SA Power Networks: Reducing the Attack Surface and Minimising Risk with Airlock Digital

Lindbergh Caldeira 
Cyber Security Operations Manager  | SA Power Networks 
 

As a critical infrastructure provider responsible for distributing electricity to South Australians, SA Power Networks has a duty to maintain the reliability, availability, and safety of its electricity network.  

The ever-increasing reliance of our business on technology means the consequences of a cyber-attack on critical infrastructure can be severe, with significant impact on network operations, the potential for prolonged electricity supply loss to customers, and harm to business reputation.  

It is therefore prudent to continuously mature the cyber security systems, processes, practices and tools that are critical in preventing, detecting, reporting and remediating cyber threats. 

As part of our continuous improvement cyber program, which aims to reduce our attack surface and achieve Level 1 compliance with the Defence Industry Security Program (DISP) so we can pursue external projects, we selected Airlock Digital’s application control and allowlisting solution as the best fit for our needs.  

 

Features and Ease of Management Ticked Our Boxes  

While the features of Airlock Digital’s solution met all our requirements, the most important factor was the operational impact of its ongoing use in our environment.  

For example, our organisation invests in best-in-class technology, meaning that a multitude of different tools are in place within the organisation commensurate to the cyber risks being mitigated. As a result, our Security Operations Centre (SOC) team often had to use multiple tool interfaces to complete a single process for endpoint-related business-as-usual activities.  

However, integration of the Airlock Digital solution with CrowdStrike’s endpoint detection and response (EDR) software enabled us to streamline our endpoint cyber security strategies and deliver a return on investment.  

 

Delivering Endpoint Security Without Compromising User Experience 

We also needed a security solution with transparency and efficacy that did not negatively impact the user experience. To understand how the Airlock Digital solution performed against this requirement, we conducted an evaluation in our environment. The exercise demonstrated that the solution operated seamlessly for users, allowing them to continue their work without any disruption. 

After we selected the Airlock Digital solution, we entered an approximate three-month period of auditing activity on our endpoint devices to create policies that would be implemented as we moved to enforcement. During this time, we assigned our users into groups, including a cohort that had two devices: one for the corporate component of their role and one for the field element. With the Airlock Digital solution, we could create policies that supported and ensured there was no conflict between the different enforcement requirements of each device. 

 

A Seamless, User-friendly, One-Time Password Process  

When we moved to enforcement across all in-scope endpoints, we implemented a range of complementary processes. These included generating forms through our IT service management platform for team members to raise issues and be directed to the Airlock Digital solution to request one-time passwords (OTPs) to use non-allowlisted applications. Users who receive passwords from our help desk can run these requested applications for a short time, while usage data is sent to the cyber security team to determine whether the application should be allowlisted for long-term use. 

The addition of Trusted Installer to the Airlock Digital solution was also highly beneficial to us. This makes it easier for us to allowlist publishers, so we don't have to redo tickets multiple times, further reducing our ticket numbers and the workload of our help desk agents.  

With the Airlock Digital solution integrated smoothly into our cyber security stack, we are now looking for commonality in the legitimate, native tools and executables in our environment that malicious actors could exploit through living-off-the-land attacks. Where those tools don't have a compelling use for our server, desktop or other teams, we add them to our blocklist to reduce our attack surface and risk to our business. 
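The two decisions described above, deriving per-cohort publisher rules from an audit period and deciding which native tools to blocklist where no team has a compelling use for them, can be worked through on execution audit data. The following is an added example and is not SA Power Networks' or Airlock Digital's code; the event format, the host and group names, the vendor names and the compelling-use register are all constructed for illustration, and the native-tool list is a small illustrative subset rather than a maintained reference.

```python
"""Triage of application-control audit events (added example; the record
format below is constructed and is not Airlock Digital's data format).

An audit-mode period yields one record per observed execution: which
device it ran on, which cohort the device belongs to, the binary path and
the signing publisher (empty when unsigned). From that we derive
(a) publisher rules per cohort and (b) native tools to propose for the
blocklist in cohorts with no documented business need."""
from collections import defaultdict
from dataclasses import dataclass

# Native Windows tools frequently reviewed for living-off-the-land abuse.
# Illustrative subset only; a real review uses a maintained reference list.
NATIVE_TOOLS_UNDER_REVIEW = {"certutil.exe", "mshta.exe",
                             "regsvr32.exe", "bitsadmin.exe"}


@dataclass(frozen=True)
class AuditEvent:
    host: str
    group: str       # device cohort, e.g. "corporate" or "field"
    path: str
    publisher: str   # "" when the binary is unsigned


# Constructed sample events standing in for an audit-period export.
AUDIT_EVENTS = [
    AuditEvent("CORP-01", "corporate", r"C:\Program Files\Vendor A\app.exe", "Vendor A"),
    AuditEvent("CORP-02", "corporate", r"C:\Program Files\Vendor A\app.exe", "Vendor A"),
    AuditEvent("CORP-01", "corporate", r"C:\Users\u\Downloads\tool.exe", ""),
    AuditEvent("FIELD-01", "field", r"C:\Program Files\Vendor B\fieldapp.exe", "Vendor B"),
    AuditEvent("FIELD-02", "field", r"C:\Program Files\Vendor B\fieldapp.exe", "Vendor B"),
    AuditEvent("FIELD-01", "field", r"C:\Program Files\Vendor A\app.exe", "Vendor A"),
    AuditEvent("CORP-02", "corporate", r"C:\Windows\System32\certutil.exe", "Microsoft Windows"),
    AuditEvent("FIELD-02", "field", r"C:\Windows\System32\mshta.exe", "Microsoft Windows"),
]


def basename(path: str) -> str:
    """File name component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def allowlist_candidates(events, min_hosts=2):
    """Per cohort, publishers seen on at least `min_hosts` distinct hosts are
    candidates for a publisher rule (the kind of rule the text attributes to
    Trusted Installer). Unsigned binaries cannot get a publisher rule and are
    returned separately with their host count for hash/path review."""
    hosts_by_publisher = defaultdict(set)   # (group, publisher) -> hosts
    unsigned = defaultdict(set)             # (group, path) -> hosts
    for e in events:
        if e.publisher:
            hosts_by_publisher[(e.group, e.publisher)].add(e.host)
        else:
            unsigned[(e.group, e.path)].add(e.host)
    groups = {e.group for e in events}
    rules = {
        g: sorted(pub for (grp, pub), hosts in hosts_by_publisher.items()
                  if grp == g and len(hosts) >= min_hosts)
        for g in groups
    }
    return rules, {key: len(hosts) for key, hosts in unsigned.items()}


def blocklist_candidates(events, compelling_use):
    """For each native tool under review, propose blocking it in every cohort
    that has no entry in `compelling_use` (tool -> set of cohorts with a
    documented need). Cohorts where the tool was actually observed but no
    need is recorded are listed for confirmation with that team first."""
    observed = defaultdict(set)             # tool -> cohorts it ran in
    for e in events:
        name = basename(e.path)
        if name in NATIVE_TOOLS_UNDER_REVIEW:
            observed[name].add(e.group)
    groups = {e.group for e in events}
    proposals = {}
    for tool in sorted(NATIVE_TOOLS_UNDER_REVIEW):
        needed = compelling_use.get(tool, set())
        seen = observed.get(tool, set())
        proposals[tool] = {
            "observed_in": sorted(seen),
            "block_in": sorted(groups - needed),
            "confirm_with_team": sorted(seen - needed),
        }
    return proposals


if __name__ == "__main__":
    rules, unsigned = allowlist_candidates(AUDIT_EVENTS)
    print("publisher rules per cohort:", rules)
    print("unsigned binaries for review:", unsigned)
    # Constructed register: the corporate cohort has a documented need for certutil.
    for tool, plan in blocklist_candidates(AUDIT_EVENTS, {"certutil.exe": {"corporate"}}).items():
        print(tool, plan)
```

The "confirm_with_team" list is the important output: a tool that was observed in a cohort with no recorded need is exactly the case the text describes as needing a check with the server, desktop or other teams before it goes on the blocklist, whereas tools never observed in a cohort can be blocked there with little risk of disruption.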

So, what have we achieved with the Airlock Digital solution since its deployment to our organisation in early 2024? 

  • Fewer than a handful of EDR alerts on our systems, which represents a considerable reduction in our attack surface and a substantial time saving for our SOC analysts. 
  • Mitigation of sporadic false positives from our EDR solution, which reduces alert noise and allows our team to focus on other technology investments. 
  • Built an operational process for new software requests that validates installs as authentic and advises users of similar software already available in the SA Power Networks catalogue. 
  • Blocked suspicious software downloaded from an app store or the internet that did not require administrative privileges for installation, which may otherwise have gone unnoticed. 
  • Worked collaboratively with the desktop support team to add any new software to the patching regimen and set up appropriate update schedules. This avoided ad-hoc and time-consuming activity for the desktop team to identify, investigate and remediate. 
  • Acquired a solution that a SOC team member of any technical skill level and working understanding of user requirements can implement and manage. 

Airlock Digital is now a critical element of our endpoint cyber security strategy, minimising our attack surface, lowering risk and giving us the ability to pursue external projects through our Level 1 compliance with DISP. 

 

About SA Power Networks 

SA Power Networks is the sole electricity distributor for South Australia and supplies power to 1.7 million South Australians across about 900,000 homes and businesses. Its primary role is to build, maintain and upgrade a 90,000-kilometre distribution network. 
