Improving the Cyber Security for an Energy Provider
Mandeep THANDI
Director of Cyber & Privacy (Gemserv, a Talan Company)
The Challenge
Our client serves 910,000 homes, farms and businesses connected to the electricity network in Northern Ireland. They employ over 1,400 people. They required a Cyber Security partner to provide subject matter expert advice and guidance for all aspects of their business. An essential part of the requirement was that their partner would be available to give real time advice and recommendations during a major security incident or event.
While the client had an IT service provider that managed their immediate response to any security incident or event, they wanted a Cyber Security partner that could also give them tailored independent advice and guidance. It was important to the client that they were achieving and maintaining compliance to the Cyber Security Network & Information Systems (NIS) regulations and working against recognised standards such as ISO 27001.
They therefore expected their Cyber Security partner to have proven experience in:
- Generating policy, procedures, baselines, and standards.
- Undertaking NIS Regulation based Gap Analysis.
- Proposing methodologies and performing risk assessments.
- Evaluating and testing implemented solutions.
The client required their Cyber Security partner to deliver:
- Infrastructure health checks.
- Application security and penetration testing.
- Security training.
- Support for cyber security governance and compliance.
- Participation in bi-monthly IT.
The Solution
Gemserv, a Talan Company, conducted two days of stakeholder engagement workshops on the client’s main information technology site. These sessions gave us the opportunity to interact with stakeholders and build the key relationships required for a successful partnership. It also enabled the team to detail the scope of work and ensure that both parties were in-step moving forward.
We successfully provided services against the client’s deliverables on an ad-hoc basis and set up a dedicated ticketing system that allowed the client to request work, or to alert Gemserv of an incident on top of established direct contact with our team.
A secure file sharing platform was set up so that the client could upload documents for review and input. This platform also allowed both the Cyber and DP teams to upload deliverables securely.
Gemserv also delivered a full NIS directive gap analysis for all the client’s current security policies and provided recommendations for updates to all current policies. This included identifying which policies should be added to the current suite in order to ensure compliance.
The Impact
All work completed by Gemserv for the client was well received. We have provided additional support at no additional cost to them in order to align and structure the security posture of the organisation to enable enhanced delivery, but also provide clarity on how a mature Cyber Security strategy should be approached.
Gemserv will be undertaking further work as a result of the NIS Regulations gap analysis that has already been completed, including the drafting of new security policies.
These recommendations were completed for each objective and subsection detailing all key points, current and suggested, the client’s employees should adhere to.
Gemserv supported the client through weekly update calls and attended bi-monthly cyber security forums on site (and latterly remotely due to the COVID pandemic).
Since starting work with the client, we have successfully completed the following engagements:
- Individual document reviews, providing detailed recommendations for improvements.
- Advised and facilitated internal penetration testing.
- Conducted internal workshops with project and Information Security teams to discuss monitoring solutions.
- Reviewed security schedules for a contract against the NIS Regulations detailing levels of compliance achieved for each subsection, along with improvement advice.
The client has also engaged us to undertake security work relating to their smart metering programme and developments associated with upgrading their operating system. To date there have been no major cyber security incidents to test the reporting and alerting system.
Our team also delivered similar services to the client for Data Protection, including a virtual Data Protection Officer (DPO). Support requirements covered both IT corporate and SCADA systems, which Gemserv has extensive experience in.