NIST SPECIAL PUBLICATION 1800-2

---

Identity and Access Management

for Electric Utilities

---

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B), and How-To Guides (C)

Jim McCarthy

Don Faatz

Harry Perper

Chris Peloquin

John Wiltberger

Leah Kauffman

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-2

The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/es-idam-nist-sp1800-2-draft.pdf

NIST SPECIAL PUBLICATION 1800-2

Identity and Access Management for Electric Utilities

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B), and How-To Guides (C)

Jim McCarthy

National Cybersecurity Center of Excellence

Information Technology Laboratory

Don Faatz

Harry Perper

Chris Peloquin

John Wiltberger

The MITRE Corporation

McLean, VA

Leah Kauffman, Editor-in-Chief

National Cybersecurity Center of Excellence

Information Technology Laboratory

July 2018

U.S. Department of Commerce

Wilbur Ross, Secretary

National Institute of Standards and Technology

Walter Copan, Undersecretary of Commerce for Standards and Technology and Director

• Volume A
  • Executive Summary
    • Challenge
    • Solution
    • Benefits
    • Share Your Feedback
    • Technology Partners/Collaborators

• Volume B
  • 1. Summary
    • 1.1. Challenge
    • 1.2. Solution
    • 1.3. Benefits
  • 2. How to Use This Guide
    • 2.1. Typographical Conventions
  • 3. Introduction
  • 4. Approach
    • 4.1. Audience
    • 4.2. Scope
    • 4.3. Assumptions
      • 4.3.1. Security
      • 4.3.2. Modularity
      • 4.3.3. Human Resources Database/Identity Vetting
      • 4.3.4. Identity Federation
      • 4.3.5. Technical Implementation
      • 4.3.6. Limited Scalability Testing
      • 4.3.7. Replication of Enterprise Network
    • 4.4. Risk Assessment
      • 4.4.1. Assessing Risk Posture
      • 4.4.2. Managing Security Risk from Converged IdAM
      • 4.4.3. Risk
      • 4.4.4. Security Control Map
    • 4.5. Technologies
  • 5. Architecture
    • 5.1. Architecture Description
      • 5.1.1. Physical Access Control System Silo
      • 5.1.2. Operational Technology Silo
      • 5.1.3. Information Technology Silo
    • 5.2. Example Solution Relationship to Use Case
    • 5.3. Core Components of the Reference Architecture
      • 5.3.1. Build #1
      • 5.3.2. Build #2
      • 5.3.3. Implementation of the Use‑Case Illustrative Scenario
    • 5.4. Supporting Components of the Reference Architecture
    • 5.5. Build #3 – An Alternative Core Component Build of the Example Solution
    • 5.6. Build Implementation Description
      • 5.6.1. Build Architecture Components Overview
      • 5.6.2. Build Network Components
      • 5.6.3. Operational Technology Network
      • 5.6.4. Information Technology Network
      • 5.6.5. Physical Access and Control System Network
      • 5.6.6. Identity and Access Management Network
      • 5.6.7. Access Authorization Information Flow and Control Points
    • 5.7. Data
    • 5.8. Security Characteristics Related to NERC CIP Version 5
    • 5.9. Evaluation of Security Characteristics
      • 5.9.1. Scope
      • 5.9.2. Security Characteristics Evaluation Assumptions and Limitations
      • 5.9.3. Example Solution Analysis
      • 5.9.4. Security Characteristics Addressed
      • 5.9.5. Assessment of Reference Architecture
      • 5.9.6. Security Recommendations
      • 5.9.7. Security Characteristics Evaluation Summary
  • 6. Functional Evaluation
    • 6.1. IdAM Functional Test Plan
    • 6.2. IdAM Use‑Case Requirements
    • 6.3. Test Case IdAM-1
    • 6.4. Test Case IdAM-2
    • 6.5. Test Case IdAM-3

