Identity and Access Management (IdAM) for the Energy Sector

Many utilities have separate identity and access management (IdAM) systems for access to information technology (IT) and operational technology (OT) systems, substations, and equipment. Absent a central system to manage access to all critical resources, utilities open themselves to security risks.  

Cybersecurity guidance helping energy companies manage the people and things accessing their resources and facilities

The NCCoE developed an example solution that electric utilities can use to centrally manage access to the networked devices and facilities on which power generation, transmission, and distribution depend. Our solution uses commercially available products to demonstrate a converged IdAM platform. This platform provides a comprehensive view of users across all the entity’s business and utility operation silos, and of the access rights granted to those users.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-2: Complete Guide (HTML), web version
NIST SP 1800-2: Complete Guide (PDF), document version
NIST SP 1800-2A: Executive Summary, document version
NIST SP 1800-2B: Approach, Architecture, and Security Characteristics, document version

Project Abstract

To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including substations, equipment, and IT and OT resources. They must authenticate authorized individuals to these devices and facilities with a high degree of certainty. In addition, they need to enforce access control policies (e.g., allow, deny, inquire further) consistently, uniformly, and quickly across all their facilities.  

In this project, the NCCoE demonstrates a converged, standards-based technical approach that unifies identity and access management (IdAM) functions across OT networks, physical access control systems, and IT systems. These networks often operate independently, which can result in identity and access information disparity, increased costs, inefficiencies, and a loss of capacity and service delivery capability. Also, these networks support different infrastructures, each with unique security risks. A converged IdAM solution can help effectively secure a utility’s complex infrastructure.  

This NIST Cybersecurity Practice Guide provides a modular, end-to-end example solution of a converged IdAM system that can be tailored and implemented by energy providers of varying sizes and levels of IT sophistication. It shows energy providers how we met the IdAM security challenge using open-source and commercially available tools and technologies that are consistent with cybersecurity and NERC CIP standards.



Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest


A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
