Access Risk Management for Energy and Utilities

Between the infamous Northeast blackout in 1967 and the increased awareness of potential terrorist attacks against energy facilities, the energy sector has recognized the need to protect the critical information assets used to control the generation, distribution and management of electrical power across the nation. This requirement has become increasingly important as the national power grid becomes even more interconnected and dependent on computer-based access. The resulting concern is that actions taken by an unauthorized employee in one part of the grid have the potential to generate negative outcomes that affect the entire grid.
Technology Vulnerability
Technology in the energy sector is shifting from closed, proprietary systems to open, flexible systems that allow greater and more meaningful interaction within and between the companies responsible for generating and distributing electrical power. With the complexity of these various systems comes the risk of unauthorized access. Because there are no widely accepted standards for access and authorization, most systems must rely on their own internal security models for defining and controlling access rights, which increases the difficulty of managing access.
Regulatory Requirements
Authorities in the US and Canada have authorized the North America Energy Reliability Corporation (NERC) to define, implement and enforce Critical Infrastructure Protection (CIP) regulations that establish standards for defining, controlling and terminating access to critical cyber assets in the energy sector. These requirements carry the force of law in North America, as NERC has been granted enforcement authority by regulators in both the US and Canada.
As a result of these regulations, some of which provide for hefty fines for non-compliance, it has become even more essential for energy providers to protect internal assets from the risks of unauthorized access and potentially fraudulent activity.
Courion specifically addresses many of the pressing security and compliance needs faced by security professionals in the energy industry, and facilitates compliance with the following NERC CIP requirements:
| CIP Requirement | Courion Solution |
|---|---|
| CIP-003-1: Maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. | Courion’s IdentityMap™ contains a list of personnel responsible for authorizing access to protected information. Managers are only allowed to add, change, or remove access for personnel under their supervision. |
| CIP-003-1: Review at least annually the access privileges to protected information to confirm that access privileges are correct and that they correspond with the Responsible Entity’s needs and appropriate personnel roles and responsibilities. | ComplianceCourier can schedule and track completion of reviews of end user access privileges by authorized managers to ensure they are correct. AccountCourier and RoleCourier ensure that user access privileges correspond with personnel roles and responsibilities as defined by policy. |
| CIP-004-1: Establish, maintain, and document an annual cyber security training program for personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets. | ComplianceCourier can schedule periodic security training and block access to Critical Cyber Assets for users who have not successfully completed training. |
| CIP-004-1: Revoke access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access. | AccountCourier can automatically revoke or suspend access rights to Critical Cyber Assets immediately upon termination, or as directed by authorized personnel. |
| CIP-004-1: Maintain list(s) of personnel with authorized access to Critical Cyber Assets, including their specific electronic and physical access rights. | Courion's repository contains data on personnel and on all systems (including physical asset systems) to which access is provided using Courion’s solution. |
| CIP-006-1: Implement one or more of the following physical access methods...where the access rights of the card holder are predefined in a computer database. | Courion's AssetLink technology can automatically provision or de-provision a security card, authentication token, or other physical security device through integration with a physical asset management system. |
| CIP-007-1: Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. | Courion enforces the creation and management of user access to Critical Cyber Assets through provisioning, access rights management, role definition, access certification, and password management. |
| CIP-007-1: Ensure that individual and shared system accounts and authorized access permissions are consistent with the concept of “need to know” with respect to work functions performed. | Courion manages user access rights and ensures they are consistent with business “need to know”, “least privilege” and “separation of duties” principles. |
| CIP-007-1: Ensure that user accounts are implemented as approved by designated personnel. | Courion ensures that only authorized personnel can request and approve user access to Critical Cyber Assets for employees under their supervision. |
| CIP-007-1: Review, at least annually, user accounts to verify access privileges. | ComplianceCourier enforces scheduled user account reviews by authorized managers to verify access privileges. |
| CIP-007-1: Require and use passwords, subject to the following, as technically feasible: | PasswordCourier enforces state-of-the-art password policies, including min/max length, password expiration, use of alpha, numeric and special characters, dictionary words, passwords containing the username, password reuse and other strong password policies. |
| CIP-007-1: Implement automated tools or organizational process controls to monitor system events that are related to cyber security. | Courion User Activity Manager enables authorized personnel to evaluate user activity, as captured in system log files, and determine whether the activity is appropriate. The Courion Advanced Analytic Framework can be configured to capture and display relevant system events and correlate them with user access profiles to identify, manage, and monitor risks associated with noncompliance with CIP. |
Courion in Energy
Given the significant potential impact of an access breach, energy providers need a solution that enables them to comply with the requirements of CIP and improve the security of critical cyber assets by ensuring that only the right people have the right access to the right resources and are doing the right thing with that access. They need Courion’s Access Risk Management Suite™ solution. The Access Risk Management Suite enables energy organizations to:
- Control access to critical cyber assets, such as applications and databases
- Verify the proper use of that access
- Safeguard sensitive data from unauthorized access
- Demonstrate compliance with key elements of NERC CIP and other relevant regulations
The Access Risk Management Suite features:
Manage Employee Access Rights: Energy providers must ensure that new employees have access to the systems they need in order to do their work, and then automatically remove that access when they leave the organization. They use Courion’s RoleCourier® solution to manage the role definition process, which ensures that users within a particular role have only the access rights they require to be productive. AccountCourier® automates account creation and termination, using either pre-defined roles or the specific access request and authorization process your organization uses. These solutions ensure that users have the appropriate access rights, prevent separation of duties violations, and significantly reduce the time, effort and cost of managing employee access rights.
Identify Unknown Accounts: In many attacks, a hacker may attempt to compromise or create an account for their own purposes. Courion’s IdentityMap™ process locates user accounts on internal systems and associates those accounts with a known individual identified in a designated system of record. The initial IdentityMap scan can identify and resolve zombie accounts, which are accounts associated with someone who is no longer with the organization. Subsequent IdentityMap scans may reveal previously unknown accounts, which may indicate an attack. Courion can then alert the appropriate personnel to take remedial action.
Access Certification: Courion ComplianceCourier™ is used by line-of-business managers, compliance officers, security personnel, or IT administrators to review access rights of users they supervise and certify that access complies with policy. When a user’s access rights are out of compliance with policy or industry regulations, ComplianceCourier provides a range of options to block or restrict unauthorized access. Audit tracking capabilities also make compliance reporting and analysis faster, easier and cheaper.
Protect Sensitive Data: Courion’s Sensitive Data Manager module works in conjunction with industry-leading data loss prevention (DLP) technologies to verify that access is not being misused to cover up illegal or unethical activities. According to the Verizon Business 2009 Data Breach Investigations Report, 67 percent of breached records were in locations that the organization wasn’t aware of. Integration with DLP technologies enables your organization to find sensitive data, identify who has access to that data, determine how they obtained that access, and correct access that is inconsistent with the individual’s business role.
Identify Suspicious Activity: Courion’s User Activity Manager module leverages leading security incident and event management (SIEM) technologies to perform deep analysis of prior user activity. Integration with SIEM technologies enables you to identify patterns of suspicious behavior – after-hours access, large data downloads, access from a previously unknown account, etc. – captured in system log files, and combine that data with information concerning the user engaged in that behavior, such as name, title, department, manager, location, etc. You can then determine if the individual’s behavior is consistent with the needs of the business, and take the appropriate steps to terminate access to key applications if it is not.
Secure Passwords: Courion’s PasswordCourier® reduces potential access vulnerabilities by enforcing strong password policies, while also dramatically reducing costs associated with help desk calls because of its secure self-service password reset capability.
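The account reconciliation described under Identify Unknown Accounts above (correlating discovered accounts with an HR system of record, flagging zombie and previously unseen accounts), combined with the CIP-004-1 revocation windows from the table, as an added Python example; this is not Courion's code, and the record formats, field names and sample data are assumptions constructed here:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Person:                     # record from the HR system of record (assumed format)
    pid: str
    terminated: datetime = None   # None while still employed
    for_cause: bool = False

@dataclass
class Account:                    # account discovered on a target system (assumed format)
    system: str
    name: str
    owner: str = None             # person id resolved by correlation, None if unmatched
    enabled: bool = True

# CIP-004-1 revocation windows from the table above: 24 hours for cause, 7 days otherwise
DEADLINE = {True: timedelta(hours=24), False: timedelta(days=7)}

def reconcile(accounts, people, previous_scan, now):
    """Classify accounts: zombie, overdue (zombie past its CIP-004 deadline), unknown, new_unknown."""
    found = {"zombie": [], "overdue": [], "unknown": [], "new_unknown": []}
    for acct in accounts:
        key = f"{acct.system}:{acct.name}"
        if acct.owner not in people:          # covers owner None and ids missing from HR
            found["unknown"].append(key)
            if key not in previous_scan:      # first appearance since the last scan: investigate
                found["new_unknown"].append(key)
            continue
        person = people[acct.owner]
        if person.terminated and acct.enabled:
            found["zombie"].append(key)
            if now - person.terminated > DEADLINE[person.for_cause]:
                found["overdue"].append(key)
    return found

PEOPLE = {"e100": Person("e100"), "e200": Person("e200", datetime(2024, 1, 1), for_cause=True),
          "e300": Person("e300", datetime(2024, 1, 5))}   # constructed sample HR data
ACCOUNTS = [
    Account("scada-hmi", "jdoe", "e100"),
    Account("scada-hmi", "asmith", "e200"),                 # left for cause a week ago
    Account("historian", "bjones", "e300"),                 # left 3 days ago, inside the 7-day window
    Account("eng-ws", "old_admin", "e200", enabled=False),  # already disabled: revoked, not a zombie
    Account("historian", "svc_backup"),                     # owner never resolved, seen in last scan
    Account("eng-ws", "tmp_admin"),                         # owner never resolved, never seen before
]
PREVIOUS_SCAN = {"scada-hmi:jdoe", "scada-hmi:asmith", "historian:bjones",
                 "eng-ws:old_admin", "historian:svc_backup"}

def sample_report():   # stand-alone run over the constructed data, scan dated 2024-01-08
    return reconcile(ACCOUNTS, PEOPLE, PREVIOUS_SCAN, now=datetime(2024, 1, 8))
```

In a real deployment the `accounts` list would come from each system's account export and `previous_scan` from the stored keys of the last run, so that `new_unknown` isolates accounts that appeared between scans.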
Benefits
Courion solutions provide companies in the energy and utility sector with the following benefits:
Improve productivity: create accounts for new permanent and contract employees quickly and easily, giving them immediate access to mission-critical business applications, while ensuring they have the minimum access to sensitive data required for their jobs.
Enhance security: dynamically adjust access rights as employees change roles due to transfers, promotions, demotions or reorganizations. Transparent synchronization technology allows users to use the same username/password combination for all systems, reducing the potential that they will be tempted to write down their password.
Eliminate zombie accounts: automatically suspend or discontinue access when staff or contractors are terminated.
Reduce costs: enable users to securely reset a password if they forget it or it expires from their Windows workstation, over a web browser, or via a telephone, without having to call the help desk. Courion's provisioning solution enables substantial reductions in IT staff overhead dedicated to managing the account creation, management and termination process.
Demonstrate compliance: quickly and easily attest that employees have access rights that are consistent with organization policy and relevant regulations.
