NIST SPECIAL PUBLICATION 1800-2B

Identity and Access Management for Electric Utilities

Volume B: Approach, Architecture, and Security Characteristics

Jim McCarthy
National Cybersecurity Center of Excellence
Information Technology Laboratory

Don Faatz
Harry Perper
Chris Peloquin
John Wiltberger
The MITRE Corporation
McLean, VA

Leah Kauffman, Editor-in-Chief
National Cybersecurity Center of Excellence
Information Technology Laboratory

July 2018

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-2

The first draft of this publication is available free of charge …s/library/sp1800/es-idam-nist-sp1800-2-draft.pdf

DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-2B, Natl. Inst. Stand. Technol. Spec. Publ. 1800-2B, 99 pages, (July 2018), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our Practice Guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at energy_nccoe@nist.gov.

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mail Stop 2002
Gaithersburg, MD 20899
Email: nccoe@nist.gov

NIST SP 1800-2B: Identity and Access Management for Electric Utilities

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework [1] and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://nccoe.nist.gov. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT). They must authenticate authorized individuals to the devices and facilities to which the companies are giving access rights with a high degree of certainty. In addition, they need to enforce access-control policies (e.g., allow, deny, inquire further) consistently, uniformly, and quickly across all of their resources. This project resulted from direct dialog among NCCoE staff and members of the electricity subsector, mainly from electric power companies and those who provide equipment and/or services to them. The goal of this project is to demonstrate a converged, standards-based technical approach that unifies identity and access management (IdAM) functions across OT networks, physical access control systems (PACS), and IT systems. These networks often operate independently, which can result in identity and access information disparity, increased costs, inefficiencies, and a loss of capacity and service delivery capability. Also, these networks support different infrastructures, each with unique security risks. The converged IdAM solution must be constructed to effectively address the highest-risk infrastructure.

This guide describes our collaborative efforts with technology providers and …pany stakeholders to address the security challenges that energy providers face in the core function of IdAM. This guide offers a technical approach to meeting the challenge and also incorporates a business-value mindset by identifying the strategic considerations involved in implementing new technologies. This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end example solution that can be tailored and implemented by energy providers of varying sizes and levels of IT sophistication. It shows energy providers how we met the challenge by using open-source and commercially available tools and technologies that are consistent with cybersecurity standards. The use-case scenario is based on a normal day-to-day business operational scenario that provides the underlying impetus for the functionality presented in this guide. While the reference solution was demonstrated with a certain suite of products, this guide does not endorse these specific products. Instead, this guide presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with an energy provider’s existing tools and infrastructure.

KEYWORDS

cyber, physical, and operational security; cybersecurity; electricity subsector; energy sector; identity and access management; information technology

ACKNOWLEDGMENTS

We are grateful to the following individuals for their generous contributions of expertise and time.

Name                              Organization
Jasvir Gill                       AlertEnterprise
Srini Kakkera                     AlertEnterprise
Srinivas Adepu                    AlertEnterprise
Pan Kamal                         AlertEnterprise
Mike Dullea                       CA Technologies
Ted Short                         CA Technologies
Alan Zhu                          CA Technologies
Peter Romness                     Cisco Systems
Lila Kee                          GlobalSign
Sid Desai                         GlobalSign
Paul Townsend                     Mount Airey Group (MAG)
Joe Lloyd                         Mount Airey Group (MAG)
Paul Timmel                       National Security Agency
Victoria Pillitteri               NIST
Jonathan Margulies                Qmulos
Ayal Vogel                        Radiflow
Dario Lobozzo                     Radiflow
Steve Schmalz                     RSA
Tony Kroukamp (The SCE Group)     RSA
Kala Kinyon (The SCE Group)       RSA
Ulrich Schulz                     RSA
Dave Barnard                      RS2 Technologies
David Bensky                      RS2 Technologies
Rich Gillespie (IACS Inc.)        RS2 Technologies
George Wrenn                      Schneider Electric
Michael Pyle                      Schneider Electric
Bill Johnson                      TDi Technologies
Pam Johnson                       TDi Technologies
Clyde Poole                       TDi Technologies
Nadya Bartol                      Utilities Telecom Council (UTC)
Danny Vitale                      XTec

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator   Build Involvement
AlertEnterprise                   User access authorization provisioning
CA Technologies                   IdAM workflow, provisions identities and authorizations to Active Directory instances
Cisco Systems                     Network access control
GlobalSign                        Provides North American Energy Standards Board (NAESB)-compliant X.509 certificates
Mount Airey Group (MAG)           Manages attributes that control access to high-value transactions
Radiflow                          Controls communication among industrial control system (ICS) devices
RSA                               IdAM workflow, provisions identities and authorizations to Active Directory instances
RS2 Technologies                  Controls physical access
Schneider Electric                Controls access to devices in the ICS / Supervisory Control and Data Acquisition (SCADA) network
TDi Technologies                  Controls and logs access to ICS devices by people (ICS engineers and technicians)
XTec                              Provides Personal Identity Verification Interoperable (PIV-I) smart-card credentials and a physical-access control capability using the smart card

