Power and Utilities

SAVANTURE is the premier security services provider delivering a complete set of cloud security tools and solutions. These solutions are able to be deployed in variety of delivery options ranging from:

  • Genesis5 which is the industry’s leading security and compliance solution for Power and Utilities. The solution leverages SAVANTURE’s cloud-based managed security services platform, proven processes and best practices, and an assigned team of SAVANTURE security experts to each customers. The technology component is SAVANTURE’s In-The-Cloud (ITC) Managed Security Services (MSS) platform, including Security Information Element Management Service, Log Management Service, Vulnerability Management Service, and Two Factor Authentication service. By combining the power of this technology platform with an experienced lead SAVANTURE CISO whom acts as your solution and services advocate, you receive the industry highest level of protection. Your assigned SAVANTURE CISO program manages a team of security engineers and analysts who know and understand your environment. This team, working toward mutually agreed upon goals and priorities, continually tunes the technology infrastructure and refines the defined processes and standards in order to optimize your security posture. In addition, this approach significantly reduces the daily research and workload associated with chasing down alerts, events, and threats. Genesis5 is the single security solution for your entire Enterprise regardless of your application’s location; Cloud, On-Premise or Hybrid.
  • The tools used in Genesis5 are also available individually. SAVANTURE can provide these same great tools used by our CISOs and staff stand-alone, or in any combination. SAVANTURE’s Cloud Managed Security Services include:

SAVANTURE delivers the industry’s most advanced cloud based Security Software-as-a-Service (SaaS) platform which allows you to dramatically simplify your businesses’ approach to governance and security management. Today’s enterprises understand the need to have a robust Governance, Risk and Compliance (GRC) and Security Program in place to protect your business processes and information assets. Often however, your company’s limited IT, network, and security staff are constantly dealing with today’s tactical problems rather than creating the IT innovations that your company needs to differentiate itself in this high tech world. Outsourcing security tools such as Security Information and Event Management (SIEM), Vulnerability Management System (VMS), Log Management Service (LMS) and associated operational responsibility to SAVANTURE cuts costs for your business and allows your staff to perform more meaningful tasks.

Managed Security Service (MSS) monitors Intrusion Detection Systems (IDS), firewalls, servers and business applications and alerts you on threats and security breaches. With SAVANTURE we add incremental levels of human analysis and tuning that you won’t receive with other providers. We continually evaluate the protection level of the network and provide continual tuning and adjustments to reduce risks. We then combine this with a staff of security experts who routinely conduct traffic reviews, event analysis, and rule reviews, and analyze the accuracy of the correlation engines to ensure that you are seeing the optimal alerting value within our platform. Your network is constantly under surveillance so that when attacks occur we reduce the likelihood of it becoming a security breaches or reduce the level of impact as quickly as possible. This provides the assurance that your business maintains the highest level protection and you are exposed to the lowest level of risk.

Our strategy is not only about delivering the best services in the industry, but recognizing that every decision is scrutinized in today’s cost sensitive world, we must provide the highest value. At SAVANTURE our strategy is to provide you with efficient, effective and cost-compelling information risk management solutions by seamlessly integrating SAVANTURE’s people, process and technology with your unique business needs.  We help your business identify, reduce, and manage information risk to revenue, reputation and regulatory compliance so that you can focus on managing and growing your business. That means we need to understand the regulatory requirements you are subject to today and monitor them ongoing as your business expands and regulations change.

 

Specific to Power & Utilities, common regulatory requirements for companies in the Power and Utility industry include:

  • NERC CIP
  • Consumer and User Privacy Laws (US State, EU, and other country and geographies)
  • Payment Card Industry (PCI) standards
  • Often Entities also are regulated by SEC and HIPAA regulations as well

Let’s take a quick look at each of these as sample compliance and regulatory fulfillment.

 

What Guidance does NERC Provide?

