November 19, 2017

Guidelines for Planning an Integrated Security Operations Center

February 18, 2014

The EPRI Cyber Security team published a report titled “Guidelines for Planning an Integrated Security Operations Center.”

This report describes strategies and guidelines for utilities to plan and implement an Integrated Security Operations Center (ISOC) that includes corporate systems, control systems and physical security. Currently, multiple groups and operators independently gather and analyze information from a datacenter, workstation networks, physical security, supervisory control and data acquisition (SCADA) systems, energy management systems (EMS), historians, and field equipment. Data is also collected and analyzed from Computer Emergency Readiness Teams (CERTs) and Information Sharing and Analysis Centers (ISACs). Correlating this data to find suspicious activity can be extremely challenging and often only occurs long after an incident happens. 

An ISOC is designed to collect, integrate, and analyze alarms and logs from these traditionally siloed organizations, providing much greater situational awareness to the utility’s security team. Additionally, an ISOC allows utilities to transition to an intelligence-driven approach to incident management, which is much more effective for handling advanced threats. Because of these advantages, creating an ISOC may provide significant value to utilities. However, building an ISOC requires significant technical resources, staff, and time.
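As an added illustration of the cross-silo correlation described above (example code written for this page, not from the EPRI report), the following joins constructed physical-access, SCADA and corporate VPN events for one operator. The event field names, the HMI-to-site mapping and the 15-minute VPN window are assumptions; the point is that a control action issued in the name of an operator who has badged out of the site is only visible when all three feeds are in one place.

```python
from datetime import datetime, timedelta

# Constructed sample events from three traditionally separate sources,
# normalised to dicts with an ISO-8601 timestamp and a user id.
BADGE_EVENTS = [  # physical security (door controller)
    {"ts": "2014-02-18T07:55:00", "user": "jdoe", "action": "badge_in", "site": "substation-12"},
    {"ts": "2014-02-18T12:10:00", "user": "jdoe", "action": "badge_out", "site": "substation-12"},
]
SCADA_EVENTS = [  # control actions logged by the HMI / EMS
    {"ts": "2014-02-18T09:30:00", "user": "jdoe", "action": "breaker_open", "hmi": "hmi-sub12"},
    {"ts": "2014-02-18T12:40:00", "user": "jdoe", "action": "breaker_open", "hmi": "hmi-sub12"},
    {"ts": "2014-02-18T13:30:00", "user": "jdoe", "action": "breaker_close", "hmi": "hmi-sub12"},
]
VPN_EVENTS = [  # corporate IT (remote-access gateway)
    {"ts": "2014-02-18T12:35:00", "user": "jdoe", "action": "vpn_login", "src": "203.0.113.7"},
]
HMI_SITE = {"hmi-sub12": "substation-12"}  # assumed asset inventory: which site each HMI lives at


def _t(s):
    return datetime.fromisoformat(s)


def present(badge, user, site, when):
    """True if the user's latest badge event at `site` on or before `when` is a badge_in."""
    state = None
    for e in sorted(badge, key=lambda e: e["ts"]):
        if e["user"] == user and e["site"] == site and _t(e["ts"]) <= when:
            state = e["action"]
    return state == "badge_in"


def correlate(scada, badge, vpn, window=timedelta(minutes=15)):
    """Flag control actions attributed to an operator who is not physically on site.

    A recent VPN login for the same user explains the action as remote access;
    otherwise the action is attributed to an absent operator and needs review."""
    findings = []
    for ev in scada:
        when, site = _t(ev["ts"]), HMI_SITE.get(ev["hmi"])
        if site is None or present(badge, ev["user"], site, when):
            continue  # unknown HMI, or operator badged in: nothing to correlate
        remote = [v for v in vpn if v["user"] == ev["user"]
                  and timedelta(0) <= when - _t(v["ts"]) <= window]
        kind = "remote_control_action" if remote else "action_by_absent_operator"
        findings.append({"ts": ev["ts"], "user": ev["user"], "action": ev["action"],
                         "site": site, "kind": kind, "vpn_src": remote[0]["src"] if remote else None})
    return findings


if __name__ == "__main__":
    for f in correlate(SCADA_EVENTS, BADGE_EVENTS, VPN_EVENTS):
        print(f)
```

Run stand-alone it prints two findings: the 12:40 action is explained by the 12:35 VPN session, while the 13:30 action has no badge-in and no recent VPN login, which is the kind of cross-source anomaly an independent SCADA or physical-security team would not see on its own.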

This research focuses on the initial steps in setting up an ISOC: developing the business case, identifying potential organizational challenges, weighing the tradeoffs between different ISOC architectures, and planning the implementation process. These results are based on current research, engagement with utilities, and an examination of ISOC implementations outside of the electric sector.

Three takeaways from this report are:

  • Strong executive support is critical to the success of an ISOC deployment
  • Organizational challenges to integrating security functions can exceed the technical challenges
  • There is not a ‘one size fits all’ approach to designing an ISOC