How Encryption Consulting strengthened an Energy company’s Security with PKI Assessment and Support Services

Company Overview 

This leading energy infrastructure company in North America aims to provide clean and economical energy and invest in sustainability. It is one of the key players in the domain and serves over 300,000 industrial, commercial, and domestic gas customers while maintaining safety and reliability with environmental sustainability. 

It operates seamlessly by employing 1,000 people, with customer satisfaction (CX) as the major priority. The company is involved in innovative energy infrastructure development to increase access to sustainable energy resources and improve its capabilities. To continue being an essential service provider, its objective is to maintain operational excellence. Therefore, it prioritizes strong security protocols, risk management practices, and compliance along with cryptographic standards to protect its infrastructure and data. By enforcing access controls, implementing strong encryption methods, and continuous monitoring, it continues to build trust and value for its customers while contributing to a cleaner energy future. 

Challenges 

Being a gas provider company, it realized the need to ensure that its systems are both reliable and scalable. This includes enforcing strong security measures to protect sensitive data. The advancements in cyber threats compelled the company to improve its security. One way to achieve this was by strengthening its Public Key Infrastructure (PKI), which is a system used to manage digital certificates and encryption keys. PKI helps in making sure that only trusted users and devices can access the company’s systems.  

To achieve this, the company was required to strengthen its existing PKI environment to manage these certificates and keys, ensuring everything is secure and follows the correct encryption rules. As a result, the company would protect itself against digital threats more effectively. 

The assessment revealed considerable flaws in PKI within the organization. There was insufficient monitoring and inefficient risk detection, and the Certificate Revocation List (CRL) updates were inconsistent.  Also, it was revealed that there were critical vulnerabilities in their security measures to address the increased threats and drawbacks in PKI infrastructure, such as the use of expired certificates, weak cryptographic algorithms, and the possibility of misconfigured certification authorities (CAs). Furthermore, there was a lack of logging mechanisms within the PKI ecosystem, which created problems during anomaly detection in log analysis. 

We identified a lack of basic policies such as Certificate Policy (CP) and Certificate Practice Statements (CPS), which resulted in inconsistencies in certificate issuance and management, thereby increasing the risk of misconfigurations, unauthorized access, and security vulnerabilities. This is because, without an established CP and CPS, different individuals or teams within the organization might issue certificates with different levels of validity and usage restrictions.

To worsen it, the organization did not establish specific guidelines for key security settings, such as which cryptographic algorithms are used for generating encryption keys, the appropriate lengths of encryption keys, the methods for generating hash values, and the structure of digital certificates. Without these defined standards, different systems or departments might adopt varied approaches, leading to interoperability issues.  

The PKI operations were not centralized and inefficient in scaling in response to increasing security requirements due to the absence of a Target Operating Model (TOM). TOM is a well-defined model or strategic framework that describes how an organization should operate to be efficient and effective in delivering value to its customers in an ideal setting. 

Various vulnerabilities related to certificate lifecycle management activities were identified in the assessment, including manual processes for certificate management. This lack of automation for certificate management led to inefficiencies, human errors, increased operational costs, limited scalability of PKI infrastructure, and unmanaged certificates led to frequent service outages, which further led to a 10% increase in operational costs, while incomplete backup and recovery processes left the organization vulnerable to data loss. 

Furthermore, there were no guidelines defined for utilizing the self-signed and wild card certificates. This led to the creation of blind spots for unauthorized access and caused disruptions in operations respectively. This is because self-signed certificates are not issued by trusted Certificate Authorities (CAs) and, therefore, result in security warnings and failed authentication. The lack of processes for key destruction, de-registration, and key discovery capabilities led to inefficacies and caused violations of compliance.      

Additionally, this organization lacked a strong PKI and a formal risk assessment or compliance monitoring. This left the organization exposed to unexpected security breaches as they were not able to identify and address the potential vulnerabilities in their infrastructure proactively. Due to this, they were not able to ensure adherence to industry standards and regulations such as the National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS), Payment Card Industry Data Security Standard (PCI DSS), etc., which led to the violations of compliance. 

Solution 

Encryption Consulting specializes in PKI services, including PKI assessment and PKI support services. Therefore, the organization approached us seeking an assessment of their existing PKI environment and implementation roadmap to remediate the identified gaps.   

We began the assessment process by evaluating existing cryptographic policies, standards, and the PKI architecture and their associated use cases across the organization to confirm the scope. To develop an initial understanding, we conducted a review of their existing procedures, which include certificate and key management policies and existing CP/CPS documents across their environment for on-premises, cloud, and hybrid PKI. Following this, we conducted workshops with the relevant stakeholders to evaluate their PKI operations.

