Over the last several months, TDi Technologies has been working closely with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) on an Energy Sector Asset Management Project (ESAM).
As the country’s national lab for cybersecurity, the NCCoE brings together people from industry, technology companies, government agencies, and academia to collaborate on applied cybersecurity to address broad challenges of national importance.
I’m excited to share that the NCCoE has just released a draft guide for this cybersecurity project, titled Identity and Access Management. The guide shows how utilities can control physical and logical access to resources across the enterprise using standards, best practices, and commercially available products. The draft is available for download on the NCCoE website, and they are seeking feedback on it.
The U.S. Department of Homeland Security reported that five percent of the cybersecurity incidents its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to in 2014 were tied to weak authentication, while four percent were tied to abuse of access authority.
The NCCoE worked with technology vendors like TDi to develop an example solution demonstrating a centralized identity and access management system that would make changing or revoking privileges simple and quick. The step-by-step guide, which is modular and suitable for organizations of all sizes, also maps security characteristics to guidance and best practices from NIST and other standards organizations, and to the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards.
This practice guide can help energy companies reduce their risk by showing how commercially available technologies, like ConsoleWorks,* can be used to control access to facilities and devices from a centralized platform. The NCCoE and we think the guide helps meet a critical cybersecurity need, but we’d like to hear from you. Download the guide and provide your thoughts on the NCCoE website.
* While the example solution uses certain products, including ConsoleWorks, the NCCoE does not endorse these products in particular. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within their organization’s existing tools and infrastructure.