One of Europe’s largest energy providers meets a BalaBit solution
- By Gábor Marosvári
- May 01, 2016
The CEZ Group Nuclear Power Plant’s recent
challenges included monitoring an
increasing number of devices, increasing
productivity while reducing headcount,
and protecting the confidentiality of documents
about the new block of the nuclear
power plant under construction—all of
which called for a heavyweight solution to optimize their
SIEM and authorize privileged users (administrators, third
parties, VDI users) and record administrative sessions. The
challenge was accepted by BalaBit’s syslog-ng Store Box
log management appliance and Shell Control Box privileged
user monitoring solutions.
Introducing the Customer: A Nuclear Power Plant
The CEZ Group is one of the largest energy companies in Eastern
and Southern Europe. Its main business is the production,
distribution and sale of electricity and heat. It employs 30,000
people, operates in 10 countries in the region, and serves approximately
9.3 million customers. In terms of its market size based on customers, CEZ Group is the 7th largest energy company in
Europe. CEZ ICT Services, a subsidiary of CEZ, provides information
and telecommunications services for the entire group.
High Security Standards in the Nuclear Power Plant to Prevent Leakage of Information
CEZ recently faced several challenges, including a large increase
in IT devices to be monitored and pressure to increase work efficiency
while reducing the number of employees at the same time. They
also wished to improve the security of the document management
system of a special team who would select the general contractor
for building the new blocks of the nuclear power plant in
Temelín. Team members work on VDI-clients to access a SharePoint
application to collect, process and evaluate all documents
arriving from tender candidates. CEZ management specified strict
IT and legal security requirements for this system to avoid
legal disputes or possible lawsuits later.
Consequently, CEZ needed a heavyweight solution to meet
two key expectations: advanced management of logs and audit
of privileged users.
“Our main goal was to prevent leakage of information or any
action which would harm our IT system,” said Pavel Hejduk,
head of the ICT Security Department for CEZ ICT Services.
“These incidents could have led us to choose another contractor
for building the new blocks of the power plant, which represented
a great security risk for us.”
Requirements of the log management part of the new project,
meeting the stricter regulations, included a web GUI, fast log
search, easy backup/archive of logs, WORM (Write Once Read
Many) log storage, encryption and time stamping of logs, and
high availability (HA) support.
Requirements of the auditing part of the new project, meeting
the stricter regulations, included a single tool capable of authorizing
administrators and recording administrative sessions,
and support of all standard remote administration protocols
such as SSH, Citrix ICA and RDP.
A Solid Combination of
Previously the plant’s IT team was using the syslog-ng Open
Source Edition log management tool to optimize their SIEM solution’s
performance, but due to the new requirements they
needed to look for a commercial solution. They chose BalaBit’s
syslog-ng Store Box (SSB) appliance.
“With syslog-ng Store Box you get a real log management
tool without the need to know Linux/Unix, unlike with other
tools on the market,” Hejduk said. “SSB is a log management
tool, and that’s exactly what it does. Many competitors are talking
about log management, but, actually, their solutions are
event management. If you have, for example, 40 types of logs,
implementation of an event management solution is a painful
and time-consuming exercise. In the same scenario, SSB can be
implemented in a few days.”
Log Management solutions implemented by CEZ:
- A high availability SSB cluster to collect the log messages of
their production systems including 250 log source hosts.
- An additional SSB virtual appliance that runs on the VMware
ESX platform for testing and development.
- syslog-ng Agent for Windows with TLS encryption and mutual
authentication to collect logs from Windows servers.
CEZ chose BalaBit’s Shell Control Box (SCB) activity monitoring
appliance, as they did not find any competitive offering for
transparently auditing privileged users. SCB audits and monitors
the administrative access to more than one hundred servers and
external communication stations (communication stations are
special thin clients with strict policies, such as controlled email
“Shell Control Box brought much more than we expected. It
is not only an auditing solution, but an advanced authorization
and OCR search tool, as well,” Hejduk said. “With its transparent
Man-In-The-Middle architecture, SCB is a unique product
on the market. Support of SSH/ICA/RDP/HTTP(S) auditing
and replaying, as well as OCR-based indexing and searching in a
single box is amazing.”
In terms of auditing privileged users’ activities, CEZ implemented
a high availability SCB cluster; an additional SCB virtual
appliance was also purchased for testing purposes.
The new log management and auditing solutions serve 150
users and 50 thin clients simultaneously, monitor eight IT and
security administrators, and protect 100 servers in 3 environments
(production, test, development). Supported by strict SLA,
the production environment is “hermetically” separated from the
outside world (no Internet, no phones, no papers, etc.).
Planning, testing and implementation of the whole project took
two months. The new BalaBit solutions have been in production
operation since July 2012.
The SSB log server appliance was easy to deploy and configure.
Archiving logs to WORM media and fast log search were a
perfect combination for CEZ security experts for daily operations
management and forensics investigations, as well. Indexing of
logs based on B-trees results in extremely fast searching for any
parts of the VDI-client and Active Directory server logs.
SCB was a bit harder to implement, but easy to operate. CEZ
benefits not just from its primary function (user authorization,
audit and record sessions), but from a secondary one, as well - it
provides complete documentation and replay of all configuration
changes performed by implementation partners and internal administrators.
This article originally appeared in the May 2016 issue of Security Today.