Why Identity is Important for Energy and Utilities

NERC CIP and IAM Case Study Delivered

NERC CIP and IAM Case Study Delivered

<html><body><div>As previously announced, on Tuesday May 11th, 2010, we hosted a webinar focused on <a href="https://pplweb.com/">PPL</a>'s strategy for streamlining and automating compliance with <a href="https://www.nerc.com/">NERC</a> CIP requirements and other regulations, such as SOX and FERC, by leveraging an Identity and Access Management (IAM) solution.<img src="https://www.identropy.com/Portals/40850/images/ppl-image-resized-600.jpg?width=304&name=ppl-image-resized-600.jpg" alt="PPL" />My co-presenter, Pete Johnson, Director of Information Assurance at PPL, did a fantastic job explaining the challenges and rationale that went into PPL's strategy and execution, as well as fielding many questions on the fly. Thanks Pete!We had a pretty good turnout, and based on the number of questions we received during the Q&A portion, I would say it was pretty interactive.We discussed topics in the area of provisioning, deprovisioning, privileged user management, organizational and project structure and alignment, handling compliance for legacy apps via <a href="https://www.identropy.com/blog/bid/31405/Identity-Activity-Monitoring">identity activity monitoring</a>; which reveals the level of interest in addressing these requirements in a more efficient manner than with manual labor. I felt that the audience was versed in NERC CIP and well aware of IAM, all of which helped make the session more valuable.<a href="https://www.identropy.com/Portals/40850/images/PPL-Webminar-Diagram-4.png"><img src="https://www.identropy.com/Portals/40850/images/PPL-Webminar-Diagram-4-resized-600.png?width=572&name=PPL-Webminar-Diagram-4-resized-600.png" alt="Compliance for legacy apps - click to enlarge" /> </a>A replay of the webinar is available <a href="https://vimeo.com/91442209">here</a>; Feel free to watch.If you are interested in setting up an IAM Workshop to help your organization get in line with NERC CIP regulations, here are a few things you could do: (1) <a href="https://vimeo.com/91442209">Watch this webinar</a> on IAM and NERC CIP, (2) Read <a href="https://cdn2.hubspot.net/hubfs/40850/IGA%20Workshop%20Stakeholders.pdf">this paper to learn how to define the appropriate stakeholders</a> in your organization, and (3) Complete this <a href="https://cdn2.hubspot.net/hubfs/40850/RevisedScopingDoc2019.pdf">IGA Project Scoping Exercise</a>. <div><a href="https://cta-redirect.hubspot.com/cta/redirect/40850/2bcbac14-0a66-4f32-b446-25e8f9931329"><img src="https://no-cache.hubspot.com/cta/default/40850/2bcbac14-0a66-4f32-b446-25e8f9931329.png" alt="IAM Program Data Sheet" /></a></div></div></body></html>

identropy.com

View Article
Using Identity Governance to Keep Utility Companies Secure, Efficient and Compliant - POWERGrid International

