The Independent Electricity System Operator Shifts Left for Streamlined Operations
As supervisor of the IESO’s infrastructure team, Armando Valdrez manages a range of technology solutions, including networking, security, NERC cybersecurity and telemetry, which is the field data for the power grid. Ten years ago, the IESO’s existing client-based VPN could not give vendors and contractors access to the network. And because that solution ran on the internet-facing DMZ firewall, administrative tasks carried high risk: a single appliance was being managed for multiple functions at once.
They needed a simpler, portal-based solution that supported remote two-factor authentication and that could cleanly segment access and responsibilities across departments, so they chose to adopt a dedicated remote-access VPN. By separating the VPN and firewall functions that had previously lived on one device, they were able to separate duties for better role-based operations and outcomes. Armando elaborates,
“We wanted to separate duties based on Tier One Control Room Operations and Tier Two Network Engineer functions, but you can’t do that with a consolidated device missing granular access control features. So we had to look for a solution that was purely for remote VPN and a solution that was only for firewalling functions. We achieved that by decoupling the remote VPN functionality and firewall functionality. We shifted left. Now our OPS team manages the remote users, while our Tier Two Engineers focus on other things like projects, as opposed to managing the operational tasks. This move addressed our issues from both a business standpoint and a technical standpoint.”
Considering a zero trust approach
For Armando and his team, weaving in some of the principles of zero trust can help reduce exposure and unauthorized access across the threat landscape. Incorporating multifactor authentication (MFA), micro-segmentation and the principle of least privilege provides a hardened security posture and aligns with zero trust best practices.
Armando shares his thoughts on incorporating zero trust, “We are talking about zero trust at a high level right now. We’re seeing how it can fit with our network refresh strategy. There are a lot of features we can play with.”
Adopting zero trust practices helps both operations and information security teams gain visibility, through insights and analytics, into how many users are connecting, where they are connecting from and which applications they are accessing. From an operations perspective, Ivanti Security Appliance gives administrators a single pane of glass for management and analytics, while PCS features include the ability to:
- Verify users: With Single Sign-On (SSO) and multi-factor authentication (MFA), Ivanti Security Appliance ensures that all users are authorized before connecting.
- Verify devices: From a device standpoint, Ivanti Security Appliance enables host checking and location awareness to validate the device before it connects.
- Protect data: Technologies like always-on and on-demand VPN, along with per-app VPN tunneling, ensure every transaction is encrypted to reduce data leakage and increase security compliance.
- Control access: Ivanti Security Appliance controls access to the data center, cloud and SaaS with centralized policy management, ensuring users are accessing only the appropriate resources they’re entitled to.
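The four checks above combine into one deny-by-default access decision: verify the user, verify the device, then grant only the resources the user's role is entitled to, optionally constrained by location. The following is an added example, not code from the page or from Ivanti, and its session fields, resource names, roles (the Tier One / Tier Two split described earlier, plus a vendor role) and entitlement table are all constructed placeholders; a real deployment would take these from the identity provider, the host checker and the product's policy configuration.

```python
from dataclasses import dataclass

# Constructed example: none of these names come from the IESO or from any
# vendor's policy syntax. They exist only to show the evaluation order.


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset            # e.g. {"tier1-ops"}, from SSO group claims
    mfa_verified: bool          # "verify users": SSO + MFA completed
    host_check_passed: bool     # "verify devices": posture (patched, etc.)
    location: str               # "verify devices": location awareness


# Constructed least-privilege entitlements, resource -> allowed roles and an
# optional set of locations the resource may be reached from (None = any).
ENTITLEMENTS = {
    "telemetry-historian": {"roles": {"tier2-engineer"}, "locations": None},
    "control-room-console": {"roles": {"tier1-ops"}, "locations": {"corporate"}},
    "helpdesk-portal": {"roles": {"tier1-ops", "tier2-engineer", "vendor"},
                        "locations": None},
}


def evaluate(session: Session, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unmatched
    is denied, so a missing entitlement never becomes an implicit allow."""
    entitlement = ENTITLEMENTS.get(resource)
    if entitlement is None:
        return False, "unknown resource"
    if not session.mfa_verified:
        return False, "user not verified with MFA"
    if not session.host_check_passed:
        return False, "device failed host check"
    allowed_locations = entitlement["locations"]
    if allowed_locations and session.location not in allowed_locations:
        return False, f"location {session.location} not permitted"
    if not (session.roles & entitlement["roles"]):
        return False, "role not entitled to resource"
    return True, "allowed"


def audit_record(session: Session, resource: str) -> dict:
    """The visibility side: one record per decision, suitable for analytics
    on who connected, from where, to what, and why it was allowed or not."""
    allowed, reason = evaluate(session, resource)
    return {"user": session.user, "from": session.location,
            "resource": resource, "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    # Constructed sessions exercising each check.
    ops_at_home = Session("ops1", frozenset({"tier1-ops"}), True, True, "home")
    eng_unpatched = Session("eng1", frozenset({"tier2-engineer"}), True, False, "home")
    vendor = Session("vend1", frozenset({"vendor"}), True, True, "third-party")
    for s, r in [(ops_at_home, "control-room-console"),
                 (eng_unpatched, "telemetry-historian"),
                 (vendor, "telemetry-historian"),
                 (vendor, "helpdesk-portal")]:
        print(audit_record(s, r))
```

The order matters for what an operator sees in the analytics: a failed MFA or host check is reported as such before any entitlement lookup, so posture problems are not mislabelled as authorization failures.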
Disaster recovery support
As an operator of critical utility infrastructure, the IESO performs regularly scheduled disaster recovery exercises to ensure business continuity in the event of a catastrophic network failure. Minimizing downtime and data loss is paramount to any disaster recovery plan (DRP), whose primary objective is to protect the organization during any event in which operations and services are incapacitated. In the IESO’s case, they were able to perform failovers of their Ivanti Security Appliance clusters. Armando explains,
“Our clients need applications that are patched and allowed, before having access to the network. This also aligns with our disaster recovery initiative in a sense that we have high availability functions. Just a couple of weeks ago, we finished our business disaster recovery exercise, and we were able to perform failovers of the PSA clusters. You have a thousand users connected at a given time and it was all transparent to them. It’s even more important now during this COVID pandemic as the majority of our users are working remotely.”
Advanced features for greater flexibility
Ivanti Connect Secure’s “always-on” VPN enables the IESO to enforce security and compliance on all traffic from endpoints, even when they are not on prem. Split tunneling then lets the IESO limit use of the secure access platform to critical enterprise and data-center applications. One advantage of split tunneling is that it alleviates bottlenecks and conserves bandwidth, because general internet traffic does not have to pass through the VPN server. Another is the case of a user working at a third-party site who needs resources on both networks throughout the day. Enabling split tunneling reduces traffic on corporate networks, increases speed through reduced latency for specific tasks and grants privacy to end users. To help improve network performance, Armando is actively running tests on split tunneling:
“Right now we’re having our QA team test split tunneling, because since the pandemic hit, we noticed that collaboration traffic, specifically things like Microsoft Teams, Skype, Webex, was being scanned by a lot of our cybersecurity tools. For example, traffic will go through our VPN gateway, then firewall and a myriad of tools such as web filtering proxies, IPS and advanced malware protection. We have a lot of tools that it goes through and there was performance degradation. We are testing the split tunneling functionality right now to bypass things like Microsoft O365, Outlook, Teams, Skype, and Webex. We are two weeks into that testing and the results are promising. So that is something we will be enabling. Before, things like collaboration video would hit a bottleneck and the outcome would be choppy streaming. But now in our QA system, playing with this stuff, we’re hearing really positive results.”
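The split-tunnel decision Armando describes is a per-destination routing choice: collaboration traffic goes directly to the internet, everything else still goes through the VPN gateway and the firewall, proxy, IPS and malware-inspection stack behind it. The code below is an added illustration, not the IESO’s configuration or Ivanti’s policy syntax; the corporate prefixes, bypass hostnames and their address ranges are constructed placeholders. It models the exclude-mode policy the quote describes (tunnel by default, bypass only an explicit allowlist) and adds one check a practitioner would want: because bypassed traffic is not inspected, the policy refuses to load if any bypass entry overlaps a corporate prefix.

```python
import ipaddress

# Constructed sample data: placeholder prefixes, not the IESO's addressing.
CORPORATE_PREFIXES = [ipaddress.ip_network(p) for p in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed bypass allowlist: collaboration destinations that may go direct.
# Keyed by a hostname so each entry is an intentional, reviewable exception.
BYPASS_ROUTES = {
    "teams.collab.example": ipaddress.ip_network("203.0.113.0/24"),
    "webex.collab.example": ipaddress.ip_network("198.51.100.0/24"),
}


class SplitTunnelPolicy:
    """Exclude-mode split tunnel: every destination is sent through the VPN
    gateway (and the inspection tools behind it) unless it is on an explicit
    bypass allowlist."""

    def __init__(self, corporate_prefixes, bypass_routes):
        self.corporate = list(corporate_prefixes)
        self.bypass = dict(bypass_routes)
        self.validate()

    def validate(self):
        # Bypassed traffic skips inspection, so fail closed if a bypass
        # entry would ever carry corporate traffic around the tunnel.
        for name, net in self.bypass.items():
            for corp in self.corporate:
                if net.overlaps(corp):
                    raise ValueError(
                        f"bypass {name} ({net}) overlaps corporate {corp}")

    def route(self, dst: str) -> str:
        """Return 'tunnel' or 'direct' for a destination IP address."""
        addr = ipaddress.ip_address(dst)
        if any(addr in corp for corp in self.corporate):
            return "tunnel"      # corporate ranges always stay inside
        if any(addr in net for net in self.bypass.values()):
            return "direct"      # allowlisted collaboration traffic
        return "tunnel"          # default: everything else is inspected


def demo() -> dict:
    """Route a few constructed flows and return destination -> decision."""
    policy = SplitTunnelPolicy(CORPORATE_PREFIXES, BYPASS_ROUTES)
    flows = [
        ("10.20.30.40", "telemetry historian in the data center"),
        ("203.0.113.17", "Teams media relay (constructed address)"),
        ("93.184.216.34", "arbitrary public web site"),
    ]
    return {dst: policy.route(dst) for dst, _ in flows}


def bad_policy_is_rejected() -> bool:
    """A bypass entry inside the corporate range must not load."""
    try:
        SplitTunnelPolicy(CORPORATE_PREFIXES,
                          {"oops": ipaddress.ip_network("10.0.0.0/16")})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for dst, decision in demo().items():
        print(f"{dst:>15} -> {decision}")
    print("misconfigured bypass rejected:", bad_policy_is_rejected())
```

Keeping the default as “tunnel” is what preserves the always-on posture: only the named collaboration destinations lose inspection, which is exactly the trade the QA testing is measuring.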
Organizations like the IESO understand the architectural decisions that go into implementing security and clearly understand the impact of those outcomes. One size does not fit all, so being able to test and right-size solutions prior to broader deployments can help IT departments implement stronger security best practices.