The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released a final cybersecurity practice guide involving asset management to help energy utilities and the oil and gas industry develop an automated solution to better manage their industrial control system (ICS) assets. To complete this guide, the NCCoE collaborated with other technology vendors, including Dragos, Forescout, FoxGuard Solutions, KORE Wireless Group, Splunk, and Tripwire.
Energy sector companies rely on industrial control system (ICS) assets within OT environments to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. Given the growing complexity and critical role of these ICS assets, energy companies must be able to effectively identify, control, and monitor all of their OT assets to strengthen cybersecurity. We show how OT asset management practices can be enhanced by leveraging tools that may already exist in their environment or by implementing new capabilities.
This practice guide aims to help energy sector companies implement an asset management solution to monitor and manage OT assets at all times. Standards and best practices were used to deploy strong asset management solutions using commercially available technology.
This project explores methods for managing, monitoring, and baselining assets and includes information to help identify threats to these OT assets. Both standards and best practices were used to develop reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.
ConsoleWorks and Other Vendors Collaborate | The Third in a Series of Cybersecurity Guides for the Energy Sector
This publication caps off a body of work at the NCCoE that presents energy sector companies with a solid foundation for cybersecurity:
- Identity and Access Management: Control who is on your IT and OT networks and in your facilities
- Energy Sector Asset Management: Know what is on your IT and OT networks
- Situational Awareness for Electric Utilities: Understand what the people and things on your networks are doing
The NCCoE believes the guide addresses a critical cybersecurity and economic need. Please download the practice guide and let the NCCoE know if you implemented or adopted the solution in part or in whole.
The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. The NCCoE has just released final practice guide NIST Special Publication 1800-23, Energy Sector Asset Management.
Frequently Asked Questions (FAQs)
Below is a set of FAQs specific to NIST SP 1800-23, Energy Sector Asset Management Practice Guide. Please share this information with your communications/public relations departments, as they may use it as a basis for personalized talking points. If significant changes will be made to better appeal to your primary audience, please send them to Lauren Acierto (lacierto@mitre.org) or Eileen Division (edivision@mitre.org) for review, allowing for a five-business-day turnaround.
Why did the National Cybersecurity Center of Excellence (NCCoE) create this guide?
Industrial control system assets provide command and control information as well as key functions on OT networks. These assets are primary targets of cyber attacks, and any vulnerabilities in them can present opportunities for malicious actors to disrupt both the electric grid and oil and natural gas infrastructure. Such disruptions can result in economic loss and interruption of critical services to millions of people. This guide was created to provide a reference architecture and an example solution for managing, monitoring, and baselining assets, and includes information to help identify threats to these OT assets.
What is this practice guide about?
This guide describes methods for managing, monitoring, and baselining assets and also includes information to help identify threats to these OT assets. The guide includes a reference design and uses commercially available technologies in an example solution that will help energy organizations address the security challenges of OT asset management.
What is energy sector asset management?
Asset management is defined in the NIST Cybersecurity Framework as the identification and management of data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes, consistent with their relative importance to business objectives and the organization’s risk strategy. In this guide we are addressing the following characteristics of asset management in the energy sector:
- Asset Discovery: establishment of a full baseline of physical and logical locations of assets
- Asset Identification: capture of asset attributes, such as manufacturer, model, operating system (OS), Internet Protocol (IP) addresses, media access control (MAC) addresses, protocols, patch-level information, and firmware versions
- Asset Visibility: continuous identification of newly connected or disconnected devices, and IP (routable and non-routable) and serial connections to other devices
- Asset Disposition: the level of criticality (high, medium, or low) of a particular asset, its relation to other assets within the OT network, and its communication (to include serial) with other devices
- Alerting Capabilities: detection of a deviation from the expected operation of assets
Will energy sector executives find value in this practice guide?
Yes! The NCCoE’s Energy Sector Asset Management Practice Guide can help an organization:
- Reduce cybersecurity risk and potentially reduce impact to safety and operational risk such as power disruption.
- Develop and execute a strategy that provides continuous OT asset management and monitoring.
- Enable faster responses to security alerts through automated cybersecurity event/attack capabilities.
- Implement current cybersecurity standards and best practices while maintaining the performance of energy infrastructures.
Will energy sector information technology (IT) professionals find value in this practice guide?
Yes! This guide assumes that IT professionals have experience implementing security products within the enterprise. The practice guide builds on this knowledge, so that IT professionals who opt to implement ESAM in their organizations will find practical and actionable information throughout the entire guide. Here’s why:
- Clear instructions — The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than recreating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to recreate the example implementations.
- The technology is commercially available and adaptable — A suite of commercial products was used to build the example implementations (this guide does not endorse these products) in our lab. An organization can replicate the example implementation(s) in its own environment or can use this guide as a starting point for tailoring and implementing parts of the asset management capabilities demonstrated. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
- The guide maps to both cybersecurity standards and best practices — IT professionals can use our step-by-step guide to inform and develop a strategy by selecting from several different asset management capabilities that best meet their organization’s needs. For example, Volume B, Section 1.2.1, lists the standards and guidance that influenced development of the example implementations. Section 3.5 in Volume B lists the products and technology used in this project and the NIST Cybersecurity Framework security control(s) subcategory that the product addresses in the example implementation. Finally, work roles are mapped to the NICE Cybersecurity Framework to assist IT managers with understanding what skills are needed to execute and manage ESAM example implementations.
- Expert-vetted architecture and reference designs — The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the energy sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing utilities, gas & oil industries, and other enterprises with the detailed information they need to replicate ESAM example implementations.