<div id="top-level"> Cyber attackers are growing more and more sophisticated, and they are increasingly turning their focus to areas of highest risk, including critical infrastructure like utilities. In today’s cybersecurity landscape, hackers are focused on gaining access to utilities’ computer networks in order to conduct “network reconnaissance” on the industrial control systems that run the electricity grid, and the potential for damage cannot be ignored or underestimated. Most often, hackers gain access through legitimate user accounts discovered via attacks on an organizations’ employees and third-parties, such as contractors. Like most organizations, great security begins with a utility company’s staff. Tightly managing and controlling their access to applications and data is critical to ensuring a secure, smooth-running organization.    At the heart of the challenge is understanding who has access to what information and managing what they can do with that access. Enter identity governance. An identity governance program offers extensive benefits for utility companies when it comes to security, efficiency and compliance. Here are a few examples of these benefits and examples of how they can be utilized within your organization: Visibility into Who Has Access to What Consider the churn associated with onboarding and offboarding employees. Managers need to onboard new employees, manage user access of existing team members and contractors, and revoke the access of employees who have left the company for any reason. Given the complexities involved with managing this churn, it’s easy to see how, without the proper oversight, individuals might gain access to data that they should not be permitted to have. This is where an identity governance program comes in. Identity governance provides visibility into who can access data or an application, and under what circumstances they can do so. You can think about identity governance in terms of physical security. For instance, you might give a contractor a badge to enter the front door of the plant, but you would never give them free reign to roam the premises and access anything they wanted beyond the “perimeter” in which they are allowed. The badge you’ve provided only allows them to get inside the building and work on their assigned project – it does not give them permission to open up laptops, sift through files or enter areas outside of where they are designated to work. To govern that contractor’s building access, proper controls are put into place on the back end to only allow that contractor to enter pre-approved areas of the plant. Similarly, an identity governance program ensures that IT administrators have an understanding of who has access to what when it comes to applications and data, versus merely being able to grant them access to the data and applications they need to do their jobs without any governance of how they’re using that access. Managing Data Stored in Files Many organizations also have a blind spot when it comes to managing access to sensitive data that resides in files like documents, spreadsheets and presentations. The inability to manage access to this kind of sensitive data – whether it exists in file storage systems in the cloud (e.g,. Box, DropBox, OneDrive, etc.) or on-premises in your data center, presents serious security and data breach risks. By extending identity governance to data stored in files, companies can secure this data by first discovering and classifying what sensitive data exists critical file storage repositories. Second, organizations can then analyze permissions across these repositories to understand how the file and folder access was granted. From there IT departments can easily put effective controls in place to manage the access to this sensitive data and protect it from potential malicious behavior, ultimately reducing risk. Automation of Administrative Tasks An identity governance program also helps to automate many of the manual administrative processes to grant, modify and remove user access that are often time-consuming, costly and more error prone. As utility companies undergo digital transformation throughout their organization, it’s important that these administrative responsibilities transform as well. By leveraging identity governance, utility companies can automate the lifecycle of user access that includes management of roles, accounts, entitlements and passwords. Automation and self-service from critical identity governance capabiliites like provisioning, access requests and  access certifications organizations can reduce the time it takes to onboard and offboard employees, freeing up time for IT administrators to focus on areas of more strategic value or higher risk without sacrificing security. Meeting Federal Regulations An additional benefit to having insight into who has access to what lies in increased oversight into how regulatory requirements are being met. Identity governance can put preventive and detective controls in place to ensure access complies with critical regulatory mandates. Groups such as the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) impose strict compliance regulations for the industry. It’s important for utility companies to be able to assure these regulatory boards that their operations are safe and reliable – from both a material handling and security standpoint. Failure to comply with regulatory guidelines can