British Energy has demonstrated how to create a secure network
for remote access that meets stringent security requirements at low
cost using the internet and
thin client technology.
The electricity producer, which manages eight nuclear power
stations, has to meet stringent safety requirements. These include
physical measures to protect access to plants, as well as
protecting sensitive data and technologies.
The Nuclear Installations Inspectorate arm of the Health and
Safety Executive and the Office for Civil Nuclear Security (OCNS),
set these security rules.
Certain people need to be available 24/7 to ensure that safety
decisions relating to the maintenance of a nuclear plant can be
made quickly. But these individuals cannot simply be given laptop
PCs with remote access because that would be in breach of the OCNS
directives.
By using
Citrix XenApp thin client technology to interface with
applications, users require only a web browser and a secure token
ID to connect to the British Energy network.
Networks and applications manager Bob Barker and his team
created a network pilot, which was tweaked four times following
consultation with
Communications-Electronics Security Group (CESG), the
Information Assurance (IA) arm of GCHQ. "British Energy was the
first network design to gain CESG approval," says Barker.
The initial project went live with 70 users in July 2007. A year
on there are now more than 1500 employees using the remote access
system to access operational information such as inventory
management, procurement of goods, work approval, and safety cases,
which exist on the corporate network.
Using Barker's approach it will cost British Energy only £100
per user per year to provide remote access. This cost includes all
the security and software licensing needed to ensure remote access
meets OCNS criteria. To provide users with secure laptops would
have cost about £2500 per user per year.
Paul Simmonds, of the Jericho Forum, says this is a case of well
thought out remote working and that British Energy's approach shows
how to make it easy to control and access sensitive data using
inherently secure protocols.
One of the advantages of using thin-client, browser-based
access, to corporate IT systems is that no sensitive data is stored
on the computer used to access the network. Nick Selby, research
director of The 451 Group's Enterprise Security Practice, says,
"Thin-client technology, especially in a deployment as sensitive as
that of an energy firm, is a good way to limit the scope of damage
that can be done while still providing workers with the tools they
need to be productive and creative".
So, it is possible to create a low cost secure network, by using
software such as Citrix XenApp to present Windows in a web browser
and encrypting network access with a secure token. But to succeed,
the client approach needs to be deployed to everyone, and not
considered "second best".
Structure of British Energy's secure network for remote
access
1. British Energy runs two dedicated servers for its Secure
Ticket Authority
2. Four Citrix Application Severs support remote access
3. These all run on IBM HS20 dual core 3Ghz Blade servers
configured with 4Gbytes Ram
4. Two NetScalers and two BigIP F5 Loadbalancers are used to
manage the traffic/load across the servers