New Illinois-developed company gets training through NSF I-Corps program
Because of the vulnerability of IT infrastructures, the power industry has mandated critical infrastructure protection regulations that must be followed by all large electric utilities. Utilities are audited every three years and the price of non-compliance is steep: If they're found to be in violation of any of the regulations, they can face penalties of up to $1 million per day.
To ensure that critical security regulations are met—and, at the same time, make the audits less burdensome for utility companies—ITI research scientist Robin Berthier, along with ITI Director David Nicol, ITI engineer Edmond Rogers, Interim ECE Department Head William H. Sanders and ITI research programmer Mouna Bamba, created a software application, NP-View, that supports utilities and auditors in assessing whether networks are secure and in compliance with government NERC/CIP standards. The team recently received a $50,000 grant through the NSF I-Corps program to learn how to commercialize the tool, which performs automated and comprehensive network path analysis of firewall and router configurations.
The program gives us a guideline to move forward really fast, Berthier said. If we didn't have the program, we may have reached the same conclusions, but as you're making mistakes along the way, the program allowed us to condense those early failures in a short time span. In just seven weeks, we learned a lot and having that constant pressure really caused us to move forward quickly. It's hard, but it's worth it.
The NP-View tool makes it easier for companies in the power industry to determine whether they comply with NERC/CIP regulations. Those regulations include standards for identifying all computers that are connected to critical systems in the grid, making sure they are isolated and ensuring that there would be no problems with distribution of electricity if a critical computer were to become infected.
When large utility companies are audited on-site every three years, they are required to present a map of their network, show critical assets and print the configurations of firewalls. NP-View automates that process. It automatically maps networks, saving time for both the auditors and utility companies. Additionally, the tool keeps track of any changes made to the network between audits, which is a requirement utilities previously had to meet manually.
Audits are extremely stressful tasks for utilities, Berthier said. A violation can lead to a fine of up to $1 million per day. This tool helps reduce that stress because a utility can have a much deeper understanding of their network and have a checklist to make sure they meet all the requirements. It allows them to go into an audit knowing they have confidence in the protections they have.
For NP-View, the future is looking bright. Last summer, the team incorporated a startup company named Network Perception, and also signed a license agreement with Illinois' Office of Technology Management (OTM), which allows the company to license code developed under research contracts the team acquired in their roles as University employees.
Through the I-Corps program, the NP-View team was able to refine their target market, as well as increase confidence in their decision to commercialize, after receiving positive feedback from many potential customers.
When we went into the program, we were generally thinking we had a wide scope of markets to go into, Berthier said. We still believe we can do that because the tool has value for other industries. Anyone who has a firewall needs to analyze and map networks. However, we learned we needed to focus on a very precise customer segment and design our tool and our marketing strategy around that.
The team is currently focusing on the power industry, but may expand its mission to additional application areas; the banking industry, for example, presents a promising opportunity, since it uses a similar auditing process to ensure banks comply with regulations. For now, Berthier is providing potential customers with an evaluation version of the product and is creating a roadmap for adding new features and testing different pricing models. He anticipates that he will soon work full-time for Network Perception, as the company grows and begins generating revenue during 2014.
Through this process, we learned how the audit really helps the electric power industry, how it works and where our tool can best be used, Berthier said. I can now go to a utility and tell them how much time they can save with our tool. It has helped us focus on what's really important in our market.