“How To” Guide for ID and Access Management in the Electric Industry

By: William Jackson
August 28, 2015


A NIST panel, working with the electric industry, has developed a guide for centralizing ID and access management to better protect the evolving Smart Grid from online and internal threats.

As the electric power industry upgrades its legacy systems to an interactive Smart Grid that enables remote monitoring and a two-way flow of information, vulnerabilities can be introduced that threaten the security of this critical infrastructure. A NIST panel has developed a cybersecurity practice guide to help the industry control access to its systems.

The National Cybersecurity Center of Excellence (NCCoE) has released a draft of the guide for public comment. Developed in cooperation with the electric power industry, Special Publication 1800-2 offers two versions of an off-the-shelf end-to-end identity management solution that provides effective access control capabilities.

According to the Homeland Security Department, nearly 10 percent of incidents reported to the Industrial Control Systems Cyber Emergency Response Team are the result of weak authentication or abuse of access privileges.

“Our conversations with utility company employees confirmed that current identity and access management (IdAM) implementations are often decentralized and controlled by numerous departments within a company,” the authors of the NCCoE guide write. These siloed systems can increase the risk of service disruptions caused by online attack, insider threats or human error, and they complicate accountability. With no central management, even simple tasks such as provisioning and de-provisioning access privileges for employees who join and leave the organization become complicated.

“Electric companies need to be able to control access to their networked resources,” the authors write. “We show how an electric utility can implement a centralized IdAM platform to provide a comprehensive view of all users…using commercially available products.”

As a non-regulatory agency, NIST does not oversee cybersecurity controls in industry. But it cooperates in the development of standards, best practices and technical specifications that can be used in the private sector as well as in government.

The guide maps its IdAM solution to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards. It includes:

  • A detailed example solution using commercially available products that are interoperable with existing IT infrastructure;
  • A demonstrated approach using different products to achieve the same result; and
  • Instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration, and integration.

The demonstrated solution is modular and intended to be suitable for organizations of all sizes, including corporate and regional business offices, power generation plants, and substations. Benefits of implementing a centralized IdAM solution include:

  • Reduced risk of unauthorized access to critical infrastructure components,
  • Rapid provisioning and de-provisioning of access privileges so IT personnel can spend more time on critical tasks,
  • Improved situational awareness of access privileges and authorizations,
  • Improved security posture by tracking and auditing access requests and other IdAM activity across all networks, and
  • Enhanced productivity and improved delivery of services.

Comments on the draft of Identity and Access Management for Electric Utilities should be sent by Oct. 23 to energy_nccoe@nist.gov.