NERC is the North American Electric Reliability Corporation, a nonprofit formed in 1968 to develop security standards to ensure the integrity of the bulk electric system in North America. More than 334 million people rely on 1,866 Registered Entities that produce electricity in North America.  NERC’s Critical Infrastructure Protection (CIP) Reliability Standards provide Registered Entities with requirements for compliance. NERC introduced its Critical Infrastructure Protection (CIP) Reliability Standards CIP-002-1 through CIP-009-1 in 2006. As of June 30, 2010, all Registered Entities must prove "auditable compliance" on a semi-annual basis or be subject to penalties which could be substantial; depending on the offence, they penalties could be upward of $1 million per day. Eachof the 1,866 Registered Entities must comply with the eight categories of controls for securing critical cyber assets used to protect the bulk electric system. These include:

  • Cyber Asset Identification
  • Security Management Controls
  • Personnel & Training
  • Electronic Security Perimeter(s)
  • Physical Security
  • Systems Security Management
  • Incident Reporting and Response
  •  Recovery Plans for Critical Cyber Assets

The threats to our power grid are numerous.  Threats to the US critical cyber infrastructure are many.  The US electricity producing Entities are a key target and the adversaries range from sovereign states and terrorist to lone hackers; none of which play by any defined rules.  Any number of successful exploitscould result in disrupting the delivery of electrical power.

To compensate for the increased threats, NERC has expanded its responsibilities and is now engaged in compliance monitoring, compliance enforcement, and managing a due process for contestations by Registered Entities who receive audit violation findings.

While a Utility may fall under other compliance areas such as SEC, PCI, and Federal and State Privacy Laws, the actual core power infrastructure is the only element intended to be protected by NERC CIP-002 through CIP-009.  The overall relationship between Critical Assets, Cyber Assets, and the Bulk Electric System is best described in NERC FAQ for NERC Cyber Security Standards (CIP–002 through CIP–009) on nerc.com.
savanture

As defined by NERC:

    Area A — The entire Electric System including Transmission, Distribution, Bulk Electric System, Generation, and Market Systems.
    Circle 1 — Bulk Electric System, as defined by NERC.
    Circle 2 — Critical Assets, as identified by the Responsible Entity. Many Critical Assets are also part of the Bulk Electric System (Areas B, D, F), but not all (Areas C, E).
    Circle 3 Critical Cyber Assets supporting all the Critical Assets as identified by the Responsible Entity. Shown are Critical Cyber Assets supporting the Bulk Electric System (Areas D, F) and Critical Cyber Assets not supporting the Bulk Electric System (Area E).
    Area F — Indicates Critical Cyber Assets that support the Bulk Electric System within the scope of the NERC Cyber Security Standards.
    Area G — Cyber Assets covered by the NERC Cyber Security Standard CIP–007 because of their network connectivity with Critical Cyber Assets that support the Bulk Electric System.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to the core administrative networks and SCADA systems while corporate security are intended to assure the confidentiality, integrity, and availability of all other parts of the IT infrastructure. 

NERC provides, in discussion, that under Standard CIP–003–1—Cyber Security—Security Management Controls, that a Power or Utility company may have acyber security policy that is integrated into “the larger corporate policy providing that the overall policy demonstrates management’s commitment to addressing the requirements of these CIP standards and provides a framework for the governance of these standards.

SAVANTURE fulfills CIP requirements for scanning of vulnerabilities, monitoring the network addressable operational infrastructure in real-time, collecting and managing logs for forensics, and two factor authentication to protect access to critical cyber assets. These SAVANTURE solutions provide the means for auditing a broad range of other security controls within an Entity to ensure that they are operational and properly configured.  In addition, the SAVANTURE platform provides the capabilities to properly provide security across the entire enterprise.

How SAVANTURE helps with CIP compliance

The core goals of NERC CIP, relative to IT security, are 1) decrease the risk of a compromise that results in the unauthorized access to Critical Cyber Assets that support the Bulk Electric System, 2) be able to identify and rapidly close a weakness in your IT Infrastructure or processes that could compromise or result in the compromise of the Bulk Electric System, 3) ensure measurable standards are in place that allow organizations to be judged if they are following reasonable compliance with NERC standards, specifically the eight controls outlined in CIP and 4) reports and documentation are generated that demonstrates an organization has a healthy security and policy program in place that supports NERC CIP standards.  SAVANTURE helps in each of these as follows:

  • Easy to Implement and Use Authentication
    SAVANTURE can be used to protect administrative access to internal systems through our on-premise two-factor Authentication Service including CCAs.  In addition, the same technology can be used from our In the Cloud (ITC) platform to protect employee access to the network via VPN or to specific applications and we can also provide extremely cost-effective integration with user-facing systems to provide the added level of security that modern day customers are demanding … and more and more commonly becoming a regulatory requirement for many of the more broad privacy laws.

    SAVANTURE helps Power and Utilities both domestically and globally protect their data and their customers with strong two-factor authentication (2FA). SAVANTURE integrates with your environment (applications, servers, VPNs, network devices and web applications) to provide the security needed to comply with your regulatory requirements.

