The European power grid is an attractive target for attacks. Substations and power plants offer the largest attack surface. This is because thousands of protection and control devices communicate here, control high-voltage lines and secure grid operation. Grid operators are often unaware of how many publicly known vulnerabilities exist in their systems. Targeted patching of devices with a clear focus on the truly relevant security gaps could remedy this situation. Why, then, do many energy suppliers still not do this?
When the Devices Are Switched Off
Firmware updates require devices to be shut down — not only must suitable time slots be found in the power grid, but approvals must also be obtained from the grid operator for lines, transformers and circuit breakers, for example. Due to the current high grid utilization, this approval can often take months — while in the meantime, new patches are already appearing, and the OT systems are vulnerable. In addition, complete shutdowns are rarely possible, so updates must be carried out in stages. As a result, energy suppliers often operate several firmware versions of the same device type in parallel — sometimes even within a single plant. This leads to further challenges.
A Residual Risk Remains
Firmware updates can cause unexpected errors in critical OT components. That's why many energy suppliers test new versions in special laboratories that simulate realistic plant environments. However, the enormous complexity of the devices, with thousands of setting parameters and individual functions, also makes on-site testing necessary. Complete test coverage would be extremely time-consuming and often requires the shutdown of entire plants. This means that a residual risk remains after every update — in some cases, the operational risk of patching can even be greater than the risk of leaving the security vulnerability unaddressed.
Manual Labor Results in High Costs
Patching is not only risky, but also time-consuming and expensive. Energy suppliers have to manually collect security advisories from manufacturers, as there is no central source. The three largest manufacturers alone publish over 300 advisories annually — often with multiple vulnerabilities affecting different device types. But even when an advisory is available, identifying affected OT systems remains a challenge: inventory lists usually only contain device types and main firmware versions, but not details about built-in modules. Relevant information is often scattered and rarely up to date, which makes assessment difficult.
The time investment for OT vulnerability management is enormous. The variety of manufacturers and firmware versions means that hundreds of advisories have to be checked every year. While some analyses take only a few minutes, complex cases can take an entire working day — valuable time during which specialist personnel are unavailable for network operations.
Why You Should Still Patch
Current legislation requires German energy suppliers to continuously identify and minimize cyber risks. A certified ISMS and the use of attack detection systems are mandatory. In addition, the BSI requires structured vulnerability management — including regular review of manufacturer warnings and security notifications. Those who ignore these requirements face penalties.
International standards such as ISO 27001, 27002 and 27019 (the latter explicitly for the energy sector) also define clear requirements: Companies must systematically record vulnerabilities, assess risks and implement appropriate measures.
Automated Approach to Asset and Vulnerability Management
Patching remains a time-consuming task, but modern intrusion detection systems (IDS) and OT security solutions offer a smarter approach. The key lies in maintaining a detailed asset inventory that enables automated analyses and precise vulnerability assessments, optimizing patch management and minimizing manual effort.
Without machine-readable security advisories, assigning vulnerabilities to the correct devices can be error-prone. Advanced solutions leverage automated analysis of advisories directly from manufacturers’ sources, ensuring timely and accurate vulnerability mapping.
To automatically match vulnerabilities with an asset inventory, each device record should include meta information such as device type, firmware version and module configuration. Even complex manufacturer histories or serial number assignments can be accounted for, allowing operators to precisely identify which vulnerabilities are relevant for each system and reduce manual effort.
The Future of OT Vulnerability Management
Automation will remain crucial for efficient OT vulnerability management. The adoption of standardized formats such as SBOM and VEX promises to further streamline the process, supporting operators in maintaining resilient, secure networks with minimal manual intervention.
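The matching step described in the section above (an asset record carrying device type, firmware version and module configuration, compared against machine-readable advisories) and the VEX-style status output this outlook points toward, shown as an added example that is not part of the original article and not any vendor's product code. All device names, versions, asset identifiers and advisory identifiers below are constructed for illustration, and the advisory shape is a deliberately simplified stand-in for a real format such as CSAF; a real feed would be parsed into the same fields.

```python
"""Match an OT asset inventory against machine-readable advisories.

Constructed example: inventory, advisories and the advisory format are all made
up for illustration (hypothetical, not the article's or any vendor's code).
"""
from dataclasses import dataclass

# --- constructed asset inventory -------------------------------------------
# Each record carries the meta information the article calls for: device type,
# main firmware version and the firmware of built-in modules.
INVENTORY = [
    {"asset_id": "SS-01-PROT-03", "device_type": "RelayX 7", "firmware": "3.2.1",
     "modules": {"ETH-COMM": "1.4.0", "IO-EXT": "2.0.3"}},
    {"asset_id": "SS-01-PROT-04", "device_type": "RelayX 7", "firmware": "3.4.0",
     "modules": {"ETH-COMM": "1.6.2"}},
    {"asset_id": "SS-02-CTRL-01", "device_type": "BayCtl 200", "firmware": "8.10.5",
     "modules": {}},
]

# --- constructed advisories ------------------------------------------------
# Simplified shape: one entry per vulnerability naming a device type or a module,
# the first affected version, and the fix version (None = no fix available yet).
# Affected versions form the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "RelayX 7", "kind": "device",
     "introduced": "3.0.0", "fixed": "3.3.0"},
    {"id": "EXAMPLE-ADV-0002", "component": "ETH-COMM", "kind": "module",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0003", "component": "BayCtl 200", "kind": "device",
     "introduced": "8.0.0", "fixed": None},
]


def parse_version(v: str) -> tuple:
    """Turn '8.10.5' into (8, 10, 5) so versions compare numerically.

    A plain string comparison would rank '8.10.5' below '8.9.0', which is
    exactly the kind of error that mis-assigns an advisory to a device.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass
class Finding:
    asset_id: str
    advisory_id: str
    component: str
    version: str
    status: str  # VEX-style vocabulary: 'affected', 'fixed' or 'not_affected'


def component_version(asset: dict, advisory: dict):
    """Installed version of the advisory's component on this asset, or None if absent."""
    if advisory["kind"] == "device":
        return asset["firmware"] if asset["device_type"] == advisory["component"] else None
    return asset["modules"].get(advisory["component"])


def match(inventory: list, advisories: list) -> list:
    """Produce one VEX-style statement per (asset, advisory) pair that shares a component."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            version = component_version(asset, adv)
            if version is None:
                continue  # advisory names a component this asset does not carry
            v = parse_version(version)
            if v < parse_version(adv["introduced"]):
                status = "not_affected"
            elif adv["fixed"] is not None and v >= parse_version(adv["fixed"]):
                status = "fixed"
            else:
                status = "affected"
            findings.append(Finding(asset["asset_id"], adv["id"], adv["component"], version, status))
    return findings


def affected_assets(findings: list) -> dict:
    """Group open findings by asset: the patch worklist an operator would act on."""
    work = {}
    for f in findings:
        if f.status == "affected":
            work.setdefault(f.asset_id, []).append(f.advisory_id)
    return work


if __name__ == "__main__":
    results = match(INVENTORY, ADVISORIES)
    for f in results:
        print(f"{f.asset_id:14} {f.advisory_id:17} {f.component:10} {f.version:7} {f.status}")
    print("open worklist:", affected_assets(results))
```

Two design points matter more than the toy data. Module firmware is matched independently of the main firmware, because a device whose main version is patched can still carry a vulnerable communication module, which is the gap the article describes in inventory lists that track only device types and main versions. And every asset sharing a component with an advisory gets an explicit `fixed` or `not_affected` statement rather than silence, which is what a VEX document is meant to carry so that downstream reviewers do not re-analyse advisories the inventory already rules out.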
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive regular emails with links to thought leadership, research and other insights from the OT cybersecurity community.