UK-based West Burton Energy reduces threat-detection alerts by 98% and improves efficiency by 87% using Tenable OT Security.
In 2022, nearly 11% of cyberattacks targeted energy companies, so for power plants, healthy OT systems are crucial for high uptime and safety, as they control and monitor essential equipment, such as generators, turbines and transformers.
As an important part of the UK’s critical infrastructure, West Burton Energy takes a proactive approach to secure its OT network and assets. The InfoSec team uses Tenable OT Security for in-depth asset visibility, asset inventory and OT vulnerability management to ensure the safety of its employees, while guaranteeing reliable energy generation and delivery to its customers.
West Burton has reduced the time and resources needed to manually manage their asset inventory, saving more than 200 hours per year. Additionally, they were able to create efficiencies in identifying, mitigating and remediating OT vulnerabilities.
Proper OT security requires a proactive approach to asset and network safety in order to stop cyberattacks before they start. West Burton chose Tenable OT Security for OT asset visibility, OT vulnerability management and threat detection – a set of use cases that have proven challenging for so many companies in the power industry.
West Burton has reduced the number of threat detection alerts by more than 98% compared to their previous solution – a time savings of more than 87%. Rather than chasing false positives, the team can focus on remediating the security alerts that put operations at the greatest risk.
“We are a critical infrastructure organisation, so although our InfoSec team is relatively small, we have to minimise risk and harden our cyber-resilience,” said Tom Keyworth, C&I Engineer. “Tenable OT Security gives us comprehensive visibility without burdening us with labour-intensive workloads.”
Error-prone processes had InfoSec team looking for a better way
Keeping the lights on in the UK, West Burton Energy is an advanced and efficient Combined Cycle Gas Turbine (CCGT) plant and 49 MW battery energy storage facility that delivers 1,333 MW of power to the National Grid; enough electricity to power 1.5 million homes and businesses.
In 2021, West Burton spun off from EDF Energy resulting in a three-member security team responsible for securing their entire OT environment with a product alerting on far too many false positive threat notifications. They had to handle engineering changes in the OT environment, new projects and the decommissioning of older systems, leaving the team with a significant workload.
Dealing with original equipment manufacturers (OEMs) was especially painful. The InfoSec team relied on the knowledge of the plant engineers and various OEMs to keep track of assets, which involved a laborious, error-prone and spreadsheet-driven process.
“Between waiting on OEMs to perform preventative maintenance and patches, and with status reports lagging by days or even weeks, we spent several hours per week just managing asset lists,” notes Keyworth.
“We relied on the OEM issuing technical advice letters and alerts to make us aware of CVEs that might be relevant to a specific asset,” adds James Cartwright, C&I Engineer. “It wasn’t unusual for us to spend several hours investigating the issue only to discover that we didn’t even have the equipment in question.”
Keeping the front office informed about the OT vulnerabilities, and remediation statuses and overall cyber-risk is also paramount, but it wasn’t always easy to deliver in a way that was both timely and user friendly in the past.
“We struggled to safely and securely move data from the OT environment and display it to corporate IT users in a way that makes sense,” said Cartwright.
To overcome these challenges and bolster its cyber-resilience, West Burton wanted to check several important boxes, including:
- Visibility of OT assets on the OT network without impacting uptime and availability
- A centralised asset inventory to move away from a time-consuming manual process, without disrupting the operation of modern and legacy systems
- Ability to demonstrate compliance to regulators with confidence
- Clear remediation and mitigation strategies to adhere to the company’s acceptable level of risk
- Using the most up-to-date OT vulnerability database to reduce false positives
That’s when Keyworth and the team set out to find a new solution to secure its OT environment and ensure leadership had a complete understanding of the plant’s complexity and associated risks.
Tenable OT Security – purpose built to safeguard converged IT/OT industrial environments without disrupting productivity
Tenable OT Security brings visibility, security and control to industrial environments, critical infrastructure and more, helping organisations maintain productivity, meet compliance requirements and stay safe from cyberattacks.
Using a patented hybrid discovery approach to safely gain visibility into devices and cyber-physical systems without causing disruption, Tenable OT Security delivers a complete asset inventory along with deep situational awareness across all global sites, all in a single interface.
Tenable OT Security lets organisations prioritise action and enables their IT and OT security teams to work better together.
