The utilities industry is under continuous and persistent threat. The Ukraine attack was a wake-up call for many utilities who would not have considered something as improbable as a serial-to-Ethernet gateway vulnerability to be one of the key factors in allowing hackers to turn-off power to more than 230,000 Ukrainian residents. The E-ISAC’s detailed analysis of the attack shows how existing SCADA and communications processes were used to compromise systems. As we learn more about the CrashOverride Malware at the heart of this attack, the importance of proactive protection becomes evident. The WannaCry cryptoworm ransomware attack underscored again the importance of updating and patching systems (Microsoft has published guidance for WannaCry), and just days ago, U.S. Power Firms were the target of attacks which, while not fully analyzed yet, show signs of credential harvesting in order to compromise power facilities including the Wolf Creek nuclear facility in Kansas. If passive defense is no longer sufficient, how can customers actively protect themselves and their systems?

Commitment to the Industry

Microsoft is deeply aware of the importance of cybersecurity for companies supporting the electric grid and is committed to helping partners and customers secure their nations’ most critical of critical infrastructure. In furtherance of this commitment, we are announcing a cyber program: “Microsoft Azure Certified Elite Partner Program for Cyber Analytics in Power and Utilities”. Microsoft has invested deeply in tools, analytics, cyber intelligence, and services for our own Cloud, and we believe it is imperative we engage customers to put these capabilities to work for them as well. While we are beginning this program in the U.S., there are plans to quickly expand worldwide.

Microsoft is demonstrating a commitment to the industry by covering the initial costs for deploying and running the Operations Management Suite (OMS) for program participants. The program is designed to engage Azure Certified Elite System Integrators to perform the OMS Service integration for utility customers enrolled in the program. What this means to the utilities industry is customers can better track threat actors currently in their network, identify malicious software dialing outbound from their servers, and establish an alerting system to enable active network cyber defense. The program also includes a limited Azure subscription which can be used to support training and development, and for expediting implementation/deployment projects. In short, there is significant upside to this program.

Microsoft Azure Certified Elite Partner Program

The program uses the Microsoft Azure OMS Advanced Log Analytics Service to analyze customer logs uploaded to an Azure Storage Account. This includes the data acquisition of network cyber logs across the utility enterprise and ICS networks to an Azure repository. Global malicious site and threat actor intelligence is used to provide utility companies greater visibility into the current security state of their networks. The OMS alerting capability is also used to notify a utility if intrusion or new malware is detected, almost immediately.

OMS Data Collection

Operations Management Suite is a collection of management services that were designed in the cloud from the start. Rather than deploying and managing on-premises resources, OMS components are entirely hosted in Azure so configuration is minimal, and you may be up and running literally in a matter of minutes. Data collected by Log Analytics is stored in the OMS repository hosted in Azure.

Connected sources generate the data that gets collected into the OMS repository. There are many types of connected sources supported:

1. An agent installed on a Windows or Linux computer connected directly to OMS.
2. A System Center Operations Manager (SCOM) management group connected to Log Analytics. SCOM agents continue to communicate with management servers which forward events and performance data to Log Analytics. OMS can forward log data via SCOM Agents as well.
3. An Azure storage account that collects Azure Diagnostics data from a worker role, web role, or virtual machine in Azure.
4. Various Azure resources (full list here) pushing data as a connector, extension, or via Diagnostics depending on the resource.
5. O365 Data
6. Custom logs

Threat intelligence

Microsoft runs dozens of cloud services across dozens of regions throughout the world, creating a truly global scale which enables us to achieve a unique view of the threat landscape. The insights we derive, informed by trillions of signals from billions of sources, create an intelligent security graph that we use to inform how we protect all endpoints, better detect attacks and accelerate our response. Microsoft’s sophisticated tools help us know, for example, where attacks came from, meaning we can better and more quickly identify malicious IP addresses. Our goal is to enable our customers to benefit from this knowledge to help protect their resources.

Antimalware assessment

One of the most important tools to defend your systems is antimalware software. Building upon existing antimalware capabilities in OMS, the antimalware solution has been extended to enable nearly full coverage for Microsoft Antimalware engines, as well as to detect the protection status of antimalware that registers its existence using the Windows Security Center APIs.

If you are interested in participating in this program, please contact your Microsoft Account Executive, or Larry Cochrane (L.Cochrane@Microsoft.com), Azure Energy Principal Program Manager.