Contents

…y . 7
4.3.2 Modularity . 7
4.3.3 Human Resources Database/Identity Vetting . 7
4.3.4 Identity Federation . 7
4.3.5 Technical Implementation . 8
4.3.6 Limited Scalability Testing . 8
4.3.7 Replication of Enterprise Network . 8
4.4.1 Assessing Risk Posture . 8
4.4.2 Managing Security Risk from Converged IdAM . 10
4.4.3 Risk . 10
4.4.4 Security Control Map . 11
5.1.1 Physical Access Control System Silo . 25
5.1.2 Operational Technology Silo . 26
5.1.3 Information Technology Silo . 28
5.3.1 Build #1 . 31
5.3.2 Build #2 . 33
5.3.3 Implementation of the Use-Case Illustrative Scenario . 34
5.6.1 Build Architecture Components Overview . 41
5.6.2 Build Network Components . 44
5.6.3 Operational Technology Network . 44
5.6.4 Information Technology Network . 46
5.6.5 Physical Access and Control System Network . 47
5.6.6 Identity and Access Management Network . 48
5.6.7 Access Authorization Information Flow and Control Points . 51
5.9.1 Scope . 58
5.9.2 Security Characteristics Evaluation Assumptions and Limitations . 59
5.9.3 Example Solution Analysis . 60
5.9.4 Security Characteristics Addressed . 62
5.9.5 Assessment of Reference Architecture . 64
5.9.6 Security Recommendations . 69
5.9.7 Security Characteristics Evaluation Summary . 71

List of Figures

Figure 5-1 IdAM Capabilities . 21
Figure 5-2 IdAM Example Solution . 23
Figure 5-3 Notional PACS Architecture . 26
Figure 5-4 Notional OT Silo Architecture . 27
Figure 5-5 Notional IT Silo Architecture . 28
Figure 5-6 Build #1 . 31
Figure 5-7 Build #2 . 33
Figure 5-8 Supporting Components . 37
Figure 5-9 Build #3 . 38
Figure 5-10 Management and Production Networks . 42
Figure 5-11 IdAM Build Architecture Production Network . 43
Figure 5-12 OT Network . 45
Figure 5-13 IT Network . 46
Figure 5-14 PACS Network . 47
Figure 5-15 Central IdAM Network, Build #1 . 49
Figure 5-16 Central IdAM Network, Build #2 . 50
Figure 5-17 Access and Authorization Information Flow for OT ICS/SCADA Devices . 52
Figure 5-18 Access and Authorization Information Flow for the PACS Network, Build #1 . 54
Figure 5-19 Access and Authorization Information Flow for the PACS Network, Build #2 . 55
Figure 5-20 Access and Authorization Information Flow for the IT Network . 56
Figure 5-21 Example Process for Determining the Security Standards-Based Attributes for the Example Solution . 62

List of Tables

Table 4-1 Use-Case Security Characteristics Mapped to Relevant Standards and Controls . 12
Table 4-2 Products and Technologies Used to Satisfy Security Control Requirements . 15
Table 5-1 Build Architecture Component List . 40
Table 5-2 NERC CIP Version 5 Requirements . 57
Table 5-3 IdAM Components and Security Capability Mapping . 60
Table 6-1 Test-Case Fields . 72
Table 6-2 IdAM Functional Requirements . 73
Table 6-3 Test Case IdAM-1 . 75
Table 6-4 Test Case IdAM-2 . 78
Table 6-5 Test Case IdAM-3 . 80
Table 6-6 Sample Attributes . 84
Table 6-7 Search Results . 84

1 Summary

When the National Cybersecurity Center of Excellence (NCCoE) met with electricity subsector stakeholders, they told us they need a more secure and efficient way to protect access to networked devices and facilities. The NCCoE developed an example solution to this problem by using commercially available products.

The NCCoE’s approach provides a converged access management system that reduces the risk of disruption of service by reducing opportunities for cyber attack or human error.

This example solution is packaged as a “How-To” guide that demonstrates how to implement standards-based cybersecurity technologies in the real world, based on risk analysis and regulatory requirements. This guide helps organizations to gain efficiencies in identity and access management (IdAM), while saving them research and proof of concept costs.

1.1 Challenge

As the electric power industry upgrades older infrastructure to take advantage of emerging technologies, utilities are also moving toward greater operational technology (OT) and information technology (IT) convergence. This all
