Microsoft System Center
Customer Solution Case Study
Separated business network and internet entirely through desktop virtualization
Overview
Country or Region: Korea
Industry: Energy
Customer Profile
Korea Southern Power Co. is an energy company running 9,238 MW of facilities across 7 operations, including its core plant, Hadong Thermal Power Plant.
Business Situation
There were growing calls for a proactive stance against the variety of security threats reaching power plants, a key national industry.
Solution
KOSPO adopted desktop virtualization as its network separation technology, so that users can access the internet only from within a virtual machine.
Benefits
  • Ensure the reliable power production through the network separation
  • Reduced the energy consumption to fulfill green IT
  • Block the malicious code entirely
  • Became easier to manage though the number of points to manage increased
  • Established the foundation for enterprise-wide clean zone
“For reliable power production, we separated the business network and internet through the desktop virtualization technology and enhanced the generation control security system.”
Cheong Choi, Section Chief, ICT Team, KOSPO
KOSPO is a power generation company that forms one axis of electricity production in Korea. To meet national security policy and to play a leading role in information security innovation among public enterprises, KOSPO started a full-scale information security enhancement project at the end of 2011. The first step in its 3-year mid- and long-term plan was network separation. That is, the company separated the business network from the internet, which is both the source of security problems and the route by which the effects of a security violation spread. To do this, KOSPO implemented desktop virtualization based on Microsoft's Windows Server Hyper-V and the System Center management environment. The virtualization technology enabled KOSPO to lay a firm foundation for preventing and responding to cyber violations without a big change to its existing systems.

Situation

KOSPO is one of the power sector companies split from Korea Electric Power Corp. under the 'Electricity Restructuring Promotion Act' on April 2, 2001. As of 2012, it has 7 electricity generation offices and is building 2,000 MW of facilities at Samcheok Thermal Power Plant and 400 MW of facilities at Andong Complex Power Plant.

Information security is one of the company's main concerns. The 7.7 DDoS in 2009 made information security a nationwide issue. With the 3.4 DDoS in 2010 and the weeks of paralysis at Nonghyup, also known as the National Agricultural Cooperative Federation, security became a major priority for public corporations and institutions. The same was true for KOSPO.

Regarding this, Cheong Choi, Section Chief, ICT Team, KOSPO, said, “The influence of a failure to provide electricity extends to the dimension of the national economy.” He also said, “To prevent confusion in the generation control system caused by security breaches, including hacking, we began to set the information security strategy in 2011.”

He added, “At that time, the Ministry of Knowledge Economy and the National Intelligence Service (NIS) recommended the improvement for security vulnerability assessment and analysis, and there were opinions to create the security standard to set to work on its improvement in the dimension of KEPC Group.” He said, “In any case, if it is a work for us to do, to become a model of public leadership, we initiated the improvement for vulnerable sectors in the second half of 2011.”

Before starting the information security improvement work, KOSPO mapped out the strategy it would focus on. The work was divided into 5 parts:
  • Preventing and responding to cyber breaches
  • Enhancing generation control system security
  • Reducing internal information leakage to zero
  • Establishing the foundation for information protection
  • Integrated security and surveillance linkage and mutual cooperation

Under this plan, KOSPO set to work at the end of 2011 on network separation, the foundation for its next-generation information security system. It judged that network separation would be required to respond proactively to a variety of security threats.

Gihyun Kim, Team Manager, ICT Team, KOSPO, said, “While we had been concerned in the past about how we could do business efficiently on the web, we are now concerned about how we can protect the information and assets of our corporation.” He added, “To meet the demand of the national security policy, we thought network separation would be required to block out the various security threats incoming via the internet, which resulted in the separation into OA network and internet, followed by the separation into generation control network and OA network.”

Solution

The company chose virtualization technology to separate its networks. In the past, when networks were separated for certain departments and users in the public sector, a separate PC for internet use was deployed alongside the business PC connected to the intranet. This approach makes it easy to physically separate the internal network from the external network, but it brings many inefficiencies.

Hosung Lee, Assistant General Manager, ICT Team, KOSPO, said, “When separating the network, 2 PCs on the desk made the space narrow and installing network cable was painstaking work.” He explained, “There was a lot of waste of energy and money caused by the separate software and staff to manage the PCs connected to the separated network.”

KOSPO judged virtualization to be the best way to keep the advantages of physically separating business and internet PCs while avoiding the drawbacks. Users can do their work on their PCs as before and use a virtual machine when they need internet access.

After comparing several solutions, the company selected Hyper-V technology from Windows Server 2008 R2 to build the server infrastructure and XenDesktop as the desktop solution for users. This was the best choice in terms of performance, cost, etc. It introduced System Center Virtual Machine Manager 2008 R2 and System Center Configuration Manager 2007 R3 as integrated management tools for these environments. Having selected its solutions and configured the servers, KOSPO began applying desktop virtualization one power plant at a time.

