Guide to Cut Cyber Risk for Energy Firms

Friday, August 28, 2015 @ 04:08 PM gHale

A draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology and industrial control systems, is now ready, and the National Cybersecurity Center of Excellence (NCCoE) is seeking comments.

The center, part of the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), works with IT developers and providers to help businesses reduce their cyber risk.

Five percent of the cyber security incidents the Industrial Control Systems Cyber Emergency Response Team responded to in fiscal year 2014 were tied to weak authentication, according to the U.S. Department of Homeland Security (DHS). Another four percent were linked to abuse of access authority. The guide, “Identity and Access Management for Electric Utilities,” could help energy companies reduce their risk by showing them how they can control access to facilities and devices from a single console.

“The guide demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management,” said Donna Dodson, director of the NCCoE. “It provides step-by-step instructions to help organizations as they tackle the challenges of identity and access management.”

To develop the guide, NCCoE researchers met with representatives from the energy sector to identify their cyber security challenges.

Often, identity management is split across numerous departments within a single company. For example, different people and systems control the company’s information technology (e.g., business systems), operational technology (which controls the production and distribution of energy), and physical access to facilities. Yet unauthorized access to any one of these systems could affect the entire company.

This decentralization of identity management makes it difficult to trace the sources of attack or disruption, and to establish accountability.

The draft guide includes two versions of an end-to-end identity management solution that provides access control capabilities to reduce opportunities for cyber attack or human error. It also takes into account the risks that centralized control can present.

In collaboration with experts from the energy sector (mainly electric power companies) and those who provide equipment and services to them, NCCoE staff developed a use case scenario to describe a security challenge based on normal day-to-day business operations.

The scenario centers on a utility technician who has access to several physical substations and to the remote terminal units connected to the company’s network in those substations. She leaves the company and her privileges need revoking, but without a centralized identity management system, managing a routine event like this one becomes cumbersome and time-consuming, and any access the separate IT, OT or facilities teams forget to remove stays live. A centralized access control system would make changing or revoking her privileges simple and quick.
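The offboarding scenario above, as an added example that is not part of the NCCoE draft guide or of this article: a toy Python model of three siloed access systems (physical badges, the IT directory and OT device accounts) beside a central identity store that revokes across all of them in one step and records who did it. The system names, the user ID tech01, the resource names and the audit-record layout are constructed assumptions. The reconciliation check, orphaned_access, is the part a practitioner can reuse as-is, since it flags live grants for identities that are no longer active regardless of how offboarding is done.

```python
# Added example, not code from the NCCoE guide. Models the substation
# technician scenario: siloed per-department revocation versus one central
# identity store driving every connected system. All names are constructed.
from typing import Dict, List, Set, Tuple

AuditRecord = Tuple[str, str, str, int]  # (actor, action, target, grants removed)


class AccessSystem:
    """One silo: physical access control, the IT directory, or OT device logins."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.grants: Dict[str, Set[str]] = {}  # user_id -> resources granted

    def grant(self, user_id: str, resource: str) -> None:
        self.grants.setdefault(user_id, set()).add(resource)

    def revoke_all(self, user_id: str) -> int:
        """Remove every grant for user_id; returns the number removed."""
        return len(self.grants.pop(user_id, set()))

    def users_with_access(self) -> Set[str]:
        return {u for u, res in self.grants.items() if res}


def orphaned_access(status: Dict[str, str], systems: List[AccessSystem]) -> Set[Tuple[str, str]]:
    """Reconciliation: (system, user) pairs still granted to a non-active identity.

    This is the check that exposes the decentralized failure mode: HR marks a
    person terminated, but some silo never heard about it.
    """
    return {
        (system.name, user)
        for system in systems
        for user in system.users_with_access()
        if status.get(user) != "active"
    }


class CentralIdAM:
    """Single source of truth for identity status, driving all connected silos."""

    def __init__(self, systems: List[AccessSystem]) -> None:
        self.systems = systems
        self.status: Dict[str, str] = {}  # user_id -> "active" | "terminated"
        self.audit: List[AuditRecord] = []

    def onboard(self, actor: str, user_id: str) -> None:
        self.status[user_id] = "active"
        self.audit.append((actor, "onboard", user_id, 0))

    def offboard(self, actor: str, user_id: str) -> None:
        """One action revokes across every silo and attributes it to the actor."""
        self.status[user_id] = "terminated"
        for system in self.systems:
            removed = system.revoke_all(user_id)
            self.audit.append((actor, f"revoke:{system.name}", user_id, removed))


def build_silos() -> Dict[str, AccessSystem]:
    """Constructed environment: one technician with access in all three silos."""
    silos = {name: AccessSystem(name) for name in ("physical", "it", "ot")}
    silos["physical"].grant("tech01", "substation-A-door")
    silos["physical"].grant("tech01", "substation-B-door")
    silos["it"].grant("tech01", "corp-email")
    silos["ot"].grant("tech01", "rtu-substation-A")
    silos["ot"].grant("tech01", "rtu-substation-B")
    return silos


def siloed_offboarding() -> Set[Tuple[str, str]]:
    """Decentralized case: HR notifies IT and facilities, but nobody owns the OT step."""
    silos = build_silos()
    hr_status = {"tech01": "terminated"}  # HR record is updated...
    silos["it"].revoke_all("tech01")      # ...IT cleans its own directory,
    silos["physical"].revoke_all("tech01")  # facilities pulls the badge,
    # ...and the OT team never gets the ticket, so the RTU logins stay live.
    return orphaned_access(hr_status, list(silos.values()))


def centralized_offboarding() -> Tuple[Set[Tuple[str, str]], List[AuditRecord]]:
    """Centralized case: one offboard call drives every silo and leaves an audit trail."""
    silos = build_silos()
    idam = CentralIdAM(list(silos.values()))
    idam.onboard("hr", "tech01")
    idam.offboard("hr", "tech01")
    return orphaned_access(idam.status, idam.systems), idam.audit


if __name__ == "__main__":
    print("siloed orphans:", siloed_offboarding())
    orphans, audit = centralized_offboarding()
    print("centralized orphans:", orphans)
    for record in audit:
        print(record)
```

The audit list is also what makes the centralized design answer the accountability problem the article raises: every revocation carries the actor and the count of grants it removed, so a later investigation can see which silo was touched, when, and by whom. The check in orphaned_access is worth running on a schedule even after centralizing, because a silo that is enrolled by hand or restored from backup can still drift away from the identity store.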

While the reference solution was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can integrate quickly and cost-effectively with an energy provider’s existing tools and infrastructure.

The draft guide provides detailed example solutions using multiple products that achieve the same result, and instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration and integration.

The draft guide also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. The guide is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants and substations. They can adopt this solution or one that adheres to these guidelines in whole, or use the guide as a starting point for tailoring and implementing parts of a solution.

Comments should be submitted via an online form or to by October 23.