While Jill is excited to take on this new initiative, she knows that the impending influx of connected devices will make the company more vulnerable to cybersecurity attacks. She must make sure this doesn’t happen.
First, she must assess cyber risks to their Industrial Automation and Control Systems (IACS) by inventorying their existing IP-connected assets, identifying network access points into the IACS, understanding existing network segmentation solutions, determining how third parties access their Operational Technology (OT) networks, defining security requirements based on system criticality, and creating policies for how Energy Co will enable and secure cloud connectivity while maintaining visibility and control over web-enabled IACS assets coming online.
Upon learning of the digitalization initiative, the Board requests that Energy Co’s digital asset registry and risk management plan be updated and documented.
Meanwhile, Jill’s ongoing inventory uncovers alarming news: across Information and Communications Technology (ICT), Engineering, and Operations, Energy Co’s organizations have only limited visibility into the various ways assets are connecting to the Internet. They also discover many unregistered devices using the network, but no one knows the purpose, make or model of these devices, or what types of data they are exchanging.
To remedy this, Jill and her team reduce the number of external connections that bypass Energy Co’s network, consolidate management of cellular connections, and implement NetFlow to regain visibility across all IT/OT network activities, including IACS.
Jill and her team are now able to passively baseline network behavior, detect anomalous network activity and minimize Energy Co’s overall cyber risk.
Jill uses these data points to comply with the Board’s requests.
The CTO, returning from a recent industry gathering, learns that the crippling cyber attack which shut down several large power grids across multiple cities began as a spear-phishing email to the marketing department of another energy company. He requests that Jill and her team build defensive capabilities in anticipation of such attacks.
Designing and implementing an asset segmentation strategy, which is what Jill and other CISOs call this defensive measure, is a complex exercise, depending upon the state of the infrastructure. The strategy can’t block required data flows and cause further interruptions, yet must isolate corporate networks from Engineering, Operations, and Dispatch networks used for their Energy Management System (EMS), Advanced Metering Infrastructure (AMI), Physical Security, Collaboration, and Remote Worker access.
Fortunately, network virtualization technologies such as Cisco’s Software Defined Access (SDA) using Security Group Tags (SGT) enable flexible and automated segmentation of assets based on security policy, while increasing ROI by enabling all communications over a converged infrastructure. The strength of this approach helps define and enforce a per-device micro-segmentation capability that can control lateral movement within the network.
Jill’s security team is looking to prevent the entry and spread of malware within the corporate network. They use email and web security tools, DNS security, and next-generation firewalls that include Intrusion Prevention Systems (IPS), malware protection and Virtual Private Networking capabilities. Endpoint protection, including malware protection, DNS security, and VPN services, protects mobile and roaming devices.
As the complexity and scale of connecting heterogeneous systems to enable digitalization increases, so do the operational costs, and this has caught the eye and concern of the COO.
The cyber risk analysis Jill conducted earlier revealed a tangle of network access policies and management systems that bogged down the network operations teams.
To remedy this, Jill’s team develops a unified network access policy enforcing security and access policies for endpoint devices and limiting users to the equipment they’re authorized to use. The use of Cisco TrustSec software-defined segmentation technologies and the Duo Unified Access Security solution makes it easy to administer, operate and scale this simplified policy, while saving time and reducing risk overall.
Jill updates Energy Co’s information security policies to ensure their regular review and improvement, thereby ensuring compliance going forward.
As the digitalization efforts continue, the line of business has become more dependent upon the network. A third-party cyber risk assessment exposed Energy Co’s aging network infrastructure as vulnerable. And the network is now categorized as a critical system—an outcome of recent company-wide cyber risk workshops.
The network has become foundational to Energy Co’s digitalization efforts, and Jill’s team seeks out network devices with built-in security in an immediate effort to increase security and resiliency.
Energy Co learns that the first line of defense is to seek out networking products that contain embedded trustworthy technologies (e.g., hardware root-of-trust, software image signing, secure boot and boot integrity protection). These technologies ensure the devices are operating as expected, and create evidence that the security system is working.