Case Study
Background
Businesses that run Operational Technology (OT) environments differ from those that run purely on Information Technology (IT) because they depend on hardware and software that detects or causes changes in industrial equipment, assets, processes and events. As in most industries, the security teams of companies that run OT struggle to keep pace with emerging threats with the resources available to them. In OT environments the skills shortage is compounded by the scarcity of talent that understands both OT and IT principles and the nuances of industry regulations, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards.
An independent electricity transmission investment company shared many of these challenges. They knew that in order to reduce risk and ensure continuous compliance with their limited security staff, they would need to find a security automation or SOAR solution. The energy company first turned to 1898 & Co., their long-time consulting partner, to identify a solution. Considering that fines associated with NERC CIP compliance could be anywhere from thousands to millions of dollars, both the energy company and 1898 & Co. knew that investing in a security automation solution would pay for itself in terms of risk mitigation. 1898 & Co. recommended that the customer proceed with Swimlane’s low-code security automation solution, and they did.
COMPLIANCE
Simple, Scalable & Secure Deployments
To comply with NERC CIP requirements, the energy company needed Swimlane deployed on a hardened platform. They opted to deploy Swimlane on-premises on Haos, a custom hardened appliance built by 1898 & Co. The appliance meets the CIS Level 1 benchmark, allows the underlying Kubernetes environment to be updated in place, eliminates the need for external load balancers in most high-availability deployment scenarios, and automates the provisioning and rotation of TLS certificates across the ingress controller.
The energy company needed a total of four Swimlane deployments, both to support a traditional test and production deployment pipeline and to provide failover to their second datacenter. The first deployment took 1898 & Co. about 8 hours after architecture planning, largely because of the site's NERC CIP requirements. After that, they captured the configuration as Terraform infrastructure-as-code, and the remaining three deployments were each completed in less than 15 minutes. The energy company found that deploying Swimlane on the hardened appliance, with professional services from 1898 & Co., was simple, secure and scalable.
SOLUTIONS
Quick Wins with Low-Code Automation
After completing the Swimlane deployment, 1898 & Co. helped the energy company establish quick wins that would deliver value fast. To do this, they started by establishing automation for phishing, indicators of compromise (IOC) and incident response (IR) use cases.
45 Minutes Saved per IOC Investigation
Like many power and utilities companies, the energy company is part of the Electricity Information Sharing and Analysis Center (E-ISAC). This means that they receive regular emails with information about IOCs that they should be investigating. 1898 & Co. used Swimlane to help the energy company build an ingestor that would parse E-ISAC emails, and look across their environment to detect known IOCs.
Before automating this process, the energy company's security team was spending more than an hour manually looking up IOCs. Now the query runs automatically and completes in minutes. Keeping a human in the loop remains critical, but by automating the manual parts of the process with low-code workflows, the company saves roughly 45 minutes per investigation. As geopolitical tensions rise, automated controls that speed up this process will save the energy company time and help it remain secure.
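The ingestor described above has two parts: pull indicators out of an advisory e-mail, then sweep the environment's telemetry for them. The following Python is an added example of that pattern written for this page; it is not Swimlane's or 1898 & Co.'s code, and the advisory e-mail, the log lines and the indicator values are all constructed here (RFC 5737 documentation addresses, a reserved domain and arbitrary hashes). It shows two details that trip up naive implementations: advisories usually arrive "defanged" (`hxxp`, `[.]`) and must be refanged before any regex will match, and indicator matching in logs needs boundary checks so that `example.com` does not fire on `notexample.com`.

```python
"""Parse a constructed IOC advisory e-mail and sweep sample logs for its indicators."""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed indicator values (not real IOCs).
SAMPLE_SHA256 = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
SAMPLE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed advisory e-mail standing in for an ISAC bulletin. Note the defanging.
SAMPLE_EMAIL = f"""\
From: advisories@example.invalid
Subject: Constructed IOC bulletin (example)
Content-Type: text/plain

Observed C2 infrastructure:
  hxxp://malicious-update[.]example[.]com/payload
  192.0.2.45 and 198[.]51[.]100[.]7
SHA256: {SAMPLE_SHA256}
MD5: {SAMPLE_MD5}
"""

# Constructed log lines standing in for firewall, DNS and EDR telemetry.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 action=allow src=10.1.1.20 dst=192.0.2.45 dport=443",
    "2024-05-01T10:00:02Z dns01 client=10.1.1.20 query=malicious-update.example.com type=A",
    "2024-05-01T10:00:03Z dns01 client=10.1.1.21 query=updates.vendor.example type=A",
    "2024-05-01T10:00:04Z edr01 host=eng-ws-07 proc=svc.exe sha256=" + SAMPLE_SHA256,
    # Near miss: a longer hostname that merely contains the indicator as a suffix.
    "2024-05-01T10:00:05Z dns01 client=10.1.1.22 query=legit-malicious-update.example.com type=A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)


def refang(text):
    """Undo common defanging ([.] (.) [dot] hxxp) so the indicator regexes can match."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.IGNORECASE)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def extract_iocs(raw_email):
    """Return {'ipv4': set, 'domain': set, 'sha256': set, 'md5': set} from the e-mail body.

    Only the body is scanned, so sender addresses in the headers are not mistaken for IOCs.
    """
    msg = message_from_string(raw_email, policy=default)
    body = refang(msg.get_body(preferencelist=("plain",)).get_content())
    iocs = {"ipv4": set(), "domain": set(), "sha256": set(), "md5": set()}
    for cand in IPV4_RE.findall(body):
        try:
            ipaddress.IPv4Address(cand)  # rejects octets > 255 etc.
        except ValueError:
            continue
        iocs["ipv4"].add(cand)
    iocs["domain"].update(d.lower() for d in DOMAIN_RE.findall(body))
    iocs["sha256"].update(h.lower() for h in SHA256_RE.findall(body))
    # \b keeps a 32-hex window inside a SHA256 from being reported as an MD5.
    iocs["md5"].update(h.lower() for h in MD5_RE.findall(body))
    return iocs


def sweep_logs(iocs, log_lines):
    """Return [(line_no, ioc_type, indicator)] for every log line containing an IOC.

    The lookarounds forbid hostname/IP characters on either side of the match, so
    'malicious-update.example.com' does not fire on 'legit-malicious-update.example.com'.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        low = line.lower()
        for kind, values in iocs.items():
            for ioc in sorted(values):
                pattern = r"(?<![a-z0-9.-])" + re.escape(ioc) + r"(?![a-z0-9.-])"
                if re.search(pattern, low):
                    hits.append((line_no, kind, ioc))
    return hits


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EMAIL)
    for kind, values in found.items():
        print(f"{kind}: {sorted(values)}")
    for line_no, kind, ioc in sweep_logs(found, SAMPLE_LOGS):
        print(f"HIT line {line_no}: {kind} {ioc}")
```

In production the `sweep_logs` step would be replaced by a query against the SIEM or EDR, and the resulting hits would open a case for an analyst rather than just print; the extraction and boundary-matching logic is the part that carries over unchanged.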
Secure Management of the Energy Grid
Asset management in critical infrastructure can be incredibly challenging to accomplish. In these industries an asset takes many forms. They can be anything from a traditional IT asset like a workstation, server, or a switch to generators, controllers, sensors, and actuators. As the OT and IT convergence reaches its peak, this will only become more challenging.
To help ensure continuous NERC CIP compliance and accurate asset records, 1898 & Co. helped the energy company automate asset management for new substation deployments using the Swimlane low-code security automation platform. The team built a SharePoint page through which engineers submit forms for new equipment and for net-new or retrofit substations. Swimlane picks up each form and executes the workflow that matches the type of request. Once the process is complete, Swimlane notifies the SIEM that the device has been deployed, so that the SIEM knows to begin logging and alerting on it for continuous security monitoring. This automated workflow helps ensure compliance and that energy grid assets are securely managed.
RESULTS
Securing the Energy Industry's Future
The energy company looks forward to a continued partnership with 1898 & Co. and Swimlane. 1898 & Co.’s consulting services have helped the company establish secure deployments and efficient use cases that maintain compliance. Swimlane’s technical flexibility and responsive customer service have enabled the company to solve any problems they’ve needed to tackle. Looking to the next 3-5 years, OT cybersecurity experts from 1898 & Co. anticipate three major trends that they, together with Swimlane, will help energy companies address:
- The convergence of OT and IT technologies
- Continued growth in ransomware and nation-state threats
- Grid modernization
By using Swimlane and 1898 & Co. consulting services to automate time-consuming, repetitive tasks, the energy company is freeing up time for more strategic work. This shift will help them prepare for growing and emerging problems. With 1898 & Co.'s expertise and Swimlane's adaptable security automation platform, they have the partners needed to automate future use cases as they emerge.