Major power utility automates PKI management with Revocent’s CertAccord Enterprise
Power utility companies have a critical need to protect just about everything in their entire infrastructure from cyberattacks. There is no lack of rogue actors and nation states looking for ways into the US power grid, whether for profit or to disrupt operations. Like many other companies and industries, utilities often base their core IT infrastructure on Microsoft Windows Server in conjunction with Unix- and Linux-based platforms. For a strong security posture, many utilities manage their own Public Key Infrastructure (PKI), often based on Microsoft Active Directory Certificate Services (ADCS), to support a broad range of security needs.
It’s been well established that PKI is the foundation of any cybersecurity infrastructure. Within a Microsoft environment, ADCS makes managing that infrastructure much easier. According to Microsoft,
“ADCS is the server role that allows you to build a PKI and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”
For users and systems in a Microsoft Windows Server environment, ADCS provides a number of important benefits, particularly around certificate administration, including automated certificate provisioning and lifecycle management. Without automation, certificate management at scale can become a nightmare. But with ADCS, certificates can be set to renew automatically, allowing the use of short-lived certificates without concerns about unexpected expiration and gaps in coverage.
This is all well and good for companies that have a homogeneous Windows-only landscape. But the reality for most companies is that they have a much more diverse IT infrastructure that includes a cross-section of Linux distributions such as Red Hat Enterprise Linux, CentOS and Ubuntu, as well as macOS and Unix-based systems. Such was the case at one of the top five largest electric and gas utilities in the United States. As the number of non-Microsoft endpoints proliferated into the hundreds at this utility, so too did the problems associated with managing and updating digital certificates. There was simply no easy way to manage the entire network using ADCS alone.
Error-prone manual processes
Without centralized management of the PKI, the utility faced a number of challenges. Instead of being able to issue new certificates automatically, each certificate had to be generated and tracked manually, which was not only labor intensive but prone to human error. More concerning, it was difficult to gain a comprehensive inventory of certificates across the organization, meaning that an expired certificate could lead to a sudden and costly system outage. For hospitals and other vital infrastructure that depend on the utility to sustain operations, unexpected outages can be disastrous.
“We were only managing what we could see, but we needed to manage the certificates that we didn't know about and make them part of our automated PKI management processes,” said an IT manager responsible for managing the utility’s PKI. “When you have an environment as big as ours, it can get really ugly, really fast.”
To address such scenarios, the utility explored a number of methods to gain comprehensive control over its PKI landscape. One approach the team considered was to use open source tools to coordinate across the Microsoft and Unix/Linux environments, but this brought new concerns about the effectiveness of a cobbled-together solution and the challenge of managing and supporting it in house.
In looking across the vendor landscape, the utility discovered a number of tools that would allow it to replace ADCS completely and take an alternative approach to PKI management and automation. But since the utility already had a functional PKI and a team that knew how to manage it, there was little interest in rip and replace. And while these alternatives could have provided a bridge to Unix/Linux, they proved problematic due to the high cost involved and an inflexible per-certificate pricing model.
“The price structure led to a situation where our people would be making decisions about when to issue certificates based on the cost involved and not based on accepted best practices,” said the IT manager at the firm. “Since we tend to issue a lot of certificates for testing and other applications, a solution based around per-certificate pricing was basically unworkable.”
Enter CertAccord Enterprise
While searching for a better solution, the utility learned about Revocent’s CertAccord Enterprise product during a training session with PKI Solutions, a partner of Revocent. Particularly appealing to the utility were Revocent’s endpoint-based pricing model and the fact that the product was focused on the specific problem the utility faced. Unlike the all-encompassing PKI offerings, CertAccord Enterprise is a point solution that extends certificate enrollment, automatic renewal and trust of an ADCS PKI certificate authority to Linux, Unix and macOS computers, as well as to Java applications running on Windows systems.
Through the use of CertAccord, the utility was able to begin identifying and managing X.509 digital certificates across its network without forcing team members to learn new processes for managing certificates. Similarly, instead of having to work through complex manual processes, the Unix and Linux teams now simply install a CertAccord Enterprise agent using common RPM or YUM commands.
Going a step further, the utility has made the CertAccord Enterprise agent part of its default Linux install across its entire environment. Now when teams deploy a new Linux system off a “gold” image, the CertAccord Enterprise agent is already pre-installed so they can start managing certificates immediately. And because CertAccord Enterprise supports MS SQL databases, the utility was able to discover the full set of existing certificates that needed management, effectively eliminating concerns about certificates expiring unexpectedly.
“The use of CertAccord has made a tremendous improvement in the way we are able to create and renew certificates in our Linux and Unix systems, as well as Java applications running on Windows systems,” the IT manager noted. “Revocent has also proven to be an excellent partner and we look forward to working with them to further enhance our use of PKI.”