Understanding NIST CyberSecurity Practice Guide for Energy Sector Asset Management

by Paresh Borkar

In an earlier blog post from May 2019 titled “Energy sector at risk of cyber attacks!”, we talked about how the energy sector is on the cusp of cyber attacks across the globe. This is a shared sentiment, as is evident from the recent NIST Special Publication 1800-23 (link to complete publication for those interested) titled “Energy Sector Asset Management [ESAM] for Electric Utilities, Oil & Gas Industry”. This publication has three volumes:

  • Volume A – Executive Summary
  • Volume B – Approach, Architecture, and Security Characteristics
  • Volume C – How-To Guides

To make things more real-life, the National Cybersecurity Center of Excellence at NIST built a laboratory to demonstrate how energy organizations can strengthen their Operational Technology (OT) asset management practices by leveraging capabilities that may already exist within their operating environment or by implementing new capabilities. This was done in collaboration with experts from the energy sector and technology vendors.

Energy companies own, operate and maintain critical OT assets (Industrial Control System [ICS], Programmable Logic Controllers [PLC], Intelligent Electronic Devices [IED], etc.) which must be monitored and managed to reduce the risk of cyber attacks. NIST publication volume B mentions that having an accurate OT asset inventory is a critical component of any overall cybersecurity strategy.

Section 3.4 “Risk Assessment” specifically talks about “Threats” and “Vulnerabilities” in sections 3.4.1 and 3.4.2 respectively. The publication mentions that a vulnerability may exist inherently within a device or within the design, operation and architecture of the system. These vulnerabilities can be classified into the following categories (as per NIST SP 800-82):

  1. Policy and Procedure – incomplete, inappropriate, or nonexistent security policy, including its documentation, implementation guides and enforcement
  2. Architecture and Design – design flaws, development flaws, poor administration, and connections with other systems and networks
  3. Configuration and Maintenance – misconfiguration and poor maintenance
  4. Physical – lack of or improper access control, malfunctioning equipment
  5. Software Development – improper data validation, security capabilities not enabled, inadequate authentication privileges
  6. Communication and Network – nonexistent authentication, insecure protocols, improper firewall configurations

You will notice that apart from points #1 and #4 above, most of the categories are related to software in general.

Further in section 3.4.3 “Risk”, it is highlighted that one of the key tactical risks is “lack of knowledge of asset vulnerabilities and available patches”. In our earlier blog, we had described a Denial of Service attack which affected a Western utility company as a result of a missing patch.

It is critical that the OT Asset Management System (aka ESAM – Energy Sector Asset Management) receives threat and vulnerability information from external sources. This maps to requirement [ID.RA-2] of the CyberSecurity Framework for ESAM. The NIST NICE role of “Vulnerability Assessment Analyst” is also an important role for requirement [ID.RA-2].
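
To make the idea of feeding external vulnerability information into an OT asset inventory concrete, here is an added example (not code from the NIST guide or from ThreatWatch) that correlates an inventory with an advisory feed and reports which assets are missing a patch. All vendors, models, firmware versions and advisory IDs are constructed sample data, and the code assumes firmware versions are dotted numbers.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str       # e.g. PLC, IED
    vendor: str
    model: str
    firmware: str   # dotted numeric version as reported by the device

@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    vendor: str
    model: str
    fixed_in: str   # first firmware version that contains the patch

def parse_version(text):
    """'2.10.0' -> (2, 10): numeric compare, trailing zeros ignored."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def find_exposures(inventory, advisories):
    """Return (findings, unknown): assets below the fixed version, and
    affected models whose firmware string cannot be assessed."""
    index = {}
    for adv in advisories:
        key = (adv.vendor.strip().lower(), adv.model.strip().lower())
        index.setdefault(key, []).append(adv)
    findings, unknown = [], []
    for asset in inventory:
        key = (asset.vendor.strip().lower(), asset.model.strip().lower())
        matches = index.get(key, [])
        if not matches:
            continue
        try:
            current = parse_version(asset.firmware)
        except ValueError:
            unknown.append(asset.asset_id)  # a gap in the inventory, not "safe"
            continue
        for adv in matches:
            if current < parse_version(adv.fixed_in):
                findings.append((asset.asset_id, adv.advisory_id, adv.fixed_in))
    return findings, unknown

# Constructed sample inventory and advisory feed.
INVENTORY = [Asset("plc-01", "PLC", "ExampleVendor", "X100", "2.9.4"),
             Asset("plc-02", "PLC", "ExampleVendor", "X100", "2.10.0"),
             Asset("ied-07", "IED", "SampleCorp", "R7", "unknown")]
ADVISORIES = [Advisory("ADV-CONSTRUCTED-001", "examplevendor", "x100", "2.10"),
              Advisory("ADV-CONSTRUCTED-002", "SampleCorp", "R7", "4.2.1")]
```

Assets that land in the `unknown` list are the inventory-accuracy problem the guide warns about: the model is affected, but the recorded firmware is not good enough to say whether the patch is present.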

For more details on how ThreatWatch can help you improve your security posture as per NIST publication, please write to us at info@threatwatch.io

We are participating in the CyberCon at Anaheim Convention Center [November 19th – 21st 2019]. Drop us a note for a meeting.