Plant team manages remediations and delivers actionable data to front office
Tenable OT Security was initially deployed in 2022, providing Keyworth and Cartwright with complete visibility and control over the West Burton B’s operations, which includes countless assets which may or may not be supported by the many OEMs charged with maintaining the plant’s equipment.
“We use Tenable OT Security to identify vulnerabilities and maintain a complete asset list, sometimes surfacing issues that our OEMs either don’t know exist or no longer support,” said Keyworth. “Then as part of our workflow we import everything into Tenable Security Center for scoring, prioritisation and to track how we are reducing vulnerabilities asset by asset as we remediate.”
When facing a situation where a vulnerability simply can’t be remediated, such as on a piece of legacy OT equipment that is no longer supported, the team uses Tenable to assess the acceptable level of risk. The team can then implement measures to prevent access to those systems and keep leadership informed.
“With Tenable OT Security, the data is visible on the wall,” said Cartwright. “Vulnerabilities are fed into an alerting system, and if we install a new device the asset list is updated in an automated way.”
“The front office has the data they want, they understand where it came from, and more importantly, they know what it means,” added Keyworth.
InfoSec team optimises OT Security, saves time and streamlines compliance
Most organisations view any opportunity to increase efficiency as a win, but for a small team spread thin, process and time-savings improvements mean even more. Today, West Burton actually spends more time on vulnerability management than ever before. And that’s a good thing.
Prior to implementing Tenable, the InfoSec team didn’t have a complete picture of what was vulnerable, often waiting months for an OEM to issue technical advice letters and alerts to make the team aware of CVEs that might be relevant to a specific asset. What’s more, it wasn’t unusual for the team to spend hours investigating an issue only to discover that they didn’t even have the equipment in question.
“Using Tenable OT Security we can identify vulnerabilities early in the process, review the published CVE documentation and implement remediation and security restrictions without waiting for the OEMs,” said Keyworth. “Not only can we challenge the OEM guidance from an informed position, but we’ve taken the 200-plus hours per year saved by eliminating manual asset management and applied them to the time we spend on critical vulnerability management efforts.”
West Burton uses Tenable Nessus, built into Tenable OT Security, within one of its OT environments to scan Windows servers and network switches and other IT equipment. Simply initiating a scan across the entire Windows environment helps the team discover vulnerabilities, for example, from the impact of an OEM’s latest release or a version of software that is out of date.
“From patch level through to programs and everything installed on a machine, Tenable Nessus highlights vulnerabilities that the OEM probably never thought to look for,” said Keyworth. “Tenable has earned our confidence to embed Tenable Nessus within our OT environment. From a vulnerability management perspective this puts us far above what we’d have been able to achieve without it.”
“Tenable OT Security plus the Tenable Nessus scanner provides far richer data than we had before,” added Cartwright. “It allows us to use Active Query to communicate with and discover OT assets, and IT assets as well – all in one solution, which eliminates additional costs and saves time. It would’ve saved our team many hours of effort during Log4j.”
Fewer false positives also provides new freedom for the team. The passive tool that was in place prior to the corporate separation was alerting on more than 500 possible vulnerabilities per day – some 182,000 per year. Today that number clocks in at only 50 per day.
“With Tenable OT Security tuned and trained to prevent false positives we’ve reduced the number of reported events by 98%, resulting in tremendous time savings,” said Keyworth. “What used to take two days per week to manage now takes only a few hours, and we’ve improved efficiency by 87%.”
“Tenable OT Security does a lot, but it isn’t a ‘fit-and-forget’ solution – nor should it be,” added Cartwright. “You have to invest the time and effort to configure the product to understand what ‘normal’ looks like on your network, because that’s where you’ll derive true business value.”
Keyworth agrees: “How do you see the woods for the trees if you don’t condition the solution to understand your OT environment? I think many people buy these bits of kit, install them and it ticks loads of boxes from a compliance perspective, but the results that are returned aren’t worth the digital paper it’s written on.”
Speaking of compliance, West Burton and the auditors are confident in the results reported by Tenable OT Security versus manual processes. Keyworth explains that the accelerated pace of the OT and IT environment no longer allows for spreadsheets and handwritten records to be a viable source of truth.
“It would be very difficult to demonstrate compliance without a tool like Tenable OT Security. The time savings is virtually immeasurable,” said Keyworth. “It gives auditors a level of assurance that you are doing the correct things. From the asset list to risk scoring, Tenable makes the whole compliance piece so much easier.”