identify control system assets and to monitor changes in that equipment is expected to improve the security of the industry as a whole, continued the report.

CECA is managed by NREL and sponsored by the Department of Energy’s (DOE’s) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and utility partners in collaboration with DOE’s Office of Energy Efficiency and Renewable Energy (EERE).

To learn more about runZero’s participation in the NREL CECA Program you can read their news story here.

To download the free and publicly available report, please visit https://www.nrel.gov/docs/fy24osti/89105.pdf.