Appendix A List of Acronyms

CISA

Cybersecurity and Infrastructure Security Agency

DER

Distributed Energy Resource

EPRI

Electric Power Research Institute

ICS

Industrial Control System

ICS-CERT

Industrial Control Systems–Computer Emergency Readiness Team

IIoT

Industrial Internet of Things

IT

Information Technology

LTE

Long-Term Evolution

NCCoE

National Cybersecurity Center of Excellence

NIST

National Institute of Standards and Technology

OT

Operational Technology

UMD

University of Maryland

VPN

Virtual Private Network

Appendix B References

B1

The Smart Grid Interoperability Panel-Smart Grid Cybersecurity Committee, Guidelines for Smart Grid Cybersecurity, National Institute of Standards and Technology (NIST) Interagency or Internal Report 7628 Revision 1, Gaithersburg, Md., Sept. 2014, 290 pp. Available: https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf.

B2

A. Gopstein et al., NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0, NIST SP 1108rev4, NIST, Gaithersburg, Md., February 18, 2021. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1108r4.pdf.

B3

Cybersecurity and Infrastructure Security Agency, Industrial Control Systems Cyber Emergency Response Team, “Cyber Threat Source Descriptions.” Available: https://www.us-cert.gov/ics/content/cyber-threat-source-descriptions.

B4

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, NIST, Gaithersburg, Md., Apr. 16, 2018. Available: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

B5

Mapping of NIST Cybersecurity Framework v1.1 to NERC CIP Reliability Standards, NIST, Gaithersburg, Md., Aug. 8, 2020. Available: PDR: Mapping of NIST Cybersecurity Framework v1.1 to NERC CIP Reliability Standards.

B6

NIST Cybersecurity for IoT Program, Feb. 2021. Available: https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program.

B7

Designation of Public Trust Positions and Investigative Requirements, 5 C.F.R. § 731.106, 2013. Available: http://www.gpo.gov/fdsys/granule/CFR-2012-title5-vol2/CFR-2012-title5-vol2-sec731-106/content-detail.html.

B8

Information technology – Security techniques – Information security risk management, ISO/IEC 27005, International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), 2011. Available: http://www.iso.org/iso/catalogue_detail?csnumber=56742.

B9

D. Cooper et al., Internet X.509 Public Key Infrastructure Certification and Certificate Revocation List (CRL) Profile, Internet Engineering Task Force (IETF) Network Working Group Request for Comments (RFC) 5280, May 2008. Available: http://www.ietf.org/rfc/rfc5280.txt.

B10

Federal Information Security Management Act of 2002, Pub. L. 107-347 (Title III), 116 Stat 2946. Available: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf.

B11

E-Government Act of 2002, Pub. L. 107-347, 116 Stat 2899. Available: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf.

Appendix C Benefits of IoT Cybersecurity Capabilities

The National Institute of Standards and Technology’s (NIST’s) Cybersecurity for the Internet of Things (IoT) program [B6] supports development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and foster an environment that enables innovation on a global scale.

Computing devices that integrate physical and/or sensing capabilities and network interface capabilities are being designed, developed, and deployed at an ever-increasing pace. These devices are fulfilling customer needs in all sectors of the economy. Many of these computing devices are connected to the internet. A novel characteristic of these devices is their combination of connectivity and the ability to sense and/or affect the physical world. As devices become smaller and more complex, with an increasing number of features, the security of those devices also becomes more complex.

NIST’s Cybersecurity for IoT program has defined a set of capabilities that device manufacturers should consider integrating into their IoT devices and that consumers should consider enabling/configuring in those devices. Device cybersecurity capabilities are cybersecurity features or functions that IoT devices or other system components (e.g., a gateway, proxy, IoT Platform) provide through technical means (i.e., device hardware and software). Many IoT devices have limited processing and data storage capabilities and may not be able to provide these device cybersecurity capabilities on their own; consequently, they may rely on other system components to provide these technical capabilities on their behalf. Nontechnical supporting capabilities are actions that a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. Examples of nontechnical support include providing information about software updates, instructions for configuration settings, and supply chain information.

Used together, device cybersecurity capabilities and nontechnical supporting capabilities can help mitigate cybersecurity risks related to the use of IoT devices while assisting customers in achieving their goals. Device cybersecurity capabilities and nontechnical supporting capabilities—if properly defined and integrated into Industrial Internet of Things (IIoT) devices in a distributed energy resources (DER) environment—can assist in securely deploying and configuring an IIoT DER ecosystem.

