Today, energy and utility companies face many challenges stemming from a complex regulatory environment and pressure from investors and shareholders to increase profits. As the energy and utility sector moves away from legacy infrastructure to reap the benefits of emerging technologies, it is worth noting that the convergence of operational technology (OT) and information technology (IT) will pave the way for more technologies, devices, and systems to connect to the grid. This will drive efficiency and productivity while providing access to data often held in silos.
At the same time, the downside of this convergence will be increased challenges that the OT and IT departments might face in efficiently and effectively managing digital identities and access. Many utilities run systems that are fragmented and controlled by numerous departments. There is a lack of overall traceability and accountability regarding access to critical and non-critical assets, which increases the risk of attacks, service disruptions, and a failure to identify the root cause of such attacks.
A leading energy and utilities holding company that acts as an energy supplier in eight states across the United States faced severe certificate outages due to a lack of visibility into the certificate infrastructure.
Public certificate authorities (CAs) provided transport layer security (TLS) certificates for several external access points. The identity and access management (IAM) teams were responsible for certificate management, issuance support, and Public Key Infrastructure (PKI) processes. Thousands of servers and employees used PKI, but there was no well-defined process that dictated how certificates and keys were managed.
A lack of clear visibility into where every certificate was located resulted in frequent expiry-related outages, certificate duplication, cumbersome troubleshooting, and complicated maintenance. The PKI team performed certificate tasks such as expiry monitoring and installation manually. There was no centralized system through which all aspects of PKI could be managed securely.
The ubiquity of certificate requests and certificates resulted in significant responsibility sprawl, and there was no way to ensure that the enterprise SSL policy was adhered to. The lack of any proper audit mechanism made identifying and remediating unauthorized access and actions performed on certificates and their private keys extremely challenging.
Endpoint deployment, a critical component of the certificate lifecycle, was not secure. Keys were distributed unencrypted, and pushing each certificate to its respective endpoints required significant work because the deployment process was decentralized.
The AppViewX deployment team worked seamlessly with the customer’s IT infrastructure and started delivering results right from the start.
AppViewX CERT+ scanned and located certificates on many devices and servers and across multiple CAs. The discovered certificates were automatically added to the inventory, and CERT+ allowed for grouping based on specific criteria.
CERT+ provided holistic visibility into certificate health with reports that displayed validity statuses. Periodic alerts for imminent certificate expirations could be configured to be sent via emails to the respective certificate/group owner, ensuring that a renewal was never missed.
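The discovery-inventory-alert loop described above, as an added example that is not part of the original case study or the AppViewX product: each discovered certificate is parsed from DER, recorded with the endpoint it lives on and its owner group, and anything inside a renewal window is turned into a notification for that group only. The hostnames, owner groups and the self-signed fixture certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Record struct { // one inventory entry: endpoint, owning group, parsed certificate
	Host, Owner string
	Cert        *x509.Certificate
}

// ExpiryAlerts returns notification lines grouped by owner for certificates inside the renewal window (days left is negative once expired).
func ExpiryAlerts(inv []Record, now time.Time, window time.Duration) map[string][]string {
	out := map[string][]string{}
	for _, r := range inv {
		if left := r.Cert.NotAfter.Sub(now); left <= window {
			msg := fmt.Sprintf("%s (CN=%s): %d days left", r.Host, r.Cert.Subject.CommonName, int(left.Hours()/24))
			out[r.Owner] = append(out[r.Owner], msg)
		}
	}
	return out
}

// selfSigned mints a constructed certificate and parses it back from DER, as a discovery scan would.
func selfSigned(cn string, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // keygen from rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// SampleInventory is a constructed inventory; hostnames and owner groups are hypothetical.
func SampleInventory(now time.Time) []Record {
	return []Record{
		{"scada-gw.example", "grid-ops", selfSigned("scada-gw.example", now.AddDate(0, 0, 12))},
		{"portal.example", "web-team", selfSigned("portal.example", now.AddDate(0, 0, 200))},
		{"legacy-hmi.example", "grid-ops", selfSigned("legacy-hmi.example", now.AddDate(0, 0, -3))},
	}
}
```

With a 30-day window, only the grid-ops group is notified: once for the certificate expiring in 12 days and once for the one that already expired, while the web-team certificate with 200 days left produces nothing.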
A self-service portal was made accessible to application maintenance teams, which they could use directly to request certificates. This minimized their reliance on the PKI security team for routine certificate tasks and was a huge time-saver. Role-based access control was also applied, ensuring that only authorized personnel would be able to make changes to PKI.
Tasks such as certificate signing request (CSR) generation, email notifications, certificate signing, and certificate lifecycle management (CLM) were completely abstracted and automated. AppViewX’s automation engine tied together disparate tasks and executed them in an orderly fashion based on activity triggers from users, sparing the teams significant manual effort.
Since the AppViewX platform integrates with most endpoints and commercial CAs available on the market, teams were able to discover, request, renew, revoke, deploy, and create certificates from right within the AppViewX console without having to switch between various CAs and device vendor portals. SSL policy could be defined and enforced across the organization as well.