Situational Awareness

Electric utilities rely on networked operational technology (OT) to control the generation, transmission, and distribution of power. While there are many useful products on the market for monitoring enterprise networks for possible security events, these products tend to be an imperfect fit for the unusual requirements of industrial control system (ICS) networks. 

Cybersecurity guidance helping energy companies capture, transmit, analyze, and store real-time or near real-time security event data from across both IT and ICS networks and systems

To improve the security of IT and OT, including industrial control systems, energy companies need mechanisms to capture, transmit, analyze and store real-time or near-real-time data from these networks and systems. With such mechanisms in place, energy providers can more readily detect and remediate anomalous conditions, investigate the chain of events that led to the anomalies, and share findings with other energy companies. Obtaining real-time and near-real-time data from networks also has the benefit of helping to demonstrate compliance with information security standards.

Status: Finalized Practice Guide

The NCCoE released a final version of the NIST Cybersecurity Practice Guide, Situational Awareness for Electric Utilities. For ease of use, the guide is available in volumes.

Project Abstract

The monitoring model used by some electric utilities includes separate physical, operational, and IT silos, a practice that lacks efficiency and can negatively affect response time to incidents.  

The NCCoE has developed Situational Awareness for Electric Utilities to augment existing and disparate physical, operational, and IT situational awareness efforts by using commercial and open-source products to collect and converge monitoring information across these silos. The aggregated and correlated information is analyzed, and relevant alerts are provided to each domain’s monitoring capabilities, improving the situational awareness of security analysts. The converged data can facilitate a more effective, efficient, and appropriate response to an event, compared with a response that relies on isolated data.  

The NCCoE sought existing technologies that provided the following capabilities:  

  • security information and event management (SIEM) or log analysis software  

  • ICS equipment (e.g., remote terminal units, programmable logic controllers and relays) along with associated software and communications equipment (e.g., radios and encryptors)  

  • “bump-in-the-wire” devices for augmenting operational technology with encrypted communication and logging capabilities  

  • software for collecting, analyzing, visualizing, and storing operational control data (e.g., historians, outage management systems, distribution management systems, human-machine interfaces)  

  • products that ensure the integrity and accuracy of data collected from remote facilities  

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. We communicate regularly with members through email or web conference calls, and participation is voluntary. Share your expertise and consider becoming a member of this project's COI.