C.1 IoT Cybersecurity Capabilities Mapping

Table 5‑7 below lists the device cybersecurity capabilities and nontechnical supporting capabilities as they map to the NIST Cybersecurity Framework Subcategories of particular importance to this project. It is acknowledged that IoT devices vary in their capabilities, and there may not be a clear delineation between the device cybersecurity capabilities that are provided by the IoT devices and those provided by another system component. It is also understood that the capabilities of cyber-physical components are evolving, so many of the mappings are not necessarily exact.

The mapping presents a summary of both technical and nontechnical capabilities that could enhance the security of an IIoT DER ecosystem. It is acknowledged that many of the device cybersecurity capabilities may not be available in modern IoT devices and that other system elements (e.g., proxies, gateways) or other risk mitigation strategies (e.g., network segmentation) may be necessary.

Table 5‑7 Mapping of Device Cybersecurity Capabilities and Nontechnical Supporting Capabilities to NIST Cybersecurity Framework Subcategories of the IIoT Project

Cybersecurity Framework v1.1 Subcategory

Device Cybersecurity Capabilities

Manufacturer Nontechnical Supporting Capabilities

Related NERC CIP ID(s)

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.

Device Cybersecurity Capabilities:

  • Ability to uniquely identify the IoT device logically.

  • Ability to uniquely identify a remote IoT device.

  • Ability for the device to support a unique device ID.

  • Ability to configure IoT device access control policies using IoT device identity.

  • Ability to verify the identity of an IoT device.

  • Ability to add a unique physical identifier at an external or internal location on the device authorized entities can access.

  • Ability to set and change authentication configurations, policies, and limitations settings for the IoT device.

  • Ability to create unique IoT device user accounts.

  • Ability to identify unique IoT device user accounts.

  • Ability to create organizationally defined accounts that support privileged roles with automated expiration conditions.

  • Ability to establish organizationally defined user actions for accessing the IoT device and/or device interface.

  • Ability to enable automation and reporting of account management activities.

  • Ability to establish conditions for shared/group accounts on the IoT device.

  • Ability to administer conditions for shared/group accounts on the IoT device.

  • Ability to restrict the use of shared/group accounts on the IoT device according to organizationally defined conditions.

Manufacturer Nontechnical Supporting Capabilities:

  • Providing details for how to establish unique identification for each IoT device associated with the system and critical system components within which it is used.

  • Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.

  • Providing the details necessary to establish and implement unique identification for each IoT device associated with the system and critical system components within which it is used.

  • Providing the details necessary to require unique identifiers for each IoT device associated with the system and critical system components within which it is used.

  • Providing education explaining how to establish and enforce approved authorizations for logical access to IoT device information and system resources.

  • Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.

  • Providing education explaining how to enforce authorized access at the system level.

Related NERC CIP ID(s): CIP-004-6-R4, CIP-004-6-R5, CIP-007-6-R5

PR.AC-3: Remote access is managed.

Device Cybersecurity Capabilities:

  • Ability to configure IoT device access control policies using IoT device identity.

    • Ability for the IoT device to differentiate between authorized and unauthorized remote users.

  • Ability to authenticate external users and systems.

  • Ability to securely interact with authorized external, third-party systems.

  • Ability to identify when an external system meets the required security requirements for a connection.

  • Ability to establish secure communications with internal systems when the device is operating on external networks.

  • Ability to establish requirements for remote access to the IoT device and/or IoT device interface, including:

    1. usage restrictions

    2. configuration requirements

    3. connection requirements

    4. manufacturer established requirement

  • Ability to enforce the established local and remote access requirements.

  • Ability to prevent external access to the IoT device management interface.

  • Ability to control the IoT device’s logical interface (e.g., locally or remotely).

  • Ability to detect remote activation attempts.

  • Ability to detect remote activation of sensors.

Manufacturer Nontechnical Supporting Capabilities: N/A

Related NERC CIP ID(s): CIP-003-7-R2, CIP-004-6-R4, CIP-004-6-R5, CIP-005-5-R1, CIP-005-5-R2, CIP-005-6-R2, CIP-013-1-R1

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Device Cybersecurity Capabilities:

  • Ability to assign roles to IoT device user accounts.

