This document discusses how a mid-sized US electric utility implemented the Dragos cybersecurity platform to improve the visibility of its operational technology (OT) assets and threats, enhance compliance functions, and better support its limited OT security team. The Dragos solution included passive network monitoring sensors, asset characterization, and threat intelligence reporting. It helped the utility address compliance requirements, leverage Dragos' expertise through training and assistance, and improve its detection of OT threats through behavioral analytics and investigation playbooks. The solution demonstrated that combining technology with personnel support can effectively address common industrial control system security challenges faced by electric utilities.

1. SolvingICS Cybersecurity Challengesin the Electric
Industry
Dragos
Matt Cowell
mcowell@dragos.com
@m_p_cowell

3. Dragos Platform
Threat Detection & Response
technology for ICS
Dragos WorldView
ICS/OT Threat Intelligence
Threat Operations Center
Experienced assistance &
training
The Dragos Offering

4. Case Study Background
• Mid-sized US Electric utility
• Generation, Transmission and
Distribution networks
• Diverse mix of control system vendors
• Limited team to support OT cyber
security functions
• Network infrastructure supportive of
monitoring
• Converging IT/OT SOC

5. Customer Objectives
Improve visibility of networked OT assets
Improve visibility of OT threats
Improve NERC/CIP compliance functions
Better enable limited OT security team

6. Architecture
• Passive network monitoring
• Sensor/Server based
• 16 distributed sensors
• Centralized monitoring

7. Objective 1: Asset Visibility
Summary
• 30,000+ assets
• Vast volumes of data available
• Distributed across hundreds of
miles
• Some physical network separation

8. Objective 1: Asset Visibility
Solution
• Asset characterization
• Connections & protocols
• Zoning
• Timeline analysis

9. Objective 2: Compliance
Summary
• NERC CIP regulated utility
• Required high level of manual effort
• Apprehensive of outside vendors

10. Objective 2: Compliance
Solution
• Consultative discussion to
understand compliance pains
• Address specific CIP requirements
through technology
• Establish credibility through
industry trusted partners
Security Patch Management
 CIP-007-6 R2:
Malicious Code Prevention
 CIP-007-6 R3:
Security Event Monitoring
 CIP-007-6 R4:
Incident Reporting & Response
Planning
 CIP-008-5 R1:
Vulnerability Assessments
 CIP-010-2 R3:

11. Objective 3: Personnel
Summary
• Small, dedicated team
• Varied experience levels
• Performing many different functions
• Converging OT/IT SOC

12. Objective 3: Personnel
Solution
• Leverage Dragos experience
through technology
• On site assistance and ongoing
support
• Training to empower customer
personnel
• IR support escalation through
retainer

13. Objective 4: OT Threats
Summary
• Limited information sharing of
industry-wide threats
• Improve detection based on
known TTP’s & behaviors
• Reduce amount of work
performed by analysts to
validate alerts
• Know how to respond to
threats.

14. Objective 4: OT Threats
Solution
• Threat behavior analytics
• Query focused datasets
• Investigation playbooks
• Threat intelligence reports
provide additional context &
details

15. Additional resources
https://dragos.com/resource/implementing-the-dragos-
platform-to-solve-ics-cybersecurity-challenges-in-the-electric-
industry/
https://dragos.com/media/dragos-ics-threat-detection-response-
platform-demo/

16. Summary
Threats are increasing but defense is doable
IT and OT teams are blending
Solution requires combination of tech. & personnel to be effective+
Pursue proactive threat hunting vs reactive IR
Many companies are facing similar challenges

17. Thank you
https://dragos.com
@DragosInc