U.S. electric utilities should pay close attention to their authentication systems and access controls to reduce data breaches, a government agency says in a new cybersecurity guide.
About 5 percent of all cybersecurity incidents that the U.S. Department of Homeland Security’s industrial control cyber team responded to in 2014 were tied to weak authentication, said the U.S. National Institute of Standards and Technology (NIST). Another four percent of industrial control incidents were related to abuses of access authority, the agency said.
The new cybersecurity guide, released in draft form by NIST’s National Cybersecurity Center of Excellence (NCCoE) Tuesday, focuses on helping energy companies reduce their cybersecurity risks by showing them how they can control access to facilities and devices from a single console.
“The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks,” the guide says.
Part of the problem is that many energy utilities have decentralized identity and access management systems “controlled by numerous departments,” according to the guide. That decentralized approach can lead to an inability to identify sources of a problem or attack and a lack of “overall traceability and accountability regarding who has access to both critical and noncritical assets.”
The publication recommends a centralized access-control system, with the NCCoE developing an example system that utilities can use.
The guide offers step-by-step instructions allowing utilities to “reduce their risk and gain efficiencies in identity and access management,” Donna Dodson, director of the NCCoE, said in a statement.
A 306-page document shows security engineers how to set up two versions of a centralized access-control system using commercially available products, with a focus on reducing opportunities for a cyberattack and for human error.
Working with security experts from the energy sector, the NCCoE staff also developed a scenario describing a security challenge based on normal day-to-day business operations.
The scenario centers on a utility technician who has access to several physical substations and to remote terminal units connected to the company’s network in those substations. When she leaves the company, her privileges should be revoked, but without a centralized identity management system, managing routine events can be time-consuming.
NIST is seeking comments on the draft guide.