  • Ability to support a hierarchy of logical access privileges for the IoT device based on roles (e.g., admin, emergency, user, local, temporary).

    • Ability to establish user accounts to support role-based logical access privileges.

    • Ability to administer user accounts to support role-based logical access privileges.

    • Ability to use organizationally defined roles to define each user account’s access and permitted device actions.

    • Ability to support multiple levels of user/process account functionality and roles for the IoT device.

  • Ability to apply least privilege to user accounts.

    • Ability to create additional processes, roles (e.g., admin, emergency, temporary) and accounts as necessary to achieve least privilege.

    • Ability to apply least privilege settings within the device (i.e., to ensure that the processes operate at privilege levels no higher than necessary to accomplish required functions).

    • Ability to limit access to privileged device settings that are used to establish and administer authorization requirements.

    • Ability for authorized users to access privileged settings.

  • Ability to create organizationally defined accounts that support privileged roles with automated expiration conditions.

  • Ability to enable automation and reporting of account management activities.

  • Ability to establish conditions for shared/group accounts on the IoT device.

  • Ability to administer conditions for shared/group accounts on the IoT device.

  • Ability to restrict the use of shared/group accounts on the IoT device according to organizationally defined conditions.

  • Ability to implement dynamic access control approaches (e.g., service-oriented architectures) that rely on:

    • run-time access control decisions facilitated by dynamic privilege management.

    • organizationally defined actions to access/use device.

  • Ability to allow information sharing capabilities based upon the type and/or role of user attempting to share the information.

  • Ability to restrict access to IoT device software, hardware, and data based on user account roles, used with proper authentication of the identity of the user to determine type of authorization.

  • Ability to establish limits on authorized concurrent device sessions.

  • Ability to restrict updating actions to authorized entities.

  • Ability to restrict access to the cybersecurity state indicator to authorized entities.

  • Ability to revoke access to the IoT device.

Manufacturer Nontechnical Supporting Capabilities:

  • Providing the tools, assistance, instructions, and other types of information to support establishing a hierarchy of role-based privileges within the IoT device.

  • Providing details about the specific types of manufacturer’s needs to access the IoT device interfaces, such as for specific support, updates, ongoing maintenance, and other purposes.

  • Providing documentation with instructions for the IoT device customer to follow for how to restrict interface connections that enable specific activities.

  • Providing descriptions of the types of access to the IoT device that the manufacturer will require on an ongoing or regular basis.

  • Providing detailed instructions for how to implement management and operational controls based on the role of the IoT device user, and not on an individual basis.

  • Providing documentation and/or other communications describing how to implement management and operational controls to protect data obtained from IoT devices and associated systems from unauthorized access, modification, and deletion.

  • Providing a detailed description of the other types of devices and systems that will access the IoT device during customer use of the device, and how they will access it.

  • Providing communications and detailed instructions for implementing a hierarchy of privilege levels to use with the IoT device and/or necessary associated information systems.

  • Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.

  • Providing education explaining how to establish and enforce approved authorizations for logical access to IoT device information and system resources.

  • Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.

  • Providing education explaining how to enforce authorized access at the system level.

  • Providing education and supporting materials explaining how to establish roles and responsibilities for IoT device data security, using the device capabilities and/or other services that communicate or interface with the device.

  • Providing education and supporting materials describing the IoT device capabilities for role-based controls, and how to establish different roles within the IoT device.

  • Providing education and supporting materials for how to establish roles to support IoT device policies, procedures, and associated documentation.

Related NERC CIP ID(s): CIP-004-6-R4, CIP-004-6-R5, CIP-005-6-R2, CIP-007-6-R5, CIP-013-1-R1

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation).

Device Cybersecurity Capabilities: N/A

Manufacturer Nontechnical Supporting Capabilities: N/A

Related NERC CIP ID(s): CIP-005-5-R1, CIP-007-6-R1

PR.DS-1: Data-at-rest is protected.

Device Cybersecurity Capabilities:

  • Ability to execute cryptographic mechanisms of appropriate strength and performance.

  • Ability to obtain and validate certificates.

  • Ability to perform authenticated encryption algorithms.

  • Ability to change keys securely.

  • Ability to generate key pairs.

  • Ability to store encryption keys securely.

  • Ability to cryptographically store passwords at rest, as well as device identity and other authentication data.

