LADWP Plugs in New Endpoint Access Management Solution

The Los Angeles Department of Water and Power tapped identity security firm BeyondTrust to strengthen its access management defenses. The move is already paying dividends with fewer help desk calls.

Imagine, for a moment, millions of people in a densely populated area without water or power for several hours — disruptive, at the very least. Now, imagine that timeframe extended by several days or weeks and the situation gets exponentially worse, fast.

It wouldn’t take long for crime to spike and social order to completely unravel, like it did when Hurricane Katrina made its devastating landfall in 2005. That’s part of the reason foreign adversaries and other bad actors are so attracted to critical utility infrastructure — a little work, a lot of potential chaos.

The other reason they like critical infrastructure so much is the technology, often a jumble of ancient and modern control systems that have been beaten to fit and painted to match. What’s more, hackers can sometimes buy access in the form of stolen credentials and walk right through the digital front door.

And while the vulnerability of these organizations falls along a spectrum, with some sophisticated and well funded and others bootstrapped, most seem to have read the writing on the wall and are taking steps to harden their networks as much as budgets will allow.

In Los Angeles, officials with the Department of Water and Power (LADWP) opted for a solution meant to stop unwelcome guests in their tracks while still allowing staff to reach the systems they need.

A new Endpoint Privilege Management (EPM) tool from BeyondTrust is doing just that, said Marketing Director for Public Sector Bill Venteicher, allowing LADWP’s Service Desk Endpoint Management team to define specific permissions based on a task or application, rather than the user, who may or may not be legitimate.

“You have to shift your mindset left, and you have to be more proactive in your approach to cybersecurity and eliminate the risk that has to do with identities, so that when an attacker gets in, they can't move laterally, they can't escalate privileges, and they can't get into areas of the company where they can exfiltrate sensitive information, customer data, other passwords, or totally shut things down,” Venteicher said.

LADWP’s move away from its legacy solution was well timed; Venteicher noted that some 90 percent of attacks now have some identity compromise component related to stolen usernames and passwords, failed multifactor authentication, etc. While many cybersecurity tools on the market today focus on threat detection and response, the EPM solution aims to stop unverified users from ever making it through the front door, stolen credentials or not.

“If you can tighten your controls on identity and on endpoints, like Los Angeles did, then that closes those paths before an attack happens, and that's the proactive mindset where it doesn't matter if somebody gets in. It doesn't matter if you have a Scattered Spider attack where two-factor authentication fails, because now it keeps a single mistake or a single compromised identity from turning into an outage where systems are shutting down,” he said.

Earlier attempts to get a handle on inconsistencies in local administrative rights created problems for LADWP field technicians, who would then have to rely on an overwhelmed service desk to access job-critical applications.

Since adopting least-privilege security principles, Venteicher reports that the agency has seen a 42 percent drop in service desk calls.

“In this case, not only is it helping to secure identities, but it's enabling the IT department, in partnership with the security department, to be more efficient, and it's enabling them to work together better,” Venteicher said.

Officials with LADWP declined to comment on the implementation of the tools, but said in a white paper published by the company that the solution had “allowed users to continue doing what they need to without IT providing carte blanche admin rights.”
Eyragon is the Managing Editor for Industry Insider — California. He previously served as the Daily News Editor for Government Technology. He lives in Sacramento, Calif.