NPC Ukrenergo

About NPC Ukrenergo

NPC Ukrenergo is a power company responsible for operational and technological control of the Ukrainian energy system and electricity transmission from generating plants to the distribution networks of the regional electricity suppliers. The company network includes eight regional power systems, covering the entire territory of Ukraine and employing over 8,000 people.

A so-called BlackEnergy cyberattack on Ukraine’s power grid took place in December 2015 and is considered to be the first known successful cyberattack on a power grid. Hackers were able to successfully compromise information systems of three energy distribution companies in Ukraine and temporarily disrupt electricity supply to 230,000 end consumers for a period of one to six hours.

As a critical infrastructure company, this caused NPC Ukrenergo to closely examine its security processes, as Dmitriy Ryzhkov, Senior Information Security Analyst for NPC Ukrenergo explains: “When you need to protect industrial control systems, as we do, different rules apply. Availability and business continuity are paramount, as operations cannot be interrupted without major consequences to the general population. The systems are managed through operations and infrastructure teams, rather than IT teams, and comprehensive security management requires cross-team collaboration. Without this, and security solution support, these systems remain vulnerable to attacks.”

Ultimately, the company realized it needed a Security Operations Centre (SOC); a centralized unit that manages security issues on an organizational and technical level. However, a comprehensive Security and Information Events Management (SIEM) solution would provide a great interim step for the organization to learn, protect itself against future attacks, and increase its understanding of the elements that make up a SOC. Micro Focus ArcSight Enterprise Security Management (ESM) is widely known in the marketplace as providing powerful, efficient threat detection and response through security analytics, which is just what the team needed to get started.

NPC Ukrenergo started with an infrastructure assessment. “To implement an effective SIEM you need to have a full understanding of the infrastructure and IT systems operations,” says Dmitriy. “What data logs are stored? What type of users have what level of access rights? We performed vulnerability scans on our environment to assess the risk level we need to address. The resulting data was then leveraged in a single Arcsight ESM console. It took time to grasp the ArcSight ESM capabilities for us, but once we did, we saw the flexibility and opportunity quite clearly.”

As the framework organically grew into a SOC it started to include thread intelligence and incident response. A dashboard maps security events to the MITRE ATT&CK framework, adopted by NPC Ukrenergo. This knowledge base is a foundation for the development of specific threat models and methodologies. With more connected event sources, specific user behavior analytics, and the MITRE ATT&CK framework, the team added more advanced use cases, and the result was a clear risk assessment, more visibility, and improved alerting and incident response.

Following the MITRE principles, NPC Ukrenergo divided SOC responsibility into tiers, as explained by Dmitriy. “Using ArcSight ESM, we created a model with a Tier 1 lead taking responsibility for real-time monitoring and triaging of security events, vulnerability scanning, and emergency alerts. Tier 2 then takes up incident analysis, coordination, and response, as well as forensic artifact handling, and insider threat case support. A system administration lead focuses on the infrastructure operation and maintenance, and tool engineering and deployment. The final tier includes advanced capabilities such as scripting and automation which is a real time-saver for us. The teams work as one and intelligence is shared to help everyone.”