Identity and Access Management (IdAM)

Many utilities have separate identity and access management (IdAM) systems for access to IT and operational technology (OT) systems, substations, and equipment. Absent a central system to manage access to all critical resources, utilities open themselves to security risks.  

Cybersecurity guidance helping energy companies manage the people and things accessing their resources and facilities

The NCCoE developed an example solution that electric utilities can use to centrally manage access to the networked devices and facilities on which power generation, transmission, and distribution depend. Our solution uses commercially available products to demonstrate a converged IdAM platform. This platform provides a comprehensive view of users across all the entity’s business and utility operation silos, and of the access rights granted to those users.
Status: Finalized Practice Guide

The NCCoE released the NIST Cybersecurity Practice Guide, SP 1800-2, Identity and Access Management for Electric Utilities. For ease of use, the draft guide is available to download or read in volumes.

Project Abstract

To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including substations, equipment, and IT and OT resources. They must authenticate authorized individuals to these devices and facilities with a high degree of certainty. In addition, they need to enforce access control policies (e.g., allow, deny, inquire further) consistently, uniformly, and quickly across all their facilities.  

In this project, the NCCoE demonstrates a converged, standards-based technical approach that unifies identity and access management (IdAM) functions across OT networks, physical access control systems, and IT systems. These networks often operate independently, which can result in identity and access information disparity, increased costs, inefficiencies, and a loss of capacity and service delivery capability. Also, these networks support different infrastructures, each with unique security risks. A converged IdAM solution can help effectively secure a utility’s complex infrastructure.  
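To make the converged-view idea concrete, here is an added illustration (my own sketch, not the NCCoE reference design or any vendor's product): one policy decision point that returns the allow/deny/inquire outcomes named above for an identity record shared across the OT, physical access control (pacs), and IT silos, plus a reconciliation check that surfaces silo accounts the central record no longer authorizes. The silo names, resource classes, roles, and sample users are constructed.

```python
# Added illustration (not NCCoE's reference design): a single policy decision
# point over one converged identity record, plus a reconciliation check that
# finds silo accounts the central directory no longer authorizes.
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INQUIRE = "inquire further"  # e.g. step-up authentication or human approval

@dataclass
class Identity:
    user_id: str
    active: bool
    roles: set = field(default_factory=set)
    silos: set = field(default_factory=set)  # silos (it/ot/pacs) this person is provisioned to

# Constructed policy: which roles may reach which resource class in which silo
POLICY = {
    ("ot", "substation_rtu"): {"relay_tech"},
    ("pacs", "substation_door"): {"relay_tech", "field_ops"},
    ("it", "outage_mgmt"): {"dispatcher"},
}

def decide(identity: Identity, silo: str, resource: str) -> Decision:
    if not identity.active:
        return Decision.DENY        # one central off-switch covers every silo
    if silo not in identity.silos:
        return Decision.INQUIRE     # identity is known, but was never provisioned here
    if identity.roles & POLICY.get((silo, resource), set()):
        return Decision.ALLOW
    return Decision.DENY

def stale_accounts(directory: dict, silo_accounts: dict) -> set:
    """Local accounts a silo still holds for people the converged directory
    no longer authorizes there: inactive, unknown, or not provisioned to it."""
    stale = set()
    for silo, ids in silo_accounts.items():
        for uid in ids:
            ident = directory.get(uid)
            if ident is None or not ident.active or silo not in ident.silos:
                stale.add((silo, uid))
    return stale

# Constructed sample data: asmith has left but still has local accounts
DIRECTORY = {
    "jdoe": Identity("jdoe", True, {"relay_tech"}, {"ot", "pacs"}),
    "asmith": Identity("asmith", False, {"dispatcher"}, {"it"}),
}
SILO_ACCOUNTS = {"ot": {"jdoe"}, "pacs": {"jdoe", "asmith"}, "it": {"asmith", "svc_old"}}
```

Running `stale_accounts(DIRECTORY, SILO_ACCOUNTS)` on this data flags asmith's lingering PACS and IT accounts and the orphaned `svc_old` account, which is exactly the access-information disparity that separate, unreconciled IdAM systems leave behind.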

This NIST Cybersecurity Practice Guide provides a modular, end-to-end example solution of a converged IdAM system that can be tailored and implemented by energy providers of varying sizes and levels of IT sophistication. It shows energy providers how we met the IdAM security challenge using open-source and commercially available tools and technologies that are consistent with cybersecurity and NERC CIP standards.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. We communicate regularly with members through email or web conference calls, and participation is voluntary. Share your expertise and consider becoming a member of this project's COI.
