SP 1800-2 (Draft)

Identity and Access Management for Electric Utilities

Date Published: August 2015
Comments Due: October 23, 2015 (public comment period is CLOSED)
Email Questions to: energy_nccoe@nist.gov

Author(s)

James McCarthy (NIST), Don Faatz (MITRE), Harry Perper (MITRE), Chris Peloquin (MITRE), John Wiltberger (MITRE)

Editor(s)

Leah Kauffman (NIST)

Announcement

The NCCoE has released a draft of the latest NIST Cybersecurity Practice Guide 1800-2, Identity and Access Management for Electric Utilities, and invites you to download the draft and provide feedback.

The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks. Additionally, many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.

To help the energy sector address this cybersecurity challenge, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.

Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

Abstract

Keywords

energy sector; identity and access management; physical security; operational security; information technology; cybersecurity; electricity subsector; cyber security

Control Families

Access Control; Identification and Authentication; Physical and Environmental Protection

Documentation

Publication:
Draft SP 1800-2

Supplemental Material:
Project homepage (web)

Document History:
08/25/15: SP 1800-2 (Draft)
07/13/18: SP 1800-2 (Final)

Topics

Security and Privacy
identity & access management

Applications
cyber-physical systems

Sectors
energy