• Volume C
  • 1. Introduction
    • 1.1. Practice Guide Structure
    • 1.2. Typographical Conventions
  • 2. Build Overview
    • 2.1. Build Implementation Overview
    • 2.2. Build Implementation Descriptions
    • 2.3. IP Network Address Assignments
  • 3. Build Infrastructure
    • 3.1. Operating Systems
      • 3.1.1. Windows Installation and Hardening Details
      • 3.1.2. SUSE Linux Enterprise Server 11 Installation and Hardening Details
      • 3.1.3. Base Linux Installation and Hardening Details
    • 3.2. Firewall Configurations
    • 3.3. Network Services
      • 3.3.1. IT Network – Network Services (AD and Certificate Authority) Installation and Configuration Settings
      • 3.3.2. OT Network – Network Services (AD, DNS Server, and Certificate Authority) Installation and Configuration Settings
      • 3.3.3. PACS Network – Network Services (AD, DNS Server, and Certificate Authority) Installation and Configuration Settings
      • 3.3.4. IdAM Network – Network Services (DNS Server) Installation and Configuration Settings
  • 4. Remote Terminal Units
    • 4.1. Transmission-Control-Protocol/Internet-Protocol RTU
    • 4.2. Serial RTU
  • 5. Identity Services Engine and TrustSec‑Enabled Switch: Cisco
    • 5.1. Security Characteristics
    • 5.2. Pre-Installation Task
    • 5.3. Install and Configure
  • 6. Identity Manager: CA Technologies Installation – Build #1
    • 6.1. Security Characteristics
    • 6.2. Installation Prerequisites
    • 6.3. Install CA Directory
    • 6.4. Install CA Identity Manager
    • 6.5. Create the Sample NeteAuto Directory
    • 6.6. Create the Provisioning Directory
    • 6.7. Create the NeteAuto Environment
    • 6.8. Configure Connection to AlertEnterprises Database
    • 6.9. Policy Xpress Policy Review
    • 6.10. Update Create User and Modify User Screens
    • 6.11. Install Active Directory Certificate
    • 6.12. Acquire Active Directory Endpoint
    • 6.13. Explore and Correlate Active Directory
    • 6.14. Create the Active Directory Account Template and Provisioning Role
    • 6.15. Modify Create AE User Policy to Include the New Provisioning Role
    • 6.16. Add Workflow Control Over Create User and Any Other Task as Desired
    • 6.17. Test Creation of a User Manually
    • 6.18. Test Creation of a User with a CSV file
  • 7. Identity Management and Governance: RSA (Build #2)
    • 7.1. Security Characteristics
    • 7.2. IMG Installation
    • 7.3. IMG Configuration and Integration with Directories
      • 7.3.1. Set Up Custom Attributes
      • 7.3.2. Set Up Organization Users
      • 7.3.3. Populate the HR Directory
      • 7.3.4. Configure Adaptive Directory Container
      • 7.3.5. Create an Account Collector
      • 7.3.6. Edit the Unification Configuration Participating Collectors
      • 7.3.7. Edit User Attribute Source
      • 7.3.8. Edit Unification Configuration Attribute Source
      • 7.3.9. Start Data Collection
      • 7.3.10. Review Data Collected
      • 7.3.11. Configure Business Rules
      • 7.3.12. Create Automated Rules
      • 7.3.13. Create Provisioning Template
      • 7.3.14. Configure AFX Module
      • 7.3.15. Configure Adaptive Directory to Use AFX Connector
      • 7.3.16. Adding a New User
      • 7.3.17. Moving a User
      • 7.3.18. Terminating a User
      • 7.3.19. User Attribute Synchronization
  • 8. Adaptive Directory: RSA (Build #2)
    • 8.1. Security Characteristics
    • 8.2. RSA Adaptive Directory Is Installed on the IdAM Network, on a VM That Is Running CentOS 7
    • 8.3. Additional Steps Required After Installation Is Complete
    • 8.4. Custom Attribute Configuration
    • 8.5. RSA Adaptive Directory Optimization and Tuning
      • 8.5.1. Disable Referral Chasing
      • 8.5.2. Limit Attributes Requested from the LDAP Backend
      • 8.5.3. Process Joins and Computed Attributes Only When Necessary
      • 8.5.4. Use the Client Sizelimit Value to Query the Backend
  • 9. Enterprise Guardian: AlertEnterprise
    • 9.1. Security Characteristics
    • 9.2. Installation on Tomcat and Windows
      • 9.2.1. Installation Prerequisites
      • 9.2.2. Pre-Installation Verification
      • 9.2.3. Installing Mandatory Software Applications
      • 9.2.4. Deploying the Application
    • 9.3. AlertEnterprise Application Configurations for the RSA Build
      • 9.3.1. System Type Import of DB Connector
      • 9.3.2. System Type Parameters of DB Connector
      • 9.3.3. Identity & Access– User Field Mapping
    • 9.4. AlertEnterprise Enterprise Guardian Configuration for the CA Build
      • 9.4.1. System Type Import of DB Connector
      • 9.4.2. System Type Parameters of DB Connector
      • 9.4.3. Create System Connectors for all Target Systems
      • 9.4.4. Identity & Access > User Field Mapping
  • 10. PACS Server: RS2 Access It! Universal Server Installation
