This major South Western Electric & Power Company serves more than 375,000 customers. As the electric and power provider enters its third century of operations, the company continues to find innovative ways to provide reliability, service and value to customers and the community.
A component of delivering reliable service includes ensuring security over the systems that manage energy. Several years ago, the utility company’s Energy Management Services (EMS) group determined that they needed to ensure access controls to the servers that housed core applications and other sensitive data. The security of these applications and data was needed not only to reduce the risk of a security breach, but also as part of achieving FERC and NERC regulatory compliance, especially around the Cyber Security Standards (CIP). In particular, the IT team wanted to enforce, down to the individual user level, exactly who was authorized to access which systems, when, and how, especially for privileged system users such as system and database administrators. They also needed a much easier way to consolidate logs of the user access activity for management review and regulatory audits.
EFFECTIVE ACCESS CONTROL
Like most IT environments, this utility provider uses a diverse mixture of both UNIX and Windows servers to run their business. Defining, managing, and enforcing authentication and authorization rules automatically, across diverse IT platforms located across multiple geographic locations, is a challenge. In addition, manually provisioning new user entitlements to the various servers, and removing the entitlements when users leave, is time consuming and error prone. An equally daunting access management challenge comes via the FERC and NERC regulations, specifically CIP-003 R5, CIP-005 R2, and CIP-007 R5. The intent of the NERC CIP Cyber Security Standards is to ensure that all entities responsible for the reliability of the Bulk Electric Systems in North America identify and protect Critical Cyber Assets that control or could impact the reliability of the Bulk Electric Systems. To meet the CIP compliance standards, organizations must be able to prove that they have the controls in place for authorizing access by individuals to their servers. In particular, organizations need to focus on managing access to shared accounts (CIP-007, R5.2). Under CIP, the organization is also required to provide an audit trail of the account usage, and must review the user activity logs at set intervals during the year. Manual controls may be utilized in some cases, but it is very labor intensive to effectively manage and enforce these controls and create meaningful audit reports with the user activity logs decentralized across the various servers.
SECURING THE IT INFRASTRUCTURE
The electric and power utility company decided to implement the HelpSystems BoKS ServerControl solution to centralize the administration, authentication, authorization, and auditing of their access policies across their UNIX servers. BoKS ServerControl is implemented to protect servers both in the Corporate and Energy Management Services business units.
BoKS provides many benefits to the utility provider including:
- Ability to define and automatically enforce granular authorization and authentication access rights to improve security over sensitive data; accounts are defined only on servers where they are needed
- Simplifies overall IT management with consistent user roles, authorization, and authentication mechanisms across diverse servers
- Reduces the risk of insider fraud with controlled delegation of privileged accounts including keystroke logging
- Protects data in transit with encryption of network communications
- Simplifies NERC/CIP regulatory compliance. BoKS automatically consolidates the user activity logs from across the diverse servers and produces a variety of audit-friendly reports. The consolidated reporting also enables management to perform the required reviews of access controls and user activities much faster.
- Reduces the IT administration effort with centralized system administrator provisioning and de-provisioning, password management, and SSH management
Using BoKS ServerControl, the South Western Electric and Power organization is able to improve the security of the servers that drive their core applications with centralized administration, authentication, authorization and audit capabilities. The ability to automatically control access across their diverse server domain not only provides greater protection of their corporate brand and equity, it also enables the utility provider to meet the CIP standards within the NERC regulations. With a centralized solution for administering their granular access control policies, the company is also able to reduce the effort it takes to both provision users and prepare for internal and regulatory audits, reducing the overall cost to manage IT systems.