The reason it worked with a power plant as the unit was to minimize the issues it might encounter. Mr. Lee said, “Though desktop virtualization is efficient in many respects, including management innovation and green IT fulfillment, there are issues to be resolved for it to spread across the market.” He explained, “Chief among them is the keyboard security tool’s blocking of access in the virtualized environment, which is to swim against the stream of the times.” And he also said, “As for us, we made every effort to allow users to access certain sites by accepting users’ feedback from local power plants to solve the problems with keyboard authentication in internet banking and online class-related authentication.”

In this project, KOSPO benefited from the Active Directory infrastructure it had put in place a few years earlier. Mr. Lee said, “Both business PCs and virtual desktops are integrated into the Active Directory information to be easy to manage.” He added, “Since Active Directory is linked to the personnel data, when the information about a new employee is created in the Human Resources Dept., his account will be issued and his virtual desktop will be created as well. Like this, the automated procedure can be established.” He said additionally, “We don’t have to create and manage accounts manually on resignation either.”

KOSPO has completed the transition to an environment where users have to open a virtual machine to use the internet. This does not apply to all employees, however. Some employees are provided with PCs dedicated to internet access for productivity and convenience, where the nature of the task requires it, such as issuing internet tax invoices.

KOSPO built a data leakage prevention system at the same time as the network separation. The aim is to prevent internal information from leaking out of OA PCs through the data leakage prevention system, while preventing data from leaking through the web by separating OA and internet. The company prohibits connecting external devices such as USB storage to business PCs, and if data needs to be copied, it can be moved to external storage only with the approval of the chief of the department.

Benefits

Ensure the reliable power production through the separation of network

KOSPO raised the level of enterprise-wide network security by separating the OA network and the internet at the end of 2011, followed by the separation of the generation control network. Mr. Choi said, “For reliable power production, we separated the business network and internet through the desktop virtualization technology and enhanced the generation control security system.” He added, “At the same time, we made an agreement with KEPC to expand the technical collaboration and cooperation.”

Reduced the energy consumption to fulfill green IT

Desktop virtualization gave KOSPO new brand value as a model of green management in the energy industry. With energy, it is important not only to produce it but also to use it efficiently. The company improved its energy efficiency while carrying out the network separation it had to do. Mr. Lee said, “In general, the power consumption of a PC is more than 100W. Given the additional devices such as network equipment, the virtualization can reduce the power consumption up to 100 times.”

Block the malicious code entirely

Restricting internet use to the virtual machine freed the company from malicious code. After network separation, the rate of malicious code infection on PCs fell significantly. Mr. Lee said, “A user’s PC plays the role of a CNC server in case of downloading a bot while surfing the internet, and if we block the internet access, this bot will hang by the wall.” He also said, “It is the case for the malicious code, which invades via the internet to take the data out of the hard disk in PCs or break the system, due to the disconnection from the outer world.”

Became easier to manage though the number of points to manage increased

This network separation project would seem to increase the number of points to manage. However, the administrators did not feel any added burden. This is because System Center centrally handles security patching and application deployment for the virtual desktop environment running Windows 7, so no additional management effort is needed. Resource allocation and virtual machine creation and deployment on the virtualization servers can also be handled through System Center. In this way, all management tasks, from the servers to the virtual desktop environment, can be performed in a single tool, which means no extra burden on administrators.

Mr. Lee said, “Separating the network by investing in another physical PC means that there is a second set of infrastructure alongside the existing business PC environment.” He also said, “If there are business bases in each site across the nation like KOSPO, at least 5 to 7 new staff are required, but only one person can cover the enterprise-wide desktop management thanks to the virtualization.”

Established the foundation for enterprise-wide clean zone

KOSPO is taking follow-up measures under its mid- and long-term roadmap to expand virtualization to business PCs enterprise-wide in the future. Mr. Lee said, “We plan to build the enterprise-wide clean zone through the virtualization of business PCs to enable users to view data anytime and anywhere without the need for the data to exist on the user’s terminal.” He also said, “As for the transition of the business environment, since there are more considerations than with network separation, for advance examination, we made the outsourced IT staff and employees overseas use the virtual desktop environment through VPN.” He added, “The only outsourcing firm which can access our internal business system is the IT service provider. This can help us reduce the trial and error without a concern of security and increase the security.”

Microsoft System Center

System Center solutions help IT pros manage the physical and virtual information technology (IT) environments across data centers, client computers, and devices. Using these integrated and automated management solutions, IT organizations can be more productive service providers to their businesses.