Case Study: Watching the Power Grid, in Real-Time

The Tri-State Generation and Transmission Association put technology in place to monitor, in real-time, threats to its power grid networks.

Dec 4, 2018

Name of Organization: Tri-State Generation and Transmission Association

Industry: Electric Utilities

Location: Westminster, Colorado USA

Opportunity or Challenge Encountered: Of the many vulnerabilities that hacking exposes in the national infrastructure, those in the electrical grid pose the greatest risks. If hackers were to gain entry, most of society — homes, offices, schools, factories, restaurants and potentially even data centers — would be hobbled. The dangers posed by cyber-attacks have been top of mind for executives and managers at the Tri-State Generation and Transmission Association, which supplies wholesale electric power to 44 electric cooperatives throughout a 200,000 square-mile service territory across Colorado, Nebraska, New Mexico, and Wyoming. The association maintains internal networks that store both corporate information and subscriber data for 1.5 million customers. Multiple hosts, or master computers, are located throughout the wide area network and support 1,500-plus Tri-State employees.

The challenge was: how can utility administrators detect when their networks are under attack, so they can act to head off threats before damage is done?

Meeting the Challenge: “Situational awareness” has become a watchword for the electric utility industry. Utilities have multiple, interconnected networks to monitor — internal corporate systems as well as power grids. As spelled out in a report from the US National Institute of Standards and Technology, “as part of their current cybersecurity efforts, some electric utilities monitor physical, operational, and information technology separately. According to energy sector stakeholders, many utilities are currently assessing a more comprehensive approach to situational awareness, which, through increased real-time or near real-time cybersecurity monitoring can enhance the resilience of their operations.”

To meet this looming requirement for its members, Tri-State implemented a system that helps monitor potential hacking threats in real time. The solution, the Cognito automated threat detection and response platform from Vectra, helps provide visibility into its networks and internal hosts.

The association had previously attempted monitoring with firewalls, intrusion prevention, and antivirus software, but was constantly dealing with false-positive messages. The intrusion prevention system would block behavior that wasn’t dangerous, interrupting business processes unnecessarily. There was no context for the organization’s host traffic patterns. When potential threats did come up, there was no context as to the type or degree of threat and no prioritization. “We needed to know what was going on with our internal hosts,” says Dave Buffo, Tri-State senior IT security, quoted in a case study. “We wanted to see what they are doing, what they are talking to, and why they are talking to certain things.”

The new system employs a combination of data science, machine learning, and behavioral analysis to proactively detect known and unknown threats, which are automatically scored and correlated. A “Threat Certainty Index” displays the more significant threats in real time based on contextual scoring so Tri-State can address the detections that matter the most.

Benefits From This Initiative: Tri-State plans to expand its monitoring from its corporate environment to power plants and field locations, where it will be embedding sensors. This is a key step toward a “converged” approach to utility cybersecurity, as recommended by NIST, to address the “blind spots” in utility networks. In addition, for Tri-State, this means not only greater security but also a reduction in lost business time — both for administrators and business end-users handling false-positive security alerts.

(Source: Vectra, NIST)
