Federal agency updates guidance on grid protection

By Blake Sobczak, Peter Behr | 08/26/2015 07:11 AM EDT

The National Institute of Standards and Technology is stepping up its efforts to help energy companies keep their critical networks under lock and key.

The nonregulatory agency announced yesterday that it’s seeking input on a draft how-to guide for managing access to electric utilities, from their physical control rooms to any Internet-connected computers.

Separately, NIST recently updated its voluminous advisory for the vital industrial control systems (ICS) that operate the electric power grid and other critical infrastructure facilities.

Both documents reflect the U.S. government’s concern for the security of the modern grid as operators face off against increasingly complex threats.

The access control publication, for instance, showed how an energy company could streamline the way its employees gain or lose access to certain work environments. In its Maryland labs, NIST’s National Cybersecurity Center of Excellence modeled an electricity company’s entire information technology system to test-run its how-to guide.

The final product "demonstrates how organizations can reduce their risk and gain efficiencies in identity and access management," said Donna Dodson, director at the Center of Excellence. "It provides step-by-step instructions to help organizations as they tackle the challenges of identity and access management."

NIST pointed out that 5 percent of the cybersecurity incidents reported through the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team involved weak authentication, while 4 percent of cases had to do with improper access authority.

The agency hopes that utilities will be able to effectively copy and paste the sample use case into their own facilities, although NIST pointed out that it is not endorsing any particular product or solution. In the past, NIST has acknowledged that it can be hard to keep track of private-sector participation, as the guides the agency produces are voluntary.

Still, NIST assembled the document with input from the energy sector, including major utility equipment vendors Cisco Systems Inc. and Schneider Electric.

While the access control guide focused on one aspect of grid security — identity management — NIST’s nearly 250-page "Guide to Industrial Control Systems Security" takes a much broader approach in light of rapid technological changes.

"Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters," NIST said in the guide’s newly released second revision.

The report’s authors highlight expanding cybersecurity risks as Internet-linked digital controls, monitors and smart meters replace one-of-a-kind proprietary control systems and other legacy systems. NIST said it is supporting a review of cybersecurity threats involving advanced electric meters, cloud computing, cyberthreats linked to infrastructure companies’ vendors and privacy issues.

"As ICS are adopting IT [information technology] solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems," NIST said.

NIST’s message to industry: Be prepared

NIST noted that for critical infrastructure systems — power networks, emergency services and fuel pipelines topping the list — major cyber breaches can cause death and injury, not just financial losses and privacy compromises. It urged the industry to create and rehearse contingency plans for a full range of real-world attacks or failures.

"Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cybersecurity intrusions, and alternatives to achieve necessary interfaces and coordination," NIST said.

Attorneys for law firm Ballard Spahr, in a commentary yesterday, said that "the NIST guide serves as a pointed reminder to manufacturing and energy companies and other providers of critical infrastructure that securing the ICS should be made a top priority and systematically addressed before irreversible consequences are suffered."

"The fact that the NIST updated this report, and saw fit to republish it, means that this is a matter that still needs to be addressed," said Odia Kagan, one of the authors of the law firm’s comment. "There is still more work to be done."

In addition to the ICS guide, NIST issued its 2014 voluntary Cybersecurity Framework of best cyberdefense practices, developed after lengthy consultation with U.S. businesses, and it continues to support the framework’s adoption, the agency said.

The high-voltage, interstate power network is the only critical infrastructure sector with mandatory and enforceable cybersecurity standards, drafted by NERC. "It’s difficult to know the extent to which the NIST recommendations are being implemented. And I don’t know that this will ever be public knowledge," Kagan said.