Third-Party Threats to Utility Management

Case Study

The following story is based on an actual third-party compromise that occurred in X. Customer names and titles have been changed to ensure their privacy.

Matt Ohmes is the IT Manager for SouthEastern Illinois Electric Cooperative, Inc. (SEIEC), an electric utility cooperative serving 24,000 members. The biggest challenge facing his organization comes from its reliance on third-party connections.

Supply chain management becomes a genuine problem as businesses spread their connections over hundreds, or thousands of vendors. Over the last three years, SEIEC has contracted with more than 1,200 vendors. 

As a result, Ohmes is tasked with ensuring his organization is protected from a compromise in any one of those varied connections.

“Being able to monitor these vendors all the time is extremely important. If I’m going to let them in my network, I want to know ahead of time—and permanently—that I’m working with a vendor that has security at the forefront.”

“Even if I have a layered defense around my network, I still have partners with VPN connections making inroads to my network. And if they get compromised, then I’m just as susceptible as they are,” Ohmes said. “How can I validate those connections and be sure they aren’t compromised?” 

The common fallout from a cyber intrusion in many organizations is theft of intellectual property, or customers’ personally identifiable information being leaked online. But the rise of smart meters within the utility industry has created a new horizon of targets for threat actors — the potential for power to be disconnected remotely. 

“In a worst-case scenario, we’re thinking about AMI (advanced metering infrastructures) abuse, where somebody might be able to remotely detonate a meter, creating a mass power outage for our members,” said Ohmes. “I had never found a way to manage that, and I’ve found it now.” 

Ohmes is a new customer with Prevailion, a cybersecurity solution that provides organizations with Evidence of Compromise instead of merely indicators of compromise. Prevailion allows SEIEC to monitor its third-party vendors in a new way, arming it with information IT teams can use to evaluate their vendors, current or prospective, and ensure they meet their standards for security. 

Ohmes said Prevailion gives his organization an extra tool to help verify whether a vendor is serious about security before it awards costly projects. If a vendor is found to be compromised, Ohmes can take that information to his CEO and the board to evaluate that relationship. 

Prevailion empowers Ohmes and his organization to:

  • Obtain verified evidence of compromise in their third-party vendors 
  • Act on that evidence by limiting a vendor’s access to their network 
  • Make informed business decisions about current and prospective vendors 

“Prevailion has given me some assurance. My vendors I have found in the platform were green and stable — that gave me a sigh of relief, because you never know what you’re going to find,” said Ohmes.

Copyright 2021 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.