result in steep fines or even interruptions in day-to-day operations. Having full visibility into user access can help utility companies achieve compliance and avoid unnecessary interruptions in business or costly fines. With an identity governance program in place, organizational leaders can help to mitigate risks threatening their facilities by having centralized and detailed insight into user access to critical applications and data. The benefits of a robust identity governance program can have a significant impact on the security of an organization, and also help to increase efficiencies and meet compliance regulations. When you boil it down, organizations need to have complete visibility into who has access to what within their organization, and what they’re doing with that access, so they can keep their critical systems and data secure. In today’s world, organizations need to be proactive when it comes to security, as sophisticated cyber attackers pose a constant threat to utility companies. Having an identity governance plan in place is the first step to protecting against these attacks. <img src="/content/dam/elp/site-images/RickWeinbergthumb.jpg" id="cq-gen1640"> About the author: Rick Weinberg is vice president of product management at SailPoint. </div>

power-grid.com

View Article
Webinar Replay - A Case Study: Addressing NERC CIP Using ...

Watch Video
Introduction to NERC CIP Compliance & IAM Technologies

<html><body><div><img src="https://www.identropy.com/Portals/40850/images//images1.jpg?width=145&height=59&name=images1.jpg" alt="NERC" />For professionals who work in Information Security (InfoSec) within the Energy sector, NERC (the <a href="https://www.nerc.com/">North American Electric Reliability Corporation</a>) is simply a part of everyday life. NERC is a self-regulatory, non-government organization which has statutory responsibility to regulate bulk power system users, owners, and operators through the adoption and enforcement of standards for fair, ethical and efficient practices, to ensure that the nation's power grid is properly secured. One of such standards is the CIP (Critical Infrastructure Protection) standard.What does that mean for a CISO of an energy company?It means spending a lot of time becoming familiar with the pages of <a href="https://www.nerc.com/page.php?cid=2%7C20">NERC CIP standards</a> 001-009 (and their various interpretations), that cover all types of information security controls such as electronic security perimeters, physical security perimeters, asset identification, and incident reporting and response. It also means sifting through a multitude of software vendors and their promises of easing the burden of demonstrating compliance. Add to that the pressure of <a href="https://www.wurldtech.com/blog/?m=200902">million dollar fines</a> for non-compliance, and you've got a recipe for confusion and stress.After helping a number of companies on this path through our <a href="https://www.identropy.com/identity-management-plan">Identity Management Workshops</a>, we at Identropy have found some patterns that have emerged in addressing the NERC CIP standards; particularly using Identity & Access Management (IAM) technologies. What are auditors looking for?Based on anecdotal evidence from our existing clients, auditors (and pre-auditors) are at this point looking for a logical approach and plan towards compliance, as well as practical, demonstrable steps. We don't believe that it is mandatory, as of today, that any corporation has a fully functioning and integrated automated solution that comprehensively addresses the NERC CIP standards.Obviously, an approach or plan is much more than simply providing the auditor a list of technologies that will be purchased and implemented. It should include your interpretation of the standards, as well as a logical approach to how it addresses your infrastructure in specific. Once you have clearly documented your interpretation of the standards (which may break down each CIP standard, all related requirements, and all control activities associated with each requirement), you can start looking at technologies and how they fit your organizational infrastructure and help you automate the specific controls within your environment.Is documentation enough?Of course not. Once you've boiled all requirements down to a set of control activities, the endeavor of applying technology to the problems can finally begin. Having been personally involved with a number of workshops with Energy clients, certain technology patterns are beginning to emerge. Some technologies can provide a 'quick wins', while others require more planning and development. The good news is that IAM solutions can significantly help address NERC CIP specific requirements in an expedient and efficient manner. In future posts, we'll dive a bit deeper into each of these categories and present a mixture of process and IAM technologies as a suggested means of demonstrating compliance, in specific to <a href="https://www.nerc.com/files/CIP-004-1.pdf">NERC CIP-004</a> (Personnel & Training) and <a href="https://www.nerc.com/files/CIP-007-1.pdf">NERC CIP-007-1 R5</a> (Account Management).<a href="https://cta-redirect.hubspot.com/cta/redirect/40850/2bcbac14-0a66-4f32-b446-25e8f9931329"><img src="https://no-cache.hubspot.com/cta/default/40850/2bcbac14-0a66-4f32-b446-25e8f9931329.png" alt="IAM Program Data Sheet" /></a> </div></body></html>

