Keeping the lights on with Collective Defense
Southern Company embraces Collective Defense to strengthen sector-wide security and increase energy resilience
The energy sector sets the standard for collaboration. When an ice storm causes a massive power outage, utilities across North America come together to restore power in the impacted area. The practice is called mutual aid and, more and more, the same principle applies in cyberspace.
Southern Company, along with all critical infrastructure, is a major target for cyber actors. As the second-largest energy provider in the US, the Atlanta-based company serves nine million customers across six states. Like any utility, Southern Company is focused on resiliency and reliability – goals that are increasingly challenged by hackers working to steal information or disrupt electric and gas operations.
“We face cyber attacks every day,” explains Tom Wilson, VP and CISO at Southern Company. And Southern Company isn’t alone – attacks are occurring across critical infrastructure. While Southern Company maintains a mature cybersecurity posture, the role of its security leadership is to ensure that the company is always anticipating and planning for the next attempt to compromise its facilities and services. Southern Company invested in its partnership with IronNet to increase its ability to detect Advanced Persistent Threats (APTs), reduce dwell time and more quickly recover in the event of an attack.
A platform for automated information sharing
GEN (Ret.) Keith Alexander, IronNet’s founder and co-CEO, says, “Companies sometimes compete on their level of security as a selling point for customers. But if security isn’t your primary business, you’re better off collaborating instead of competing — like the energy sector does. This way, more organizations can benefit from collective intelligence and everyone can defend against cyber attacks more effectively.”
In keeping with the spirit of collaboration and mutual aid already so familiar to the energy sector, it made sense to Southern Company to add IronNet’s Collective Defense approach to its security program. In a Collective Defense system, organizations work together within a sector, or even across sectors and geographies, to defend against targeted cyber threats by sharing and receiving actionable threat information within a secure ecosystem. It’s like traditional mutual aid, though instead of a hurricane impacting the grid, a cyber attack is responsible.
“Cybersecurity is one of many threats to reliability all utilities deal with,” says Wilson. “The North American grid is the world's largest interconnected machine, and we all play a role in keeping the grid and our gas operations running, making sure the American public has the resilient energy they count on. Southern Company is focused on ensuring we provide clean, safe, reliable and affordable energy.”
Southern Company uses IronDome to share and receive actionable intelligence derived from cyber anomalies detected in the network environments of participating customers. This helps the entire community see the suspicious and malicious behaviors that their peers are reporting in the Collective Defense “dome.” Southern Company, in turn, receives early warning from other utility companies of attacks that may be heading their way.
Wilson adds that the energy industry sets a high standard for collaboration; working within the Collective Defense platform with other companies is only one of many ways the company is collaborating across the energy sector and with government agencies: “A lot of parties are partnering tirelessly, including energy’s sector-specific agencies — the Department of Energy and its National Labs, the Department of Homeland Security (DHS), the North American Electric Reliability Corporation (NERC), and the Electric Subsector Coordinating Council — to help create an environment of joint collaboration and situational awareness for both large and small utilities,” he says.
“We work closely with our energy sector Information Sharing and Analysis Center (E-ISAC) organization, as well as our Downstream Natural Gas (DNG), and Oil and Natural Gas (ONG) ISACs, and directly with multiple agencies across the government. Our goal is to always have the broadest possible perspective on the threat landscape,” Wilson says. “This is one of the reasons we engaged with IronNet in the first place: to get high quality, automated situational awareness and move away from relying on manual methods.”
“Broad situational awareness within sectors and across sectors is something we believe in,” Wilson says, “and why we are doing work with IronNet and many other partners in energy and other critical sectors, both nationally and internationally.”
General Alexander credits the energy sector, and Southern Company in particular, with helping mature IronNet’s Collective Defense approach — and, in fact, the nation’s overall security posture. He says, “The energy industry, and CISOs like Tom Wilson in particular, are motivated not only by securing their operations, but in doing that, better securing the U.S. as a whole.” Thanks to the collaboration with these energy companies, General Alexander says, IronNet has been able to mature a product that provides a Collective Defense solution that brings together companies, sectors, states and nations to provide an elevated level of cyber defense.
Collective Defense around the world
While the energy sector collaborates against cyber attacks primarily to defend the grid, the technical competence, intelligence and observations within the industry can be shared to also benefit companies and entities in other sectors, and at the state, national and even international levels in a Collective Defense model.
Wilson explains, “Big companies like Southern Company have a large technical competency in the cyber area, but many smaller companies don’t. With a Collective Defense approach, we can help smaller companies benefit from a high volume of information sharing. And the large companies benefit because attacks can hit smaller companies, almost as a test run, before turning toward larger companies.”
Though its operations are based in the U.S., Southern Company has a vested interest in cybersecurity worldwide. Bad actors can test campaigns in one region and then deploy them in the U.S. So, by having access to shared threat information from energy providers around the globe, Southern Company can be better prepared for when foreign actors strike.
“While we are a U.S.-only entity, we can’t have a U.S.-only mindset,” Wilson says. “The adversaries are all the same, much of the equipment and software is the same, even across sectors. We have to find ways to work together to raise the level of awareness for all of us. And that’s not going to happen if every company focuses only on their own company, sector or country. As we work with IronNet and our other partners, I look forward to more international companies joining us in the spirit of Collective Defense, in whatever way makes sense, to give companies more situational awareness of what’s happening around the globe and address threats collectively.”
In the tradition of mutual aid, Southern Company sees Collective Defense as a way to help other companies in the cybersecurity realm, for the common good. “We’re an industry that truly collaborates,” says Wilson. “And when you can work together as an industry, there’s strength in situational awareness, capability and creative solutions.”