British Energy: how to build a secure government network on the cheap

British Energy has demonstrated...

British Energy has demonstrated how to create a secure network for remote access that meets stringent security requirements at low cost using the internet and thin client technology.

The electricity producer, which manages eight nuclear power stations, has to meet stringent safety requirements. These include physical measures to protect access to plants, as well as protecting sensitive data and technologies.

The Nuclear Installations Inspectorate arm of the Health and Safety Executive and the Office for Civil Nuclear Security (OCNS), set these security rules.

Certain people need to be available 24/7 to ensure that safety decisions relating to the maintenance of a nuclear plant can be made quickly. But these individuals cannot simply be given laptop PCs with remote access because that would be in breach of the OCNS directives.

By using Citrix XenApp thin client technology to interface with applications, users require only a web browser and a secure token ID to connect to the British Energy network.

Networks and applications manager Bob Barker and his team created a network pilot, which was tweaked four times following consultation with Communications-Electronics Security Group (CESG), the Information Assurance (IA) arm of GCHQ. "British Energy was the first network design to gain CESG approval," says Barker.

The initial project went live with 70 users in July 2007. A year on there are now more than 1500 employees using the remote access system to access operational information such as inventory management, procurement of goods, work approval, and safety cases, which exist on the corporate network.

Using Barker's approach it will cost British Energy only £100 per user per year to provide remote access. This cost includes all the security and software licensing needed to ensure remote access meets OCNS criteria. To provide users with secure laptops would have cost about £2500 per user per year.

Paul Simmonds, of the Jericho Forum, says this is a case of well thought out remote working and that British Energy's approach shows how to make it easy to control and access sensitive data using inherently secure protocols.

One of the advantages of using thin-client, browser-based access, to corporate IT systems is that no sensitive data is stored on the computer used to access the network. Nick Selby, research director of The 451 Group's Enterprise Security Practice, says, "Thin-client technology, especially in a deployment as sensitive as that of an energy firm, is a good way to limit the scope of damage that can be done while still providing workers with the tools they need to be productive and creative".

So, it is possible to create a low cost secure network, by using software such as Citrix XenApp to present Windows in a web browser and encrypting network access with a secure token. But to succeed, the client approach needs to be deployed to everyone, and not considered "second best".

Structure of British Energy's secure network for remote access

1. British Energy runs two dedicated servers for its Secure Ticket Authority

2. Four Citrix Application Severs support remote access

3. These all run on IBM HS20 dual core 3Ghz Blade servers configured with 4Gbytes Ram

4. Two NetScalers and two BigIP F5 Loadbalancers are used to manage the traffic/load across the servers

Read more on Networking hardware