Ameresco Relies on UTM Firewall to Safeguard, Access, and Control Equipment and Data at Remote Plants

Ameresco, Inc. is an independent energy solutions company delivering long-term customer value through innovative systems, strategies and technologies. Ameresco works with customers to reduce operating expenses, upgrade and maintain facilities, stabilize energy costs, improve occupancy comfort levels, increase energy reliability and enhance the environment. Founded in 2000 with headquarters in Framingham, Massachusetts, Ameresco now has nearly 600 employees nationwide. The company’s Renewable Energy Group develops, designs, builds, owns, and operates renewableenergy plants; to date the group has developed more than thirty-five energy producing facilities.

The need for protection: more at risk than bits and bytes
In 2002, Ameresco’s Renewable Energy Group placed a firewall system on the first plant it designed and built. “Our first thought was to protect the plant itself, to make sure no one could get on our local network and use it to control large, heavy-duty industrial equipment,” says Jeff Palmer, Ameresco senior project engineer, specialty control systems. “You have to remember that, on the other end of all those bits and bytes, there really is capital equipment such as compressors, flares, blowers, balance of plant equipment, and more.”

The Renewable Energy Group designs its plants for remote support and visibility. The information served up by this information portal — a web application providing users with access to live data on current operations as well as billing data for monthly reporting — must also be protected. “We need the website because it makes the plant visible for legitimate purposes, but we need protection to make sure the website isn’t too accessible,” says Palmer.

The right solution — right from the start
Ameresco’s first firewall solution consisted of WatchGuard Firebox SOHO appliances, but the Firebox SOHO didn’t support VPN right out of the box. By the time the Renewable Energy Group began building its second gas sales plant, Palmer realized the plants needed VPN capabilities, but he wasn’t willing to accept the extra licensing required with the Firebox SOHO solution. After in-depth research, Ameresco chose McAfee Unified Threat Management (UTM) Firewall (formerly SnapGear SG560) appliances, in part because the boxes ran on the standard Microsoft VPN client. Initially, Palmer was leery. “It was a total relief when the firewalls came online without mishap,” he says. “And they just kept doing everything they were supposed to do.” The McAfee firewalls also provided the muchneeded flexibility required to set up an IPSec VPN tunnel running from firewall to firewall.

Ameresco’s second plant captured methane gas at a landfill and delivered it via pipeline to the company’s customer four miles away. “We needed a way to move gas quality data from the front end of the pipeline to the back end, and to pull the actual metering data from the customer use point back to our plant, while encrypting all the data flowing between those two points via VPN tunnels,” says Palmer. “To anyone looking at or operating the set-up, it appears to be a single facility, which is exactly what we want.”

Ameresco’s Renewable Energy Group has deployed McAfee UTM Firewalls in every one of its plants since the first deployment.

Remote capabilities make it possible
“If it weren’t for McAfee UTM Firewall’s built-in VPN and remote access capabilities letting us put our plants on the Internet, remotely connect to servers, and grab software and data, I’d have to find another job — or clone myself three or four times,” says Palmer. “The plants are spread out across the country, so placing an IT specialist on-site wouldn’t be cost-effective.” Because Palmer can handle firewall security by remote control, he saves money and time (no travel expenses and travel time incurred) and also avoids extensive system downtime.

"If it weren’t for McAfee UTM Firewall’s built-in VPN and remote access capabilities, I’d have to find another job—or clone myself three or four times."

Jeff Palmer
Senior Project Engineer, Specialty Control Systems, Ameresco

While Palmer is not an IT specialist, he easily became the company’s VPN security expert. With a master’s degree in mechanical engineering, specialty dynamic systems and controls, his primary role is automating and controlling the operation of the company’s renewable energy plants. But the Ameresco corporate IT department doesn’t get involved with plant security and connectivity. So, to keep plant operations completely in-house, Palmer became the VPN security guru for Ameresco’s Renewable Energy Solutions Group. “I never expected to be playing with firewalls and web portals, .net programming and all the rest,” says Palmer. Even so, Palmer estimates his time spent managing the network is “maybe 1/25 of my work week.”

All of these factors make the UTM Firewall’s ease of deployment, ease of use, and bulletproof reliability absolutely critical to Ameresco.

Perfect for the infrequent, low-tech, or remote user
Palmer is grateful for UTM Firewall’s ease of use and reliability, both for himself and for the isolated plant operator who tends to be more mechanically inclined than high-tech savvy.

“The McAfee menu-driven interface helps me navigate the firewall setup, and there’s a nice help button on every screen describing each setting,” Palmer explains. He doesn’t doubt that a command-line interface might work really well if he was more involved in using the system. But because Palmer puts on his network security hat only so often, he says, “I need a GUI that’s really going to help me speed things up.”

The appliance’s intuitive operation is perhaps even more critical for the plant operator. For example, when an operator mistakenly pushed the box’s reset button, Palmer was able to walk him through the configuration reload procedure over the phone. The operator connected to the default IP firewall and uploaded the right configuration, and, says Palmer, “In no time we were up and running again.”

In worst-case scenarios, the UTM Firewall’s low price point makes for another attractive option. On the rare occasion when the plant operator has managed to thoroughly compromise the appliance and can’t be coached to fix it over the phone, Palmer just sends out another unit. “It costs less than me making a trip out there, and all the operator has to do then is unplug the old one and plug in the new one,’’ says Palmer. “I’ll take it from there.”

With numerous plants in locations that stretch from coast to coast, Ameresco’s Renewable Energy Group places a high premium on product reliability. “UTM Firewalls are rock solid; they just sit there and run,” concludes Palmer.

Ameresco

Customer profile

Largest independent provider of energy optimization services and renewable energy plants in North America

Industry

Energy

IT environment

The Renewable Energy Solutions group supports numerous energy facilities coast to coast

Challenges

Dispersed plant locations have no onsite IT support, requiring firewalls to be operated remotely. Heavy equipment, which can be manipulated online, must be protected from tampering. VPN tunneling is critical for plant/ customer data interaction

McAfee solution

McAfee Unified Threat Management (UTM) Firewall (formerly SnapGear SG560) appliances

Results

  • Remote operation saves hundreds of man hours each year
  • Firewall-to-firewall IPSec VPN tunneling enables secure multi-location data exchange
  • Simple GUI and excellent uptime performance make part-time security officer a reality