Established in 2003, International Transmission Company (dba ITC Transmission) is a wholly owned subsidiary of ITC Holdings Corp., the nation’s largest fully independent electricity transmission company. Based in Novi, Michigan, ITC Holdings operates four operating companies, ITC Transmission among them, across seven states (Michigan, Iowa, Illinois, Minnesota, Missouri, Kansas, and Oklahoma) and maintains approximately 15,000 circuit miles of transmission line. With 520 employees and more than 1,000 skilled labor contractors, ITC Holdings is the 9th largest transmission company in North America.
Because ITC plays such an important role in power transmission across multiple states, the company is no stranger to compliance mandates. Not only is ITC subject to SOX as a publicly traded company, but as a transmission entity it must also comply with NERC CIP with regard to protecting its critical cyber assets.
NERC CIP, which is steeped in process and evidence, requires entities to perform annual vulnerability assessments of their critical cyber assets (CCAs) to identify open ports and services and to mitigate the risks and vulnerabilities affecting those assets. During ongoing security program reviews, ITC and VioPoint noted that the annual CCA assessments did not adequately cover the rest of the information assets, in particular the non-CCA assets that make up the bulk of the overall infrastructure. ITC also recognized that annual assessments and testing did not provide data current enough to manage risk when the organization’s risk profile is reviewed on a weekly, monthly, or even quarterly basis.
Vulnerability Management Approach: Beyond the Annual Scan
Because ITC Transmission has a strong commitment to improving and maturing the components of its information security program, it engaged VioPoint to develop and implement a vulnerability management program. The goal of the program is to address technical and process risks across the entire IT infrastructure on a frequent basis rather than reviewing potential exposures once a year. This represents a significant change from the previous approach, which consisted of an annual vulnerability assessment and penetration test.
VioPoint developed a 12-month phased approach that included assistance with the selection of an enterprise-level vulnerability management tool as well as on-site and remote support for ongoing vulnerability management. The final approach reflects a belief that VioPoint and ITC share: real-world risks should be tested periodically, not once a year. In addition to the scanning tools and processes that were implemented, VioPoint also provides periodic penetration testing exercises designed in the spirit of red team testing. These tests help identify gaps in the security posture and augment the vulnerability scanner’s results by providing more visibility into critical findings and exposures. The periodic red team tests also create feedback loops that help fine-tune defensive tools and validate incident response capabilities.
VioPoint and ITC approached vulnerability management using a crawl, walk, run methodology. The program was designed to slowly introduce processes and help the key stakeholders adjust to the increased visibility into patch management, change control and other supporting processes. Additionally, risk tolerance and mitigation strategies were developed to help prioritize findings and align resource plans.
Ultimately, the team chose QualysGuard as the platform for vulnerability management. One of the most critical attributes in the tool selection process was a demonstrated capability to provide detailed trending. Trending reports are critical for showing progress and for developing the metrics that drive progress throughout the program, which is a key factor in retaining management support. With ongoing focus and commitment, ITC has effectively blended the Qualys vulnerability management platform and the maturing processes into its overall security program.
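The trending metrics described above (open findings by severity over time, new versus fixed findings, time to remediate) and the risk-tolerance prioritization from the crawl, walk, run phase can be derived from successive scan exports. The following is an added example and is not ITC’s, VioPoint’s or Qualys’s code. It assumes each weekly scan has been flattened to the set of hosts the scanner actually reached plus (host, vulnerability id, severity) findings; the scan records, host addresses, vulnerability ids and the per-severity remediation targets in `SLA_DAYS` (standing in for a risk-tolerance policy) are all constructed for illustration.

```python
"""Trend metrics from successive vulnerability scans (added example, constructed data)."""
from collections import Counter
from datetime import date

# Constructed sample: four weekly scans, each as (hosts the scanner reached,
# findings as (host, vuln_id, severity)). Severity is 1-5, 5 most severe.
# 10.0.0.5 was unreachable on 2024-01-08, so its findings are not re-observed.
SCANS = {
    date(2024, 1, 1): ({"10.0.0.5", "10.0.0.9"},
                       {("10.0.0.5", "QID-1", 5), ("10.0.0.5", "QID-2", 3), ("10.0.0.9", "QID-3", 4)}),
    date(2024, 1, 8): ({"10.0.0.9"},
                       {("10.0.0.9", "QID-3", 4), ("10.0.0.9", "QID-4", 2)}),
    date(2024, 1, 15): ({"10.0.0.5", "10.0.0.9"},
                        {("10.0.0.9", "QID-3", 4), ("10.0.0.9", "QID-4", 2)}),
    date(2024, 1, 22): ({"10.0.0.5", "10.0.0.9"},
                        {("10.0.0.5", "QID-2", 3), ("10.0.0.9", "QID-3", 4), ("10.0.0.9", "QID-4", 2)}),
}

# Assumed risk-tolerance policy: days allowed to remediate, by severity.
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 180}
AS_OF = date(2024, 1, 22)  # reporting date used by the demo below


def analyze(scans):
    """Walk scans in date order, tracking each (host, vuln) as a 'run' from the
    scan that first reports it to the first later scan of that host that does
    not. A host the scanner did not reach keeps its runs unchanged: absence from
    a scan is evidence of remediation only if the host was actually scanned.
    Returns (per-scan report rows, open runs, closed-run lengths in days)."""
    open_runs = {}        # (host, vuln) -> (first_seen, severity)
    ever_seen = set()     # every (host, vuln) reported in any scan so far
    known_hosts = set()
    closed_days = []
    rows = []
    for scan_date in sorted(scans):
        hosts, findings = scans[scan_date]
        known_hosts |= hosts
        present = {(h, v): sev for h, v, sev in findings}
        # Closed: previously open, host was scanned, finding no longer reported.
        fixed = [k for k in open_runs if k[0] in hosts and k not in present]
        for k in fixed:
            since, _ = open_runs.pop(k)
            closed_days.append((scan_date - since).days)
        # New: reported now but not open before (includes findings that came back).
        new = [k for k in present if k not in open_runs]
        for k in present:
            open_runs.setdefault(k, (scan_date, present[k]))
        rows.append({
            "date": scan_date,
            "open": dict(Counter(sev for _, sev in open_runs.values())),
            "new": len(new),
            "fixed": len(fixed),
            "recurring": sum(1 for k in new if k in ever_seen),
            "hosts_not_scanned": len(known_hosts - hosts),
        })
        ever_seen.update(present)
    return rows, open_runs, closed_days


def trend_report(scans):
    """Per-scan rows suitable for a trend chart or a weekly status report."""
    return analyze(scans)[0]


def mean_time_to_remediate(scans):
    """Average days from first detection to the first scan confirming the fix."""
    closed = analyze(scans)[2]
    return sum(closed) / len(closed) if closed else None


def sla_breaches(scans, as_of, sla_days=SLA_DAYS):
    """Open findings older than the remediation target for their severity,
    most severe and oldest first, for prioritizing the mitigation queue."""
    breaches = []
    for (host, vuln), (since, sev) in analyze(scans)[1].items():
        age = (as_of - since).days
        if age > sla_days[sev]:
            breaches.append((host, vuln, sev, age))
    return sorted(breaches, key=lambda b: (-b[2], -b[3]))


if __name__ == "__main__":
    for row in trend_report(SCANS):
        print(row)
    print("mean time to remediate (days):", mean_time_to_remediate(SCANS))
    print("SLA breaches:", sla_breaches(SCANS, AS_OF))
```

The `hosts` set is the part worth keeping when adapting this to a real export: a finding that vanishes because the scanner could not reach the host (expired credentials, host offline, a firewall change) would otherwise be counted as remediated, inflating the fixed count and silently shortening the measured time to remediate. Most scanners report which hosts they reached; feed that set in rather than inferring it from the findings, and watch the `hosts_not_scanned` column alongside the vulnerability counts.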
ITC and VioPoint succeeded in moving from an annual vulnerability scanning and penetration testing event to weekly scans and frequent red team exercises. “We honestly struggled with the changes early on in the program deployment”, commented John Miller, Infrastructure Manager, who continued, “but with incremental changes [crawl, walk, run approach] we have succeeded in making recurring scans part of our operations culture.” The end result of these efforts is a program that provides ITC with timely vulnerability data that refines the mitigation process, supports trending analysis, and reduces threat vectors in the network architecture.