MANAGED CYBERSECURITY SERVICE PROVIDERS FOR


MANAGED CYBERSECURITY SERVICE PROVIDERS FOR ELECTRIC UTILITIES

PREPARED FOR: THE AMERICAN PUBLIC POWER ASSOCIATION AND THE NATIONAL RURAL ELECTRIC COOPERATIVE ASSOCIATION

BY: PRESCOUTER

October 2017

Acknowledgment

This material is based upon work supported by the Department of Energy, Office of Electricity Delivery and Energy Reliability under Award Numbers DE-OE0000807 and DE-OE0000811.

Disclaimers

NRECA and APPA Disclaimer:
This report is not an endorsement of the companies, products, or services referenced herein. NRECA, APPA and the report authors assume no liability for how readers may use this report or any damages resulting from its use. There is no warranty or representation that the use of this report does not infringe on privately held rights or that this report is complete, up-to-date or accurate. Readers are encouraged to perform due diligence in applying this report to their specific needs.

Department of Energy Disclaimer:
This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

Table of Contents

Acknowledgment
Disclaimers
PreScouter's Statement of Work
    The Business Challenge
    Areas of Interest
Report Organization
    Description of Categories and Icon Legend
Executive Summary
    Organization
    Proposed Next Steps
Summary Tables
    On-site Systems Integration Consulting
    Systems Management of the Client’s Network
    Managed Security Monitoring
    Incident Management Forensics Analysis Services
    Penetration Testing and Vulnerability Assessments
Company Descriptions
    Alpine Security
    AlienVault
    Brier & Thorn
    Carbon Black, Inc.
    Center for Internet Security (CIS)
    Cisco Systems, Inc.
    Datashield
    Delta Risk LLC
    Digital Guardian
    Digital Hands
    DNV GL
    Duff & Phelps
    EiQ Networks, Inc.
    EventTracker
    FireEye
    Fortinet Security Services
    Hitachi Systems Security
    LogRhythm
    Lumension Security Inc
    Masergy
    Morphick
    Mosaic451
    N-Dimension Solutions, Inc.
    Netwatcher
    Nexum, Inc.
    NTT Security
    Nuspire Networks
    Palo Alto Networks
    Proficio
    Rapid7
    RAVENii
    Redhawk
    RedSeal, Inc.
    Rendition Infosec
    root9B
    SageNet
    SecureWorks
    SecurIT360
    Security On-Demand
    Sedara
    Sera-Brynn
    Solvere One
    SpearTip
    Symantec
    Tagrem Security
    Trustwave
    Wipro, Ltd

PreScouter's Statement of Work

The Business Challenge

The American Public Power Association (Public Power) and the National Rural Electric Cooperative Association (NRECA) represent thousands of not-for-profit, community- and consumer-owned electric utilities. Their member utilities are responsible for delivering reliable, affordable electricity to a majority of the United States. These utilities are relatively small and may be resource-limited in terms of IT staffing. Public Power and NRECA member utilities are often located in geographic regions that provide limited access to trained cybersecurity personnel. The goal of this report is to aid members that may be looking to outsource their cybersecurity work by providing a catalogue of potential cybersecurity service providers working in this growing field. Readers are encouraged to perform due diligence in applying this report to their specific needs.

Areas of Interest

This report identifies managed security service providers (MSSPs) that offer commercial-off-the-shelf (COTS) solutions. The report’s target audience is utilities with few, if any, IT staff and/or access to cybersecurity expertise. (However, the content provided within may be useful for utilities of all sizes and staffing levels.) These utilities may rely on third parties to provide Information Technology (IT) services and cybersecurity. In some cases, the person responsible for cybersecurity may have a primary role in an administrative field, not a technical field. This may be a staff member in finance/billing, office management, community outreach, etc. This report identifies MSSPs who can fill the gap that existing staff resources cannot meet in terms of cybersecurity expertise. Each entry focuses on one commercial solution/MSSP capable of satisfying some or all of the following criteria:

- MSSPs that offer bundled services. More specifically, the MSSP provides at least one of the following four service domains as part of their bundle of offered services:
    - End-point security solution that includes malicious code management (preferably white listing to reduce administrative overhead), host-based firewalls with centralized management, intrusion detection/prevention, loss prevention, etc.
    - Privilege Identity Management that includes the ability to manage shared accounts and administrator accounts.
    - Patch Management solution that includes discovery of new patches and ability to group devices and deliver patches.
    - Vulnerability assessment tools that allow assessing network and system threats.
- MSSPs that have experience providing services to the electricity sector. This does not have to be their only service market, but it should be included in their potential service market.
- MSSPs that focus on Ethernet enabled devices, not serially-connected devices. While primary systems that need to be secured fall within traditional IT systems (desktops, servers, etc.), this report focuses on MSSPs that can also provide cybersecurity tools/techniques to secure Ethernet enabled ICS devices (e.g. systems commonly referred to as relays, programmable logic controllers, reclosers, remote terminal units, protocol converters, etc.) and MSSPs with service offerings for security monitoring, secure configuration management, and vulnerability assessments for the ICS devices.
- MSSPs that emphasize their ability to offer services to small businesses. The emphasis is on MSSPs that focus on, or have experience servicing, small systems with less than 100 assets.

