Electric Energy T&D, May-June 2008 Issue

Their Associated Mitigations,” published in March of 2007 (http://www.nerc.com/~filez/cipfiles.html), NERC and the U.S. Department of Energy identified the following as critical vulnerabilities in the energy industry:
• Inadequate policies, procedures and culture that govern control system security;
• Inadequately designed control system networks lacking sufficient defense-in-depth mechanisms;
• Remote access to the control system without appropriate access control;
• System administration mechanisms and software used in control systems are not adequately scrutinized or maintained;
• Use of inadequately secured Wi-Fi wireless communication for control;
• Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes;
• Insufficient application of tools to detect and report anomalous or inappropriate activity;
• Unauthorized or inappropriate applications or devices on control system networks;
• Control systems command and control data not authenticated; and
• Inadequately managed, designed, or implemented critical support infrastructure.
In the report, NERC and the U.S. Department of Energy also issued a set of recommended mitigations for these vulnerabilities, which include the following:
• Document, implement and regularly update a cyber security policy that represents management’s commitment and ability to secure its critical infrastructure assets;
• Ensure policies and procedures comprehensively include other parts of the enterprise, vendors, or contractors as appropriate;
• Implement strong procedural or technical controls at the access points to the electronic security perimeter to ensure authenticity of the accessing party (e.g., restrict remote access to field devices);
• Don’t allow unauthenticated remote access to the control system;
• Implement physical security of network access points, including access control, or electronic methods for restricting access (e.g., MAC address filtering);
• Develop and implement policy for managing user and system access, including password policies; change all default passwords where possible;
• Use secure communication technology when the Internet is used for sensitive communications (e.g., VPN, SSH, SSL, IPSEC);
• External connections should be controlled and secured with an authentication method, firewall, or physical disconnection when not in use;
• Define levels of access based on roles or work requirements. Assign access level and unique identifiers for each operator. Isolate user access to compartmentalized areas based on specific user needs;
• Use multifactor authentication (e.g., two-factor, non-re-playable credentials);
• Use proximity based authentication technology, such as RFID tokens;
• Revoke authorization rights and access privileges of users upon termination or transfer; automate removal of user accounts tied to badge systems or human resources upon employee termination;
• Remove, disable or rename administrator, shared and other generic account privileges including factory default accounts where possible; and
• Establish methods, processes and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity.
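Several of the access-control mitigations above (unique identifiers per operator, access levels defined by role, automated revocation driven by the HR system, and an audit trail of individual account activity) fit together in one small identity model. The Python below is an added example written for this page, not code from the article, NERC or any vendor; every operator ID, role, asset name and HR record in it is constructed.

```python
# Added example (not from the article): a minimal identity-management model
# covering unique operator IDs, role-based access levels, automated revocation
# from an HR status feed, and an audit trail of every access decision.
# All operators, roles, assets and HR records below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> control-system actions that role may perform (constructed policy).
ROLE_PERMISSIONS = {
    "viewer":   {"read_telemetry"},
    "operator": {"read_telemetry", "acknowledge_alarm"},
    "engineer": {"read_telemetry", "acknowledge_alarm", "change_setpoint"},
}

@dataclass
class Operator:
    uid: str             # unique identifier; never a shared or generic account
    role: str
    active: bool = True  # set to False by the HR feed on termination/transfer

@dataclass
class IdentityStore:
    operators: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, op: Operator) -> None:
        self.operators[op.uid] = op

    def apply_hr_feed(self, hr_records: dict) -> list:
        """Automated deprovisioning: disable every operator whose HR status
        is not 'employed' (missing from the feed counts as not employed)."""
        revoked = []
        for uid, op in self.operators.items():
            if op.active and hr_records.get(uid) != "employed":
                op.active = False
                revoked.append(uid)
                self._log(uid, "revoke", None, "revoked:hr_status")
        return revoked

    def authorize(self, uid: str, action: str, asset: str) -> bool:
        """Decide whether uid may perform action on asset; log the decision."""
        op = self.operators.get(uid)
        if op is None or not op.active:
            self._log(uid, action, asset, "denied:unknown_or_revoked")
            return False
        allowed = action in ROLE_PERMISSIONS.get(op.role, set())
        self._log(uid, action, asset, "allowed" if allowed else "denied:role")
        return allowed

    def _log(self, uid, action, asset, outcome) -> None:
        # One record per decision: who, what, which asset, when, and the result.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "uid": uid, "action": action,
                               "asset": asset, "outcome": outcome})
```

Denied attempts are logged alongside allowed ones, so the audit trail also feeds the "detect and report anomalous activity" item from the vulnerability list.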
Identity Management to the Rescue
The above “to do” list may seem daunting—and to many energy companies, it probably is. However, all of the recommended steps to compliance from NERC and the U.S. Department of Energy are based on real security technologies and policies that are in use today—and can be put into use within your company.

Given the shortened timeframe for complying with these regulations—and the fact that many in the energy industry have not started their compliance efforts yet—energy companies will need to look at solutions that are cost-effective, are not intrusive to the existing network or security environment, and are easy for users to work with. These additional requirements are leading many energy companies to closely examine identity management solutions as a way to jump-start their compliance efforts and improve the overall security of their organization.
With identity management solutions, companies can establish and enforce policies to reliably verify the identity of each user accessing the company’s IT resources;