Practice Guide for Utilities from NIST

Tuesday, September 1, 2015 @ 03:09 PM gHale

Electric utilities are growing targets for cyber attacks, and the industry continues to face mounting challenges in keeping itself safe and secure.

That is why the National Cybersecurity Center of Excellence (NCCoE) just released “Identity and Access Management for Electric Utilities, NIST Special Publication 1800-2” for public comment.


The U.S. Department of Homeland Security reported that 5 percent of the cyber security incidents its Industrial Control Systems Cyber Emergency Response Team responded to in fiscal year 2014 were tied to weak authentication. Four percent were tied to abuse of access authority. The guide could help energy companies reduce their risk by showing them how they can control access to facilities and devices from a single console.

“The guide demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management,” said Donna Dodson, director of the NCCoE. “It provides step-by-step instructions to help organizations as they tackle the challenges of identity and access management.”

The guide addresses one of the key cyber security challenges faced by utilities today — identity and access management (IdAM).

Quite a few utilities have decentralized IdAM systems, which are controlled by numerous departments. Among the potential negative outcomes of this situation are:
• An increased risk of attack and service disruption
• An inability to identify potential sources of a problem or attack
• A lack of overall traceability and accountability regarding who has access to critical and noncritical assets

Security experts at NCCoE collaborated with the energy sector and technology vendors to develop an example solution to help energy companies better manage and control who has access to their networked resources, including buildings, equipment, information technology, and industrial control systems, using a centralized platform.

This practice guide provides IT implementers and security engineers with a detailed architecture so they can recreate the security characteristics of the example solution with the same or similar technologies. The solution relies upon NIST standards, best practices, and industry regulations, including the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP).

NCCoE is seeking comments on the draft guide — the approach, the architecture, and possible alternatives. The comment period is open through October 23, 2015. Comments will be public after review and can be submitted anonymously. Submit comments online or via email to

NCCoE is a public-private collaboration for accelerating the widespread adoption of integrated cyber security tools and technologies, established by NIST in 2012.