  • Real-time Collection, Management, and Alerting across your IT Infrastructure
    Incident Reporting and Response is a core component of NERC CIP.  The collection, management, and analysis of log and event data are integral elements of meeting regulatory requirements. IT environments consist of heterogeneous devices, systems, and applications all reporting log data.  SAVANTURE provides compliance to this requirement through both SIEM and/or Log Management depending on the organizations IT Infrastructure.

    The SAVANTURE SIEM ensures compliance with regulatory requirements by not only collecting logs (meeting the monitoring information systems in real-time guidelines) but also provides real-time alerting enabling immediate investigations and compliance reporting.  This is the difference between definition and intent.  The intent of NERC is to protect our electrical critical infrastructure.  By being aware of threats in real-time, you have a clear analysis of events that are impacting the integrity of the organization’s data. Areas of non-compliance can be identified in real-time and mitigated before the integrity of your systems are impacted.

  • Identification of Vulnerabilities and Weaknesses across your IT Infrastructure
    Understanding where your weaknesses are before systems are compromised is a logical approach to decreasing risk.  SAVANTURE’s Vulnerability Management Service (VMS) vigilantly probes your Internet-connected systems for vulnerabilities before the hackers can find and exploit them.   The service identifies holes in your perimeter protection to any Internet-addressable host.  In addition, we scan internally to identify vulnerabilities in the event the perimeter is ever breached or someone locally attempts to compromise a system.  New vulnerabilities are discovered every day and hackers are becoming more adept at exploiting these security vulnerabilities.

    SAVANTURE’s VMS allows us to identify vulnerabilities and weakness, target the fix or identify ways to reduce risk of compromise, and track progression of the organizations ability to maintain a lower risk vulnerability profile.

How is your Business impacted by Consumer and User Privacy Laws

Over the past 10 years the individual states within the USA, as well as member countries of the EU and other countries have defined strict policies for protecting employee and consumer data.  Most often this has a basic requirement that provides for some combination of user information that allows a third party to uniquely identify a user.  This often includes the user‘s name, address, unique identifiers such as a credit card number, social security number, member number, or in some regions, even the user’s IP address.

What most businesses don’t recognize is these laws are not limited to where your business maintains its headquarters, or even more broadly where your business physically operates.  Rather, all these laws protect the users’ interest which is most commonly tied to where the user has a residence.  As an example, if you’re a company with a HQ in the US state of North Carolina with physical offices in Maryland, Florida, and Washington, with sales made in 47 other states and any European Union country, you fall under privacy law for all 47 US states you have customers in,as well as the European Union.  Most businesses do not have the resources to 1) properly evaluate each law and 2) apply the proper reporting and protective measures as outlined by the regulations.  SAVANTURE can supplement your capabilities to comply with privacy laws through its CPO services as well as SIEM, LMS, and VMS … and of course Genesis5.

What does are the PCI-DSS Requirements?

The Payment Card Industry Data Security Standards (PCI-DSS) mandate that organizations who "hold, process, or pass cardholder information" meet a minimum level of security. PCI-DSS, first released in 2004, from policies developed by American Express, Visa, MasterCard, Discover, and JCB, is a comprehensive worldwide information security standard aimed at any organization that stores credit card data. Today, the standard has expanded requirements beyond the retailers to include banks and third-party processors.  PCI-DSS is a relatively comprehensive standard and includes requirements for security management, data protection at rest and in transit, and other critical protective measures that were developed to proactively secure cardholder data and transaction information for consumer privacy.  Simply put, PCI-DSS was designed to protect the integrity of the credit card transaction from end-to-end in transit and when stored anywhere along the transaction path.

This is arguably one of the most important regulatory requirements for any business.  Why?  First, they require specific audits that vary based on your credit card transaction volume and the credit card companies are known to validate the audits.Non-compliance with the requirements can result in hefty fines from each of the payment card compliance programs,  increased transaction processing fees, financial fines in the hundreds of thousands of dollars and ultimately to the suspension of your ability to process credit card transactions.  Most businesses cannot operate without accepting credits cards for payment.

    How SAVANTURE helps with PCI-DSS compliance.
    The core goals of PCI, relative to IT security, are 1) decrease the risk of a compromise that results in the unauthorized disclosure of credit card details or impact to the transaction path, 2) be able to identify and rapidly close a weakness in your IT Infrastructure or processes that could compromise or result in the disclosure of an individual, or group of credit card records, 3) have you fulfill PCI-DSS audit requirements and submit results for review, and 4) have your business establishreporting and documentation which demonstrates you have security and policy programs in place that meet the minimum requirements defined by PCI.
    SAVANTURE helps in each of these as follows:

    • Easy to Implement and Use Authentication
      SAVANTURE 2FA can be used to protect administrative access to internal systems, employee user access to the network via VPN or specific applications and we can provide extremely cost-effective integration with user-facing systems to provide the added level of security that modern day customers are demanding … and more and more commonly becoming a regulatory requirement.