  • Ability to support data encryption and signing to prevent data from being altered in device storage.

  • Ability to secure data stored locally on the device.

  • Ability to secure data stored in remote storage areas (e.g., cloud, server).

  • Ability to utilize separate storage partitions for system and user data.

  • Ability to protect the audit information through mechanisms such as:

    • encryption

    • digitally signing audit files

    • securely sending audit files to another device

    • other protections created by the device manufacturer

Manufacturer Nontechnical Supporting Capabilities:

  • Providing detailed instructions for how to implement management and operational controls for securely handling and retaining IoT device data, associated systems data, and data output from the IoT device.

  • Providing education describing how to securely handle and retain IoT device data, associated systems data, and data output from the IoT device to meet requirements of the IoT device customers’ organizational security policies, contractual requirements, applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and other legal requirements.

Related NERC CIP ID(s): CIP-011-2-R2

PR.DS-2: Data in transit is protected.

Device Cybersecurity Capabilities:

  • Ability to execute cryptographic mechanisms of appropriate strength and performance.

  • Ability to perform authenticated encryption algorithms.

  • Ability to change keys securely.

  • Ability to store encryption keys securely.

  • Ability to support trusted data exchange with a specified minimum-strength cryptography algorithm.

  • Ability to support data encryption and signing to prevent data from being altered in transit.

  • Ability to protect transmitted data from unauthorized access and modification.

  • Ability to use cryptographic means to validate the integrity of data transmitted.

  • Ability to protect the audit information through mechanisms such as:

    • encryption

    • digitally signing audit files

    • securely sending audit files to another device

    • other protections created by the device manufacturer

Manufacturer Nontechnical Supporting Capabilities:

  • Providing documentation and/or other communications describing how to implement management and operational controls to protect data obtained from IoT devices and associated systems from unauthorized access, modification, and deletion.

  • Providing education describing how to securely handle and retain IoT device data, associated systems data, and data output from the IoT device to meet requirements of the IoT device customers’ organizational security policies, contractual requirements, applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and other legal requirements.

Related NERC CIP ID(s): CIP-003-7-R2, CIP-004-6-R4, CIP-004-6-R5, CIP-005-5-R1, CIP-005-5-R2, CIP-011-2-R1

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.

Device Cybersecurity Capabilities:

  • Ability to identify software loaded on the IoT device based on IoT device identity.

  • Ability to verify digital signatures.

  • Ability to run hashing algorithms.

  • Ability to perform authenticated encryption algorithms.

  • Ability to compute and compare hashes.

  • Ability to utilize one or more capabilities to protect transmitted data from unauthorized access and modification.

  • Ability to validate the integrity of data transmitted.

  • Ability to verify software updates come from valid sources by using an effective method (e.g., digital signatures, checksums, certificate validation).

  • Ability to verify and authenticate any update before installing it.

  • Ability to store the operating environment (e.g., firmware image, software, applications) in read-only media (e.g., Read Only Memory).

Manufacturer Nontechnical Supporting Capabilities:

  • Providing documentation and/or other communications describing how to implement management and operational controls to protect data obtained from IoT devices and associated systems from unauthorized access, modification, and deletion.

  • Providing communications to IoT device customers describing how to implement management and operational controls to protect IoT device data integrity and associated systems data integrity.

  • Providing IoT device customers with the details necessary to support secure implementation of the IoT device and associated systems data integrity controls.

  • Providing IoT device customers with documentation describing the data integrity controls built into the IoT device and how to use them. If there are no data integrity controls built into the IoT device, include documentation explaining to IoT device customers the ways to achieve IoT device data integrity.

  • Providing details for how to review and update the IoT device and associated systems while preserving data integrity.

Related NERC CIP ID(s): CIP-010-2-R1, CIP-010-3-R1, CIP-010-2-R2, CIP-011-2-R1, CIP-013-1-R1

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.

Device Cybersecurity Capabilities: N/A

Manufacturer Nontechnical Supporting Capabilities:

  • Providing documentation describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.

Related NERC CIP ID(s): N/A

DE.AE-2: Detected events are analyzed to understand attack targets and methods.

Device Cybersecurity Capabilities: N/A

Manufacturer Nontechnical Supporting Capabilities:

  • Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.

