A critical infrastructure company in Northern California gained visibility into its network...while securing its clients, reports Greg Masters.
As one of the largest natural gas and electric utilities in the United States, Pacific Gas and Electric Co. (PG&E) is the very definition of critical infrastructure. And, like any large business, it has to defend its tens of thousands of devices on different network segmentations from cyber attacks.
PG&E has more than 20,000 employees working at 1,000 facilities and branches across northern California. The San Francisco-based utility company provides electricity and natural gas to approximately 16 million people and has more than five million business and residential accounts spanning more than 100,000 square miles of service territory. Its annual revenue is around $17 billion.
As might be expected, certain of its networks need to be kept separated for security reasons and its team managing the implementation needs full visibility at all times. To that end, it was agreed that a solution was required that would allow the PG&E security team to visualize both networks on an ongoing basis with limited connectivity between them, monitor for suspicious activity and quickly understand and isolate risk.
“Ensuring the safety of the public is paramount,” says James Sample (left), senior director and CISO at PG&E. “We must ensure our systems are reliable and resilient to be able to do this.”
He says that one of the things his team was trying to drive toward was a comprehensive risk management solution. “There's a lot of controversy with those who say that risk management is too ‘pie in the sky,' and you have to do the whole practical implementation,” he says. “Our view is that if you are doing risk management properly, you are doing that whole lifecycle. You are doing the analysis component of it, as well as the detailed execution component of it.”
In moving toward this holistic risk management solution, one thing that is really important is visibility, he says. “The more you can see, the more you understand about your environment, the more data you have and the more data points you have – the more informed decisions you can make and determine where you want or need to invest.”
Sample says he and his team sought to ensure they weren't focused only on chasing vulnerabilities. “We could use all of these tools in a reactive fashion and spend our time chasing vulnerabilities, but instead, we want to plug in trends, plug in more data and be more proactive.”
His team – which consists of 1,700 full-time technology personnel, plus 500 contractors – is dealing with a complex network. So, for his team to be able to protect it and perform computer network defense activities and monitor for vulnerabilities, they needed a better way of understanding and visualizing the activity. “And on top of that, we need to provide that visibility to folks who didn't design or operate our network, but really need to understand our network topography,” he says.
A search for an appropriate solution began. His team compared offerings from RedSeal Networks side-by-side with other vendors in this space. RedSeal, he says, for a variety of reasons was their choice “hands down” to join its security solutions as an overall component of a comprehensive risk management strategy.
“First, RedSeal was readily able to show that they could do the things that we needed the solution to do, and it seemed to be far more mature and built-out versus conceptual,” he says.
Second, he says, because PG&E is a Cisco shop, one of the key requirements was support and integration with Cisco. Another key requirement was that the tool also integrate with its vulnerability management solution, which is nCircle's IP360. This satisfied a need for visibility into network activity – with intelligence on the vulnerabilities that exist on the systems and how exposed those systems are to attack – that could be shared with partners. “RedSeal excelled in its ability to demonstrate these capabilities,” Sample says.
Third, he says, in working with RedSeal throughout the evaluation process, his team came away confident with how it works and supports business partners. “RedSeal was on the same page with us in terms of strategic thinking about how to integrate into a larger system,” he says. “They demonstrated their worth not just operationally, but tactically as well.”
The RedSeal platform automatically creates an end-to-end picture of the network infrastructure, based on the “as-built” configurations of the live networking equipment, says Mike Lloyd, CTO at Santa Clara, Calif.-based RedSeal Networks. “The RedSeal engine then adds data about endpoints, generally obtained from vulnerability scanners. This combines the ‘chess board' of the network with the ‘chess pieces' – the endpoints on which the business runs.”
Combining them answers four major types of questions, Lloyd says: Visibility, including the ability to see what is missing from the defensive big picture; checking individual elements against best practice rules; testing the network as a whole to ensure it meets stated policies for network access; and simulating attacks on the infrastructure to find weak points.