      PCI outlines protecting remote access logins with strong authentication. Specifically, section 8.3 says that organizations must:
      Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

      SAVANTURE allows organizations to easily deploy two-factor authentication using the users’ existing devices. Typically, purchasing and managing hardware tokens makes two-factor authentication prohibitively complicated and expensive. SAVANTURE removes this barrier, giving your company a solution that is manageable, inexpensive and easy-to-use.

    • Real-time Collection, Management, and Alerting across your IT Infrastructure
      The collection, management, and analysis of log and event data are integral elements of meeting both NERCand PCI audit requirements. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data.  SAVANTURE provides compliance to these requirements through either or both SIEM and Log Management depending on the organizations IT Infrastructure.  PCI does not explicitly require SIEM, rather it requires Log Management.  Our SIEM however fulfills the log management requirements and provides the added advantages of fulfilling multiple compliance requirements and a high degree of real-time protection all in one platform.  If you simply need Log Management Service (LMS), SAVANTURE’s LMS fulfills PCIs requirements.

      However, the SAVANTURE SIEM ensures compliance with PCI requirements by not only collecting logs (meeting the monitoring information systems in real-time guidelines) but also provides real-time alerting enabling immediate investigation and compliance reporting.  This is the difference between definition and intent.  The intent of PCI is to protect credit card information and systems.  Being aware of threats in real-time, you have a clear analysis of events that are impacting the integrity of the organization’s data. Areas of non-compliance can be identified in real-time and mitigated before HIPAA non-compliance occurs.

    • Identification of Vulnerabilities and Weaknesses across your IT Infrastructure
      Understanding where your weaknesses are before they are compromised is a logical approach to decreasing risk.  SAVANTURE’s Vulnerability Management Service (VMS) vigilantly probes your Internet-connected systems for vulnerabilities before the hackers can find and exploit them.   The service identifies holes in your perimeter protection to any Internet-addressable host.  In addition, we scan internally to identify vulnerabilities in the event the perimeter is ever breached or someone locally attempts to compromise a system.  New vulnerabilities are discovered every day and hackers are becoming more adept at exploiting these security vulnerabilities.

      SAVANTURE’s VMS allows us to identify vulnerabilities and weakness, target the fix or identify ways to reduce risk of compromise, and track progression of the organizations ability to maintain a lower risk vulnerability profile.

    • Organizational Assessments
      In addition to the immediate protection provided by SAVANTURE’s products and services, we provide self-driven tools like the SAVANTURE Self Risk Assessment for PCI, the means to uncover and address risks are more readily available than ever before.  The assessment then provides recommendations to remedy identified risks through practical guidance and best practices.  We recommend the assessment be taken annually so you can measure your progress and confirm that compliance controls are maintained through the natural and continuous changes that occur within any organization.  For those companies that use SAVANTURE’s CISO services, we will lead up this effort and ensure the proper individuals in the organization take action and that the appropriate follow-up occurs.

      More information on PCI DSS

       

      What Other Compliance Regulations does Savanture help with?

      SEC and HIPAA are common compliance requirements many Healthcare and Hospital Systems are governed by.  SAVANTURE has a full suite of compliance oriented solutions that we can assist you with.  The good news is the core platforms for many solutions are the same, so there is minimal effort and expense in leveraging the existing system capabilities to meet these other compliance requirements.

       
      Learn about our company, read what media and analysts have to say about SAVANTURE, or find open positions and become part of our team. 

     
    We are here to earn your trust, and your business.

 

  • SAVANTURE Services are best in class and provide the most optimal cost performance solution in the marketplace allowing you to focus on your business
  • Best in class offerings allow us to protect your revenue, reputation and regulatory compliance better than any other solution in the marketplace
  • Flexibility in deployment methods allow a low cost entry option, while breath of services allow you to increase your protection logically over time as threats change and regulatory requirements evolve
  • SAVANTURE allows you to leverage best in class or take advantage of SAVANTURE’s Genesis5
  • Ease of deployment and ease of use while always being cost-effective, reliable, and secure
CONTACT US and we can answer any questions or get you started now.