Most of us have lived through the nightmare of a large part of the power grid going down, leaving us in the dark, while critical facilities such as hospitals stare out in desperation. It is a tug of war between utility operators, cybersecurity experts who try everything possible to get the grid back up and hackers trying to prevent the same.
Energy and utility companies face many challenges today, stemming from a complex regulatory environment and pressure from investors and shareholders to increase profits. As the energy and utility sector moves away from legacy infrastructure to reap the benefits of emerging technologies, it is worth noting that the convergence of operational technology (OT) and information technology (IT) will pave the way for more technologies, devices, and systems to connect to the grid. This will drive efficiency and productivity while providing access to data often held in silos.
At the same time, the downside of this convergence will be increased challenges that the OT and IT departments might face in efficiently and effectively managing digital identities and access. Many utilities run systems that are fragmented and controlled by numerous departments. There is a lack of overall traceability and accountability regarding access to critical and non-critical assets, which increases the risk of attacks, service disruptions, and a failure to identify the root cause of such attacks.
How can you better protect power generation, transmission, and distribution?
How can you control and secure access to resources, including OT systems, buildings, equipment, and IT systems?
At first, let us look at some of the primary business challenges this sector might be facing with managing digital identities, such as digital certificates and keys.
Lack of Public Key Infrastructure (PKI) Visibility: A lack of clear visibility into where every digital certificate is located results in frequent expiry-related outages, certificate duplication, cumbersome troubleshooting, and complicated maintenance. Detecting the presence of all self-signed certificates and certificates with weak keys and deprecated algorithms is difficult to achieve manually, exposing your firm to vulnerabilities.
Manual, Decentralized Certificate Operations: If the PKI team handles certificate tasks such as expiry monitoring and installations manually, it is time to switch to an automated system to maintain inventory and group certificates. This will help provide visibility post-discovery. Equally important is having a centralized system using which all aspects of PKI can be managed securely.
Lack of Policy and Control: The ubiquity of certificate requests and certificates results in significant responsibility sprawl – several different individuals handle PKI via multiple channels, and there is no way to ensure that the enterprise SSL policy is being adhered to. There is also a need to audit changes made to PKI and assign access control to the owners of certificate groups.
Insecure Endpoint Deployment: There are several different device types where certificates need to be deployed. When the key distribution is done in an unencrypted fashion, pushing the certificate to its respective endpoints requires significant work due to its decentralized nature. The entire certificate deployment process needs to be streamlined and made fully secure, as it is a critical component of the certificate lifecycle management process.
Do not leave your utility exposed.
A converged approach that unifies identity and access management (IAM) functions across OT networks, physical access control systems (PACS), and IT systems can be a game-changer. These networks often operate independently, resulting in identity and access information disparity, increased costs, and inefficiencies. In addition, these networks support different infrastructures, each with unique security risks.
Here are some best practices of an end-to-end certificate lifecycle management (CLM) solution that can be customized and implemented by energy providers of varying sizes depending on your CLM maturity levels.
Scanning and Visibility: Run scans across multiple network environments, endpoints, and certificate authorities (CA) to detect and locate every certificate in your inventory, thus gaining 100% visibility into your PKI.
Key Security and Management: Leverage industry-standard AES-256 encryption to safely store your keys or employ native integrations with hardware security modules (HSM) to add an additional layer of security to your key management strategy.
Automated Certificate Operations: Set up workflows for automated renewals, employ streamlined revocation and replacement processes, and take advantage of zero-touch endpoint provisioning procedures.
Tasks such as certificate signing request (CSR) generation, email notifications, certificate signing, and CLM can be wholly abstracted and automated. The automation engine will help tie together disparate tasks and execute them in an orderly fashion based on activity triggers from users, minimizing significant manual effort.
Dynamic Monitoring: Keep tabs on your certificate infrastructure with real-time reporting and detailed dashboards with key metrics and statistics displayed for quick retrieval and action.
Role-based Access and Audit Control: Enforce policy and ensure that only designated personnel can access critical network components and leverage audit trail functionality to exercise complete control over changes effected.
Self-Service of PKI: A self-service portal accessible to application maintenance teams can be used to requisition certificates as necessary directly. This minimizes their reliance on PKI security teams for trivial certificate tasks, which could prove to be a huge time-saver.
Role-based control ensures that only authorized personnel can make changes to PKI. You could use a low-code page builder to design self-service forms in such a way that different teams are exposed to only the information that is relevant to them.
End-to-end Certificate Lifecycle Management: The importance of a tool that integrates with most endpoints and commercial CAs available on the market can’t be ignored. Teams will be able to discover, request, renew, revoke, deploy, and create certificates from within a centralized console without having to switch between various CAs and device vendor portals. Define and enforce SSL policy across the organization for an enhanced security posture.