Cybersecurity: NIST seeking comments on energy industry security scenarios

Published 30 July 2013


The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology is inviting industry to help address two information technology challenges faced by the energy sector. The center would like feedback on two proposed “use cases” whose solution would provide centralized control of access to structures and systems and reduce security blind spots in their operations.

A NIST release reports that the NCCoE works with industry, academic, and government experts to create open, standards-based, modular, end-to-end solutions to cybersecurity challenges that are broadly applicable across a sector. The solutions are customizable to the needs of individual businesses, and help them more easily comply with relevant standards and regulations. The work is organized around use cases that describe sector-specific challenges.

“These use cases represent sector-wide cybersecurity challenges that we will address through a collaborative effort between the NCCoE, the energy sector, and technology partners,” said Nate Lesser, deputy director of the NCCoE. “Before inviting participation from our technology partners, we are seeking public input on the use cases to ensure that the resulting solutions are as useful as possible.”

The first proposed use case is focused on energy companies’ need to control physical and logical access to their resources, including buildings, equipment, information technology and industrial control systems. This requires the ability to authenticate identity with a high degree of certainty and to enforce access controls consistently, uniformly and quickly — and across all resources.

The second use case solution would allow security analysts to see operational and information technologies as a cohesive whole, making it easier for them to detect issues that could disrupt services. Energy companies rely on two distinct types of IT systems. Business enterprise systems run their billing, personnel and other enterprise functions, while operational systems, which rely heavily on so-called cyber-physical systems, allow them to generate, distribute and meter power. While standard IT security products are available to protect and monitor enterprise IT, those products are often an imperfect fit for operational technology and may need augmenting to avoid security blind spots.

Security analysts strive to ensure correct behavior in operational technology, identify the connections between IT data and unwanted operational behavior (that is, disruptions to systems or services to consumers), and improve detection and remediation of those unwanted behaviors. Analysts, however, can only correct what they can actually see. Without proper sensors in place, an analyst might never see an event, either as it happens or after the fact.

Successful solutions would provide blueprints for improving cybersecurity based on standards and best practices to help reduce the probability of attacks or anomalous system behaviors and make them easier to detect, mitigate and investigate after the fact. They would support energy companies’ business needs by reducing risks, system complexity and costs.

Copies of the two proposed use cases can be viewed here.