The NCCoE released the NIST Cybersecurity Practice Guide, SP 1800-2, Identity and Access Management for Electric Utilities. For ease of use, the draft guide is available to download or read in volumes.
To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including substations, equipment, and IT and OT resources. They must authenticate authorized individuals to these devices and facilities with a high degree of certainty. In addition, they need to enforce access control policies (e.g., allow, deny, inquire further) consistently, uniformly, and quickly across all their facilities.
In this project, the NCCoE demonstrates a converged, standards-based technical approach that unifies identity and access management (IdAM) functions across OT networks, physical access control systems, and IT systems. These networks often operate independently, which can result in identity and access information disparity, increased costs, inefficiencies, and a loss of capacity and service delivery capability. Also, these networks support different infrastructures, each with unique security risks. A converged IdAM solution can help effectively secure a utility’s complex infrastructure.
This NIST Cybersecurity Practice Guide provides a modular, end-to-end example solution of a converged IdAM system that can be tailored and implemented by energy providers of varying sizes and levels of IT sophistication. It shows energy providers how we met the IdAM security challenge using open-source and commercially available tools and technologies that are consistent with cybersecurity and NERC CIP standards.
Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.
A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. We communicate regularly with members through email or web conference calls, and participation is voluntary. Share your expertise and consider becoming a member of this project's COI.