How NIST wants energy companies to reduce cyber risk
The National Institute of Standards and Technology released a guide that will help energy companies protect their industrial control systems, which have long been vulnerable to cyberattacks.
The draft guide focuses on identity and access management and gives an example of how utilities can securely and efficiently manage access to systems that deal with power generation, transmission and distribution.
The guide presents practice scenarios that often mirror situations utilities could face in real life. In one, a utility technician with physical access to substations and remote access to control units leaves the company and needs to have credentials revoked. The guide walks readers through a few scenarios where a centralized access control system would make changing or revoking the technician's privileges simple and quick.
Identity management is a big security issue when it comes to these systems. A recent report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team found that access control was tied to three of the six biggest vulnerability points in utilities’ systems during fiscal year 2014.
Both the government and energy companies are concerned about the safety of their control systems. Seventy percent of respondents to a 2013 SANS survey believed their supervisory control and data acquisition, or SCADA, systems are highly aware of the risks their systems present, while a third believed their systems have already been infiltrated.
Visit the National Cybersecurity Center of Excellence’s website for more information on the guide. Comments on the draft guide are open until Oct. 23.