Just like all the other automation and control technologies before it, cybersecurity can also optimize process applications and improve efficiency by preventing the downtime that accompanies network intrusions and cyber-attacks.
For example, Vermont Electric Cooperative (VEC) in Johnson, Vt., serves 75 communities in eight counties and earns $77 million per year, but it recently sought to enhance the reliability and cybersecurity of its power grid, while also improving operational efficiency by eliminating labor-intensive ICS monitoring, and saving 10-12 hours per week.
“As with any utility, service reliability is paramount, and a robust cybersecurity program and platform is how we ensure it," says Kris Smith, operations engineering manager at VEC, which adopts the U.S. Office of Electricity Delivery and Energy Reliability's mindset for boosting cybersecurity preparedness and incident response. "We used to rely on manual, time-consuming processes to administer our systems and mine data. Collating and analyzing large datasets from three different systems in tabular format was so resource-intensive that it was difficult to apply comprehensive cybersecurity."
Smith reports that VEC's criteria for automating its cybersecurity system included implementing a solution with a proven industry track record that could:
- Automatically build an asset inventory, visualize assets, and model their interactions;
- Detect and provide alerts about anomalies and potential threats;
- Improve operational efficiency by replacing manual processes with automation features and capabilities; interfacing seamlessly with VEC’s existing systems, and enabling the consolidation of data from networks onto one platform; and
- Scale and adapt for future development, growth and support.
Following a proof-of-concept (PoC) project, VEC picked real-time monitoring software from Nozomi Networks, which met its requirements for visualization, detection, response, administration, and long-term administration and support. In the PoC, VEC used Nozomi's solutions to consolidate its ICS data for analysis, visualize assets and their relationships, and automate alerts to address anomalies and potential threats.
"Nozomi let us do a deep dive into the network protocols themselves, which supports both our cybersecurity and efficiency objectives," says Smith. “Today, I can visualize all my network components, and see how they interact. I also added indicators of compromise (IOC) as I get them from the cybersecurity community. So, in a matter of moments, I can identify and address any issues. Plus, when Nozomi's automated cybersecurity and operational monitoring system detects anomalies, I get real-time email alerts. The software's integrated reports let me do more consistent reviews of my log data and system performance, and respond more quickly and comprehensively to information we get from our peers."
Asset inventory, AI identify anomalies
Nozomi also provides more granular visibility into VEC's ICS operations by creating an asset inventory and automatically updating it; visualizing the utility's network and models, and the relationships between assets; and using an artificial intelligence (AI) feature to learn network traffic behavior patterns, and issue alerts or warnings when anomalies are detected. "We’ve also used this data to tune protocols to be more efficient and to eliminate some communication errors,” adds Smith.
"It used to take me two to three hours to go through dozens of pages of information from three systems,” says Smith. “Today, some of the cybersecurity system reviews I do take as little as 15 minutes. Nozomi's software also lets us drill down into protocols for new and existing equipment to efficiently diagnose issues. Consequently, we’ve improved our operational performance, and in some cases can avoid costly truck rolls.”
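The inventory-and-baseline monitoring described above, reduced to its core logic as an added example (not Nozomi's code or VEC's configuration). The flow records, addresses, IOC entry and the `Monitor` class are all constructed for illustration.

```python
from collections import defaultdict

# Constructed passive-capture flow records: (src_ip, dst_ip, protocol, dst_port).
LEARNING = [
    ("10.0.1.10", "10.0.2.21", "dnp3", 20000),
    ("10.0.1.10", "10.0.2.22", "dnp3", 20000),
    ("10.0.1.15", "10.0.2.21", "modbus", 502),
]
LIVE = [
    ("10.0.1.10", "10.0.2.21", "dnp3", 20000),   # link already in the baseline
    ("10.0.1.15", "10.0.2.22", "modbus", 502),   # known assets, link never seen
    ("10.0.3.99", "10.0.2.21", "modbus", 502),   # asset missing from the inventory
    ("10.0.1.10", "203.0.113.7", "https", 443),  # destination on the IOC list
]
IOC_IPS = {"203.0.113.7"}  # constructed indicator (documentation address range)

class Monitor:
    """Hypothetical monitor: asset inventory, link baseline and IOC matching."""
    def __init__(self, iocs):
        self.iocs = set(iocs)
        self.assets = defaultdict(set)  # ip -> protocols observed for that asset
        self.links = set()              # baseline of (src, dst, proto, port)

    def learn(self, flows):
        """Learning phase: everything observed becomes inventory and baseline."""
        for src, dst, proto, port in flows:
            self.assets[src].add(proto)
            self.assets[dst].add(proto)
            self.links.add((src, dst, proto, port))

    def inspect(self, flow):
        """Detection phase: return the alerts raised by one live flow."""
        src, dst, proto, port = flow
        alerts = []
        for ip in (src, dst):
            if ip in self.iocs:
                alerts.append(("ioc_match", ip))
            elif ip not in self.assets:
                alerts.append(("new_asset", ip))
                self.assets[ip].add(proto)  # inventory updates itself, alert fires once
        if not alerts and flow not in self.links:
            alerts.append(("new_link", f"{src}->{dst} {proto}/{port}"))
        return alerts

    def run(self, flows):
        return [alert for flow in flows for alert in self.inspect(flow)]

if __name__ == "__main__":
    monitor = Monitor(IOC_IPS)
    monitor.learn(LEARNING)
    for alert in monitor.run(LIVE):
        print(alert)
```

New assets join the inventory after one alert, while unseen links stay outside the baseline and keep alerting until an operator accepts them.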
While VEC doesn’t have any NERC CIP jurisdictional assets, Smith adds it's ready for them. "We're prepared if regulators bump the limit down so that our assets are included,” says Smith. “I like that Nozomi positions us to be compliant if regulations become more stringent.”
Andrea Carcano, founder, board member and chief product officer at Nozomi Networks, adds that, "Over the past year, Nozomi's job has evolved along with many others. We switched to emergency mode because the employees at so many companies had to work at home, and they needed added equipment and networking to reach their chemical or power plants and other facilities. Many big companies already had most of this infrastructure, but they hadn't used it yet."
As usual, the problem with expanded networks and added connections is the increased risk of intrusions and cyber-attacks, according to Carcano. "Being more open to the world also means users may catch viruses they wouldn't get before. As soon as COVID-19 kicked in, we saw more malware and attacks," he explains. "These included standard attacks, but also some modified to better attack OT users, including generic ransomware. We believe the best response is using a cybersecurity solution with dedicated rules for monitoring remote connections that have been added, such as our Vantage SaaS-based software that monitors all connections in real-time, and also performs anomaly detection and gathers threat intelligence to identify anything going wrong in a plant."
Beyond monitoring for anomalies and cyber-attacks, Nozomi's software also checks if they're similar to attacks observed elsewhere, and keeps track of the threat actors generating them. In addition, the software monitors for botnets, which are groups of compromised, Internet-connected devices that can work collectively to allow outside, unauthorized control of internal components and systems. "We're seeing more botnets as IIoT devices have multiplied. They're increasing in consumer, business and industrial networks, and will likely increase as 5G expands because it also gives every device an IP address. There's just a constant war over communications and control, so it's crucial for users to identify their IIoT devices, make them follow cybersecurity best practices, and monitor who and what is talking to them, even if it's just a simple camera."