Case Study EnergieSüdwest Netz GmbH

    NAC solution: holistic security for critical infrastructure – EnergieSüdwest Netz relies on macmon for ISMS

    EnergieSüdwest Netz GmbH fulfills an important part of the CRITIS requirements and optimizes the management of the entire network with macmon NAC. EnergieSüdwest Netz GmbH is a subsidiary of EnergieSüdwest AG and was founded in 2007 with headquarters in Landau in der Pfalz. It manages the electricity, gas, water and district heating infrastructure in and around Landau with over 60 employees.

    In addition to the planning, construction and operation of the supply networks, this includes: regulation management, grid billing,the implementation of customer switching processes, maintaining contractual relationships in the liberalized markets,metering point operation etc.The location has approx. 100 network devices in use.

    Key Facts about Case Study EnergieSüdwest

    Biggest challenges:

    • Meeting the requirements of the KRITIS regulation
    • Implementation of holistic network protection

    Reasons for macmon NAC:

    • Powerful topology detection
    • High degree of automation
    • BSI IT security certificate

    Successes through macmon NAC:

    • Seamless real-time monitoring
    • Reduction of administration effort
    • Implementation of situation-effective VLAN management

    A holistic approach is necessary

    As an energy provider, EnergieSüdwest Netz GmbH falls into the area of critical infrastructures (CRITIS) under the IT Security Act, to which the first part of the CRITIS regulation has applied since May 2016. Accordingly, the organizations concerned must implement special measures to ensure the availability and security of their IT systems. This also includes the so-called ISMS as described in the "IT Security Catalog pursuant to Section 11 (1a) of the Energy Industry Act" (as of August 2015):

    “To ensure an appropriate level of security for telecommunications and IT systems, necessary for secure network operation, the mere implementation of individual measures, such as the use of anti-virus software, firewalls etc. is not sufficient. To achieve the security goals a holistic approach is required, which must be continuously checked for performance and effectiveness and adapted if necessary. Such a holistic approach is an information security management system (ISMS).

     

    Thomas Gallion, EnergieSüdwest Netz GmbH

    "In addition to the convincing functionalities the short communication channels and the competent, uncomplicated support from macmon and BWG, the BSI certification of the solution was one of the main arguments for our decision."

     

    Due to the increasing number of network-enabled devices, such as printers and IP telephones within the company network, surface for cyberattacks gets bigger. Therefore, the holistic security of this network through network access control (NAC) is one of the most important measures for setting up an ISMS.

    Little effort and powerful functions

    To ensure the security of the network within the framework of an ISMS based on the IT security catalog, EnergieSüdwest Netz was looking for a partner who could provide comprehensive protection for the network with as little effort as possible. During the extensive market research, the NAC solution from macmon presented by the BWG Systemhaus Group emerged as the top candidate. For a detailed evaluation macmon was initially used in a limited production environment for detailed evaluation. The powerful topology recognition with LLDP and CDP and the high degree of automation of the solution stood out positively. macmon NAC enables visibility even in complex or widely branched networks and simplifies their management.  As macmon is a German vendor based in Berlin and the solution has been awarded with the IT security certificate by the BSI there was no concerns about security or policy compliance.

    The decision was therefore ultimately made in favor of the Premium bundle from macmon, which includes: NAC, Advanced Security, VLAN Manager, Guest Service, IEEE 802.1X, graphical topology and extensive mechanisms to check the compliance/security status of endpoints. EnergieSüdwest Netz operates macmon as a cluster on physical appliances. In the monitored areas, industrial switches from the manufacturer Microsense are used. To fully map the ISMS ESW Netz uses additional security solutions alongside macmon NAC such as a firewall and two antivirus solutions. The solution was implemented with the support of partner BWG and macmon itself.

    Maximum security and control with minimum management effort

    With macmon, the five employees responsible for network technology at EnergieSüdwest Netz GmbH can monitor their network efficiently and comprehensively while concentrating fully on their core non-IT tasks.

    The ESW Netz GmbH network has little fluctuation and the majority of the connected devices work autonomously at widely distributed locations. Therefore, the main task of macmon is the seamless real-time monitoring of the entire network. The solution is manufacturer-agnostic and has no "blind spots", as it is the case with appliance- or client-based approaches.

    If a new endpoint enters the network at switches or interfaces with the wrong VLAN configuration, they are automatically and dynamically moved to the correct VLAN, without manually writing a rule for this. On the one hand, this reduces the extent and complexity of the rules themselves and on the other hand the administration effort is extremely minimized.

    Points of contact with the solution that require manual intervention only occur if unauthorized access is detected and automatically secured. The introduction of authentication of guest devices - e.g. employee notebooks - via 802.1X using a RADIUS server is planned for the future. This function is already included in macmon and mixed operation of SNMP and 802.1X with real-time monitoring is also possible.

    macmon and its consulting partners are always available for advice and support. The manufacturer's service staff are all located directly at the company's headquarters in Berlin, so that support and problem solving can always be provided quickly and competently.

     

    Thomas Gallion, EnergieSüdwest Netz GmbH

    "The main function Network Access Control for identifying unauthorized devices was decisive for us. It works extremely reliably, so that intruders in the network are detected at any time, automatically isolated in a VLAN and the administrators are informed immediately. In this way, we fulfill a central part of the holistic approach of the IT Security Act."

     

    Conclusion

    With the implementation of macmon EnergieSüdwest Netz fulfills an important part of the requirements of an information security management system for critical infrastructures. In addition, the solution enables the management and monitoring of the entire network. macmon NAC is manufacturer-agnostic so there is no need for additional hardware investments to use the solution. Long-term planned developments are also covered by the functions in macmon NAC, so that the network of ESW Netz GmbH is protected for the future.

    © macmon secure GmbH