While Jill is excited to take on this new initiative, she knows that the impending influx of connected devices will make the company more vulnerable to cybersecurity attacks. She must make sure this doesn’t happen.

First, she must assess cyber risks to their Industrial Automation and Control Systems (IACS) by: inventorying their existing IP-connected assets, identifying network access points into the IACS, understanding existing network segmentation solutions, determining how third parties access their Operational Technology (OT) networks, defining security requirements based on system criticality, and creating policies for how Energy Co will enable and secure cloud-connectivity while maintaining visibility and control over web-enabled IACS assets coming online.

Solutions & Resources

Board Related:
Questions Your Board of Directors is Asking >
Cyber Risk and Resiliency >

For consulting support from understanding current security maturity of the organization to developing a segmentation strategy:
Cisco Security Services >

To mitigate risks across the entire lifecycle:
NIST Cybersecurity Framework >
NIST SP800-37 – Risk Management Framework >

Upon learning of the digitalization initiative, the Board requests that Energy Co’s digital asset registry and risk management plan be updated and documented.

Meanwhile, Jill’s ongoing inventory uncovers alarming news: between and among Information and Communications Technology (ICT), Engineering, and Operations, Energy Co’s organizations have only limited visibility into the various ways assets are connecting to the Internet. They also discover many unregistered devices using the network, but no one knows the purpose, make or model of these devices, nor what types of data they are exchanging.

To remedy this, Jill and her team reduce the number of external connections that bypass Energy Co’s network, consolidate management of cellular connections, and implement Netflow to regain visibility across all IT/OT network activities, including IACS.

Jill and her team are now able to passively baseline network behavior, detect anomalous network activity and minimize Energy Co’s overall cyber risk.

Jill uses these data points to comply with the Board’s requests.

Solutions & Resources

Board Related:

Network Monitoring & Security:
Netflow >
Stealthwatch >

Automated Connectivity Management:
Jasper >

Monitoring & Risk Management for Industrial Operations:
Cisco Industrial Network Director >

Asset Discovery, Monitoring & Risk Management for Industrial Operations:
Cisco Industrial Network Director >
Sentryo ICS CyberVision >
Cisco Completes Sentryo Acquisition >

The CTO, returning from a recent industry gathering, learns that the crippling cyber attack which shut down several large power grids across multiple cities began as a spear-phishing email to the marketing department of another energy company. He requests that Jill and her team build defensive capabilities in anticipation of such attacks.

Designing and implementing an asset segmentation strategy, which is what Jill and other CISO’s call this defensive measure, is a complex exercise, depending upon the state of the infrastructure. The strategy can’t block required data flows and cause further interruptions, yet must isolate corporate networks from Engineering, Operations, and Dispatch networks used for their Energy Management System (EMS), Advanced Metering Infrastructure (AMI), Physical Security, Collaboration, and Remote Worker access.

Fortunately, network virtualization technologies such as Cisco’s Software Defined Access (SDA) using Security Group Tags (SGT) enable flexible and automated segmentation of assets based on security policy, while increasing ROI by enabling all communications over a converged infrastructure. The strength of this approach helps define and enforce a per-device micro-segmentation capability that can control lateral movement within the network.

Jill’s security team is looking to prevent the entry and spread of malware within the corporate network. They use email and web security tools, DNS security, and next generation firewalls that include Intrusion Prevention Systems (IPS), malware protection and Virtual Private Networking capabilities. Endpoint protection including malware protection, DNS security, and VPN services protect mobile and roaming devices.

Solutions & Resources

Board Related:

To enable converged networks with segmentation capabilities:
Cisco MPLS >
Cisco SD-WAN >

Centralized Management:
Cisco DNA for Utilities >
Cisco FND >
Cisco IND >

Software-Defined Segmentation:
Cisco ISE integration with IND Configuring SXP on IE Switches >

Cisco Security Solutions:
Cisco Umbrella DNS Security >
Cisco Advanced Malware Protection (AMP) >
Cisco Email Security >
Cisco Web Security >
VPN and Endpoint Security Clients >
Cisco Next Generation Firewall >
Cisco Ransomware Defense >

As the complexity and scale of connecting heterogeneous systems to enable digitalization increases, so do the operational costs, and this has caught the eye and concern of the COO.

The cyber risk analysis Jill conducted earlier revealed a tangle of network access policies and management systems that bogged down the network operations teams.

