Electric Energy T&D - EEMag May June 2008 - Index

they can enable policies to be established that
govern how many users are permitted to gain
access to IT resources; and can ensure that
the identities of networked users, clients and
servers can be verified without transmitting
passwords over the network.
In order to get a full view into how identity
management can help, let’s take a more
specific look at some of the top vulnerabilities
that NERC and the U.S. Department of Energy
identified and how identity management
solutions can help energy companies answer
the CIP standards:
• One vulnerability was that several
energy companies were operating with
inadequate policies and procedures for
handling control system security. With
an integrated identity management
solution in place, energy companies are
empowered to define, enforce and confirm
(through auditing) that policies are in
place, applied and enforced evenly across
the organization. A strong solution can
give an energy company a comprehensive
way to track user access to buildings,
networks and applications, automatically
generating reports that show detailed
logs of user access activity for fast and
effortless audits.
• Another common problem on the list was
that the networks that control access were
inadequately designed and did not provide
a deep enough defense against misuse.
In addition, remote access was seen as a
problem, as access control policies didn’t
always extend to mobile access. With
identity management solutions, such as
single sign-on, companies can implement
strong procedural or technical controls at
all access points to ensure that users are
prevented from accessing the network or
application unless they have the proper
authorization credentials (which are
based on their assigned role within the
organization). These rules can be put in
place for both on-site and remote access.
Identity management solutions can
automatically change passwords behind
the scenes at regular intervals—and often
can help ensure that external connections
are controlled and secured when not in use.
• To further add to the defense against
unauthorized network access, several
identity management technologies allow
multi-factor authentication to be enabled
at an organization, tying network access
together with tokens, smart cards or
biometrics, for example. Network access
can also be correlated with physical
presence in the facility, adding yet
another layer of identity authorization and
protection for critical cyber assets. This is
especially helpful in setting up a system
to automate the removal of user accounts
upon termination from both the facility
access and the network access system.
• Another important aspect of complying
with the CIP standards is ensuring that a
proper notification process is put in place,
so administrators are immediately made
aware of any violations or anomalies.
Identity management solutions typically
see this as a must-have and include the
ability to automatically generate reports
and store activity logs that prove there
was a violation of policy—and how severe
it was.
An organization that employs identity
management, access management, strong
authentication and regular audits is often
better equipped to identify system users,
govern how each user accesses IT resources,
keep user identity information confidential—
and prove that security policies are in place
and enforced—all helping to mitigate key
control system vulnerabilities and support
CIP compliance.
It is vital to remember, however, that
technology alone cannot achieve regulatory
compliance. The people leading the CIP
compliance effort must clearly define policies
and controls and follow the procedures to
execute these controls. Technology’s role is
to support policies and automate processes,
making it easier to establish and maintain
compliance without putting an onerous
burden on IT staff and users.
Meeting the CIP Challenge
With its detailed requirements, lack of
best practices and looming deadlines, CIP
compliance remains a formidable challenge
for the entire energy industry. However, it
also represents an opportunity for energy
companies to gain greater control over
their critical assets and facilities, to ensure
policies and procedures are in place and
followed and to improve service reliability
for their customers. Identity management
solutions can be essential components in
achieving, maintaining and demonstrating
CIP compliance—and in helping to ensure the
safety and reliability of an energy company’s
critical infrastructure.
About the Author
David Ting is the CTO and founder of identity
and access management company Imprivata.
Named one of InfoWorld’s Top 25 CTOs
of 2006, David has more than 20 years of
experience in developing advanced imaging
software and systems for high security,
high-availability systems. Prior to founding
Imprivata he developed biometric applications
for government programs and Web-based
applications for secure document exchange
at companies such as Eastman Kodak, Atex
System, Delphax Systems and eCopyIt. He
was also a member of the scientific staff at the
BNR/INRS Labs in Montreal, a collaborative
research institution jointly operated by Bell-
Northern Research and University of Quebec.
He holds six patents and has several patents
pending.