Identity and Access Management (IdAM)

Download the Practice Guide

The NCCoE has released the draft version of NIST Cybersecurity Practice Guide SP 1800-2, Identity and Access Management (IdAM).

Summary

As the electric power industry upgrades older, outdated infrastructure to take advantage of emerging technologies, utilities are also moving towards greater information technology (IT) and operational technology (OT) convergence. This allows greater numbers of technologies, devices, and systems to connect to the grid to improve efficiency, provide access to data normally held in silos, and enhance productivity.

One such area that touches a utility’s IT and OT departments is identity and access management. Many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.

To help the energy sector address this cybersecurity challenge, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.

Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

Read the two-page fact sheet or the press release from NIST. For archival purposes, you may download the project description.

To get the latest information on our work in the energy sector, sign up for our energy email topic. NCCoE energy sector team meeting presentations and notes can be found in the NCCoE library.

If you are an energy sector stakeholder or a technology vendor, and you would like to collaborate with the NCCoE on energy sector projects, please email us at energy_nccoe@nist.gov.

Collaborating Vendors

AlertEnterprise
CA Technologies
Cisco
GlobalSign
Mt. Airey Group
Radiflow
RS2 Technologies
RSA
Schneider Electric
TDI Technologies
XTec

The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.

Disclaimer: Certain commercial entities, equipment, products, or materials may be identified in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.