To remedy, Jill’s team develops a unified network access policy enforcing security and access policies for endpoint devices and limiting users to the equipment they’re authorized to use. The use of Cisco TrustSec software-defined segmentation technologies and Duo Unified Access Security solution makes it easy to administer, operate and scale this simplified policy, while saving time and reducing risk overall.

Jill updates Energy Co’s information security policies to ensure their regular review and improvement, thereby ensuring compliance going forward.

Solutions & Resources

Learn about Cisco security architecture:
Secure IoT solution architecture >
Cisco Identity Services Engine >
Duo Unified Access Security >

As the digitalization efforts continue, the line of business has become more dependent upon the network. A third-party cyber risk assessment exposed Energy Co’s aging network infrastructure as vulnerable. And the network is now categorized as a critical system—an outcome of recent company-wide cyber risk workshops.

The network has become foundational to Energy Co’s digitalization efforts, and Jill’s team seeks out network devices with built-in security in an immediate effort to increase security and resiliency.

Energy Co learns that the first line of defense is to seek out networking products that contain embedded trustworthy technologies (e.g., hardware root-of-trust, software image signing, secure boot and boot integrity protection). These technologies ensure the devices are operating as expected, and create evidence that the security system is working.

Solutions & Resources

Network infrastructure is being targeted by malware:
New VPNFilter malware targets at least 500K networking devices worldwide >
Evolution of Attacks on Cisco IoS Devices >

Learn more about trustworthy solutions with embedded security:
Cisco Trust Center >
Built-in Security >
Cisco Secure Development Lifecycle (SDL) >
Value Chain Security >
Next Generation Encryption >

Cryptography & Encryption Standards:
Global Government Certification >

In an effort to minimize unplanned outages and extend the lifetime of their capital-intensive Industrial Automation and Control Systems (IACS), Energy Co management wants to implement predictive maintenance.

Secure network connectivity is a foundational requirement to implementing and scaling predictive maintenance, which requires the ongoing measurement of device-level operating fluctuations, as well as the extraction, transport, consolidation and analysis of this data across the system for decision-making purposes.

By enabling an open, standards-based network, data and security architecture that includes sensors and endpoints; gateways, routers, and switches with fog computing; data centers and cloud applications; Jill’s team can increase the ROI of their new network infrastructure investments while reducing Energy Co’s overall costs.

Solutions & Resources

Learn how Cisco can support your specific predictive maintenance needs:
Wireless Sensor Networks >

Drive better business outcomes by making full use of your IoT data:
Cisco Kinetic IoT platform >

When an unplanned service interruption impacts their customers, Energy Co must identify the source of the problem and quickly get the power systems operational. Traditional processes include truck rolls to physically inspect grid components and reduce the impact.

The promises of Distribution Automation include the ability to remotely detect faulty equipment across their energy infrastructure, and to quickly minimize the size of the service disruption by making changes from the control center. This capability requires secure network connectivity to remotely sense and control the grid.

Jill is concerned that the expanded role of the network infrastructure (e.g., Wide Area Network, Field Area Network) will have the unintended consequence of creating a larger cyber-attack surface, possibly leading to more service interruptions. She inserts a requirement that Energy Co must expand their Security Operations Center (SOC) and coordinate incident response between the control center and the SOC if they are to deploy a Distribution Automation solution. .

Solutions & Resources

Distribution Automation:
Unified Field Area Network Architecture for Distribution Automation >

Respond quickly and definitively to cyber-attacks:
Cisco Threat Response >
Cisco Rapid Threat Containment >

The COO wants to better understand customer energy consumption. Doing so will enable him to develop a demand-based energy delivery model, helping create efficiencies and reduce costs.

Jill understands from her work with Distribution Automation that it can also enable the data flows required to coordinate demand response at scale for the line of business. Yet she has concerns about customer data privacy and Energy Co’s liability to protect Distribution Automation data that can be used to determine their industrial customers’ manufacturing production schedules or end consumers’ daily routines.

With the new network infrastructure in place, Jill and her team are able to segment, prioritize, and securely transport business-critical distribution automation traffic from the edge to the cloud. This can be done in isolation from other business data flows all over a converged network by using technologies such as MPLS and VRFs, QoS and IPsec VPN tunnels managed centrally with SD-WAN.