Related NERC CIP ID(s): CIP-003-7-R2, CIP-005-5-R1, CIP-007-6-R4, CIP-008-5-R1, CIP-008-5-R2, CIP-008-5-R4

DE.AE-3: Event data are collected and correlated from multiple sources and sensors.

Device Cybersecurity Capabilities:

  • Ability to provide a physical indicator of sensor use.

  • Ability to send requested audit logs to an external audit process or information system (e.g., where its auditing information can be checked to allow for review, analysis, and reporting).

  • Ability to keep an accurate internal system time.

Manufacturer Nontechnical Supporting Capabilities:

  • Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.

Related NERC CIP ID(s): CIP-007-6-R4

DE.AE-5: Incident alert thresholds are established.

Device Cybersecurity Capabilities:

  • Ability to generate alerts for specific events.

  • Ability to differentiate between when a device will likely operate as expected from when it may be in a degraded cybersecurity state.

Manufacturer Nontechnical Supporting Capabilities: N/A

Related NERC CIP ID(s): CIP-007-6-R4, CIP-007-6-R5, CIP-008-5-R1

DE.CM-1: The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

Device Cybersecurity Capabilities:

  • Ability to monitor specific actions based on the IoT device identity.

  • Ability to access information about the IoT device’s cybersecurity state and other necessary data.

  • Ability to monitor for organizationally defined cybersecurity events (e.g., expected state change) that may occur on or involving the IoT device.

  • Ability to support a monitoring process to check for disclosure of organizational information to unauthorized entities. (The device may be able to perform this check itself or provide the information necessary for an external process to check).

  • Ability to monitor communications traffic.

Manufacturer Nontechnical Supporting Capabilities:

  • Providing information that describes the types of system monitoring information generated from, or associated with, the IoT device and instructions for obtaining that information.

  • Providing documentation describing the types of monitoring tools with which the IoT device is compatible, and recommendations for how to configure the IoT device to best work with such monitoring tools.

  • Providing the details necessary to monitor IoT devices and associated systems.

  • Providing documentation describing how to perform monitoring activities.

Related NERC CIP ID(s): CIP-005-5-R1

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.

Device Cybersecurity Capabilities: N/A

Manufacturer Nontechnical Supporting Capabilities:

  • Providing descriptions of the types of physical access practices, and manufacturer suggested hardware or other types of devices, that can be used to prevent unauthorized physical access to the IoT device.

  • Providing descriptions of the physical access security procedures the manufacturer recommends for limiting physical access to the device and to associated device controls.

  • Providing details of indications, and recommendations for how to determine, when unauthorized physical access to the IoT device was or is attempted or is occurring.

Related NERC CIP ID(s): CIP-003-7-R2, CIP-006-6-R1, CIP-006-6-R2, CIP-014-2-R5

DE.CM-4: Malicious code is detected.

Device Cybersecurity Capabilities: N/A

Manufacturer Nontechnical Supporting Capabilities:

  • Providing education for how to implement malicious code protection in the IoT device and associated systems as well as how to detect and eradicate malicious code.

  • Providing education for how to update the IoT device and related systems malicious code protection mechanisms when new releases are available, in accordance with organizational configuration management policy and procedures.

  • If the IoT device manufacturer provides anti-malware for the associated IoT device, or if the IoT device has built-in anti-malware capabilities, the manufacturer should provide education to IoT device customers describing how to use and/or configure malicious code protection mechanisms in IoT devices, supporting anti-malware tools, and related systems.

  • Providing education that includes the details necessary to implement management and operational controls for malicious code detection and eradication.

Related NERC CIP ID(s): CIP-003-7-R2, CIP-007-6-R3, CIP-007-6-R4, CIP-010-2-R4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.

Device Cybersecurity Capabilities:

  • Ability to support a monitoring process to check for disclosure of organizational information to unauthorized entities. (The device may be able to perform this check itself or provide the information necessary for an external process to check.)

  • Ability to monitor changes to the configuration settings.

  • Ability to detect remote activation attempts.

  • Ability to detect remote activation of sensors.

  • Ability to take organizationally defined actions when unauthorized hardware and software components are detected (e.g., disallow a flash drive to be connected even if a Universal Serial Bus [USB] port is present).

Manufacturer Nontechnical Supporting Capabilities:

  • Providing appropriate tools, assistance, instructions, or other details describing the capabilities for monitoring the IoT device and/or for the IoT device customer to report actions to the monitoring service of the manufacturer’s supporting entity.

