Asset Management

Energy companies face many challenges in cybersecurity asset management, from aggregating disparate data sets to setting up real-time visibility into operational technology (OT) assets in a fluid environment. Without an effective asset management solution, organizations may unnecessarily expose themselves to cybersecurity risks.

An example cybersecurity solution helping utilities and the oil and gas industry better manage their OT assets

Keeping track of OT resources is often a manual, error-prone process. To remain fully operational, energy sector organizations should be able to effectively identify, control, and monitor all their OT assets. Through this project, the NCCoE supplies guidance on how to enhance OT asset management practices by using capabilities that may already exist in an energy organization’s operating environment, as well as implementing new capabilities. The guide describes methods for managing, monitoring, and baselining assets, along with alerting capabilities to help identify threats to these OT assets.
Status: Finalized Practice Guide

The NCCoE released the NIST Cybersecurity Practice Guide, SP 1800-23, Energy Sector Asset Management. For ease of use, the final guide is available to download or read in volumes.

Project Abstract

Energy companies own, run, and support critical OT assets that have unique requirements for availability and reliability. These assets must be monitored and managed to reduce the risk of cyber attacks on ICS-networked environments. Key factors in strengthening OT asset management capabilities include knowing which tools can collect asset information and what type of communications infrastructure is needed to send this information. 

The capabilities demonstrated in this NCCoE cybersecurity practice guide were selected to address several key tenets of asset management: establish a baseline of known assets; establish a dynamic asset management platform that can alert operators to changes in the baseline; capture as many attributes about the assets as possible via the automated capabilities implemented.  

In addition to these key tenets, this practice guide offers methods of asset management that address particular challenges in an OT environment, including the need to: account for geographically dispersed and remote assets; have a consolidated view of the sum total of OT assets; be able to readily identify an asset’s disposition, or level of criticality, in the overall operational environment. 

Key factors in strengthening OT asset management capabilities include knowing which tools can collect asset information and what type of communications infrastructure is needed to send this information.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. We communicate regularly with members through email or web conference calls, and participation is voluntary. Share your expertise and consider becoming a member of this project's COI.

Request to Join
Employee speaking on video call with colleagues on online briefing with laptop at home