With 70 international plants spanning 15 different countries, the AES Corporation is a next-generation energy company helping lead the way to a carbon-neutral future. Like many organizations, AES wanted to improve the security posture within their OT networks with technology spanning multiple vendors. Recently I sat down with Kyle Oetken, Director of Cyber Defense, and Andrew Plunket, Sr. Cybersecurity Engineer (OT), at AES to discuss the challenges and lessons learned for securing OT environments. You can check out the full roundtable to hear more from Kyle and Andrew.
Can you provide some background on your OT environment?
Our global network of plants features all major turbine vendors spanning various kinds of power generation. Because of this, our key priorities now are vulnerability management, identification of all systems that bridge to OT and their security – both internal and external – and ensuring we have visibility into all the systems on the OT network with our monitoring tools for detection and response purposes.
Are your OT sites standardized? How many ICS vendors do you have across the sites?
We have policies that each site must adhere to, including network architecture, but each site is unique. I think you could find at least one of our sites that runs equipment from every major ICS vendor worldwide.
How was your environment managed before Forescout? What persuaded your organization that you needed a solution like Forescout provides?
Outside of AES, there was a significant rise in reporting of cybersecurity incidents affecting OT and manufacturing. Historically, the global cyber organization was very involved in implementing security programs for the internal network, but we had less control over securing the OT network, so it was clear to us that we needed to include the OT networks as part of our overall cybersecurity program if we wanted to mitigate the risk to our plant operations. It was imperative for us to implement a unified platform that could provide cybersecurity monitoring and data for each plant.
Can you share any key findings (detected by Forescout) that were eye openers for your OT site teams and IT teams?
One thing the Forescout platform does very well is creating network maps of what each system is talking to and in which direction. This highlighted systems that bridged OT to IT that some plants could monitor better. We have also been able to detect network scanning activity (pen tests or vendor maintenance) on the OT network, identify default credentials and then work with the OT operations teams to change those credentials. All these findings helped improve the value of the OT security program since it highlighted and fixed issues we should prioritize.
How are you assessing risks and prioritizing remediation steps?
This is a complicated question, but it is a mix of the criticality of the system in question, where on the network that device sits (does it bridge to IT?), and the severity of the vulnerability. The Forescout platform helps with all of this because it can give us a good idea of all three of these data points for us to make a risk decision. From there, we prioritize the highest risk items. All of this requires a detailed remediation plan made in collaboration with each specific site and almost always requires planning to implement changes in an outage window.
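As an added illustration of the three data points described above (an example written for this page, not code from AES or Forescout), the script below builds a directed communication map from constructed flow records, flags OT hosts that exchange traffic with IT, and ranks assets by criticality, bridge position and vulnerability severity. The zone ranges, flow records, asset values and the 1.5 bridge weighting are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data: assumed zone ranges and unidirectional flow
# records (src, dst, dst_port) as a monitoring tool might export them.
ZONES = {"IT": ip_network("10.10.0.0/16"), "OT": ip_network("192.168.50.0/24")}
FLOWS = [
    ("10.10.1.5", "192.168.50.20", 3389),     # IT jump host -> engineering workstation
    ("192.168.50.20", "192.168.50.30", 502),  # workstation -> PLC (Modbus)
    ("192.168.50.20", "10.10.2.9", 445),      # workstation -> IT file share
    ("10.10.1.5", "10.10.2.9", 445),          # IT-only traffic
    ("192.168.50.31", "192.168.50.30", 502),  # OT-only traffic
]

def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is outside both ranges."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def comm_map(flows):
    """Directed map: each host -> set of (peer, port) it initiates traffic to."""
    talks_to = defaultdict(set)
    for src, dst, port in flows:
        talks_to[src].add((dst, port))
    return talks_to

def bridging_hosts(flows):
    """OT hosts that exchange traffic, in either direction, with an IT host."""
    bridges = set()
    for src, dst, _ in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if {zs, zd} == {"IT", "OT"}:
            bridges.add(src if zs == "OT" else dst)
    return bridges

def risk_score(criticality, bridges_it, severity):
    """Combine criticality (1-5), bridge position and severity (0-10).
    The 1.5 weighting for bridging hosts is an assumed policy value."""
    return criticality * severity * (1.5 if bridges_it else 1.0)

def prioritize(assets, flows):
    """assets: {ip: (criticality, severity)} -> [(ip, score)] highest risk first."""
    bridges = bridging_hosts(flows)
    scored = [(ip, risk_score(c, ip in bridges, s)) for ip, (c, s) in assets.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

Running `prioritize` on a handful of assets shows that a non-bridging PLC with a severe, high-criticality finding can still outrank the bridging workstation, which is why all three factors are weighed together rather than any one alone.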
What are the steps on site at the plants once a risk is discovered?
We work with IT and operations staff at each plant to create a remediation plan. We then provide them with a prioritized list of risks we would like remediated and work with them to plan how each one needs to be done and in what order. Then, we create a work completion timeline.
Patching is not always possible. How do you deal with those situations to manage your risks despite the unpatched vulnerabilities?
We have a vulnerability exception process that identifies those situations. First, we try to provide compensating controls, mainly through network isolation, as best as possible. We then require the operators and OT management to verify that they know of the risk and accept it.
What are your recommendations to other end users looking to move ahead on their OT cybersecurity journey?
The foundation of any cybersecurity program is to know the assets. You’re kind of shooting in the dark without a tool to do this for you. OT devices typically lag behind the IT network as far as cybersecurity is concerned. Having well-defined network segmentation to isolate one from the other is incredibly important. Many times, the operators will think that the number of systems and ways to bridge from IT to OT is much less than it actually is. So, it is essential to be ready to partner with plant operators because cybersecurity is new to them and, in most cases, not a high priority. Developing a partnership of collaboration is key.