  • Providing the details necessary to monitor IoT devices and associated systems.

  • Providing documentation describing details necessary to identify unauthorized use of IoT devices and their associated systems.

  • Providing documentation that describes indicators of unauthorized use of the IoT device.

Related NERC CIP ID(s): CIP-003-7-R2, CIP-005-5-R1, CIP-006-6-R1, CIP-007-6-R3, CIP-007-6-R4, CIP-007-6-R5, CIP-013-3-R2, CIP-010-2-R4

C.2 Device Capabilities Supporting Security Characteristic Analysis Test Scenarios

Table 5‑8 below builds on the security characteristic analysis test scenarios included in Section 5.2 of this document. The table lists both device cybersecurity capabilities and nontechnical supporting capabilities that map to the requirements for each of the test scenarios. If IoT devices are integrated into an IIoT DER ecosystem, selecting devices and/or third parties that provide these capabilities can help achieve the respective test scenario requirements.

It is acknowledged that IoT devices vary in their capabilities, and there may not be a clear delineation between the device cybersecurity capabilities that are provided by the IoT devices and those provided by another system component. It is also understood that the capabilities of cyber-physical components are evolving, so many of the mappings are not necessarily exact.

It is acknowledged that many of the device cybersecurity capabilities may not be available in some IoT devices and that other system elements (e.g., proxies, gateways) or other risk mitigation strategies (e.g., network segmentation) may be necessary. It is also understood that not every capability in the table is applicable to every use case. The table provides utilities and/or DER operators a listing of technical and nontechnical capabilities that might be important in IIoT DER ecosystems.

Table 5‑8 Device Cybersecurity Capabilities and Nontechnical Supporting Capabilities that Map to Each of the Security Test Scenarios

Scenario ID and Description with CSF Subcategories

Device Cybersecurity Capabilities

Manufacturer Nontechnical Supporting Capabilities

Scenario 1: Communication between the utility and a DER is secure.

This test case will verify that authenticated and authorized systems on the utility network can communicate with a DER connected to the microgrid network.

Device Cybersecurity Capabilities:

  • Ability to uniquely identify the IoT device logically.

  • Ability to uniquely identify a remote IoT device.

  • Ability for the device to support a unique device ID.

  • Ability to configure IoT device access control policies using IoT device identity.

  • Ability to verify the identity of an IoT device.

  • Ability to add a unique physical identifier at an external or internal location on the device authorized entities can access.

  • Ability to set and change authentication configurations, policies, and limitations settings for the IoT device.

  • Ability to revoke access to the device.

  • Ability to create unique IoT device user accounts.

  • Ability to identify unique IoT device user accounts.

  • Ability to create organizationally defined accounts that support privileged roles with automated expiration conditions.

  • Ability to configure IoT device access control policies using IoT device identity.

  • Ability to authenticate external users and systems.

  • Ability to securely interact with authorized external, third-party systems.

  • Ability to identify when an external system meets the required security requirements for a connection.

  • Ability to establish secure communications with internal systems when the device is operating on external networks.

  • Ability to establish requirements for remote access to the IoT device and/or IoT device interface.

  • Ability to enforce the established local and remote access requirements.

  • Ability to prevent external access to the IoT device management interface.

  • Ability to assign roles to IoT device user accounts.

  • Ability to support a hierarchy of logical access privileges for the IoT device based on roles.

  • Ability to apply least privilege to user accounts.

  • Ability to enable automation and reporting of account management activities.

Manufacturer Nontechnical Supporting Capabilities:

  • Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.

  • Providing the details necessary to establish and implement unique identification for each IoT device associated with the system and critical system components within which it is used.

  • Providing the tools, assistance, instructions, and other types of information to support establishing a hierarchy of role-based privileges within the IoT device.

  • Providing details about the specific types of manufacturer’s needs to access the IoT device interfaces, such as for specific support, updates, ongoing maintenance, and other purposes.

  • Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.

  • Providing education explaining how to enforce authorized access at the system level.

  • Providing detailed instructions and guidance for establishing activities performed by the IoT device that do not require identification or authentication.

  • Providing documentation describing the specific IoT platforms used with the device to support required IoT authentication control techniques.

  • Providing documentation with details describing external authentication by IoT platforms and associated authentication methods that can be used with the IoT device.

Scenario 2: Integrity of Command Register data and communications is verified.

