Cloud Security Guide for Energy and Utilities

How to Stay Secure and Compliant in the Cloud While Connecting Consumers to Critical Infrastructure and Services

In a world reliant on power and telecommunications, the energy and utilities sector plays a critical role in the stability and success of virtually all other industries. In fact, its overarching importance makes it a target for malicious actors who wish to disrupt businesses of all kinds that rely on the grid to power their operations and connect them to their customers and partners. At the same time, energy and utility companies are trying to manage aging infrastructures, growing environmental concerns, and increased regulatory scrutiny.

There is also tremendous opportunity within the industry. In the late 1980s, the competitive energy market for natural gas began to develop. Soon after, following the Energy Policy Act of 1992, the competitive market for electricity was born. In the years since then, several states and the District of Columbia have voted deregulation into law, thus creating opportunity for innovation and growth where there were previously monopolies.

Many energy and utility companies are moving to the cloud to innovate rapidly and respond to their customers’ demands for better services, increased reliability, expedited customer service, and of course, lower prices. The critical nature of these services, combined with increased scrutiny from regulators on the generation and transmission of power and the data and communications supporting day-to-day operations, necessitates a strategic approach to cloud security and compliance.

Building applications and migrating workloads to Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offers an attractive way to respond to competitive pressures while speeding innovation and resilience. However, the self-service, dynamic nature of software-defined cloud environments creates unique challenges for IT security, governance, risk, and compliance professionals in the energy and utilities industry.

Processes and tools that work well in the traditional data center do not directly translate to the public cloud. Due to concerns over compliance and security, as well as the complexity involved in migrating legacy systems, many companies have approached public cloud adoption with caution. However, the tremendous opportunity of a newly deregulated market is driving others to innovate in the cloud or risk being left behind.

Energy and utility organizations need to innovate at the speed of cloud without creating risk for themselves, their customers, or their stakeholders. To take full advantage of the opportunities public cloud offers, they must define their cloud governance standards clearly; have real-time, automated enforcement of security and governance, risk management, and compliance policies; and be able to present evidence of compliance to assessors, auditors, and regulatory bodies.

This is an achievable objective, and this guide explores how organizations can approach the cloud with a roadmap for continuous security and compliance, and how Rapid7 can help.

Roadblocks

Moving to and thriving in the cloud is fraught with challenges for organizations in the energy and utilities industry.

Compliance

Deregulation in this context doesn't mean that energy and utility companies aren’t subject to compliance. Rather, achieving, maintaining, and substantiating compliance is of critical importance. Depending on the type of services, information, or data that a company handles, they could be subject to comply with any or all of the following:

  • PCI DSS
  • SOC 2
  • FedRAMP
  • NIST 800-53
  • NERC CIP

This list is not exhaustive, and regulatory compliance requirements are likely to evolve for the foreseeable future. It’s important to remember that compliance with any framework is the responsibility of the cloud service provider (CSP) customer, not the CSP. Whether you’re using AWS, Azure, GCP, any other CSP, or even a combination of CSPs, you as the customer are responsible for configuring and using cloud services securely and in a manner that complies with the applicable standards relevant to your business.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards. PCI DSS applies to all entities that store, process, or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.

SOC 2

The American Institute of CPAs Service and Organization Controls (SOC) 2 reporting standard defines criteria for how organizations should manage customer data. Many organizations, including energy and utility companies, choose to establish and follow strict information security policies and procedures that adhere to the SOC 2 standard, and to undergo regular third-party audits to certify their compliance.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP simplifies security by providing a standardized approach to security for the cloud through a core set of processes to ensure effective, repeatable cloud security for the government.

NIST 800-53

The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems, except those related to national security. NIST 800-53 controls set the baseline for security for federal agencies and contractors, and are continuously updated to address new threats and prevent major cybersecurity incidents.

NERC CIP

North American Electric Reliability Corporation (NERC) developed Critical Infrastructure Protection (CIP) standards to which North American bulk electric system providers must comply. This baseline set of security measures uses a results-based approach, focusing on performance, risk management, and entity capabilities. Regional reliability organizations are the enforcement arm of NERC. They perform periodic audits of grid operators and can levy fines for non-compliance. All relevant agencies, organizations, and standards fall under the jurisdiction of the Federal Energy Regulatory Commission, which monitors energy markets and regulates the transmission and wholesale sale of electricity.

