Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been working on a cybersecurity project involving asset management to help energy utilities and the oil and gas industry develop an automated solution to better manage their industrial control system (ICS) assets.
The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. The NCCoE has just released the draft practice guide NIST Special Publication (SP) 1800-23, Energy Sector Asset Management.
This project explores methods for managing, monitoring, and baselining assets and includes information to help identify threats to these OT assets. Both standards and best practices were used to develop reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.
TDi's flagship product, ConsoleWorks Cybersecurity & Operations Platform, is one of the commercial solutions used, alongside others, in the example implementation built for this project.
To complete this guide, the NCCoE collaborated with other technology vendors, including Dragos, Forescout, FoxGuard Solutions, KORE Wireless Group, Splunk, and Tripwire. The NCCoE believes the guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on November 25, 2019.
FAQs related to ESAM
Below is a set of FAQs specific to NIST SP 1800-23, Energy Sector Asset Management (ESAM) Practice Guide. Please share this information with your communications/public relations departments, as they may use it as a basis for personalized talking points. If you make significant changes to better appeal to your primary audience, please send them to Lauren Acierto (lacierto@mitre.org) for review, allowing for a five-business-day turnaround.
Why did the National Cybersecurity Center of Excellence (NCCoE) create this guide?
Industrial control system assets provide command and control information as well as key functions on OT networks. These assets are primary targets of cyberattacks, and any vulnerabilities in them can present opportunities for malicious actors to disrupt both the electric grid and oil and natural gas infrastructure. Such disruptions can result in economic loss and interruption of critical services to millions of people. This guide was created to provide a reference architecture and an example solution for managing, monitoring, and baselining assets, and it includes information to help identify threats to these OT assets.
What is this practice guide about?
This guide describes methods for managing, monitoring, and baselining assets and also includes information to help identify threats to these OT assets. The guide includes a reference design and uses commercially available technologies in an example solution that will help energy organizations address the security challenges of OT asset management.
What is energy sector asset management?
Asset management is defined in the NIST Cybersecurity Framework as the identification and management of data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes, consistent with their relative importance to business objectives and the organization’s risk strategy. In this guide we are addressing the following characteristics of asset management in the energy sector:
- Asset Discovery: establishment of a full baseline of physical and logical locations of assets
- Asset Identification: capture of asset attributes, such as manufacturer, model, operating system (OS), Internet Protocol (IP) addresses, media access control (MAC) addresses, protocols, patch-level information, and firmware versions
- Asset Visibility: continuous identification of newly connected or disconnected devices, and IP (routable and non-routable) and serial connections to other devices
- Asset Disposition: the level of criticality (high, medium, or low) of a particular asset, its relation to other assets within the OT network, and its communication (to include serial) with other devices
- Alerting Capabilities: detection of a deviation from the expected operation of assets
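As an added illustration of the discovery, visibility, and alerting characteristics listed above (example code written for this page, not code from NIST SP 1800-23 or from any product in the guide; the asset records, MAC-style identifiers, and 10.0.1.x addresses are constructed sample data), the following Python compares a fresh network scan against an approved baseline inventory and raises alerts for new, missing, and changed assets, ordered by the criticality assigned under asset disposition:

```python
"""Baseline comparison for an OT asset inventory (illustrative example).

Not code from NIST SP 1800-23 or from any product named in the guide.
Every asset record below is constructed sample data; the MAC-style
asset_id keys and 10.0.1.x addresses do not refer to real devices.
"""
from dataclasses import dataclass

# Attributes captured under Asset Identification; a change in any of them
# is reported as a deviation from the baseline.
TRACKED_ATTRIBUTES = ("manufacturer", "model", "os", "firmware", "protocols")

# Ranking used to sort alerts so the most critical assets surface first.
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Asset:
    asset_id: str               # stable key; here the MAC address (assumption)
    ip: str
    manufacturer: str
    model: str
    os: str
    firmware: str
    protocols: frozenset        # protocols observed on the wire
    criticality: str = "medium" # high / medium / low (Asset Disposition)


def inventory(*assets):
    """Index assets by their stable identifier."""
    return {a.asset_id: a for a in assets}


# Approved baseline: result of the initial discovery pass (constructed data).
BASELINE = inventory(
    Asset("00:11:22:33:44:01", "10.0.1.10", "ExampleCo", "P-200", "RTOS 3.1",
          "3.1.4", frozenset({"modbus/tcp"}), "high"),
    Asset("00:11:22:33:44:02", "10.0.1.11", "ExampleCo", "R-50", "RTOS 2.0",
          "2.0.1", frozenset({"dnp3"}), "medium"),
    Asset("00:11:22:33:44:03", "10.0.1.20", "ExampleCo", "HMI-1", "Windows 10",
          "n/a", frozenset({"opc-ua"}), "low"),
)

# A later scan (constructed data): the RTU's firmware changed and it now
# speaks telnet, an unknown device appeared, and the HMI is no longer seen.
SCAN = inventory(
    Asset("00:11:22:33:44:01", "10.0.1.10", "ExampleCo", "P-200", "RTOS 3.1",
          "3.1.4", frozenset({"modbus/tcp"}), "high"),
    Asset("00:11:22:33:44:02", "10.0.1.11", "ExampleCo", "R-50", "RTOS 2.0",
          "2.0.3", frozenset({"dnp3", "telnet"}), "medium"),
    Asset("00:11:22:33:44:99", "10.0.1.77", "unknown", "unknown", "unknown",
          "unknown", frozenset({"ssh"})),
)


def detect_deviations(baseline, scan):
    """Return alert records for new, missing, and changed assets.

    New devices are rated high because nothing is known about them yet;
    other alerts inherit the criticality recorded in the baseline.
    """
    alerts = []
    for asset_id, seen in scan.items():
        known = baseline.get(asset_id)
        if known is None:
            alerts.append({"type": "new_device", "asset_id": asset_id,
                           "ip": seen.ip, "criticality": "high"})
            continue
        for attr in TRACKED_ATTRIBUTES:
            before, after = getattr(known, attr), getattr(seen, attr)
            if before != after:
                alerts.append({"type": "attribute_changed", "asset_id": asset_id,
                               "attribute": attr, "before": before, "after": after,
                               "criticality": known.criticality})
    for asset_id, known in baseline.items():
        if asset_id not in scan:
            alerts.append({"type": "device_missing", "asset_id": asset_id,
                           "ip": known.ip, "criticality": known.criticality})
    # Stable sort keeps detection order within the same criticality.
    alerts.sort(key=lambda a: CRITICALITY_RANK[a["criticality"]])
    return alerts


def run_example():
    """Compare the constructed scan against the constructed baseline."""
    return detect_deviations(BASELINE, SCAN)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In a real deployment the baseline would be populated by the discovery tooling and the scan by a passive monitor or periodic active probe; the comparison logic is the same. Keying on a MAC address is an assumption made here for brevity, and it is weak for serially connected or NAT-ed devices, so a production inventory would key on a combination of attributes rather than a single one.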
Will energy sector executives find value in this practice guide?
Yes! The NCCoE’s Energy Sector Asset Management Practice Guide can help an organization:
- Reduce cybersecurity risk and potentially reduce the impact on safety and operations, such as power disruption.
- Develop and execute a strategy that provides continuous OT asset management and monitoring.
- Enable faster responses to security alerts through automated detection of cybersecurity events and attacks.
- Implement current cybersecurity standards and best practices while maintaining the performance of energy infrastructures.
Will energy sector information technology (IT) professionals find value in this practice guide?
Yes! This guide assumes that IT professionals have experience implementing security products within the enterprise. The practice guide builds on this knowledge, so that IT professionals who opt to implement ESAM in their organizations will find practical and actionable information throughout the entire guide. Here’s why:
- Clear instructions — The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than recreating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to recreate the example implementations.
- The technology is commercially available and adaptable — A suite of commercial products was used to build the example implementations in our lab (this guide does not endorse these products). An organization can replicate the example implementation(s) in its own environment or can use this guide as a starting point for tailoring and implementing parts of the asset management capabilities demonstrated. An organization's security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
- The guide maps to both cybersecurity standards and best practices — IT professionals can use our step-by-step guide to inform and develop a strategy by selecting from several different asset management capabilities that best meet their organization's needs. For example, Volume B, Section 1.2.1, lists the standards and guidance that influenced development of the example implementations. Section 3.5 in Volume B lists the products and technology used in this project and the NIST Cybersecurity Framework subcategory that each product addresses in the example implementation. Finally, work roles are mapped to the NICE Cybersecurity Workforce Framework to assist IT managers with understanding what skills are needed to execute and manage ESAM example implementations.
- Expert-vetted architecture and reference designs — The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the energy sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part, providing utilities, oil and gas companies, and other enterprises with the detailed information they need to replicate ESAM example implementations.
*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization's security experts can use to identify similar standards-based products that will fit within their organization's existing tools and infrastructure.