Nozomi Networks today announced that Trustpower has deployed Nozomi’s Guardian solution to deliver deep asset discovery and improved operational visibility and control over its network. Trustpower is a New Zealand-based utilities company that provides power, broadband, phone and gas. It owns and operates 36 stations across 19 schemes, with a strong focus on sustainable generation.
“As we continued to expand, digitize and add to our operational environment, this lack of visibility presented a major challenge,” said Marty Rickard, Delivery Manager – Operational Technology, Trustpower. “We needed a new approach to cut through the noise, gain real insights into our network and ensure we were protected from cyberattacks.”
“Nozomi Networks has enabled us to meet New Zealand’s Voluntary Cyber Security Standards for Industrial Control Systems (VCSS-OCS),” said Matt van Deventer, Head of Technology, Trustpower. “Maintaining and exceeding these standards is a key priority for Trustpower and Nozomi Networks enables us to comfortably achieve that.”
Now deployed across Trustpower’s operational network, Guardian provides deep asset discovery, inventory and operational visibility; automatic real-time notification of industrial events of interest, including alerts triggered by custom-designed rules and constraints; and traffic analysis for current and future investigations.
The standard, Voluntary Cyber Security Standards for Control Systems Operators, was published in October 2019 by New Zealand’s National Cyber Security Centre and the Control Systems Security Information Exchange. As stated in the standards document, New Zealand’s government and industry organizations have responded to the increasingly hostile cyber environment by developing this standard. It is intended to support New Zealand’s control systems operators in building resilient cyber security defenses and practices.
The voluntary OT security standards cover the following areas:
Governance & Roles – To effectively implement this standard within an organization, a governance framework must exist that clearly defines the applicable roles, which at a minimum should encompass the operator and owner of Critical and Cyber Assets as well as the incident management and escalation points.
Risk Assessment & Management – The driver to create, maintain and improve controls is ultimately justified by the risk that threats pose to the organisation. The requirements and recommendations in this standard should be considered in a risk context that will help establish the extent to which they need to be applied and prioritised.
Threat Modelling – Ultimately risk is quantified based on the threats being faced by the organisation. A complete threat model relevant to the organisation should be developed based on the internal, local and global threat landscape and should be updated at least annually.
Framework & Foundational Controls – The NIST CSF provides a best practice framework and foundation for applying cyber security controls across both IT and control systems environments. To support this, a mapping has been provided where the relevant CSF subcategories are listed against the CIP requirements.
CIP Requirements – These provide the recommended minimum standard required across control systems environments in addition to the foundational controls. These are clearly defined along with specific measures, and operators can read the standard in a sequential manner or choose a component or aspect that best meets organisational needs, requirements and risk profile.
Assurance – Overall, a compliance and measurement regime should exist that provides assurance over the effectiveness of the foundational and CIP requirements.
Although the OT security standards are voluntary, the publisher (rightly) claims that there are wide-ranging benefits in the adoption of the standard, including Strategic, Financial and Operational Resilience.
The full standard document can be found here