This test case will verify data provenance and integrity across the system for commands being exchanged between the utility and the DER microgrid.

  • Ability to execute cryptographic mechanisms of appropriate strength and performance.

  • Ability to obtain and validate certificates.

  • Ability to change keys securely.

  • Ability to generate key pairs.

  • Ability to store encryption keys securely.

  • Ability to cryptographically store passwords at rest, as well as device identity and other authentication data.

  • Ability to support data encryption and signing to prevent data from being altered in device storage.

  • Ability to secure data stored locally on the device.

  • Ability to secure data stored in remote storage areas (e.g., cloud, server).

  • Ability to utilize separate storage partitions for system and user data.

  • Ability to protect the audit information through mechanisms such as:

    • encryption

    • digitally signing audit files

    • securely sending audit files to another device

    • other protections created by the device manufacturer

  • Ability to support trusted data exchange with a specified minimum-strength cryptography algorithm.

  • Ability to support data encryption and signing to prevent data from being altered in transit.

  • Ability to protect transmitted data from unauthorized access and modification.

  • Ability to use cryptographic means to validate the integrity of data transmitted.

  • Ability to identify software loaded on the IoT device based on IoT device identity.

  • Ability to verify digital signatures.

  • Ability to run hashing algorithms.

  • Ability to perform authenticated encryption algorithms.

  • Ability to compute and compare hashes.

  • Ability to utilize one or more capabilities to protect transmitted data from unauthorized access and modification.

  • Ability to validate the integrity of data transmitted.

  • Ability to verify software updates come from valid sources by using an effective method (e.g., digital signatures, checksums, certificate validation).

  • Ability to verify and authenticate any update before installing it.

  • Ability to store the operating environment (e.g., firmware image, software, applications) in read-only media (e.g., Read Only Memory).

  • Providing detailed instructions for securely handling and retaining IoT device data, associated systems data, and data output from the IoT device.

  • Providing education describing how to securely handle and retain IoT device data, associated systems data, and data output from the IoT device to meet requirements of the IoT device customers’ organizational security policies, contractual requirements, applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and other legal requirements.

  • Providing documentation and/or other communications describing how to protect data obtained from IoT devices and associated systems from unauthorized access, modification, and deletion.

  • Providing communications to IoT device customers describing how to protect IoT device data integrity and associated systems data integrity.

  • Providing IoT device customers with the details necessary to support secure implementation of the IoT device and associated systems data integrity controls.

  • Providing IoT device customers with documentation describing the data integrity controls built into the IoT device and how to use them. If there are no data integrity controls built into the IoT device, include documentation explaining to IoT device customers the ways to achieve IoT device data integrity.

  • Providing details for how to review and update the IoT device and associated systems while preserving data integrity.

Scenario 3: Log file information can be captured and analyzed.

This test case will verify the capabilities of capturing and analyzing log data within the microgrid network.

  • Ability to provide a physical indicator of sensor use.

  • Ability to send requested audit logs to an external audit process or information system (e.g., where its auditing information can be checked to allow for review, analysis, and reporting).

  • Ability to keep an accurate internal system time.

  • Ability to generate alerts for specific events.

  • Ability to differentiate between when a device will likely operate as expected from when it may be in a degraded cybersecurity state.

  • Providing documentation describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.

  • Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.

  • Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.

Scenario 4: Log file analysis can be shared.

This test case will verify that the log analysis findings can be shared through proper channels.

  • Ability to provide a physical indicator of sensor use.

  • Ability to send requested audit logs to an external audit process or information system (e.g., where its auditing information can be checked to allow for review, analysis, and reporting).

  • Ability to keep an accurate internal system time.

  • Ability to generate alerts for specific events.

  • Ability to differentiate between when a device will likely operate as expected from when it may be in a degraded cybersecurity state.

  • Providing documentation describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.

  • Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.

  • Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.

Scenario 5: Malicious activity is detected.

This test case will verify the system’s ability to detect anomalous or malicious behavior on the network.

  • Ability to provide a physical indicator of sensor use.

  • Ability to send requested audit logs to an external audit process or information system (e.g., where its auditing information can be checked to allow for review, analysis, and reporting).

  • Ability to keep an accurate internal system time.

  • Ability to generate alerts for specific events.

  • Ability to differentiate between when a device will likely operate as expected from when it may be in a degraded cybersecurity state.

