VAUGHAN, Ont. — Managed security service providers regularly romance IT managers of small to mid-sized organizations, promising big gains in productivity, wide security expertise cost savings and round the clock protection for taking their business.
But there are good reasons to say no. That’s what Carey Lacroix, senior IT manager at North Bay Hydro did over a year ago.
Lacroix was one member of a panel of IT leaders from four Ontario electricity distributors who spoke about their decisions at last week’s annual information systems and technology conference of the province’s Electricity Distributors Association here.
Three other members of the panel said yes to MSSP.
Despite coming from one industry, their lessons may be applicable to CISOs in other sectors.
Lacroix’s and his staff of two oversee a network with six LANs with segregated subnets, 10 network nodes and 150 endpoints. Most applications are on-premise. By his account, it has an array of good security and network tools.
But, he added, when joining the department in mid-2017 it was an “eclectic” environment: Lots of things worked, but security and network documentation were lacking. He found computers didn’t have session timeouts — on his first Monday morning computers were running that had been logged in the previous Friday.
The staff knowledge of security was only “just enough to get by … We’re probably lucky nothing major happened to us.”
A review of the department’s options included retaining an MSSP, but “my recommendation was to come in-house to bring some stability, visibility, credibility back to our IT organization.” Lacroix wanted not only to increase staff knowledge of the whole environment but also to better utilize the security and networking tools they had.
“This was important to me because in my prior job, with a large multinational, we had outsourced most of IT to a third party and we lost our institutional knowledge,” he explained to the conference. That company didn’t have enough information to question the MSSP’s decisions, “and I didn’t want to be in that position again.”
The review also included an extensive network and security audit, which generated an action plan. More knowledgeable staff were hired, better use was made of existing monitoring tools while new cost-effective tools were added. It helped that he had support from management.
Admittedly, Lacroix said, he doesn’t have the 24/7 support an MSSP offers, nor as many staff with wide security knowledge. To keep on top of things the staff needs constant training, and they have to be sharp to make sure all systems are patched. And, he adds, “we don’t know what we don’t know.”
Going it alone isn’t a long term solution, he admitted. But “I believe … we needed to get to a point where we actually understood our environment, felt comfortable before allowing another team to come in.”
Waterloo North Hydro was among the three utilities that went the other way. Serving 58,000 customers in the city of Waterloo and two surrounding townships, it has four transmission stations, nine distribution stations and 150 SCADA controllable field devices. The IT network has just over 35 virtual machines, 150 endpoints and over 10 LANs. Several external vendors can remotely access the network.
The department uses four private external hosting sites (for certain sensitive software) and three public sites (for a customer outage map and a human resources suite).
All this is overseen by an IT staff of five — and that, said Marianne Blasman, vice-president IT services, is one of the main reasons the utility decided to retain an MSSP.
In 2016 it hired a company to do a security analysis based on the NIST cyber security controls, which recommended adding a managed detection and response service. The following year, while reviewing its options, Waterloo North Hydro was hit by ransomware. A Cambridge, Ont.-based MSSP called eSentire helped clean up the problem, which led to it being hired.
Shortly after that — and the day before the utility was to switch over to a new customer information system — the utility was hit by another ransomware attack, which was immediately neutralized by eSentire. “We got our money’s worth,” Blasman said.
This year the utility added more services from the provider
Blasman did emphasize that having an MSSP is only one of the utility’s defences. It also has “layers and layers” of security and a “robust” program of mandatory cyber training.
Marius Sima, network infrastructure manager at Oakville Enterprises Corp., which includes Oakville Hydro, said his small IT team oversees 20 office locations, over 1,300 users, 130 servers, 150 network devices, plus the utility’s SCADA network.
Because the parent company likes acquisitions, there were four platforms for network performance, availability and security monitoring. Consolidating tools was a priority.
“We needed to come up with a new approach for network security,” he told the conference.
After six months of looking at options in 2016 it settled on a solution called Accelops (now part of Fortinet) as the utilities’ cloud-based integrated security performance and availability monitoring solution.
Fortunately, Stratejm, a Mississauga, Ont.-based service, had just announced it would offer Accelops as a monthly service.
“The timing was perfect,” Sima said. “We were looking for a cloud-based managed security provider who can provide all these network monitoring tools in one platform.”
A customized security portal built on ServiceNow was added to the Stratejm platform to display cyber security maturity progress.
The other panelist, Greig Cameron, vice-president of engineering and IT at Kitchener-Wilmot Hydro, with both and operational and an IT network to look after, auditioned eight vendors before choosing eSentire because his staff didn’t have the expertise to keep up with the increased number of attacks it was facing.
The four passed on interesting lessons from their experience. For example, Cameron noted that while his
utility has 185 employees, only 100 use it at any one time. “That was important in negotiating our contract,” he said.
A system information event management system (SIEM) is neither detection nor containment, said Blasman. An MSSP, she added. not only has to be skilled at service it also has to be a streamlined extension of your IT staff.”
Lacroix noted that one thing that can hold up any IT department from adding and MSSP is its funding process: An MSSP is not considered a capital expense, he said, while most IT departments are only funded for capital expenses.