By analysing these aspects, we identified key areas for improvement through our assessment, such as monitoring and risk detection, certificate lifecycle management, and compliance processes. Therefore, we built a strategy and implementation roadmap to remediate the identified gaps and recommended the integration of solutions designed to mitigate these security gaps and enable the organization to achieve a future-ready PKI system.    

Once the organization successfully put our recommendations into practice, they decided to sign up for our round-the-clock PKI Support Services. This is a subscription-based service, which means that they pay a recurring fee for ongoing help. As a subscriber, they receive personalized assistance customized to their specific needs, including the restoration of their Public Key Infrastructure (PKI) in case of any error, diagnosing and fixing issues, i.e., troubleshooting, and providing additional support whenever required. 

After the successful implementation of our recommendations, the organization subscribed to our PKI Support Services, a subscription-based 24/7 support model. Due to this, it gained access to customized support for its various needs, including PKI restoration, troubleshooting, and assistance as and when needed.   

Unexpected PKI-related downtimes, such as certificate expirations or HSM failures, can be expensive and cause costly outages for this industry-leading company. Therefore, by utilizing our support services, the organization was able to quickly restore and minimize the impact, ensuring business continuity. This resulted in quick response time and in-depth restoration plans to ensure their PKI was running in no time.  Also, they faced challenges with certificate distribution across endpoints. To address this, we guided them on implementing the Network Device Enrolment Service (NDES) to ensure seamless operations of certificate provision and management. 

Furthermore, our support services came to the rescue to aid in the transition to a new HSM while maintaining the operations of the organization’s existing Microsoft AD CS-based PKI setup. We provided end-to-end assistance, from the planning phase to the execution of the transition through our support services to upgrade their HSMs to the nShield 5s series. 

The organization faced various issues regarding governance, given the missing key policies such as Certificate Policy (CP) and Certificate Practice Statements (CPS). Therefore, to address the vulnerabilities, the organization utilized our support services to build a Certificate Policy (CP), a document that defines the rules and practices utilized by the organization for issuing and using digital certificates and Certificate Practice Statements (CPS) to define the operations of how CA will implement the policies mentioned in the CP.   

Our support services also included the creation and publication of Certificate Revocation Lists, which was done by facilitating the list of revoked certificates to ensure that such certificates are no longer used for authenticating or encrypting data. Our team recommended best practices, including implementation of strong key management policies, enforcement of certificate lifecycle automation, and strict access control for private key protection to ensure the organization complied with industry standards and regulatory issues in terms of certificate management. 

For operational inefficiencies, we assisted the organization in automating all the key processes of certificate renewals, CRL updates, and certificate status monitoring. This automation of processes would eliminate human interference and, therefore, minimize the possibility of human errors, such as incorrect CRL updates, missed renewal deadlines, etc. For this, we recommended the implementation of our certificate management solution, CertSecure Manager. 

Impact 

As a result of our PKI assessment and ongoing support services, the organization transformed its infrastructure into a secure, efficient, and scalable one while improving resource utilization. Establishing a strong governance framework ensures that the PKI environment is compliant with industry standards and allows the organization to meet evolving security requirements and regulatory compliance, leading to reduced operational costs. 

The adoption of a microservices-based PKI model enhanced the level of security, flexibility, and automation in certificate lifecycle management. Separating PKI functions into independent services allowed the organization to scale certificate issuance, revocation, and validation processes on demand. This improved the efficiency and performance of the business operations and enhanced overall security. 

Our support services have enhanced the critical operational processes, including the automation of certificate renewals and revocations. As a result, manual errors decreased, which improved operational efficiency and allowed for smoother operations, improving business continuity. Additionally, centralized management of cryptographic assets provided better visibility and control and helped the organization maintain critical operations, reduced service disruptions, and enhanced business agility.     

The establishment of real-time monitoring capabilities aided the organization in detecting and responding to risks proactively. Therefore, this facilitates service availability while minimizing exposure to risks. The various measures taken for the management of the CRL strengthened security by providing the facility for the speedy rejection of outdated or compromised certificates. This led to enhanced trust across the systems and further enhanced customer trust. 

With our continuous support, the organization enhances its security posture and ensures continual updates on the latest cryptographic standards and best practices.

Conclusion 

When faced with security challenges, we at Encryption Consulting convert them into opportunities for growth. We are committed to providing organizations with various evaluations and equipping them with the tools and support services they require to secure operations today and for the evolving cybersecurity challenges. 

Hence, it partnered with us and was able to establish itself as a highly secure, scalable, and resilient organization. Our team worked around the clock to identify critical vulnerabilities, recommended action plans to remediate them, and created a future-proof foundation for their infrastructure. Therefore, we delivered to them an ever-evolving and ever-growing, future-proof, secure system against threats that would be adaptable to further developments.