The National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology and industrial control systems. The Center, part of the US Commerce Department’s National Institute of Standards and Technology (NIST), works with IT developers and providers to help businesses reduce their cyber risk.
The guide, ‘Identity and Access Management for Electric Utilities’, could help energy companies reduce their risk by showing them how they can control access to facilities and devices from a single console.
“The guide demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management,” said Donna Dodson, director of the NCCoE. “It provides step-by-step instructions to help organizations as they tackle the challenges of identity and access management.”
To develop the guide, NCCoE researchers met with representatives from the energy sector to identify their cybersecurity challenges. Often, identity management is controlled by numerous departments within a single company. For example, different people and systems control the company’s information technology (e.g., business systems), operational technology (which controls the production and distribution of energy), and physical access to facilities. Yet, unauthorized access to any one of these systems could affect the entire company. This decentralization of identity management makes it difficult to trace the sources of attack or disruption, and to establish accountability.
The draft guide includes two versions of an end-to-end identity management solution that provides access control capabilities to reduce opportunities for cyber attack or human error. It also takes into account the risks that centralized control can present.
In collaboration with experts from the energy sector (mainly electric power companies) and those who provide equipment and services to them, NCCoE staff developed a use case scenario to describe a security challenge based on normal day-to-day business operations. The scenario centers on a utility technician who has access to several physical substations and to remote terminal units connected to the company’s network in those substations. She leaves the company, and her privileges need to be revoked, but without a centralized identity management system, managing routine events like this one can become cumbersome and time-consuming. A centralized access control system would make changing or revoking her privileges simple and quick.
The draft guide also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards. The guide is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants and substations. Organizations can adopt this solution, or one that adheres to these guidelines, in whole, or use the guide as a starting point for tailoring and implementing parts of a solution.
The draft guide is available on the NCCoE website. Comments should be submitted via an online form or to email@example.com by October 23, 2015.