  • Ability to monitor specific actions based on the IoT device identity.

  • Ability to access information about the IoT device’s cybersecurity state and other necessary data.

  • Ability to monitor for organizationally defined cybersecurity events (e.g., expected state change) that may occur on or involving the IoT device.

  • Ability to support a monitoring process to check for disclosure of organizational information to unauthorized entities.

  • Ability to monitor communications traffic.

  • Ability to monitor changes to the configuration settings.

  • Ability to detect remote activation attempts.

  • Ability to detect remote activation of sensors.

  • Ability to take organizationally defined actions when unauthorized hardware and software components are detected (e.g., disallow a flash drive to be connected even if a Universal Serial Bus [USB] port is present).

  • Providing documentation describing how to implement and securely deploy monitoring devices and tools for IoT devices and associated systems.

  • Providing documentation describing IoT device behavior indicators that could occur when an attack is being launched.

  • Providing documentation describing the types of usage and environmental systems data that can be collected from the IoT device.

  • Providing information that describes the types of system monitoring information generated from, or associated with, the IoT device and instructions for obtaining that information.

  • Providing documentation describing the types of monitoring tools with which the IoT device is compatible, and recommendations for how to configure the IoT device to best work with such monitoring tools.

  • Providing the details necessary to monitor IoT devices and associated systems.

  • Providing documentation describing how to perform monitoring activities.

  • Providing education for how to implement malicious code protection in the IoT device and associated systems as well as how to detect and eradicate malicious code.

  • Providing education for how to update the IoT device and related systems malicious code protection mechanisms when new releases are available, in accordance with organizational configuration management policy and procedures.

  • Providing documentation describing details necessary to identify unauthorized use of IoT devices and their associated systems.

  • Providing documentation that describes indicators of unauthorized use of the IoT device.

Scenario 6: Privileged user access is managed.

This test case will verify that privileged users are authenticated and authorized to access only those devices to which they have been given proper privileges.

Cybersecurity Framework subcategories: PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5

  • Ability to uniquely identify the IoT device logically.

  • Ability to uniquely identify a remote IoT device.

  • Ability for the device to support a unique device ID.

  • Ability to configure IoT device access control policies using IoT device identity.

  • Ability to verify the identity of an IoT device.

  • Ability to add a unique physical identifier at an external or internal location on the device that authorized entities can access.

  • Ability to set and change authentication configurations, policies, and limitations settings for the IoT device.

  • Ability to revoke access to the device.

  • Ability to create unique IoT device user accounts.

  • Ability to identify unique IoT device user accounts.

  • Ability to create organizationally defined accounts that support privileged roles with automated expiration conditions.

  • Ability to configure IoT device access control policies using IoT device identity.

  • Ability to authenticate external users and systems.

  • Ability to securely interact with authorized external, third-party systems.

  • Ability to identify when an external system meets the required security requirements for a connection.

  • Ability to establish secure communications with internal systems when the device is operating on external networks.

  • Ability to establish requirements for remote access to the IoT device and/or IoT device interface.

  • Ability to enforce the established local and remote access requirements.

  • Ability to prevent external access to the IoT device management interface.

  • Ability to assign roles to IoT device user accounts.

  • Ability to support a hierarchy of logical access privileges for the IoT device based on roles.

  • Ability to apply least privilege to user accounts.

  • Ability to enable automation and reporting of account management activities.

  • Providing communications and documentation detailing how to perform account management activities, using the technical IoT device capabilities, or through supporting systems and/or tools.

  • Providing the details necessary to establish and implement unique identification for each IoT device associated with the system and critical system components within which it is used.

  • Providing the tools, assistance, instructions, and other types of information to support establishing a hierarchy of role-based privileges within the IoT device.

  • Providing details about the specific types of manufacturer needs for access to the IoT device interfaces, such as for specific support, updates, ongoing maintenance, and other purposes.

  • Providing education explaining how to control access to IoT devices implemented within IoT device customer information systems.

  • Providing education explaining how to enforce authorized access at the system level.

  • Providing detailed instructions and guidance for establishing activities performed by the IoT device that do not require identification or authentication.

  • Providing documentation describing the specific IoT platforms used with the device to support required IoT authentication control techniques.

  • Providing documentation with details describing external authentication by IoT platforms and associated authentication methods that can be used with the IoT device.