The power grid is one of the most critical elements of modern society, and it is under constant threat of cyber-attack. Power continues to be the #1 or #2 most attacked industrial sector, with the United States CISA and DHS recommending even greater protective action given the threats observed in 2022. The grid’s unique architecture makes it both incredibly stable, thanks to its distributed structure, and challenging to protect, given its legacy systems and the inability to apply traditional IT security tools. Although that distributed nature means an attack taking down an entire country is a remote possibility, specific geographies or operators face significant threats that would cause severe local impact.

Operators in the power and energy sector need to apply critical security functions: managing inventory, identifying and remediating software or hardware vulnerabilities, managing users, accounts and access rights, managing hardened configurations, monitoring for malware or anomalous behaviors that may indicate an attack is occurring or a threat is present, ensuring robust backups in case devices are disabled, and so on. However, the network architectures and the field devices make traditional IT security tools inappropriate for these environments. Operators need to bring the best of IT security into this “operational technology” (OT) environment.


OT Cybersecurity Practices for Energy Sector

Verve has worked with power companies for the past 30 years to design, deploy, and manage secure and reliable control systems, and understands the above challenges first-hand. Over fifteen years ago, Verve deployed the first version of the Verve Security Center to bring the “best of IT security into OT.” Since then, Verve has continued to improve and evolve the product into a comprehensive solution that addresses the unique challenges of power distribution and transmission.

The Verve Security Center (VSC) is a cybersecurity platform that enables IT-type security functionality in a way that is safe and effective within the OT environment. It is the only endpoint management platform that provides turn-key solutions for NIST CSF, NERC CIP, CIS Top 18, IEC 62443, and a range of other security and compliance standards across the OT environment.

Its agent-agentless architecture is unique and built on 30 years of Verve experience in the power sector. VSC combines proprietary technology with an open API that can integrate with clients’ existing technology stack to reduce costs, streamline processes, and increase the ROI on existing technology investments.

Verve functionality overlaying the NIST CSF

Verve designed each element of VSC for the specific requirements of industrial control systems, and each includes critical IP that Verve brings to the OT environment. VSC has three core distinctive elements in how it approaches compliance and security in OT:

  1. An architecture that is OT-specific, tuned with 30 years of hands-on OT experience: scalable to remote locations, able to operate in low-bandwidth environments with low CPU usage, and built on a centralized reporting database that brings asset visibility across all distribution, transmission and generation facilities into a single console.
  2. Configuration, asset management, and alert management for ALL OT endpoints, gathered directly from the endpoint rather than relying on SPANs/taps and network traffic to guess at critical endpoint information. Through our proprietary Verve Agentless Device Interface (ADI), Verve directly gathers make, model, firmware, configuration, and vulnerability status on all brands of OEM embedded devices (as well as the more typical Windows and networking equipment). This means a single solution for managing HMIs, PLCs, controllers, substation IEDs (relays, gateways, RTUs), etc.
  3. A simple UI designed for easy security reporting against a range of different security standards. VSC brings the critical alerts, evidence and actions into one common place for monitoring, remediation and compliance reporting, without the added complexity that often comes with standard IT tools.


Our clients find 5 key benefits of the VSC approach:

BETTER ASSET VISIBILITY & RISK MANAGEMENT
  • Endpoint architecture enables a more complete asset and risk view
  • 360-degree risk score per asset (patch, vulnerabilities, users/accounts, configuration, A/V status, etc.) enables targeted response

SCALABLE: LOWEST TCO & FAST IMPLEMENTATION
  • No infrastructure (SPANs/taps): low cost and faster deployment
  • Centralized visibility platform operation and actions deliver 70% lower labor costs

COMPREHENSIVE PROTECTION, NOT JUST VISIBILITY
  • Integrated patch, configuration, software, user, and other remediation actions provide hardening for legacy OS assets in the field
  • Demonstrable, auditable results for board, regulators, insurers

SIMPLIFY IT INTEGRATION
  • Robust API includes dozens of inbound and outbound integrations with other tools (AV, whitelisting, CMDB) and rapid additional integrations as requested

COMPREHENSIVE SERVICES
  • OT expert services integrated with the product: assessment, network and endpoint remediation


Application of the Verve Security Center in Energy Transmission & Distribution

We built Verve in partnership with our energy customers, so it was designed to work in the unique transmission and substation environments.

Deep Asset Visibility

The first key feature of Verve is that it requires no scanners, taps, SPAN ports, etc. The image below shows how we use agents on OS-based devices and OT-safe agentless profiling of networking and embedded equipment to capture, in real time, a robust profile of the endpoint. Another key feature is that we integrate with a wide range of third-party OEM systems such as Landis & Gyr, Eaton, GE, Schweitzer, and many others. This not only allows us to gather robust endpoint information, it also means that Verve can deploy without additional hardware in these remote environments. Even in environments with serial connections, Verve can be deployed on low-cost Linux devices to forward key information over modem connections if necessary.

deep asset visibility

The first benefit of this is cost and speed. One energy client came to us after realizing that deploying hardware taps across their infrastructure would cost twice as much as the software and would take over a year of scheduled time to complete. Our solution deploys in a matter of days or weeks depending on the infrastructure. Our collection approach gathers data even from remote substations that may only connect via 9600-baud modems. In addition, Verve integrates with installed T&D systems from Eaton, Schweitzer (SEL), MV90, etc., which accelerates the gathering of aggregated asset information.

The second benefit is the depth and breadth of data we can collect. By connecting directly to all OT assets in scope, the data Verve collects is far richer than the little data available on the wire. Additionally, Verve sees deep into the segmented or complex networks so often found in OT environments: it can go through the backplane of a device to collect the serially connected devices behind it. This level of depth provides a more robust asset inventory and vulnerability picture.

As shown below, Verve can connect to a comprehensive list of transmission and distribution devices, gather critical information and push that data up to the Verve Asset Management system.

data flow substations

The result is a robust set of data from each device to enable vulnerability and configuration management.

Vulnerability Management and 360-Degree View of Risk

Because Verve gathers detailed and accurate data, vulnerability identification is more accurate and certain than with other approaches. Verve captures detailed OS patch levels including all KBs deployed, application software versions, and device make/model/firmware/configuration data. This allows the client to see specific vulnerabilities and rate the criticality of the affected assets.

vulnerability management dashboard

Verve brings all of the captured risk data, from vulnerabilities to configuration, AV status, network protections, etc., into an integrated perspective.

360-degree risk assessment

Verve also includes advanced analytics that compute a specific risk score for each asset based on both its identified risks and its criticality.
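To make the vulnerability-matching and risk-scoring idea concrete, here is an added example (not Verve's code, and not a description of how VSC scores assets) that takes inventory records of the kind described above (make, model, firmware, patch status, AV state, configuration findings), matches them against a small vulnerability catalog by firmware version, and weights the result by asset criticality. The asset names, vendor and model strings, the catalog entries, the VULN-PLACEHOLDER ids and the scoring weights are all constructed for illustration.

```python
"""Constructed example: turning endpoint inventory data into a
criticality-weighted risk score. Asset records, the vulnerability
catalog and the scoring weights are all made up for illustration;
the VULN-PLACEHOLDER ids are placeholders, not real CVE identifiers."""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text: str) -> tuple:
    """'R3.2.10' -> (3, 2, 10). Vendor prefixes and non-numeric
    suffixes are dropped so firmware strings compare numerically."""
    parts = []
    for piece in text.lstrip("Rrv").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Vulnerability:
    vid: str        # placeholder identifier
    vendor: str
    model: str
    fixed_in: str   # first firmware version that is not affected
    cvss: float


@dataclass
class Asset:
    name: str
    vendor: str
    model: str
    firmware: str
    criticality: int                   # 1 (low) .. 5 (protection-critical)
    av_current: Optional[bool] = None  # None: no AV on embedded devices
    config_findings: int = 0           # hardening deviations found on device
    vulns: list = field(default_factory=list)


# Constructed catalog: (vendor, model) -> fix version and severity.
CATALOG = [
    Vulnerability("VULN-PLACEHOLDER-1", "ACME", "R-100", "R3.2.0", 8.1),
    Vulnerability("VULN-PLACEHOLDER-2", "ACME", "R-100", "R3.0.0", 5.3),
    Vulnerability("VULN-PLACEHOLDER-3", "ACME", "G-20", "2.4.1", 9.8),
]


def match_vulns(asset: Asset, catalog=CATALOG) -> list:
    """Catalog entries whose vendor/model match and whose fix version is
    newer than the firmware actually running on the asset."""
    running = parse_version(asset.firmware)
    return [v for v in catalog
            if v.vendor == asset.vendor and v.model == asset.model
            and running < parse_version(v.fixed_in)]


def risk_score(asset: Asset, catalog=CATALOG) -> float:
    """Raw 0..100 score from the worst matched vulnerability (60%),
    missing/outdated AV (15%) and configuration findings (25%),
    scaled by criticality/5 so a low-value asset ranks lower."""
    asset.vulns = match_vulns(asset, catalog)
    vuln_part = max((v.cvss for v in asset.vulns), default=0.0) / 10 * 60
    av_part = 15 if asset.av_current is False else 0
    cfg_part = min(asset.config_findings, 5) * 5
    raw = vuln_part + av_part + cfg_part
    return round(raw * asset.criticality / 5, 1)


def rank_assets(assets, catalog=CATALOG) -> list:
    """Highest-risk assets first, with the matched placeholder ids."""
    scored = [(a.name, risk_score(a, catalog), [v.vid for v in a.vulns])
              for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed inventory: one protection relay, one gateway, one HMI.
INVENTORY = [
    Asset("SS1-RLY-01", "ACME", "R-100", "R3.1.4", criticality=5,
          config_findings=2),
    Asset("SS1-GW-01", "ACME", "G-20", "2.3.0", criticality=4),
    Asset("SS1-HMI-01", "Generic", "Win-HMI", "10.0.19044", criticality=3,
          av_current=False),
]

if __name__ == "__main__":
    for name, score, vids in rank_assets(INVENTORY):
        print(f"{name:12} {score:6.1f}  {', '.join(vids) or '-'}")
```

The version comparison is what makes direct endpoint data valuable: a relay running R3.1.4 matches the entry fixed in R3.2.0 but not the one fixed in R3.0.0, which a network-only view that never sees the firmware string could not decide. The weights are arbitrary; the point is that criticality is applied after the technical findings so that the ranking reflects consequence, not just exposure.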

 

Change Management

This data collection also allows Verve to provide configuration management on key substation devices such as relays. Verve gathers detailed running configuration data and compares it to the prior state to determine whether changes have occurred. In addition, it maintains the current configuration for recovery as well as for consistency monitoring.

change management dashboards

Verve can forward these alerts to tools such as ServiceNow, integrating with IT ticketing systems so that IT and OT work from a shared process.
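The configuration-change detection described above, as an added example that is not Verve's code and does not describe VSC internals: a relay's running configuration is normalised, fingerprinted and compared with a stored baseline, a unified diff is produced when something meaningful changed, and the baseline doubles as the recovery copy. The KEY=VALUE relay settings, the asset name and the list of volatile keys that are ignored are all constructed for illustration.

```python
"""Constructed example: configuration drift detection for a substation
device against a stored baseline. The relay settings text, the asset
name and the VOLATILE_KEYS list are made up for illustration."""
import difflib
import hashlib

# Keys that legitimately change on every read and must not raise alerts.
VOLATILE_KEYS = {"LAST_READ", "UPTIME"}


def normalise(config_text: str) -> list:
    """Sorted KEY=VALUE lines with comments, blank lines, surrounding
    whitespace and volatile keys removed, so only real settings compare."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0].strip()
        if key in VOLATILE_KEYS:
            continue
        lines.append(line)
    return sorted(lines)


def fingerprint(config_text: str) -> str:
    """SHA-256 over the normalised configuration."""
    payload = "\n".join(normalise(config_text)).encode()
    return hashlib.sha256(payload).hexdigest()


def detect_drift(asset: str, running: str, baselines: dict):
    """Compare the running config with baselines[asset].

    Returns None when nothing meaningful changed, otherwise a record
    carrying the unified diff. The first read of an unknown asset seeds
    the baseline and is reported as such rather than as drift."""
    if asset not in baselines:
        baselines[asset] = running
        return {"asset": asset, "status": "baseline_created", "diff": []}
    if fingerprint(baselines[asset]) == fingerprint(running):
        return None
    diff = list(difflib.unified_diff(
        normalise(baselines[asset]), normalise(running),
        fromfile=f"{asset}/baseline", tofile=f"{asset}/running",
        lineterm="", n=0))
    return {"asset": asset, "status": "changed", "diff": diff}


def accept_change(asset: str, running: str, baselines: dict) -> None:
    """Once a change has been reviewed as authorised, promote the running
    config to the new baseline, which is also the recovery copy."""
    baselines[asset] = running


# Constructed relay settings in a KEY=VALUE dump format.
BASELINE_CFG = """\
# constructed relay settings
RELAY_ID=SS1-RLY-01
51P_PICKUP=6.00
51P_CURVE=U3
TELNET_ENABLED=0
LAST_READ=2024-01-01T00:00:00Z
"""

# Same settings, only the volatile timestamp differs: must not alert.
RUNNING_SAME = BASELINE_CFG.replace("2024-01-01T00:00:00Z",
                                    "2024-01-02T00:00:00Z")

# Pickup lowered and a remote service enabled: must alert.
RUNNING_CHANGED = (RUNNING_SAME
                   .replace("51P_PICKUP=6.00", "51P_PICKUP=3.00")
                   .replace("TELNET_ENABLED=0", "TELNET_ENABLED=1"))

if __name__ == "__main__":
    store = {}
    print(detect_drift("SS1-RLY-01", BASELINE_CFG, store))
    print(detect_drift("SS1-RLY-01", RUNNING_SAME, store))
    for line in detect_drift("SS1-RLY-01", RUNNING_CHANGED, store)["diff"]:
        print(line)
```

Normalising before hashing is the detail that keeps this usable in practice: a timestamp or uptime counter that changes on every poll would otherwise flag every read as drift, and a tool that alerts constantly is switched off. The diff record is what would be handed to a ticketing integration, and `accept_change` is the step an authorised change process would trigger to close the loop.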

 

Threat Detection

Beyond these fundamental security management functions, Verve also includes a robust threat detection platform, again leveraging the agent-agentless approach. Verve aggregates data from logs, syslog, and device performance, as well as NetFlow and traffic, to identify potential anomalies and threats. It can also ingest information from passive deep-packet inspection solutions as additional security event context.

Verve’s OT threat detection includes the following functions and benefits:

  • Pre-built alerts based on hundreds of clients’ experience
  • Simple UI to create additional custom alerts as needed
  • Integration of a wide range of telemetry to improve comprehensive detection
  • Enables clients to grow into more advanced functions over time
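As an added illustration of what a pre-built or custom alert over aggregated device logs looks like in practice (example code written for this page, not Verve's detection content), the block below parses a handful of syslog-style events from substation relays and runs two defender rules over them: repeated login failures from one source within a short window, and a settings write from outside the engineering workstation set or outside the maintenance window. The log lines, host names, IP addresses, thresholds and the 08:00-17:00 window are all constructed.

```python
"""Constructed example: two detection rules run over syslog-style events
of the kind an OT collector forwards. The log lines, host names,
addresses, thresholds and maintenance window are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# e.g. "2024-03-10T02:14:05Z SS1-RLY-01 auth: login failed user=admin src=10.1.50.7"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<facility>\w+):\s+(?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: a burst of failures then a settings write at night,
# followed by a normal daytime write from the engineering workstation.
SAMPLE_LOG = """\
2024-03-10T02:14:05Z SS1-RLY-01 auth: login failed user=admin src=10.1.50.7
2024-03-10T02:14:11Z SS1-RLY-01 auth: login failed user=admin src=10.1.50.7
2024-03-10T02:14:19Z SS1-RLY-01 auth: login failed user=admin src=10.1.50.7
2024-03-10T02:14:31Z SS1-RLY-01 auth: login ok user=admin src=10.1.50.7
2024-03-10T02:15:02Z SS1-RLY-01 config: settings written group=1 src=10.1.50.7
2024-03-10T09:30:00Z SS1-RLY-02 auth: login ok user=tech src=10.1.10.5
2024-03-10T09:31:40Z SS1-RLY-02 config: settings written group=1 src=10.1.10.5
"""


def parse(line: str) -> dict:
    """Split one line into timestamp, host, facility, message and any
    key=value pairs in the message. Unparseable lines yield {}."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev.update(KV_RE.findall(ev["msg"]))
    return ev


def rule_repeated_login_failure(events, threshold=3,
                                window=timedelta(seconds=60)) -> list:
    """Alert when one source fails to log in to one host `threshold`
    times inside `window`; one alert per burst."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        if ev.get("facility") == "auth" and ev["msg"].startswith("login failed"):
            key = (ev["host"], ev.get("src"))
            failures[key].append(ev["ts"])
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(failures[key]) >= threshold:
                alerts.append({"rule": "repeated_login_failure",
                               "host": ev["host"], "src": ev.get("src"),
                               "ts": ev["ts"]})
                failures[key] = []
    return alerts


def rule_unexpected_config_write(events,
                                 engineering_hosts=frozenset({"10.1.10.5"}),
                                 window=(8, 17)) -> list:
    """Alert on relay settings written from outside the engineering
    workstation set or outside the maintenance window (hours, UTC)."""
    alerts = []
    for ev in events:
        if ev.get("facility") == "config" and "settings written" in ev["msg"]:
            in_window = window[0] <= ev["ts"].hour < window[1]
            if ev.get("src") not in engineering_hosts or not in_window:
                alerts.append({"rule": "unexpected_config_write",
                               "host": ev["host"], "src": ev.get("src"),
                               "ts": ev["ts"]})
    return alerts


def run_rules(log_text: str) -> list:
    """Parse the log and return alerts from both rules in order."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    return rule_repeated_login_failure(events) + rule_unexpected_config_write(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["rule"], alert["host"], alert["src"])
```

Two things in the sample matter for tuning: the failure rule resets its counter after alerting so one burst produces one ticket rather than one per extra attempt, and the config-write rule combines a source allow-list with a time window, which is the kind of context (who may change relay settings, and when) that only the asset owner can supply and that a generic IT rule set does not have.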

 

The power industry is under significant threat of cyber-attack and needs tools and solutions that apply best-in-class security into the OT environment. We built the Verve Security Center to do just that. With a combination of agent-agentless interfaces, Verve enables robust security management across a client’s transmission and distribution environment, with a single, easy-to-use centralized analysis and reporting database.