    • 10.1. Security Characteristics
    • 10.2. System Environment
    • 10.3. AIUNIVERSAL Installation
    • 10.4. Post Installation
      • 10.4.1. Connect Access It! Universal to Door Controller
      • 10.4.2. Enable TCP/IP to SQL 2008 R2 Server
  • 11. Privileged User Access Control: TDi ConsoleWorks Server Installation
    • 11.1. Security Characteristics
    • 11.2. ConsoleWorks Server Installation
      • 11.2.1. System Environment
      • 11.2.2. ConsoleWorks Server Installation on the OT Network
      • 11.2.3. Post-Installation Configuration of ConsoleWorks on the OT Network
      • 11.2.4. Configuring External Authentication for the OT Network ConsoleWorks Server
  • 12. ICS/SCADA Firewall: RADiFlow
    • 12.1. Security Characteristics
    • 12.2. OT Network RADiFlow Management Workstation Installation
      • 12.2.1. Installing iSIM
      • 12.2.2. iEMS
  • 13. Ozone: MAG Installation
    • 13.1. Security Characteristics
    • 13.2. Ozone Console Installation and Authority Configuration
    • 13.3. Ozone Authority Installation
    • 13.4. Ozone Console Server Configuration
    • 13.5. Ozone Server Installation
    • 13.6. Ozone Envoy Installation
    • 13.7. Ozone Console Envoy Configuration
  • 14. Physical Access Control: XTec XNode
    • 14.1. Security Characteristics
  • 15. Enterprise Public-Key-Infrastructure Platform: GlobalSign
    • 15.1. Overview
      • 15.1.1. Managing the Account
      • 15.1.2. What Is a Profile? / Profile Management
      • 15.1.3. What Is a License?
    • 15.2. Security Characteristics
    • 15.3. How To Order Certificates
      • 15.3.1. Step 1: Get a GlobalSign GCC Account
      • 15.3.2. Step 2: Order Certificate License Pack
      • 15.3.3. Step 3: Set Up Organization Profile
      • 15.3.4. Step 4: Vetting
      • 15.3.5. Step 5: Register for Your EPKI Administrator Certificate
      • 15.3.6. Step 6: Register and Issue Certificates to Individual Users
    • 15.4. GlobalSign’s Identity and Access Management Solution for Managing External Users
    • 15.5. Getting Help
  • 16. Industrial Firewall: Schneider Electric
  • 17. Operating System STIG Compliance Reports
    • 17.1. SQL Server on IdAM Network STIG Compliance Report
    • 17.2. RSA IMG SUSE Linux Server STIG Compliance Report
      • 17.2.1. Evaluation Characteristics
      • 17.2.2. Compliance and Scoring
      • 17.2.3. Rule Results
      • 17.2.4. Severity of Failed Rules
      • 17.2.5. Score
    • 17.3. RSA Adaptive Directory CentOS 7 Server STIG Compliance Report
      • 17.3.1. Test Result
      • 17.3.2. Target Information
      • 17.3.3. Score
      • 17.3.4. Rule Results Summary
    • 17.4. AlertEnterprise Microsoft Server STIG Compliance Report
      • 17.4.1. Score
      • 17.4.2. System Information
      • 17.4.3. Results
    • 17.5. IT Domain Controller STIG Compliance Report
      • 17.5.1. Score
      • 17.5.2. System Information
      • 17.5.3. Results
    • 17.6. IT Windows 7 Workstations STIG Compliance Report
      • 17.6.1. Score
      • 17.6.2. System Information
      • 17.6.3. Results
    • 17.7. Ozone Authority and Ozone Server CentOS 6 Server STIG Compliance Report
      • 17.7.1. Test Result
      • 17.7.2. Target Information
      • 17.7.3. Score
      • 17.7.4. Rule Results Summary
    • 17.8. Ozone Envoy CentOS 6 Server STIG Compliance Report
      • 17.8.1. Test Result
      • 17.8.2. Target Information
      • 17.8.3. Score
      • 17.8.4. Rule Results Summary
    • 17.9. OT Domain Controller STIG Compliance Report
      • 17.9.1. Score
      • 17.9.2. System Information
      • 17.9.3. Results
      • 17.9.4. OT ConsoleWorks Windows Server 2012 STIG Compliance Report
      • 17.9.5. Score
      • 17.9.6. System Information
      • 17.9.7. Results
    • 17.10. OT Windows 7 Workstations STIG Compliance Report
      • 17.10.1. Score
      • 17.10.2. System Information
      • 17.10.3. Results
    • 17.11. PACS Domain Controller STIG Compliance Report
      • 17.11.1. Score
      • 17.11.2. System Information
      • 17.11.3. Stream Information
      • 17.11.4. Results
    • 17.12. PACS Console Windows Server 2012 STIG Compliance Report
      • 17.12.1. Score
      • 17.12.2. System Information
      • 17.12.3. Results
    • 17.13. Baseline CentOS 7 Linux Configuration
      • 17.13.1. Baseline CentOS 7 Configuration Files
      • 17.13.2. Audit.rules File Contents
      • 17.13.3. Audit.conf File Contents
      • 17.13.4. iptables File Contents
      • 17.13.5. Password_auth-ac File Contents
      • 17.13.6. rules_d-audi.rules File Contents
      • 17.13.7. Sysctl.conf Files Contents
      • 17.13.8. system-auth File Contents
      • 17.13.9. system-auth-ac File Contents
    • 17.14. Baseline CentOS 7 STIG Compliance
      • 17.14.1. Test Result
      • 17.14.2. Target Information
      • 17.14.3. Score
      • 17.14.4. Rule Results Summary