identropy.com

View Article
Cybersecurity For Energy & Utilities: Why It Matters | BitLyft Cybersecurity

<div class="fl-module-content fl-node-content"> When we think of the targets of malevolent digital threats, we consider the financial sector. We think of identity theft. But do we consider the wild importance of energy cybersecurity? Let’s take a look at the energy and utility industry and talk about why security issues are so crucial, the most common problems in their security infrastructure, and what energy and utility providers can do to keep themselves safe from these types of threats moving forward. <h2>Why Is Energy Cybersecurity Important, Anyway?</h2> Utility and energy providers understand the value of protecting their physical infrastructure. If a massive wind or ice storm were to knock out a chunk of the power grid, trained technicians would be on the scene within hours to make sure that the broken elements get fixed and everything gets back up and running. Why? Because those providers have trained experts on staff ready to respond at a moment’s notice to any sort of threat to the physical network. They know the value of quick response and remediation of issues. However, they don’t always see the same level of value when considering their digital system’s infrastructure. And that is a problem. <h2>What’s The Worst That Can Happen?</h2> Utility providers and energy companies can experience some major problems if their security is compromised. And those problems can carry on right to the consumer. If an attacker gets unfettered access to a utility or energy company, they can turn off or re-route services. No power. Blocked 911 calls. Reversing the flow of sewage pumps. And on top of that, most utility companies have private consumer details and billing information stored in their systems, which would also become compromised. So it’s not a stretch to stay that taking care of the security of a digital infrastructure is just as important as taking care of the physical infrastructure. <h2>Do Most Utility Providers Have Effective Energy Cybersecurity?</h2> Sadly, no. And if this concerns you, it should. Now, this isn’t to say that most energy companies don’t invest in some sort of cybersecurity efforts. In fact, they may be spending a lot of money on security tools. Antivirus. Security alert software. Firewalls. “Network Monitoring” services. Energy companies invest in all these solutions and more. But here’s the problem: these are “siloed” solutions designed to fix a particular issue, but they don’t factor in the overall security of the system as a whole. This is like slapping a band-aid over a huge wound… it may stop the bleeding in one specific area, but it won’t heal the entire problem. Many energy companies spend a lot of money on the individual, siloed solutions for their security system, and they assume they are safe because of the dollars they spend and the tangible ‘gizmos’ and programs that they see in return for that investment. But what they don’t see are the gaps between all those solutions that attackers can use to gain access to their system. Instead of having cybersecurity that blankets their entire environment, they end up with a security system that looks more like swiss cheese. Those holes in the system? They can be exploited. <h2>What Makes Cybersecurity For Energy & Utilities Effective?</h2> Here’s the difference between protecting your digital infrastructure and your physical one: people. Attacks on your security environment are attacks by people. Smart people, who want to do bad things with the systems and data in your care. And it takes people to fight people. Energy companies invest in siloed energy solutions because they want a set-it-and-forget-it style solution to their security needs. But software can only go so far. Even top of the line SIEM (Security Incident Event Management) software, which is an incredibly useful and comprehensive tool for aggregating logs and monitoring them for threatening activity, is only as good as the team of people who run it. Think of it this way: if you were suddenly put behind the controls of the newest, fastest, all-around-best passenger airliner on the market today, could you land it without having any previous flying experience? In the same way, a siloed solution in the hands of someone untrained in learning the proper security context won’t be able to accomplish their goals. What does this mean? Well, it means that if you truly want effective security that you can rely on, it’s best to rely on a managed security service, provided by experts who know exactly how to fight the attackers that try to gain access to your system. <h2>Expert Solutions For Energy Cybersecurity</h2> In the energy sector, there’s no room for error when it comes to protecting consumer data and the security of the infrastructure. It’s important to really understand the context of the security environment, to understand normal behavior and deviant behavior, to have an expert set of eyes on the system at all times. At Bitlyft Cybersecurity, we partner with all of our clients to make sure their security needs are met; not only for today but for the many days to come. You aren’t buying a product, you’re buying a long-term solution from a team of security experts. We proactively seek out threats to remediate and ways to keep your system secure and compliant, so your IT department can focus on keeping your business systems running smoothly. When we think of the targets of malevolent digital threats, we consider the financial sector. We think of identity theft. But do we consider the wild importance of energy cybersecurity? Let’s take a look at the energy and utility industry and talk about why security issues are so crucial, the most common problems in their security infrastructure, and what energy and utility providers can do to keep themselves safe from these types of threats moving forward. <h2>Why Is Energy Cybersecurity Important, Anyway?