Where available, each entry also highlights MSSPs that provide services in any of the following domains:

- Single file encryption software
- Security Information and Event Management
- Mobile device encryption
- Bring your own device (BYOD) — provisioning for company and personal devices
- Subscriptions to threat information intelligence feeds

*The information provided by PreScouter for this report was collected from publicly available websites, not from direct contact with the MSSPs.

Report Organization

Description of Categories and Icon Legend

ON-SITE SYSTEMS INTEGRATION CONSULTING
This is customized assistance to assess business risks, and then identify and integrate appropriate technologies and business processes to address prioritized cyber risks. A system integrator’s core function is to bring together component subsystems into one system and enable those subsystems to function seamlessly together. In the context of this effort, the systems integrator consultant’s core service will help secure product integration of both security subsystems and subsystems that are not primarily security focused.

SYSTEMS MANAGEMENT OF THE CLIENT'S NETWORK
This service involves installing, upgrading, and managing the network hardware and software infrastructure such as firewalls, routers and switches, Virtual Private Networks (VPN) for remote access, intrusion prevention and detection technologies, and business applications such as electronic mail, billing and finance services, and web services. These providers may also provide services for configuration management, monitoring, and firewall access control. Regular reports would be provided to the client regarding network utilization, systems’ health monitoring, and records that demonstrate actions taken for security patching and security monitoring. It is possible that managed security monitoring will be bundled into a systems management service.

MANAGED SECURITY MONITORING
This is the day-to-day monitoring and interpretation of important system events throughout the network—including anomalous communication, such as malicious code, denial of service (DoS), anomalies, and trend analysis. It is one of the suggested first steps in an incident response process. Intrusion detection management, either at the network level or at the individual host level, involves providing intrusion alerts to a customer, keeping up-to-date with new defenses against intrusions, and regularly reporting on intrusion attempts and activity. Content filtering services may be provided such as email filtering and other data traffic filtering. It is quite possible that these services will be bundled in a systems management service.

INCIDENT MANAGEMENT FORENSICS ANALYSIS SERVICES
These services would be used after a cybersecurity incident to rapidly respond to the incident, assess the loss, implement measures to try to: stop or reduce continued losses; reduce the vulnerabilities used by the attacker; restore affected systems and services; and implement changes that aim to reduce the likelihood of another incident. These services may also be included in either a managed security or system management service.

PENETRATION TESTING AND VULNERABILITY ASSESSMENTS
This includes one-time or periodic network penetration tests to simulate an attacker’s ability to compromise a network by exploiting existing vulnerabilities. The penetration test can be performed from an external attacker’s perspective, with limited knowledge of the target, or from an insider threat perspective, leveraging known configurations and vulnerabilities. Vulnerability assessments use automated or manual scanning of the hardware and software to find weaknesses in the implementations that could be exploited by an attacker.

Executive Summary

Organization

INTRODUCTION:
PreScouter identified and presented companies that provide cybersecurity products and services that might be relevant to members of NRECA and APPA based upon provided criteria explained in the Statement of Work.

SEGMENTS ADDRESSED IN THIS REPORT:
The report has been organized alphabetically. Icons, as well as the summary table segmentation, indicate the categories of providers to which each company belongs. The categories are as follows:

- On-site Systems Integration Consulting
- Systems Management of the Client’s Network
- Managed Security Monitoring
- Incident Management Forensics Analysis Services
- Penetration Testing and Vulnerability Assessments

See Report Organization on page v for a detailed description of these categories.

INSIGHTS IN THIS REPORT:
1. A large number of cybersecurity providers are available that service the utility/electricity sectors and have specific offerings for small business that match the needs identified by NRECA and APPA.
2. The largest number of companies identified belong to the categories of Managed Security Monitoring and Penetration Testing & Vulnerability Assessments.
3. Although cybersecurity services are globally available, this research revealed numerous providers focused on the North American market.
4. No single company was found that possessed all the focus areas, and that offered all of the critical and non-critical services required.

Proposed Next Steps

Moving forward, organizations wishing to use this report to select a cybersecurity provider can take the following steps:

1. Determine and prioritize the relevant cybersecurity needs for your organization.
2. Use this report, in addition to other resources available to your utility to identify appropriate companies for your particular cybersecurity needs:*
- Use the summary table to quickly understand which of the companies match the criteria most relevant to your organization.
- Review company descriptions to better understand the profile and offerings for each provider, and to obtain contact information to get in touch with the provider.

*This report is not intended to provide a comprehensive or complete list of MSSPs. Additional MSSPs will be added over time.

- Discuss offerings with all providers that seem relevant and determine if the level of security provid
