CXO / IT Leadership , Information Security

Transforming Power Sector With PAM Solutions

KEC's Pradipta Patro Advises a Platform-Centric Approach to Future-Ready Security
Transforming Power Sector With PAM Solutions
Pradipta Patro, head of cyber security and IT platform, KEC International Limited

KEC International Limited, an RPG Group company, is India's second largest manufacturer of electric power transmission towers and one of the largest power transmission engineering, procurement and construction companies in the world. It implements projects in more than 100 countries, and users with privileged access include numerous ecosystem partners, who work from multiple locations. KEC's extensive workforce of over 5,000 employees grappled with the need to manage numerous passwords, resulting in challenges related to privilege escalation and permission creep. The $2.1 billion infrastructure company resolved these issues with single sign-on, or SSO, and privileged access management, or PAM, solutions from CyberArk.

See Also: Rethinking Browser Security: From Risk to Asset

KEC has a highly complex IT infrastructure because of the diversity of its businesses across geographies and sectors, including power transmission and distribution, railways, civil, urban infrastructure, solar, smart infrastructure, oil and gas pipelines, and cables. In addition, it engages with multiple vendors, system integrators, contractors and service providers for its projects.

Workloads are dispersed across private and public clouds and via colocation as a hybrid setup, said Pradipta Patro, head of cyber security and IT platform at KEC.

Security Challenges in Hybrid IT Environments

"Looking into this kind of setup, we had challenges in administrating users who are on-premises and on the cloud, especially with increased usage of SaaS applications," Patro said.

A highly dispersed and decentralized IT infrastructure is susceptible to cyberattacks, and power infrastructure - regarded as critical infrastructure - represents a significant target for threat groups including Red Echo.

"We observed that 90% of the attacks are through privilege escalation or credential theft. Policies may not have been enforced appropriately on the endpoint, making it vulnerable," Patro said. "In certain instances, there was no multifactor authentication."

Vulnerabilities also existed in the cloud, as business partners could remotely access KEC's infrastructure through different cloud platforms.

"We realized that this is a very complex environment, not just from a technology perspective but also from a process perspective, because they [KEC] were using a lot of third-party vendors," said Rohan Vaidya, regional director, India and SAARC, CyberArk. "Those third-party vendors would have administrators who would change every second or third day. KEC had no control on this."

KEC's Criteria for an Advanced Access Management Tool

To improve identity visibility and offer more control on partners and employees accessing the infrastructure, KEC needed a tool that could track all accesses and activity, record all sessions, and protect credentials.

"It is a heterogeneous and hybrid environment with multiple accesses, so multiple authorization, authentication, and identification was required," Patro said. "What we needed was a tool to summarize all accesses and give us better visibility. This would secure the administration."

The tool was required to go beyond "just putting credentials in a vault and rotating them," Vaidya said.

CyberArk's PAM Solution

After shortlisting three vendors and conducting proof of concept or POC trials, the KEC team opted for CyberArk's PAM solution.

"We chose the CyberArk solution as its functionalities are tightly integrated with our ecosystem and compatible with our systems. We also considered technological functions and ease-of-use," Patro said.

KEC also benefitted from CyberArk's robust partner ecosystem and diverse suite of solutions.

"CyberArk has a complete portfolio of identity and access management solutions. We prefer if one vendor can cater to all our requirements so that we do not have to go to another third party for those," Patro said.

PAM Integration Challenges

The integration of the CyberArk's PAM solution commenced in February 2023 and was completed within three months. Since it was being implemented for the first time in the KEC environment, conducting a POC trial was crucial in addressing several teething problems.

"While regulation does not top the list of requirements in the manufacturing sector, privilege account management is crucial because of the nature of attacks on these accounts," Patro said.

The team had to address change management issues during the implementation stage. Authorizations had to be defined based on user application access and profiles. Patro and his team had to convince users they were implementing a productivity tool and not a monitoring mechanism.

Streamlining Access Management

Post implementation, the time-consuming manual process of recertification was eliminated. Recertification is a process of checking which users log into the system and what they access.

The PAM solution also keeps track of inactive accounts, especially those that were set up for third parties. Such accounts can be deactivated when a project is completed, a contractor or service provider has terminated their services, or an employee has resigned or is transferred to another project or department. This helps in preventing account misuse, privilege escalation and permission creep.

With SSO, password vault and PAM features, users no longer need to memorize multiple passwords.

"With this new solution, we have more control on these privileged accounts as we know who is accessing what, and when they access. So, I can give an assurance to senior management," Patro said.

He noted that the solution helped in managing five processes: identification, authentication, authorization, accounting and auditing.

Enhancing Security Governance

With the PAM solution deployed, KEC next wants to focus on SSO and MFA. Patro and his team aim to implement SSO for all applications and extend this functionality to all users in the system, and not just for admins.

"Identity is crucial for us today, and we also want to protect our data on the network. So, we need to [focus on] identity, profiling and posturing. Only then can we provide the right access to users, regardless of where they are located," Patro said.

The team at KEC is also considering [enhanced] system management and data governance.

Key Takeaways

Patro emphasized the need for a holistic approach before finalizing any solution. "Think about the platform first, and not the type of solution. Consider your challenges and how you can mitigate these through the right platform in the long term," he said.

Additionally, he recommended comprehensive control within hybrid and heterogeneous environments to ensure better visibility to monitor, detect, and protect more effectively.


About the Author

Brian Pereira

Brian Pereira

Sr Executive Editor - CIO.inc, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cio.inc, you agree to our use of cookies.