The National Cybersecurity Center of Excellence (NCCoE) is requesting comments on a draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology and industrial control systems. The center, part of the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), works with IT developers and providers to help businesses reduce their cyber risk.
The U.S. Department of Homeland Security reported that 5 percent of the cybersecurity incidents its Industrial Control Systems Cyber Emergency Response Team responded to in fiscal year 2014 were tied to weak authentication. Four percent were tied to abuse of access authority. The guide, Identity and Access Management for Electric Utilities, could help energy companies reduce their risk by showing them how they can control access to facilities and devices from a single console.
“The guide demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management,” said Donna Dodson, director of the NCCoE. “It provides step-by-step instructions to help organizations as they tackle the challenges of identity and access management.”
To develop the guide, NCCoE researchers met with representatives from the energy sector to identify their cybersecurity challenges. Often, identity management is controlled by numerous departments within a single company. For example, different people and systems control the company’s information technology (e.g., business systems), operational technology (which controls the production and distribution of energy), and physical access to facilities. Yet, unauthorized access to any one of these systems could affect the entire company.
This decentralization of identity management makes it difficult to trace the sources of attack or disruption, and to establish accountability.
The draft guide includes two versions of an end-to-end identity management solution that provides access control capabilities to reduce opportunities for cyber attack or human error. It also takes into account the risks that centralized control can present.
In collaboration with experts from the energy sector (mainly electric power companies) and those who provide equipment and services to them, NCCoE staff developed a use case scenario to describe a security challenge based on normal day-to-day business operations. The scenario centers on a utility technician who has access to several physical substations and to remote terminal units connected to the company’s network in those substations. She leaves the company, and her privileges need to be revoked, but without a centralized identity management system, managing routine events like this one can become cumbersome and time-consuming. A centralized access control system would make changing or revoking her privileges simple and quick.
While the reference solution was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with an energy provider’s existing tools and infrastructure.
The draft guide provides detailed example solutions using multiple products that achieve the same result, and instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration and integration.
The draft guide also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards. The guide is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants and substations. Organizations can adopt this solution, or one that adheres to these guidelines, in whole, or use the guide as a starting point for tailoring and implementing parts of a solution.