EnVision empowers electricity operator


Protecting network traffic from malicious attacks is a challenge for any network administrator. It’s an even more daunting task for the IT security team working at the Independent Electric System Operator (IESO), which runs Ontario’s wholesale power market.

With a staff of 500 employees, the IESO is responsible for keeping the lights on for more than 10 million customers.

The non-profit body connects all key players in the grid – generators that produce electricity, transmitters that send the current across the province, retailers that buy and sell energy, industries and businesses that use power in large quantities and local distribution companies that deliver electricity to people’s homes.

IESO is also responsible for reporting network “events” to appropriate industry auditors to ensure it is in compliance with proper security procedures.

This is easier said than done. IESO’s IT architecture includes more than 2,500 connected devices – an intricate mix of servers, firewalls, and other intrusion detection systems – that generate more than 6,000 events per second. With such a complex, diversified architecture, producing these reports presents quite a challenge.

“It got to a point where creating the reports on top of our normal day-to-day tasks was nearly impossible,” said Dave Lewis, information security team leader of IESO.

Lewis said four years ago IESO simply created a server to collect the data and extract appropriate events for the compliance reports. “We built a log server using Linux to do the job. It worked, but the task just got too tedious.”

The five-person information security team devoted more than an hour each day to generating the reports.

The IESO’s strategy for dealing with compliance requirements is not uncommon, according to Jim Melvin, executive vice-president of marketing at Network Intelligence Corp.

The Westwood, Mass-based firm produces security information and event management (SIEM) products.

“We meet many technologists who say: ‘all I need to do is collect the data. How difficult could that be?'”

The fact, Melvin said, is that it is a difficult task because of the huge number of devices and varied formats used in any given network. “It’s like walking into a United Nations session and hoping to jot down all the speeches without an interpreter.” Melvin said companies need a product that can understand the assets that need to be managed.

Network Intelligence’s core appliance-based product, enVision, serves as the “interpreter” that collects and correlates data from all the network devices. The product also churns out event reports in a common language.

Threats to a company’s network can range from seemingly harmless employee activities to planned attacks, according to Melvin.

He said enVision helps users identify these types of network traffic. The product also enables administrators to create a set of static and dynamic rules that govern access.

With additional compliance requirements coming up in 2008 from the North American Electric Reliability Council (NERC), the IESO decided to shop around for a reliable SIEM apparatus in 2005.

Lewis said IESO deployed two enVision HA servers early this year after trying out competing products from 13 other suppliers. “A lot of the products we evaluated did a pretty good job, but enVision gave us the biggest bang for our buck.”

Some products were too expensive, complicated or required “a lot of care and maintenance.”

The enVision installation was completed in just four clicks and in less than an hour the system was already recovering data and generating a report, Lewis said.

EnVision captures the activity logged by devices in IESO’s network, regardless of what format the event is written in. The product also creates a comprehensive report on a Web-based template.

The automated process allows Lewis and his team to specify at what intervals they want the reports generated. Because the templates are Web-based, reports can be transmitted almost instantaneously to auditing authorities.

Lewis would not release any figures but said savings from uptime were “significant.”

Compliance with regulatory body requirements has to be viewed as an inherent part of a company’s operation, according to one Toronto-based risk and compliance consultant.

“Compliance is not an external matter, it is part of good governance,” according to Fariba Anderson, a partner at Manta Group Ltd.

Depending on a company’s maturity and size, Anderson said, firms earmark anywhere from one to 10 per cent of their information technology budget for compliance.

In the world of tightly budgeted IT departments, projects that help a company reach its compliance mandate often get top priority. Governing bodies, whether government-based or industry-created, institute guidelines and principles to ensure companies fulfill their social responsibilities, she said. “If a company doesn’t have proper adequate security measures in place, that firm opens itself up to possible attack or potential disaster.”

Melvin said one key advantage of the enVision system is its scalability. For less than US$20,000 a firm with 50 to 100 employees can purchase a unit that screens network traffic produced by up to 100 devices.

A unit that handles 500 to 1,000 devices costs US$50,000 to US$100,000.

The IESO has two enVision HA units that monitor some 250 devices. Lewis said they intend to add more units next year to handle the rest of the network traffic.

QuickLink 060259
