Friday, September 4, 2015

NIST Cybersecurity Practice Guide - Identity & Access Management for Electric Utilities

In late August 2015, the National Cybersecurity Center of Excellence (NCCoE) at the US National Institute of Standards and Technology (NIST) developed and released a set of draft documents entitled Identity and Access Management for Electric Utilities. A "snapshot view" of the covers of these three documents is shown below.


https://nccoe.nist.gov/projects/use_cases/idam 

The NCCoE collaborated with experts from the energy sector to develop a use-case scenario based on day-to-day operations and worked with technology vendors to develop example solutions demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick.

The practice guide provides instructions on how to achieve a centralized identity and access management system and includes examples of all the necessary components and installation, configuration, and integration. The guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards.

The guide:
  • maps security characteristics to guidance and best practices from NIST and other standards organizations, and to NERC CIP standards
  • provides:
    • a detailed example solution with capabilities that address security controls
    • a demonstrated approach using multiple products that achieve the same result
    • instructions for implementers and security engineers, including examples of all the necessary components and installation, configuration, and integration
  • uses products that are readily available and interoperable with your existing information technology infrastructure and investments
  • is modular and suitable for organizations of all sizes, including corporate and regional business offices, power generation plants, and substations

The documents can be found and downloaded at the URL listed above in the caption.

Call to Action

NIST and the NCCoE are asking for comments on these documents. The comment period closes October 23, 2015. You can submit comments through the Web form via this link.