Solutions & Resources

Learn more about Network Security Architectures:
Cisco SD-WAN >
Security of the MPLS Architecture >
FlexVPN >
DMVPN >
GetVPN >

Implement Cisco Validated Design and Implementation Guides for:
Extended Enterprise Industrial Automation Distribution Automation Remote & Mobile Assets  >

Limiting the impact of service interruptions will greatly reduce unnecessary costs to the business, and so Energy Co looks to explore ways of reducing the resources needed to investigate and remedy service outages.

The COO, CIO and Jill evaluate the existing business processes used to respond to service interruptions and outages. They discover that by consolidating radio dispatch operations with collaboration technologies they can bring remote expertise to bear on any service interruption no matter the cause, making the process more efficient and effective. These new technologies can be easily and seamlessly integrated into Jill’s new network and security architecture.

Solutions & Resources

Interoperability & Collaboration Technology:
Cisco Collaboration Technology >

At the request of the CFO, Jill and the COO work together to determine the total annual costs of deploying maintenance crews in an effort to identify cost savings realized from the various digital transformation projects. Their business case suggests significant savings for Energy Co.

These encouraging results prompt them to do additional baseline analysis. This data further demonstrates that as Energy Co continues to develop new ways of applying digitalization to its business, the ROI of its unified network and security architecture and modernized technology stack increases over the previous disparate and segmented ICT systems that were not being used to their full potential.

For example, by deploying an intuitive network with software defined policy that shares context with other security tools, Jill is able to improve the efficiency of the security operations center. Investigative resources spend less time querying disparate sources for important information, they utilize machine learning tools to analyze user and endpoint behaviors, they quickly detect network anomalous behavior, and they reduce false positives.

Solutions & Resources

Improving IT/OT Operating Efficiencies:
PxGrid >
Stealthwatch >

Based on the success of their cost reduction efforts derived from digitalization, Energy Co’s Board lays out a strategy of increasing market share by undercutting competitors’ prices.

Energy Co has created new and enhanced service delivery capabilities, thanks to its recently deployed Cisco Kinetic IoT platform, a data broker solution that extracts, computes and moves any measurement data from the edge to the fog, enterprise, or cloud. With these refined service delivery capabilities, Energy Co is able to offer new Service Level Agreements to existing customers.

Now Energy Co has significantly increased visibility into how, when, where and why its customers use its products and services. This data has enabled Energy Co to improve its demand response capabilities and spin up or spin down energy production to coincide with demand, making it significantly more efficient.

These enhancements enable Energy Co to offer new Service Level Agreements specifically tailored to their individual customers’ needs.

Solutions & Resources

Enabling Data Insights:
Kinetic >

Solutions for:
Edge >
Fog >
Enterprise >
Cloud >

Now that Energy Co has minimized its exposure to cyber attacks, reduced its operating expenses, and created new efficiencies, it is well positioned to target new markets such as mass energy storage, renewable energy, and electric vehicle charging.

Use Case #1: Plugging In Remote & Un-Connected Populations

After expanding the network infrastructure needed to enable Distribution Automation, Energy Co sees a new opportunity: providing network connectivity to remote and un-connected populations.

Energy Co considers the cost benefit analysis of offering Internet services to rural customers whose ISPs can only offer dial-up and satellite connectivity today.

Solutions & Resources

Cisco Digitial Network Architecture (Cisco DNA) >
Cisco Service Provider Products, Solutions & Services >

Use Case #2: IoT for Municipalities

With its now robust network infrastructure in place, Energy Co’s network and security architecture supports integration of routers with Wireless Personal Area Networking (WPAN) modules, which can enable field area network applications and gateways that support Low Power Wide Area networking protocols such as LoRaWAN IoT technologies.

Energy Co pursues a strategy of targeting local municipalities interested in building out IoT services (e.g., asset tracking, smart city management, etc.) on its network infrastructure.

Solutions & Resources

Smart Cities >

Wireless Connectivity for Field Area Networks:
Cisco Connected Grid WPAN Module >
Cisco Wireless Gateway for LoRaWAN >

Use Case #3: Data as a Service (DaaS)

Energy Co’s digitalization technology stack generates countless business insights around customer and service usage, generated from its extensive new data analytics capabilities. Energy Co recognizes the potential to productize these insights as a Data-as-a-Service (DaaS) offering to interested third parties.

Solutions & Resources

Cisco Big Data & Analytics >