EPRI Guide Enables Alliant Energy to Integrate Its Cyber Security Activities in Less Than a Year
In football, defensive coordinators manage various defensive players and strategies in response to the actions of opposing offensive teams. Some utilities today are taking a similar approach to cyber security. They are establishing Integrated Security Operations Centers (ISOC), which integrate and coordinate cyber security for information technology (IT) and operational technology (OT) along with physical security for equipment and assets.
Alliant Energy recently established its ISOC in less than a year—much faster than the typical timeline. Alliant used the EPRI ISOC Guidebook, which draws on five years of research and the experience of five utilities that have successfully implemented ISOCs. The guidebook covers various aspects of creating and operating ISOCs, including mission, organizational structure, personnel, and technologies. It is designed to benefit utilities with a range of experience, from those with limited security capabilities to those with robust security monitoring and responses in place.
Power companies typically call on different departments that independently monitor and analyze security status and threats in their IT systems and in the OT systems for generation, transmission, and distribution equipment. A more coordinated approach is needed as electric power systems become more connected and automated—and as threats grow more frequent and sophisticated. Since 2013, EPRI research has considered how to design, implement, and operate ISOCs. Such centers simultaneously monitor and detect threats across various utility departments, enabling a unified response to and recovery from security events.
“We had in-house expertise within separate teams,” said Alliant’s Manager of Cybersecurity Operations John Kotolski. “EPRI’s guidebook provided a detailed roadmap for integrating these teams in a single center. We also benefited from the guidance on defining an ISOC’s mission, the recommendations on personnel and technologies, and the comprehensive focus on OT.”
Alliant’s ISOC operates in two rooms. In one, walls of monitors display the status of various assets, weather and news updates, alerts, metrics for security events, and live camera feeds from locations such as substations. This is where Alliant staff monitor the security of IT and OT systems and physical assets and detect potential problems. The second room is where staff convene to manage and respond to emergencies.
“Bringing the security functions together in one space has significantly improved the frequency, timeliness, and quality of communications and information sharing,” said Kotolski.
In the summer of 2019, Alliant’s ISOC conducted a drill using the scenario of a compromised company badge system, practicing communications and procedures and identifying areas for improvement.
“We plan to continue building synergies through joint drills and exercises,” Kotolski said. “As we execute our ISOC roadmap, we are bringing more OT into the center through partnerships with our generation and energy delivery colleagues.”
EPRI expects to update the guide annually, combining up-to-date research and technology development with utilities’ feedback and their experience with drills, attacks, and other security events.
“We’re tracking and researching emerging technologies that can potentially be used to protect critical systems, such as artificial intelligence, machine learning, security orchestration, automation, and response, and cyber security forensics,” said EPRI Program Manager Ralph King.
EPRI’s Cyber Security Research Lab in Knoxville, Tennessee, includes a functioning ISOC. Technical staff use it to demonstrate ISOC capabilities and best practices to utility security professionals. Additionally, EPRI conducts ISOC workshops internationally. With EPRI technical support, Tokyo Electric Power Corporation launched its ISOC in 2018.
Key EPRI Technical Experts:
For more information, contact firstname.lastname@example.org.
Artwork by Ariel Davis