By Amit Sharon, Head of Global Customer Community & Market Intelligence, Check Point Software
Digitalization is introducing new capabilities into energy distribution and power grids. Intelligent technologies offer far greater visibility and control, but they also open the door to new cybersecurity risks. Learn how E-REDES built next-generation security into critical infrastructure while increasing visibility and preserving control.
E-REDES (formerly EDP Distribuição) operates and maintains more than 99% of Portugal’s energy distribution power grid, connecting more than six million Portuguese customers. Nuno Medeiros, CISO of E-REDES, and I recently discussed the challenges of securing this mission-critical asset.
In many areas of the world, critical energy infrastructure has been built and implemented over decades. Systems were originally designed with high resiliency—not security—in mind. Security has traditionally focused on data center systems and applications. But now, technologies such as smart meters, digital twinning, and intelligent power grid capabilities demand that security be extended to lower levels of the infrastructure, such as substations.
Amit Sharon: How is defending mission-critical infrastructure different than securing data center systems and applications?
Nuno Medeiros: Although data center infrastructure is considered “critical,” it is vastly easier to secure than power grid infrastructure. We operate approximately 500 substations and 60,000 secondary substations across Portugal, all of which have been designed and deployed over periods of decades. Many of our existing substations are more than 20 years old, and new substations are planned for the future, which creates a large, highly heterogeneous infrastructure. A one-size-fits-all approach to security will not succeed. Equipment in substations also is subject to harsh, semi-outdoor conditions with temperature extremes, humidity, vibration, and other factors—unlike systems in a protected data center. Perhaps the most challenging factor however, are the two types of networking zones within each substation. There is an engineering network zone, which is used by employees for remote access to systems. A second network zone encompasses operational technologies dedicated to critical power distribution functions. The operational zone cannot be touched—we can’t implement security controls on that traffic. So the challenge was to gain deep visibility into traffic while maintaining control, while simultaneously being able to detect, identify, and prevent threats from affecting either zone.
Amit Sharon: How did you even begin to identify the right security solution?
Nuno Medeiros: It wasn’t easy! It was pretty clear that we needed a next-generation firewall. And it was also clear that we needed strong partners who understood the challenges inherent in securing power distribution environments. First, we researched the market, looking for solutions that were designed for rugged environments. After analysis and discussions with multiple vendors, we identified Check Point as the best solution for us. We also evaluated system integrators and chose Warpcom, who provides strong support for cybersecurity and public safety digital transformation initiatives. Warpcom proved to be a flexible, dynamic partner for us and for Check Point Software.
Amit Sharon: Which Check Point Software solutions did you implement?
Nuno Medeiros: We first conducted a very successful proof of concept with Check Point Rugged Appliances in three substations—each with a different technology environment. In our first implementation, we deployed Check Point Rugged Appliances in 68 of our most critical substations. In each substation the appliance mirrors traffic between the engineering control center and operational zones. With Check Point Security Management R80, we integrated security management across all deployments. Check Point R80 Smart Console gives us policy, logging, monitoring, event correlation and reporting in a single system. With a ‘digital twin’ of the substation traffic, we can easily identify security risks and apply security controls to all traffic leaving the substation before it joins the main network. Check Point R80 SmartView centralizes viewing through a friendly interface. Check Point R80 SmartEvent provides full threat visibility. Threat and logging data is sent to our SOC, where our team can quickly manage and respond to a security event.
Amit Sharon: How did Check Point Software meet your objectives?
Nuno Medeiros: Our two primary objectives were increasing visibility and maintaining control. Before Check Point Software, we had limited visibility into the substation networking traffic, but now we know exactly what is happening on any substation floor. Check Point gives us control by allowing us to quickly and easily create new rules or add capabilities without needing access to the devices themselves. If we want to add a new rule to 50 firewalls, we do it with a click—all without jeopardizing mission-critical power operations.
Amit Sharon: How will the Check Point Software solutions help E-REDES address security going forward?
Nuno Medeiros: The substation security initiative has become a flagship project for E-REDES, and we’re now deploying the solution in 200 more substations. With Check Point, we built security capabilities into our most important facilities in a swift, agnostic way. Even as cyber threats increase and diversify, we’re confident that our Check Point solutions are effective. With built-in Supervisory Control and Data Acquisition (SCADA) protocols and operational technology (OT) equipment, they give us continually current Firewall, IPS, Application Control, Antivirus, and Anti-Bot protection. In addition, digitalization will continue to transform many aspects of energy and power distribution. With strong security defenses and partnerships, we significantly mitigate risk to mission-critical operations. Going forward, we have much more peace of mind.