Feds Urge Energy Companies to Ramp Up Cyber Protections

Snvv/Shutterstock.com

NIST wants utilities companies to keep people from gaining unauthorized access to buildings, networks, data and control systems, potentially triggering power outages.

The federal government wants utilities companies to keep people from gaining unauthorized access to buildings, networks, data and control systems and potentially triggering power outages.

In a new guide, the National Institute of Standards and Technology aims to teach energy companies to protect their digital and physical assets by using a platform that lets them see who has access to any part of a system at any time.

NIST issued the draft guide, Identity and Access Management for Electric Utilities, after querying energy-sector representatives on their security challenges, NIST senior security engineer James McCarthy told Nextgov.

Because the electrical power industry is continually upgrading old infrastructure, NIST found, utilities companies often reported that identity and access management was handled separately by multiple departments throughout a company.

For instance, if a technician authorized to get into several of a utility company's assets quit her job, a decentralized identity management system would mean that managing her access after she left would be "cumbersome and time-consuming, even error-prone," the guide said. "Electric utilities need the ability to provide the right person with the right degree of access to the right resources at the right time, and quickly."

Without a good system, the guide said, utilities companies are more vulnerable to attack and power outages; they are also less able to trace and attribute those attacks to the individuals who had access to particular assets.

An effective system, according to NIST, would prevent unauthorized access by authenticating people with a very high degree of certainty before granting them access to devices and facilities. The resulting control policies -- to allow access, deny it or "inquire further" -- would need to be enforced consistently across all cyber and physical assets, rather than separately at each one.
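As an added illustration (example code written for this page, not NIST's reference design and not code from the draft guide), here is a small Python model of the centralized approach the guide describes: one identity store, enforcement points on a physical asset and a cyber asset that both defer to it, a policy that returns one of the three outcomes, and an audit trail that ties every decision to a named person and asset. It also plays out the departing-technician case above: deprovisioning is one change in the store rather than one change per asset. The asset names, role names and the two assurance levels are assumed for illustration.

```python
"""Added example (not from the NIST guide or the article): a single identity store
shared by enforcement points on cyber and physical assets. Asset names, role
names and the assurance scale are assumed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INQUIRE = "inquire"   # step-up: ask for a stronger credential before deciding


@dataclass
class Identity:
    user: str
    roles: frozenset
    active: bool = True


@dataclass
class Asset:
    name: str
    kind: str                 # "cyber" or "physical" (assumed labels)
    required_roles: frozenset
    min_assurance: int        # assumed scale: 1 = password only, 2 = password + hardware token


class IdentityStore:
    """Single source of truth for who exists and which roles they hold."""

    def __init__(self):
        self._users = {}

    def provision(self, user, roles):
        self._users[user] = Identity(user, frozenset(roles))

    def deprovision(self, user):
        # One change here is seen by every enforcement point on its next request.
        if user in self._users:
            self._users[user].active = False

    def lookup(self, user):
        return self._users.get(user)


def decide(store, user, asset, assurance):
    """Central policy: allow, deny or inquire further, same rules for every asset."""
    ident = store.lookup(user)
    if ident is None or not ident.active:
        return Decision.DENY                      # unknown or deprovisioned identity
    if not ident.roles & asset.required_roles:
        return Decision.DENY                      # no role that this asset accepts
    if assurance < asset.min_assurance:
        return Decision.INQUIRE                   # right person, credential too weak: step up
    return Decision.ALLOW


@dataclass
class EnforcementPoint:
    """A door controller or a server login hook; it keeps no user list of its own."""
    asset: Asset
    store: IdentityStore
    audit: list = field(default_factory=list)   # shared log: (user, asset, outcome)

    def request(self, user, assurance):
        decision = decide(self.store, user, self.asset, assurance)
        # Every decision is attributable to a named user and a named asset.
        self.audit.append((user, self.asset.name, decision.value))
        return decision


def demo():
    """Walk one technician through both asset types, then deprovision her."""
    store = IdentityStore()
    audit = []
    store.provision("tech.alice", {"field-tech"})
    gate = EnforcementPoint(Asset("substation-7-gate", "physical", frozenset({"field-tech"}), 1), store, audit)
    hmi = EnforcementPoint(Asset("scada-hmi-7", "cyber", frozenset({"field-tech", "ops"}), 2), store, audit)

    results = [
        gate.request("tech.alice", 1),   # badge at the gate: ALLOW
        hmi.request("tech.alice", 1),    # password only on the HMI: INQUIRE (token required)
        hmi.request("tech.alice", 2),    # password + token: ALLOW
    ]
    store.deprovision("tech.alice")      # she quits: one change, not one per asset
    results += [
        gate.request("tech.alice", 1),   # DENY at the door
        hmi.request("tech.alice", 2),    # DENY on the HMI, even with the strong credential
    ]
    return results, audit


if __name__ == "__main__":
    for user, asset, outcome in demo()[1]:
        print(f"{user} -> {asset}: {outcome}")
```

The point of the structure is that `decide` is the only place policy lives and `IdentityStore` is the only place identity lives; a badge reader and a SCADA host differ only in the `Asset` they guard, so revoking one identity closes both the door and the login in the same step, and the shared audit list is what lets an investigator later say who was granted access to which asset.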