</h2> Utility and energy providers understand the value of protecting their physical infrastructure. If a massive wind or ice storm were to knock out a chunk of the power grid, trained technicians would be on the scene within hours to make sure that the broken elements get fixed and everything gets back up and running. Why? Because those providers have trained experts on staff ready to respond at a moment’s notice to any sort of threat to the physical network. They know the value of quick response and remediation of issues. However, they don’t always see the same level of value when considering their digital system’s infrastructure. And that is a problem. <h2>What’s The Worst That Can Happen?</h2> Utility providers and energy companies can experience some major problems if their security is compromised. And those problems can carry on the right to the consumer. If an attacker gets unfettered access to a utility or energy company, they can turn off or re-route services. No power. Blocked 911 calls. Reversing the flow of sewage pumps. And on top of that, most utility companies have private consumer details and billing information stored in their systems, which would also become compromised. So it’s not a stretch to stay that taking care of the security of digital infrastructure is just as important as taking care of the physical infrastructure. <h2>Do Most Utility Providers Have Effective Energy Cybersecurity?</h2> Sadly, no. And if this concerns you, it should. Now, this isn’t to say that most energy companies don’t invest in some sort of cybersecurity efforts. In fact, they may be spending a lot of money on security tools. Antivirus. Security alert software. Firewalls. “Network Monitoring” services. Energy companies invest in all these solutions and more. But here’s the problem: these are “siloed” solutions designed to fix a particular issue, but they don’t factor in the overall security of the system as a whole. This is like slapping a band-aid over a huge wound… it may stop the bleeding in one specific area, but it won’t heal the entire problem. Many energy companies spend a lot of money on the individual, siloed solutions for their security system, and they assume they are safe because of the dollars they spend and the tangible ‘gizmos’ and programs that they see in return for that investment. But what they don’t see are the gaps between all those solutions that attackers can use to gain access to their system. Instead of having cybersecurity that blankets their entire environment, they end up with a security system that looks more like swiss cheese. Those holes in the system? They can be exploited. <h2>What Makes Cybersecurity For Energy & Utilities Effective?</h2> Here’s the difference between protecting your digital infrastructure and your physical one: people. Attacks on your security environment are attacks by people. Smart people, who want to do bad things with the systems and data in your care. And it takes people to fight people. Energy companies invest in siloed energy solutions because they want a set-it-and-forget-it style solution to their security needs. But software can only go so far. Even top of the line SIEM (Security Incident Event Management) software, which is an incredibly useful and comprehensive tool for aggregating logs and monitoring them for threatening activity, is only as good as the team of people who run it. Think of it this way: if you were suddenly put behind the controls of the newest, fastest, all-around-best passenger airliner on the market today, could you land it without having any previous flying experience? In the same way, a siloed solution in the hands of someone untrained in learning the proper security context won’t be able to accomplish their goals. What does this mean? Well, it means that if you truly want effective security that you can rely on, it’s best to rely on a managed security service, provided by experts who know exactly how to fight the attackers that try to gain access to your system. <h2>Expert Solutions For Energy Cybersecurity</h2> In the energy sector, there’s no room for error when it comes to protecting consumer data and the security of the infrastructure. It’s important to really understand the context of the security environment, to understand normal behavior and deviant behavior, to have an expert set of eyes on the system at all times. At Bitlyft Cybersecurity, we partner with all of our clients to make sure their security needs are met; not only for today but for the many days to come. You aren’t buying a product, you’re buying a long-term solution from a team of security experts. We proactively seek out threats to remediate and ways to keep your system secure and compliant, so your IT department can focus on keeping your business systems running smoothly. And here’s the best news: a cloud-based cybersecurity service featuring SIEM, SOC, and SOAR solutions is not only more effective than installing siloed solutions on-prem and training your own on-site team… it’s also more affordable, and it able to be implemented faster. Sign up for a free demo, and let us show you what we can do. We’d love to chat about partnering with you and keeping your business systems secure. And here’s the best news: a cloud-based cybersecurity service featuring SIEM, SOC, and SOAR solutions is not only more effective than installing siloed solutions on-prem and training your own on-site team… it’s also more affordable, and it able to be implemented faster. Sign up for a free demo, and let us show you what we can do. We’d love to chat about partnering with you and keeping your business systems secure. </div>

bitlyft.com

View Article
A NERC CIP Quick Win = Recertification + Closed Loop Deprovisioning

<html><body><div>In my previous <a href="https://www.identropy.com/blog/bid/31662/An-Introduction-to-NERC-CIP-Compliance-and-Identity-Access-Management-Technologies">entry</a> on NERC CIP compliance, I mentioned a few patterns that have emerged in addressing NERC CIP standards with IAM technologies. I also mentioned the importance of developing an IAM roadmap and executing on quick wins to demonstrate that your organization is making moves towards compliance. In this article, I'd like to highlight a great first quick win that your organization can practically make a reality in less than 6 months.<a href="https://www.nerc.com/files/CIP-004-1.pdf">CIP-004-1 R4</a> is all about Revoking Access (Deprovisioning) and Reviews (Recertification). Read for yourself:<blockquote>R4. Access — The Responsible Entity shall maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to Critical Cyber Assets, including their specific electronic and physical access rights to Critical Cyber Assets. R4.1. The Responsible Entity shall review the list(s) of its personnel who have such access to Critical Cyber Assets quarterly, and update the list(s) within seven calendar days of any change of personnel with such access to Critical Cyber Assets, or any change in the access rights of such personnel. The Responsible Entity shall ensure access list(s) for contractors and service vendors are properly maintained. R4.2. The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets. </blockquote> Based on the above, a hybrid approach of automation and governance for recertification and deprovisioning will be your best bet towards demonstrating an effective quick win.<h4>Automate, Automate, Automate...Recertification</h4>Recertification (aka Access Reviews, aka Attestation) is the recurring process of reviewing accesses by managers on both the business and IT sides of an organization. Most corporations accomplish this through the use of spreadsheets and paper-based forms, which is typically inefficient and inaccurate - although if handled meticulously, can satisfy auditors. On the other hand, if it is required to review accesses every 3 months (as by NERC CIP standards) with stiff penalties if you miss something, it's time to look for a system to automate this.<img src="https://www.identropy.com/hs-fs/hub/40850/file-14171801-png/images/picture_1.png?width=409&height=315&name=picture_1.png" alt="Attestation" /> Automation of Recertification activities has a multitude of benefits. It not only eases the tough job of managing all of the data manually, but over time, it can provide your compliance officer with some great views of the data that auditors love. It can make sure you don't forget critical aspects of your recertification approach, as well as give you historical data regarding from your recertification cycles.<h4>Automate Deprovisioning If You Can, although Governance is a Great Runner-Up</h4>Deprovisioning is the process of removing a user's access to a specific system. As shown in CIP-004-1 R4 above, there are stringent requirements to remove access if a person is terminated for cause (24 hour time limit), and less stringent requirements to remove access (7 days) otherwise.Automating Deprovisioning is typically accomplished through a provisioning platform. "Connectors"<img src="https://www.identropy.com/hs-fs/hub/40850/file-14171938-png/images/picture_3.png?width=409&height=240&name=picture_3.png" alt="Deprovisioning" /> are configured to take action against the target system. It also typically provides a user interface that can be used by a manager or authorized user to remove a user's access. The result is immediate revocation of the user's access in all integrated systems.Sometimes, automating deprovisioning can become a rather complex task if the NERC CIP Critical Assets are closed proprietary systems. In this case, custom connectors will need to be developed which could add risk and time to a project plan. In this case, we suggest a closed-loop deprovisioning approach.Close-loop deprovisioning integrates with target systems (or data feeds of identities fro<img src="https://www.identropy.com/hs-fs/hub/40850/file-14171990-png/images/picture_6-resized-600.png?width=443&height=374&name=picture_6-resized-600.png" alt="closed-loop deprovisioning" />m target systems) in read-only mode. When a manager requests a de- provisioning action to take place, the system simply e-mails the appropriate system administrator with instructions to manually remove the terminated user's access rights. The system regularly pulls data from the target system to validate if the requested action was taken. If not, policies can be configured to escalate or nag the appropriate people to ensure that the action was taken. It can keep track of any violations that may have occurred, which is something auditors like to see. <h4>Last Words</h4>Most clients we speak to have between 10-20 NERC CIP applications in their environment. It is very attainable to automate the recertification process for these applications in addition to implementing a closed-loop deprovisioning system within 6 months, end to end. In my next entry on this subject, we'll dive a little deeper on some of the nuances of such a project, as well as some practical first steps you can take.<a href="https://cta-redirect.hubspot.com/cta/redirect/40850/dcca1d5d-de61-41ff-b216-e1b3d0e2d80c"><img src="https://no-cache.hubspot.com/cta/default/40850/dcca1d5d-de61-41ff-b216-e1b3d0e2d80c.png" alt="Anti_POC_Data_Sheet" /></a></div></body></html>

