OT Network security
Utilities: Energy & Power, Water, Waste
Vendors

Trustpower deploys Nozomi to comply with voluntary OT security standards

February 04, 2020
OT security standards

Nozomi Networks today announced that Trustpower has deployed Nozomi’s Guardian solution to deliver deep asset discovery and improved operational visibility and control over its network.  Trustpower, a New Zealand based utilities company that provides power, broadband, phone and gas, Trustpower owns and operates 36 stations across 19 schemes, with a strong focus on sustainable generation.

“As we continued to expand, digitize and add to our operational environment, this lack of visibility presented a major challenge,” said Marty Rickard, Delivery Manager – Operational Technology, Trustpower. “We needed a new approach to cut through the noise, gain real insights into our network and ensure we were protected from cyberattacks.”

“Nozomi Networks has enabled us to meet New Zealand’s Voluntary Cyber Security Standards for Industrial Control Systems (VCSS-OCS),” said Matt van Deventer, Head of Technology, Trustpower. “Maintaining and exceeding these standards is a key priority for Trustpower and Nozomi Networks enables us to comfortably achieve that.”

Now deployed across Trustpower’s operational network, Guardian provides deep asset discovery, inventory and operational visibility; automatic real-time notification of industrial events of interest, including alerts triggered by custom-designed rules and constraints; and traffic analysis for current and future investigations.

The standard – Voluntary Cyber Security Standards for Controls Systems Operators was published in October 2019 by New Zealand’s National Cyber Security Centre and the Control Systems Security Information Exchange.  As stated in the standards document,  New Zealand’s government and industry organizations have responded to the increasingly hostile cyber environment by developing this standard. It is intended to support New Zealand’s control systems operators in building resilient cyber security defenses and practices.

The voluntary OT security standards covers the following areas

Governance & Roles – To effectively implement this standard within an organization a governance framework must exist that clearly defines the applicable roles which at a minimum should encompass the operator and owner of Critical and Cyber Assets as well as the incident management and escalation points.

Risk Assessment & Management – The driver to create, maintain and improve controls is ultimately justified by the risk that threats pose to the organisation. The requirements and recommendations in this standard should be considered in a risk context that will help establish the extent to which they need to be applied and prioritised.

Threat Modelling – Ultimately risk is quantified based on the threats being faced by  the organisation. A complete threat model relevant to the organisation should be developed based on the internal, local and global threat landscape and should be updated at least annually.

Framework & Foundational Controls – The NIST CSF provides a best practice framework and foundation for applying cyber security controls across both IT and control systems environments. To support this a mapping has been provided where the relevant CSF subcategories are listed against the CIP requirements.

CIP Requirements – these provide the recommended minimum standard required across control systems environments in addition to the foundational controls. These are clearly defined along with specific measures and operators can read the standard in a sequential manner or choose a component or aspect that best meets organisational needs, requirements and risk profile.

Assurance – Overall a compliance and measurement regime should exist that provides assurance over the effectiveness of the foundational and CIP requirements.

Although the OT security standards are voluntary, the publisher (rightly) claim that there are wide ranging benefits in the adoption the standard including, Strategic, Financial and Operational Resilience

The full standard document can be found here

Vidya Lakshmi
IndustrialCyber Editor & Features Vidya is a freelance journalist with over 10 years of experience in business journalism. She started her career reporting on U.S. equities markets and later moved to niche financial news. She developed an interest in ICS cybersecurity after researching some incidents and reading about it online.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Salvador
Salvador secures investment from Deutsche Telekom to expand cyber-attack recovery platform