Menu
US agency tells electric utilities to shore up authentication

US agency tells electric utilities to shore up authentication

NIST's new publication focuses on authentication and access control

U.S. electric utilities should pay close attention to their authentication systems and access controls to reduce data breaches, a government agency says in a new cybersecurity guide.

About 5 percent of all cybersecurity incidents that the U.S. Department of Homeland Security's industrial control cyber team responded to in 2014 were tied to weak authentication, said the U.S. National Institute of Standards and Technology (NIST). Another four percent of industrial control incidents were related to abuses of access authority, the agency said.

The new cybersecurity guide, released in draft form by NIST's National Cybersecurity Center of Excellence (NCCoE) Tuesday, focuses on helping energy companies reduce their cybersecurity risks by showing them how they can control access to facilities and devices from a single console.

NIST electric cyber guide Screenshot
A new guide from the U.S. National Insititute of Standards and Technology offers advice to electric utilities on preventing cyberattacks through better access control.

"The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks," the guide says.

Part of the problem is that many energy utilities have decentralized identity and access management systems "controlled by numerous departments," according to the guide. That decentralized approach can lead to an inability to identify sources of a problem or attack and a lack of "overall traceability and accountability regarding who has access to both critical and noncritical assets."

The publication recommends a centralized access-control system, with the NCCoE developing an example system that utilities can use.

The guide offers step-by-step instructions allowing utilities to "reduce their risk and gain efficiencies in identity and access management," Donna Dodson, director of the NCCoE, said in a statement.

A 306-page document shows security engineers how to set up two versions of a centralized access-control system using commercially available products, with a focus on reducing opportunities for a cyberattack and for human error.

Working with security experts from the energy sector, the NCCoE staff also developed a scenario describing a security challenge based on normal day-to-day business operations.

The scenario centers on a utility technician who has access to several physical substations and to remote terminal units connected to the company's network in those substations. When she leaves the company, her privileges should be revoked, but without a centralized identity management system, managing routine events can be time-consuming.

NIST is seeking comments on the draft guide.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments