NIST SPECIAL PUBLICATION 1800-2
Identity and Access Management
for Electric Utilities
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jim McCarthy
Don Faatz
Harry Perper
Chris Peloquin
John Wiltberger
Leah Kauffman
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-2
The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/es-idam-nist-sp1800-2-draft.pdf
Jim McCarthy
National Cybersecurity Center of Excellence
Information Technology Laboratory
Don Faatz
Harry Perper
Chris Peloquin
John Wiltberger
The MITRE Corporation
McLean, VA
Leah Kauffman, Editor-in-Chief
National Cybersecurity Center of Excellence
Information Technology Laboratory
July 2018
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter Copan, Under Secretary of Commerce for Standards and Technology and Director
- Volume B
- 1. Summary
- 2. How to Use This Guide
- 3. Introduction
- 4. Approach
- 5. Architecture
- 5.1. Architecture Description
- 5.2. Example Solution Relationship to Use Case
- 5.3. Core Components of the Reference Architecture
- 5.4. Supporting Components of the Reference Architecture
- 5.5. Build #3 – An Alternative Core Component Build of the Example Solution
- 5.6. Build Implementation Description
- 5.6.1. Build Architecture Components Overview
- 5.6.2. Build Network Components
- 5.6.3. Operational Technology Network
- 5.6.4. Information Technology Network
- 5.6.5. Physical Access and Control System Network
- 5.6.6. Identity and Access Management Network
- 5.6.7. Access Authorization Information Flow and Control Points
- 5.7. Data
- 5.8. Security Characteristics Related to NERC CIP Version 5
- 5.9. Evaluation of Security Characteristics
- 6. Functional Evaluation
- Volume C
- 1. Introduction
- 2. Build Overview
- 3. Build Infrastructure
- 3.1. Operating Systems
- 3.2. Firewall Configurations
- 3.3. Network Services
- 3.3.1. IT Network – Network Services (AD and Certificate Authority) Installation and Configuration Settings
- 3.3.2. OT Network – Network Services (AD, DNS Server, and Certificate Authority) Installation and Configuration Settings
- 3.3.3. PACS Network – Network Services (AD, DNS Server, and Certificate Authority) Installation and Configuration Settings
- 3.3.4. IdAM Network – Network Services (DNS Server) Installation and Configuration Settings
- 4. Remote Terminal Units
- 5. Identity Services Engine and TrustSec-Enabled Switch: Cisco
- 6. Identity Manager: CA Technologies Installation – Build #1
- 6.1. Security Characteristics
- 6.2. Installation Prerequisites
- 6.3. Install CA Directory
- 6.4. Install CA Identity Manager
- 6.5. Create the Sample NeteAuto Directory
- 6.6. Create the Provisioning Directory
- 6.7. Create the NeteAuto Environment
- 6.8. Configure Connection to AlertEnterprises Database
- 6.9. Policy Xpress Policy Review
- 6.10. Update Create User and Modify User Screens
- 6.11. Install Active Directory Certificate
- 6.12. Acquire Active Directory Endpoint
- 6.13. Explore and Correlate Active Directory
- 6.14. Create the Active Directory Account Template and Provisioning Role
- 6.15. Modify Create AE User Policy to Include the New Provisioning Role
- 6.16. Add Workflow Control Over Create User and Any Other Task as Desired
- 6.17. Test Creation of a User Manually
- 6.18. Test Creation of a User with a CSV file
- 7. Identity Management and Governance: RSA (Build #2)
- 7.1. Security Characteristics
- 7.2. IMG Installation
- 7.3. IMG Configuration and Integration with Directories
- 7.3.1. Set Up Custom Attributes
- 7.3.2. Set Up Organization Users
- 7.3.3. Populate the HR Directory
- 7.3.4. Configure Adaptive Directory Container
- 7.3.5. Create an Account Collector
- 7.3.6. Edit the Unification Configuration Participating Collectors
- 7.3.7. Edit User Attribute Source
- 7.3.8. Edit Unification Configuration Attribute Source
- 7.3.9. Start Data Collection
- 7.3.10. Review Data Collected
- 7.3.11. Configure Business Rules
- 7.3.12. Create Automated Rules
- 7.3.13. Create Provisioning Template
- 7.3.14. Configure AFX Module
- 7.3.15. Configure Adaptive Directory to Use AFX Connector
- 7.3.16. Adding a New User
- 7.3.17. Moving a User
- 7.3.18. Terminating a User
- 7.3.19. User Attribute Synchronization
- 8. Adaptive Directory: RSA (Build #2)
- 9. Enterprise Guardian: AlertEnterprise
- 10. PACS Server: RS2 Access It! Universal Server Installation
- 11. Privileged User Access Control: TDi ConsoleWorks Server Installation
- 12. ICS/SCADA Firewall: RADiFlow
- 13. Ozone: MAG Installation
- 14. Physical Access Control: XTec XNode
- 15. Enterprise Public-Key-Infrastructure Platform: GlobalSign
- 16. Industrial Firewall: Schneider Electric
- 17. Operating System STIG Compliance Reports
- 17.1. SQL Server on IdAM Network STIG Compliance Report
- 17.2. RSA IMG SUSE Linux Server STIG Compliance Report
- 17.3. RSA Adaptive Directory CentOS 7 Server STIG Compliance Report
- 17.4. AlertEnterprise Microsoft Server STIG Compliance Report
- 17.5. IT Domain Controller STIG Compliance Report
- 17.6. IT Windows 7 Workstations STIG Compliance Report
- 17.7. Ozone Authority and Ozone Server CentOS 6 Server STIG Compliance Report
- 17.8. Ozone Envoy CentOS 6 Server STIG Compliance Report
- 17.9. OT Domain Controller STIG Compliance Report
- 17.10. OT Windows 7 Workstations STIG Compliance Report
- 17.11. PACS Domain Controller STIG Compliance Report
- 17.12. PACS Console Windows Server 2012 STIG Compliance Report
- 17.13. Baseline CentOS 7 Linux Configuration
- 17.13.1. Baseline CentOS 7 Configuration Files
- 17.13.2. Audit.rules File Contents
- 17.13.3. Audit.conf File Contents
- 17.13.4. iptables File Contents
- 17.13.5. Password_auth-ac File Contents
- 17.13.6. rules_d-audi.rules File Contents
- 17.13.7. Sysctl.conf File Contents
- 17.13.8. system-auth File Contents
- 17.13.9. system-auth-ac File Contents
- 17.14. Baseline CentOS 7 STIG Compliance