Useful Features

We’ve provided an overview of how compliance is relevant to enterprises in the energy and utilities industry. Let’s now focus on what features or capabilities you should look for and leverage in a cloud security tool to support growth and innovation. There are four key areas that will help ensure successful management of your cloud security:

  • Visibility
  • Unified posture
  • Efficiency and automation
  • Scalability and adaptability

Visibility

Visibility into cloud environments allows organizations to identify, assess, prioritize, and remediate risk (and automate this entire chain). It is the cornerstone on which strong cloud governance and continuous security are built. Having a complete picture of every cloud service is one of the only ways you can safely identify all security considerations. InsightCloudSec by Rapid7 includes capabilities for automated discovery and inventory assessment across CSPs and containers, including:

  • Infrastructure as a Service, Platform as a Service, and Serverless/Function as a Service support
    • AWS, including AWS GovCloud and AWS China
    • Microsoft Azure, including Azure GovCloud and Azure China
    • GCP
    • Alibaba Cloud
  • Containers as a Service
    • Amazon Elastic Container Service for Kubernetes
    • Azure Kubernetes Service
    • Google Kubernetes Engine
  • Private Cloud
    • Kubernetes
    • OpenStack

With support for a range of platforms, InsightCloudSec by Rapid7 can help identify gaps and issues across all cloud assets and resources. Armed with this information, companies can ensure the right policies are in place to establish and maintain continuous security and compliance.

Unified Posture

Establishing a unified posture has a number of significant advantages. It’s a great way to cut down on the time spent cataloging resources, and more importantly, it ensures a complete and accurate picture of the assets that need to be evaluated. With a tool like InsightCloudSec, an organization has a single interface to view data and make decisions based on a complete understanding of the IT systems, resources, and configurations, regardless of CSP or resource type. Having a consistent, unified approach will also allow you to understand the security and compliance posture across the entire scope of cloud and containers through a standardized asset inventory.

For example, InsightCloudSec has developed standard terminology to describe cloud services across cloud environments. In InsightCloudSec, you will not see provider-specific resource names like S3 Bucket (AWS), Blob Storage Container (Azure), Cloud Storage (Azure), or Swift (OpenStack). Instead, InsightCloudSec uses the normalized terminology “Storage Container” for all of these. By offering this standardized asset inventory, an organization can apply a unified policy and automated, real-time remediation across all of the environments, both existing and future. Unified visibility and monitoring is particularly useful for energy and utility companies, which often have diverse business units that use different tools and systems and different CSPs.

Efficiency and Automation

Another critical element to evaluate for any tool that you may select to handle your cloud security is the ability to provide efficiency and automation, so that you can easily manage your cloud environment and direct your attention to the handful of issues that require manual intervention. In the cloud, communication requirements are far more diverse because of the scope of user and user ability. Most tools are accessible to users regardless of their skill level. Having the correct cloud tools, particularly when dealing with security, can help empower task owners regardless of their skill level.

With a tool like InsightCloudSec, you can provide guardrails for cloud environments, ensuring that your teams can provision within the limits of the policies you’ve defined. In addition, with automation, you can achieve both security and speed at scale. With API polling and an event-driven data harvesting approach to identify risk and trigger remediation, InsightCloudSec provides fast detection of changes, enabling automated remediation to occur in real time.

Scalability and Adaptability

Scalable cloud security solutions that can adapt to new and updated requirements, now and in the future, are essential for those in the energy and utilities industry. With the quantity of cloud resources that most organizations have, it is often difficult to maintain continuous visibility—let alone security—without the appropriate tools. Failure to have the ability to change and adapt to new requirements can result in noncompliance, misconfigurations, and a host of other problems. In any of these situations, the worst case scenario is always the looming threat of a security breach.

By investing in an enterprise cloud security tool like InsightCloudSec, you can protect your organization and adapt to the future challenges of cloud security with features like:

  • An extensible platform with API integration capabilities for third-party tools
  • Support for hybrid-cloud, multi-cloud, and containers
  • Reporting capabilities
  • Visibility based on a variety of user types, ranging from view-only monitoring to complex administration
  • Built-in policies and compliance tools along with limitless customization capabilities
  • Proof of compliance for numerous compliance standards

The ability to leverage smart, adaptable enterprise capabilities can help you face all of the challenges we’ve outlined throughout this paper. Efficient, scalable tools will serve you now and into the future as laws, regulations, and standards evolve, regardless of which CSPs you use or your organizational size.

Conclusion

Staying continuously secure and compliant in the cloud can be daunting, particularly for those responsible for providing uninterrupted access to key resources and services. Protecting the data associated with these resources and services is essential for energy and utility companies. With the right tools to support unified posture, efficiency and automation, scalability and adaptability, and continuous security and compliance through visibility, this responsibility becomes manageable–even easy.

Ready to see InsightCloudSec in action?