NIST SPECIAL PUBLICATION 1800-32
Securing Distributed Energy Resources:
An Example of Industrial Internet of Things Cybersecurity
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jim McCarthy
Eileen Division
Don Faatz
Nik Urlaub
John Wiltberger
Tsion Yimer
FINAL
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-32
Jim McCarthy
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
Eileen Division
Don Faatz
Nik Urlaub
John Wiltberger
Tsion Yimer
The MITRE Corporation
McLean, Virginia
February 2022
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristic Analysis
- 5.1 Assumptions and Limitations
- 5.2 Build Testing
- 5.2.1 Test Scenario 1: Communication Between the Utility and a DER Is Secure
- 5.2.2 Test Scenario 2: Integrity of Command Register Data and Communication Is Verified
- 5.2.3 Test Scenario 3: Log File Information Can Be Captured and Analyzed
- 5.2.4 Test Scenario 4: Log File Analysis Can Be Shared
- 5.2.5 Test Scenario 5: Malicious Activity Is Detected
- 5.2.6 Test Scenario 6: Privileged User Access Is Managed
- 5.3 Scenarios and Findings
- 5.3.1 Identity Management, Authentication, and Access Control
- 5.3.1.1 PR.AC-1: Identities and Credentials Are Issued, Managed, Verified, Revoked, and Audited for Authorized Devices, Users, and Processes
- 5.3.1.2 PR.AC-3: Remote Access Is Managed
- 5.3.1.3 PR.AC-4: Access Permissions and Authorizations Are Managed, Incorporating the Principles of Least Privilege and Separation of Duties
- 5.3.1.4 PR.AC-5: Network Integrity Is Protected (e.g., Network Segregation, Network Segmentation)
- 5.3.2 Data Security
- 5.3.3 Anomalies and Events
- 5.3.3.1 DE.AE-1: A Baseline of Network Operations and Expected Data Flows for Users and Systems Is Established and Managed
- 5.3.3.2 DE.AE-2: Detected Events Are Analyzed to Understand Attack Targets and Methods
- 5.3.3.3 DE.AE-3: Event Data Are Collected and Correlated from Multiple Sources and Sensors
- 5.3.3.4 DE.AE-5: Incident Alert Thresholds Are Established
- 5.3.4 Security Continuous Monitoring
- 5.3.4.1 The Information System and Assets Are Monitored to Identify Cybersecurity Events and Verify the Effectiveness of Protective Measures
- 5.3.4.2 DE.CM-2: The Physical Environment Is Monitored to Detect Potential Cybersecurity Events
- 5.3.4.3 DE.CM-4: Malicious Code Is Detected
- 5.3.4.4 DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and Software Is Performed
- 6 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B References
- Appendix C Benefits of IoT Cybersecurity Capabilities
- 1 Introduction
- 2 Product Installation Guides
- 2.1 Anterix Long Term Evolution (LTE) Network
- 2.2 Cisco Cyber Vision
- 2.3 Cisco Identity Services Engine (ISE)
- 2.4 Radiflow iSID
- 2.5 Spherical Analytics Immutably™
- 2.6 Sumo Logic
- 2.7 TDi Technologies ConsoleWorks
- 2.8 Xage Security Fabric
- 2.9 pfSense Open-source Firewall
- 2.10 Syslog-ng Open-Source Log Management
- Appendix A List of Acronyms
- Appendix B Software for Using Immutably
- Appendix C References