Centralizing Identity and Access Management in Energy Companies

October 21, 2015

By Pam Johnson

Over the last several months, TDi Technologies has been working closely with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) on a cybersecurity project for the energy sector.
As the country’s national lab for cybersecurity, the NCCoE brings together people from industry, technology companies, government agencies, and academia to collaborate on applied cybersecurity to address broad challenges of national importance.

I’m excited to share that the NCCoE has just released a draft guide of this cybersecurity project, titled Identity and Access Management. The guide shows how utilities can control physical and logical access to resources across the enterprise using standards, best practices, and commercially available products. The draft is available for download on the NCCoE website, and they are seeking feedback on it.

The U.S. Department of Homeland Security reported that five percent of the cybersecurity incidents its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to in 2014 were tied to weak authentication, while four percent were tied to abuse of access authority.

The NCCoE worked with technology vendors like TDi to develop an example solution demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick. The step-by-step guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to North American Electric Reliability Corporation’s Critical Infrastructure Protection standards.

This practice guide can help energy companies reduce their risk by showing how commercially available technologies, like ConsoleWorks,* can be used to control access to facilities and devices from a centralized platform. The NCCoE and we think the guide helps meet a critical cybersecurity need, but we’d like to hear from you. Download the guide and provide your thoughts on the NCCoE website.

* While the example solution uses certain products, including ConsoleWorks, the NCCoE does not endorse these products in particular. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within their organization’s existing tools and infrastructure.

Securing Configuration Ports for Utilities

July 29, 2014

By Pam Johnson

The diversity of devices and their geographical locations are significant parts of the challenge in securing these configuration ports. Many of these devices do not allow or support the installation of a local software agent to help logically secure them, and virtually no software agents can effectively manage the actual configuration ports themselves. Because of this, most control devices are only secured through physical security (locks, gates, walls, doors).

To effectively secure configuration ports while meeting NERC-CIP requirements, access to all configuration ports must be controlled and all activity over these ports must be automatically logged to provide a forensic record of this activity. Both are requirements.

These physical ports provide a special level of privileged access that can be used to:

  1. Change Configuration
  2. Upgrade Firmware or BIOS
  3. Build-out devices that have components (like servers)
  4. Perform a variety of Administrative functions
  5. Perform emergency repair or failure recovery when no other port is accessible

See how ConsoleWorks addresses this challenge at this link.

Per CIP-007-5, all ports should be secured or disabled

July 22, 2014

By Pam Johnson

Per CIP-007-5, all ports should be either secured or disabled. This obviously includes configuration ports. However, most substation devices do not allow the disabling of these ports, nor should these ports be disabled, as they serve important purposes, including being the primary configuration or emergency access port.

Instead, these ports must be secured.

Virtually all electronic devices with communication capability have configuration ports. For modern servers, baseboard management controllers that are networkable are the common configuration port technology. Older servers, routers, switches, firewalls, IEDs, RTUs, etc. have serial privileged configuration ports, often network-enabled with terminal servers.

Configuration ports exist on almost every device used in Utility operations. Control systems and control devices have configuration ports. Virtually every PLC, RTU, and IED has a configuration port (usually a privileged serial port with command and control access to the device's core program and operating system functions). Remote locations, such as substations and endpoints (poles), contain many devices that have configuration ports.

From the control room to the sub-station to the pole, these physical ports provide a special level of privileged access that can be used to:

  1. Change Configuration
  2. Upgrade Firmware or BIOS
  3. Build-out devices that have components (like servers)
  4. Perform a variety of Administrative functions
  5. Perform emergency repair or failure recovery when no other port is accessible