identropy.com

View Article
A Case Study: Addressing NERC CIP using an IAM Strategy

<html><body><div>Given the increased relevance of NERC CIP compliance in the Energy sector over the last 12 months, we have been focusing on this topic from an Identity and Access Management (IAM) perspective since early this year. Our CTO, Ash Motiwala posted a couple of very good blog articles on this subject: <a href="https://identropy.com/blog/bid/32199/A-NERC-CIP-Quick-Win-Recertification-Closed-Loop-Deprovisioning">A NERC CIP Quick Win = Recertification + Closed Loop Deprovisioning</a> and <a href="https://www.identropy.com/blog/bid/31662/An-Introduction-to-NERC-CIP-Compliance-and-Identity-Access-Management-Technologies">An Introduction to NERC CIP Compliance and Identity & Access Management Technologies</a>.Next week, on Tuesday, May 11th from 3 to 4 pm EDT, we hosted a webinar featuring a case study by one of our clients in the Energy sector: PPL. <a href="https://vimeo.com/91442209">WATCH THE WEBINAR HERE</a> <img src="https://www.identropy.com/Portals/40850/images/ppl1-resized-600.jpg?width=430&height=177&name=ppl1-resized-600.jpg" alt="PPL" />PPL, formerly known as PP&L or Pennsylvania Power and Light, is an energy company headquartered in Allentown, Pennsylvania. It currently controls over 11,000 megawatts (MW) of electrical generating capacity in the United States, primarily in Pennsylvania and Montana, and delivers electricity to 1.4 million customers in Pennsylvania.I will be presenting, alongside Pete Johnson, Director of Information Assurance at PPL, and will be discussing their approach to streamlining and maintaining compliance with several regulatory requirements, with a specific focus on NERC CIP, using IAM. I had the opportunity to work directly with Pete and the PPL team in defining and starting the execution on their IAM strategy, and I believe that this case study will be valuable to any organization subject to multiple regulations in any vertical, not just Energy. Evidently, the stiff fines that are now enforceable by NERC (of up to US$1M per incident per day), are a very strong driver in the Energy vertical.Consistent with our style, this session will be very "meat-and-potatoes". We intend to keep this vendor agnostic, without marketing jargon, focusing mainly on the practical knowledge and experience gained by PPL. Our intended audience is IT Managers, IT Professionals, CIO, CISO, COO, CTO, IT Directors, and Solution Architects. We are planning to leave time for a Q&A session towards the end, so I hope you can join us.<a href="https://cta-redirect.hubspot.com/cta/redirect/40850/2bcbac14-0a66-4f32-b446-25e8f9931329"><img src="https://no-cache.hubspot.com/cta/default/40850/2bcbac14-0a66-4f32-b446-25e8f9931329.png" alt="IAM Program Data Sheet" /></a></div></body></html>

identropy.com

View Article
How To Calculate ROI in Account and Identity Management

<div id="page-wrap"> <article class="clearfix col-sm-8 post-15467 post type-post status-publish format-standard has-post-thumbnail hentry category-idm-benefits tag-access-governance-and-management tag-cloud-identity-management tag-cloud-identity-summit tag-delegated-administration tag-google tag-graph-protocol tag-human-resources tag-ibm tag-identity-industry tag-identity-integration tag-identity-providers tag-ldap tag-lifecycle-management tag-mergers-and-acquisitions tag-microsoft tag-oauth tag-openid-connect tag-rbac tag-roi tag-saml tag-scim tag-small-medium-business tag-uma tag-user-management tag-user-provisioning" id="15467"> <div class="article-meta"> <div>How To Calculate ROI in Account and Identity Management</div> <time>February 3, 2016</time> </div> <div class="page-content clearfix"> <meta> <meta> <div> <div> <img src="/wp-content/uploads/2014/07/Identity-Maestro-Logo-Blue-NoBG.png"> <meta> <meta> <meta> </div> <meta> </div> <div class="entry-title">How To Calculate ROI in Account and Identity Management</div> <div class="post-info clearfix"> Posted by <a href="http://www.servicecontrol.com">Rachel Rowling</a> in <a href="/category/idm-news/idm-benefits/">IDM Benefits</a> </div> <figure class="media-wrap"><div><img src="/wp-content/uploads/2016/02/ROI-770x514.png" width="770" alt></div> </figure> <section class="article-body-wrap"> <div class="body-text clearfix"> Times are tough, and in today’s complex IT environments, managing accounts across multiple <a href="http://www.servicecontrol.com/glossary/identities/">identities</a> (email, directory, and third party apps) has become a critical problem for organizations looking to lower administrative burdens while reducing risk and costs. Whether you are already invested in a long-term identity management (IDM) deployment or simply looking for an improvement to managing existing accounts across multiple systems, here are some ways to get an immediate <a href="http://www.servicecontrol.com/glossary/return-on-investment-roi/">return on investment (ROI)</a>. What is Account Management?  Account or identity management is a business process for creating and managing access to resources in an information technology (IT) environment. To be effective, an account management process should ensure that the creation of accounts and access to software and data is consistent and simple to administer. Here are five (5) ways to measure ROI : <ul> <li>Determine the costs associated with current account management and provisioning activities and estimate the savings based on a new automated approach. Note that this could produce hard cost savings or free up resources to focus on more important issues (opportunity cost savings).</li> <li>Look at costs associated to training technical administration teams. An automated and efficient account provisioning technology can allow rapid account administration by non-technical resources allowing your subject matter experts (SME) to focus on higher IT priorities.</li> <li>Review the costs associated with compliance reporting and audits. Automated tools reduce reporting efforts and make audits happen faster.</li> <li>Calculate the probability of security breaches and estimate the potential risk and financial damage. It is important to note that the cost of damage caused by the breach itself is often secondary to the expense of validating the integrity of other data, the expense of securing the environment and the loss of reputation. Last month alone, the <a href="http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html">Identity Theft Resource Center (IRTC)</a> reported 541 corporate security breaches exposing an estimated 140,092,146 million records.</li> <li>Calculate the employee productivity savings that would occur if they could get their applications configured faster. Look at the costs of lost productivity when new employees have quick access to files they’re immediately productive. Assuming an average salary of $50,000, every day of lost work due to slow provisioning could cost an enterprise, school, or governmental agency nearly $200 a day. A large company with 500 new hires a year could easily lose $100,000 to $2M per year.</li> </ul> Despite the complexity of IDM, there are efficient, effective, and scalable solutions like <a href="http://www.servicecontrol.com/">ServiceControl</a> that complement any YTD investment in Identity Management.  ServiceControl delivers immediate ROI while solving immediate business challenges.  It can be deployed within a few hours with our <a href="http://www.servicecontrol.com/get-started-bundle/">“Get Started Bundle”</a> and give you a platform to easily connect with any email, directory, or third party applications like ERP or CRM. Additional options allow for Cloud  migration as a future option with ServiceControl Cloud (release June 2016) and the development of automated custom workflows based on your business rules for improved efficiency. For more information about <a href="http://www.servicecontrol.com/">ServiceControl</a>, please visit our website, download a <a href="http://www.servicecontrol.com/trial-download/">free trial</a>, or <a href="http://www.servicecontrol.com/contact/">request a consultation or demo</a>. </div> </section> </div> </article> </div>

