A hacking incident is one which can lose a company a large amount of money and leaves an organization open and vulnerable to bad press and loss of trust. In the Energy and Oil Sector, the risk is much greater and the cost also higher.
In order to lessen the likelihood of an attack, the National Cybersecurity Center of Excellence (NCCoE) has created a guide for Energy and Utility Companies to implement a centralized Identity and Access Management (IAM) Solution using National Institute of Standards and Technology (NIST) and industry standards.
The rise of cyberattacks has led every industry to think twice about their security regulations and access management. The Energy Sector has now come under an increased number of cyberattacks, some of the more notable including the Ukraine Power Grid attack just before Christmas and the January attack on Isreal's Electricity Authority. The Energy Sector is one of the most profitable in the world and so threats from information theft to terrorist attacks are possible.
Why do Energy and Utility companies need better cybersecurity?
NIST state in a press release:
"The U.S. Department of Homeland Security reported that five percent of the cybersecurity incidents its Industrial Control Systems Cyber-Emergency Response Team responded to in fiscal year 2014 were tied to weak authentication. Four percent were tied to abuse of access authority."
This guide was created in order to help decrease the risk by showing companies how they can control access to facilities and devices from a single console. The key is in centralizing identity and access management, so that it's easier to trace the sources of an attack or disruption.
As discussed in previous posts, bulk power system operators must prepare to up the ante around their cybersecurity posture by complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards approved by the Federal Energy Regulatory Commission (FERC). The deadline is fast approaching for Balancing Authorities, Distribution Providers, Generator and Transmission Operators, and Reliability and Interchange Coordinators to comply.
Today's post hones in on a few important new requirements identified in CIP-005: Electronic Security Perimeter that must be implemented by April 15, 2016.
Electronic Security Perimeter CIP – 005
Bulk Electric (cyber) Systems (BES) that affect all medium and high-impact systems will soon be required to implement much stricter controls around access controls, remote access encryption, and the use of multi-factor authentication for all remote sessions in order to protect their BESs from either misoperation or instability of these important grid assets.
Stronger Access Control measure:
The concept of denied access by default and the requirement for explicit access permission settings, including reasons for access to BES is tackled in CIP-005. Implementing a high assurance centralized identity and access management system that strongly authenticates both internal and remote users to both IT and OT operational systems is the Holy Grail for most large energy companies. NCCOE's NIST Cybersecurity Practice Guide, Special Publication 1800-2: "Identity and Access Management for Electric Utilities" is an excellent resource for IT, CISOs, NERC CIP compliance officers to meet many of the CIP requirements.
In it there are details as to how the NERC CIP was used to shape the guide, which can be found in Section 5.8 Security Characteristics Related to NERC-CIP of the practice guide.
Although NCCoE attempted to address the federation of external users, the scope of the practice guide was large enough around internal use cases, so external user management was set aside for future evaluation. However, addressing external user identity and access management, many whom often require limited and temporary access to networks, is becoming an increasingly vital user story for energy companies.
In fact, GlobalSign currently provides Electric Utility companies IAM federated solutions delivering cost efficient, high assurance, and scalable methods to open eServices, to customers, suppliers, regulators, and other energy providers by leveragingthird party Identity Providers.
Two-factor authentication:
Also in CIP-005, is the requirement to implement multi-factor authentication for all interactive remote sessions. Using PKI technology, specifically digital certificates tied to user's identities stored in Active Directory, is a cost efficient method to implement strong security in a highly scalable and flexible method. GlobalSign's Auto Enrollment Gateway Solution, makes it easy for organizations to automatically and often times silently install digital certificates to users and machines accessing the network, without the hassles of managing an internal PKI system.
Let's face it, cryptography is probably not your companies' core competency, nor do you have the staff to support the SLAs around a mission critical operations secured by PKI. I urge readers to examine the benefits of cloud based PKI solutions fully managed by GlobalSign's team of security experts.
Are you in the Energy or Utilities Sector? What do you think about the new guide on centralizing identity and access management systems? How is your business going to react to these changes? Tell us in the comments below.
