When South Central Power Company underwent a penetration test, they realized they had to make some changes. The company dove headfirst into implementing Zero Trust principles across their organization, including in both IT and operational technology (OT) environments. The result was a significant improvement to the organization’s cybersecurity posture across the entire extended enterprise.
Those cybersecurity capabilities were put to the test last year, as South Central had to transition nearly overnight to a remote workforce. By leveraging the principles of Zero Trust and the technologies they already had in place, the team was able to ensure smooth and secure operations, even with hundreds of employees now connecting to corporate or OT networks from remote locations.
I sat down with Jeff Haidet, Director of Application Development and Architecture, to discuss this journey, including how they went about implementing Zero Trust and their learnings as an organization along the way:
Tell us a little bit about your network infrastructure and what types of Enterprise of Things devices are present in your environment.
At South Central, we have broken traditional IT into three buckets. The first is systems, which includes the physical machines and items that people use. The second is pure networking, such as data transport switches and wide area networking. Finally, there’s applications, which is what I oversee and comprises enterprise applications, license management, release management, and software development.
Security is the overarching item that stretches across every one of those buckets, from the front-facing applications to our customers and securing payments to laptops, cellphones, tablets and computers. We also have regulatory compliance needs and critical infrastructure technology. Some of these devices, particularly when it comes to critical infrastructure, are older – sometimes 30 years old or more. The result is a wide variety of devices that we have to secure and maintain.
What event opened your eyes to the importance of Zero Trust in your cybersecurity strategy?
Back in 2015, we did an in-depth penetration test to help us illustrate and prioritize risk and we’ve been working on the long-term remediation since. Some of the things we discovered were easy to correct, but others took a bit more work. One of those areas was network segmentation. We needed to be way more granular and have way more visibility into our environments. Adding Forescout a year ago allowed us to make a leap forward with this remediation. That was when we began our Zero Trust journey in full and Forescout helped us execute on that.
We knew we wanted to bolster our posture going forward. This not only helps us achieve our security goals today, but also puts us in a position to respond to any future regulatory requirements that may emerge. This is all about being preventative and proactive – we can’t protect what we do not know. We can’t manage it if we don’t see it.
What were some of the challenges you encountered in your transition to implementing Zero Trust?
When we first started, we really didn’t have a clue as to how many IP-based devices we had on our network. One of our initial goals was to get to a strong level of visibility across all our devices, from those used by our internal employees to our linemen. What we found is that we average around 7 to 8 different devices per employee – significantly higher than our estimates. Having that visibility opened our senior leadership’s eyes to the importance of having strong device visibility and control.
We were able to get the software installed in under a day and within two to three days had full visibility. From there, we took about two to three weeks for device classification. This set the foundation for initial rules and then segmentation, which allowed us to put our Zero Trust strategy into action.
What are some examples of how you are using the Forescout platform to ensure Zero Trust?
One example is around patching. We have a third-party tool that manages our Windows patch status, but we are able to use Forescout eyeSight to have a policy that reviews those patches to make sure they are being applied in a timely manner and raises alerts if they are not. If we find a critical vulnerability that’s greater than 30 days old, for example, we force that to be remediated prior to being able to join the network on the trusted side of the network.
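The gating rule described above (a missing critical patch older than 30 days blocks the trusted network), written out as an added illustration that is not Forescout's policy syntax or South Central's configuration; the 14-day alert window, device names and patch identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

CRITICAL_MAX_AGE_DAYS = 30  # stated in the interview: critical > 30 days forces remediation
ALERT_AFTER_DAYS = 14       # assumption: "timely manner" window before an alert is raised


@dataclass
class MissingPatch:
    kb: str            # constructed identifier, not a real advisory number
    severity: str      # "critical", "important", "moderate"
    released: date     # vendor release date of the patch


@dataclass
class Device:
    name: str
    missing: list = field(default_factory=list)


def classify(device, today):
    """Return (action, reasons); action is 'trusted', 'alert' or 'remediate'.

    'remediate' means the device is kept off the trusted side until patched.
    """
    action, reasons = "trusted", []
    for p in device.missing:
        age = (today - p.released).days
        if p.severity == "critical" and age > CRITICAL_MAX_AGE_DAYS:
            reasons.append(f"{p.kb}: critical patch {age} days old")
            action = "remediate"          # hard gate, overrides any alert
        elif age > ALERT_AFTER_DAYS:
            reasons.append(f"{p.kb}: {p.severity} patch {age} days old")
            if action == "trusted":
                action = "alert"          # overdue but not yet a hard gate
    return action, reasons


def evaluate_fleet(devices, today):
    return {d.name: classify(d, today) for d in devices}


# Constructed sample inventory for the run below.
TODAY = date(2021, 3, 1)
FLEET = [
    Device("ws-01"),                                                            # fully patched
    Device("ws-02", [MissingPatch("PATCH-A", "important", date(2021, 2, 1))]),  # 28 days overdue
    Device("ws-03", [MissingPatch("PATCH-B", "critical", date(2021, 1, 15))]),  # 45 days: gated
    Device("ws-04", [MissingPatch("PATCH-C", "critical", date(2021, 1, 30))]),  # exactly 30: alert only
]

if __name__ == "__main__":
    for name, (action, reasons) in evaluate_fleet(FLEET, TODAY).items():
        print(f"{name}: {action} {reasons}")
```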
How do you determine when and where to segment various device types?
Our initial stance on everything is “trust nothing.” When it comes to segmentation and Zero Trust, that means looking at the traffic, determining what needs to talk to what and clearing that traffic out. We can have discussions about individual groups of machines and their functions, and anything that deviates from those base-case situations is not trusted.
This evaluation happens on an ongoing basis. If anything does fall off the reservation, something has changed. Whether that’s a software update, whether that’s a vendor doing something that they shouldn’t be doing or is not documented somewhere, we are able to root those things out. We can do that because we now have full visibility into the Matrix, if you will, between the different segments.
How do you do policy enforcement without knowing it’s going to break something?
We don’t. In this model of Zero Trust, we have to make the assumption that we are willing to break something. That is because, if it breaks, you probably didn’t know about it and it is likely some obscure function that somebody is doing. It’s not likely to be your everyday stuff. That said, it doesn’t happen as often as you might think. Once you are able to standardize the footprint of your applications, you very rarely go off the rails.
While we’ve decided we’d rather break something than let it remain insecure in the name of Zero Trust, we also have the power of simulation on our side. Using eyeSegment, we can test if a change in deny posture or a changing policy could have an unexpected ramification across the network. The simulate feature allows us to basically double-check our work before we make it live.
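The segment-to-segment “Matrix” from the segmentation answer above and the simulate-before-enforce step from this one, as an added illustration that is not eyeSegment's logic or South Central's configuration; segment names, ports and flow counts are constructed.

```python
# Constructed baseline: (src_segment, dst_segment, port) flows that were reviewed and approved.
APPROVED = {
    ("corp-it", "ot-scada", 443),
    ("vpn", "corp-it", 443),
    ("vpn", "corp-it", 3389),
    ("vendor", "ot-scada", 22),
}


def build_matrix(approved):
    """Allow-matrix keyed by (src, dst) -> set of approved ports."""
    matrix = {}
    for src, dst, port in approved:
        matrix.setdefault((src, dst), set()).add(port)
    return matrix


def find_deviations(matrix, observed):
    """Observed (src, dst, port, count) flows that fall outside the matrix.

    Anything here is 'not trusted': a new update, an undocumented vendor
    path, or a remote user reaching a segment they never needed before.
    """
    return [f for f in observed if f[2] not in matrix.get((f[0], f[1]), set())]


def simulate_deny(matrix, observed, src, dst, port=None):
    """Report currently-approved observed flows a proposed deny rule would break.

    port=None denies every port between the two segments. Flows that are
    already outside the matrix are not listed: denying them changes nothing.
    """
    impacted = []
    for osrc, odst, oport, count in observed:
        if (osrc, odst) == (src, dst) and (port is None or port == oport):
            if oport in matrix.get((osrc, odst), set()):
                impacted.append((osrc, odst, oport, count))
    return impacted


# Constructed traffic summary, e.g. one day of segment-level flow counts.
OBSERVED = [
    ("corp-it", "ot-scada", 443, 1200),
    ("vpn", "corp-it", 443, 5400),
    ("vpn", "corp-it", 3389, 310),
    ("vendor", "ot-scada", 22, 40),
    ("vendor", "ot-scada", 502, 7),   # deviation: undocumented vendor traffic into OT
    ("vpn", "ot-scada", 443, 3),      # deviation: remote user reaching OT directly
]

if __name__ == "__main__":
    m = build_matrix(APPROVED)
    print("deviations:", find_deviations(m, OBSERVED))
    print("deny vpn->corp-it would break:", simulate_deny(m, OBSERVED, "vpn", "corp-it"))
```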
How has COVID and remote work affected or validated your Zero Trust strategy?
In order to ensure the health and safety of our employees, we moved from less than 50 employees regularly using VPN access to more than 250 people within just a few days. With such a newly distributed workforce, we knew we needed to be able to monitor the traffic patterns for people in the VPN segments, as well as ensure they are updated to our patch policies, no rogue software is being uploaded on them and that all anti-malware is up to date. We felt our security posture was drastically improved because of this visibility, even with so many of our employees working remotely.
To read more about how South Central Power was able to gain visibility, compliance and Zero Trust network segmentation with Forescout, read the full case study here.