For many large, long-standing utility companies, the edge of the operational technology (OT) network operates in the shadows. Sites are numerous, widely dispersed, and sometimes so old that it is almost impossible to keep track of what assets are running or what they’re communicating with. With critical infrastructure increasingly coming online, securing assets and operations is a priority, and you can’t secure what you don’t know. Plus, visibility is a prerequisite for meeting NERC-CIP (North American Electric Reliability Corporation-Critical Infrastructure Protection) and EU NIS (European Union Network and Information Security Directive) regulatory requirements.

A large utility company came to Cisco for help overcoming its security and compliance challenges. The company lacked the visibility needed to secure the grid and meet its regulatory compliance requirements. It wanted to understand what assets were at the edge and how they were operating – what was considered normal operations and what was abnormal – and it needed to do it all at scale. This was no easy task: the existing architecture consisted of more than 500 substations. The utility needed a single solution that it could seamlessly deploy in a large-scale manner, with verifiable integration.

This is exactly the scenario that Cisco Cyber Vision is designed for. The integrated industrial security solution leverages a highly scalable, two-tier architecture consisting of a central appliance and lightweight software-based sensors. The Cyber Vision sensors decode grid protocols such as DNP3/IP, IEC 61850 GOOSE and MMS, IEC 101/104 and more, providing visibility and insight into all the assets on the network, including what they’re communicating and with whom. The sensors are embedded into industrial switches, making them easy to deploy at scale throughout the production, transmission, and distribution networks and giving the power company visibility into all the traffic.

Shutting off power in a city takes nothing more than a legitimate instruction to a breaker. Cisco Cyber Vision monitors application flows against baselines that define what normal should look like. Anomalous behaviors that could indicate an attack can now be identified with no delay. Integration with the security operations center (SOC) provides security leaders with a holistic view of the OT environment and threat activity.

Cisco Cyber Vision also eases the burden of achieving regulatory compliance. It builds asset inventories and captures operational insights, such as asset modifications and variable changes, that are needed to meet NERC-CIP and EU NIS requirements. Leveraging the network to collect this data helps reduce the time and cost to ensure regulatory compliance.

To help ensure a smooth implementation and full integration of Cyber Vision, the utility company used a Cisco Validated Design (CVD). A CVD is an architectural blueprint for a specific use case designed and tested by Cisco engineers with Cisco equipment. The Grid Security Design Guide is designed for utility companies implementing a holistic security architecture that includes Cisco Cyber Vision and Cisco networking hardware. Leveraging the CVD reduced the utility’s risk while implementing a fully integrated IoT security architecture.

With Cisco Cyber Vision successfully implemented, the utility company gained valuable discoverability and insight into assets that were potentially vulnerable at the edge. This included devices that hadn’t been touched in ten or more years that had fallen off the inventory list but were still operating in substations hundreds of miles away, creating both a security and regulatory compliance risk. The IT security organization was able to identify those devices and where they were connected, and quickly address the security vulnerabilities that were creating a risk exposure.

With visibility and the ability to detect cyberattacks, the power utility gained confidence in its security posture at the edge and throughout the network. This visibility also gave the OT organization valuable insights into industrial processes, reduced the organization’s regulatory risk, and enhanced IT/OT collaboration.


Sean Song Jiang

Lead, Distributed Automation Solutions

Cisco IoT Solutions Group