identitymaestro.com

View Article
Grid Planners, Operators Manage Transformation, Security of Bulk Power System

<noscript>You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.</noscript>

nerc.com

View Article
Standards, Compliance, and Enforcement Bulletin Archive

<noscript>You may be trying to access this site from a secured browser on the server. Please enable scripts and reload this page.</noscript>

nerc.com

View Article
How Utilities Can Use CIAM to Avoid 3 Common Problems

<div id="blog-post-content"> Utility companies are in a unique position because of the sheer amount of data they collect and the number of users they manage. This affords them opportunities to generate value in ways that other companies can't. But this wealth of information comes with several challenges. Users have <a href="https://www.powerengineeringint.com/articles/print/volume-26/issue-1/features/three-challenges-for-utilities-in-2018.html">high expectations that many utility companies have yet to meet</a>, and the <a href="https://www.appcues.com/blog/3-customer-engagement-strategies-that-make-users-feel-like-one-in-a-million">prevalence of inefficient customer management systems</a> leaves many teams vulnerable to service outages and even cyberattacks. Using customer identity and access management (CIAM) technology can help utility companies avoid three of the industry’s most common issues: <ol> <li>Inefficient trouble-shooting</li> <li>A lack of personalized service</li> <li>Security</li> </ol> Instead of tackling each with a separate set of tools and processes, a CIAM approach offers a single way to improve all three. <a></a> <h2>1. Quickly Fix Customer Access and Use Issues With a Central Dashboard.</h2> Many utility companies have <a href="https://www.nccoe.nist.gov/sites/default/files/library/sp1800/es-idam-nist-sp1800-2a-draft.pdf">decentralized and poorly planned processses</a> to let users access their power platform. Without a clearly defined system, utilities are more likely to feel the burden of service interruptions and suffer longer and more expensive delays in resolving them. This can also make it difficult to help users in real time both with larger issues, such as power outages, and with simple fixes, such as password resets. Disorganization can diminish customer satisfaction and threaten a company's reputation in the industry as well as its ability to manage a large volume of users, obstructing productivity, and growth. For companies looking to avoid these issues, a central dashboard can help <a href="https://auth0.com/user-management">consolidate previously disparate streams of information</a> within an organization. In addition, if it's high quality, this product can, at any given moment, show which customers are logged in and provide their locations and current behavior. <img src="https://cdn.auth0.com/blog/how-utilities-can-use-ciam-to-avoid-3-common-problems/central-dashboard-consolidates-information-streams.png" alt="Central utility customer dashboard consolidates information streams"> A robust dashboard will offer several ways to visualize the information, such as with a heat map of logins, along with pictures and users' personal details to help verify and learn more about them. <a></a> <h3>Make Password Resets More Efficient</h3> Internet users average <a href="https://blog.dashlane.com/wp-content/uploads/2015/07/MailboxSecurity_infographic_EN_final1.jpg">37 password resets a year</a>. Without an efficient process to tackle these, a simple fix can become frustrating and time-consuming. For utilities, a dashboard is an easy way for system admins to connect directly with end users on tasks like these. In addition to greater overall user management, a dashboard allows admins to create a specific <a href="https://auth0.com/docs/hosted-pages/password-reset">password-reset page</a>, which they can tailor to their company's specific needs: <img src="https://cdn.auth0.com/blog/how-utilities-can-use-ciam-to-avoid-3-common-problems/hosted-login-page-for-better-password-management.png" alt="Hosted login page for better password management"> The tool will enable users to change their passwords independently, without the added burden of IT support. It also allows a company to maintain consistency in the appearance of all associated pages—from login through password reset and more. This approach can also help a team track the number of password resets happening at any given moment or determine how frequently specific users are requesting resets, helping admins identify and solve larger problems, including suspicious behavior. <a></a> <h2>2. Get to know your customers.</h2> Many believe that <a href="https://www.publicpower.org/periodical/article/utilities-missing-out-personalized-marketing-opportunities">utilities are falling short in meeting customer needs</a>. As many <a href="https://www.forbes.com/sites/matthunckler/2017/08/23/the-top-3-strategies-for-customer-success-for-high-growth-tech-startups/#73ff49206805">startups push the bar higher for customer success</a>, a strong CIAM system can help buck the stereotype that established utilities aren’t innovative. Being able to understand and meet the expectations of your customers is critical to <a href="https://www.appcues.com/blog/proven-customer-retention-strategies">customer retention</a>. CIAM technology will help you paint a fuller picture of each customer. In addition to incorporating data on their logins, devices, and utility usage, you can you can use <a href="https://auth0.com/blog/progressive-profiling/">progressive profiling</a> to pull details like their location and their email addresses and even the interests they indicated at the login stage. <img src="https://cdn.auth0.com/blog/how-utilities-can-use-ciam-to-avoid-3-common-problems/progressive-profiling-flow.png" alt="Utility customer progressive profiling flow"> With a more comprehensive collection of data, teams can proactively match the right users to the right promotions. It can help organizations develop new services, boost engagement, and avoid being branded as a company that sends irrelevant spam messages and push notifications. <a></a> <h2>3. Block Suspicious Behavior.</h2> On top of helping utility companies better understand and anticipate customer needs, a secure CIAM setup is crucial in an <a href="https://www.bloomberg.com/news/articles/2018-04-04/cyberattack-bleeds-into-utility-space-as-duke-sees-billing-delay">industry facing an increase in cyber threats</a>. A recent IBM report found that the <a href="https://www.ibm.com/blogs/insights-on-business/energy-and-utilities/security-breach-energy-utilities/">average cost of a data breach for a utility company</a> was approximately $3.5 million per incident in 2016. For companies based in the United States, that number jumped to an estimated $7.4 million, and just this year, an <a href="https://www.bankinfosecurity.com/us-power-company-fined-27-million-over-data-exposure-a-10715">American power company was fined an unprecedented $2.7 million</a> for leaving customer records publicly exposed for 70 days. CIAM offers simple but effective solutions that can help you quickly respond to suspicious behavior in your system and prevent a breach. Features like <a href="https://auth0.com/docs/anomaly-detection">anomaly detection</a> will instantly block users with unknown addresses or repeated failed login attempts. Not knowing who is in your system or what information they are accessing can cause more than just fines and lawsuits: Without a strong user-management system, companies are forced to inefficiently use IT resources and even take systems off-line while searching for the source of a breach. On top of losing money, these interruptions in service can draw even more attention to your failure to secure user data. <a></a> <h2>Consolidating customer data will shape the future of utilities</h2> The utilities industry is set to experience major shifts in the coming years thanks to new technologies and energy sources. As competition increases, companies that embrace strong access and identity technology will emerge as leaders that avoid costly mistakes and create deeper connections with their customers. <a></a> <h2>About Auth0</h2> Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries. For more information, visit <a href="https://auth0.com/">https://auth0.com</a> or follow <a href="https://twitter.com/auth0">@auth0 on Twitter</a>. <ul class="social-buttons-list social-stats"> <li class="social-buttons-item"> <a href="#" class="network"> <img src="https://cdn.auth0.com/website/blog-new/twitter-social-button.svg" alt="twitter-icon"> </a> </li> <li class="social-buttons-item"> <a href="#" class="network"> <img src="https://cdn.auth0.com/website/blog-new/linkedin-social-button.svg" alt="linkedin-icon"> </a> </li> <li class="social-buttons-item"> <a href="#" class="network"> <img src="https://cdn.auth0.com/website/blog-new/facebook-social-button.svg" alt="facebook-icon"> </a> </li> </ul> </div>

auth0.com

View Article

OVERVIEW

Showcase of everything from compliance and regulatory requirements, as well as sustainability, privacy, operations, and even an affect on ROI for utility companies who properly implement and use various Identity Governance and Administration or Access Management programs.

Category:
Security

Tags:
Identity and Access Management, PAM, access management, Cloud Identity, Identity Governance and Administration, Privileged Access Management, energy regulations, utility regulations