April 20, 2024

“Identity Management: Powering Compliance and Security in the Energy Industry”

by David Ting, CTO and founder, Imprivata

Energy companies today have more to deal with than ever before—from a complex and challenging regulatory environment, to ecological challenges and pressure from investors and shareholders to increase profits.  To survive, many energy companies have had to re-think the way they operate and make organizational changes to become more efficient.  However, at the same time, concerns have increased throughout the industry about the security of energy companies’ infrastructure and assets.  In response to these concerns and the increased government oversight from the Federal Energy Regulatory Commission (FERC) that soon followed, the energy industry, through the North American Electric Reliability Corporation (NERC), developed new security standards regarding the protection of critical infrastructure.


While the higher-level goals of these Critical Infrastructure Protection (CIP) standards have been clearly defined, NERC has left it up to each energy company to determine how best to achieve them operationally.  Although there has been a good deal of discussion and debate within the industry, best practices for CIP compliance have yet to be identified—and no clear consensus has emerged on how to proceed.  The only thing agreed upon at this point is that the earliest some organizations are required to be “substantially compliant” is by mid-2008 and “fully compliant” by mid-2010—meaning that most energy companies cannot wait until there is a consensus to act, as they could be facing the prospect of failed audits and substantial fines for non-compliance.


In order to comply with these standards quickly and easily and avoid any penalties, energy companies are turning to security technology solutions, such as identity management, that can assist in proving compliance, increasing overall security and providing a platform for future security enhancements.


The Challenge of Self-Defining and Self-Securing Assets

For many energy companies, the mandate to secure all critical assets—and in particular, critical cyber assets—is a daunting one.  Not only do energy companies have to organize and define critical assets for themselves—a complex task on its own—but they have to secure the assets from both a physical and a logical (IT) perspective and provide documentation of both.


Adding to the challenge is that traditionally there has been little overlap between energy companies’ IT departments and the engineering organizations responsible for the Supervisory Control and Data Acquisition (SCADA) and Energy Management Systems (EMS) that control their operations.  Most energy companies have not dealt with the IT security requirements that other regulated industries have faced and consequently often do not have the in-house IT security expertise or dedicated resources needed to develop and implement a CIP compliance plan for cyber security.


Despite the challenges, energy companies have more than one incentive to achieve CIP compliance.  While the threat of disasters such as terrorism or a blackout has been the most urgent force driving the development of the CIP standards, the benefits of compliance go far beyond minimizing the risk and impact of cataclysmic problems.


The good news is while some of the CIP standards require a significant commitment of time and human resources, there are technology solutions available that can quickly, easily and affordably help organizations meet many of the CIP requirements—and more importantly—ensure the security of all critical assets.


Organizations that attain CIP compliance are better positioned to protect against both physical and logical attacks from both internal and external sources, blocking unauthorized remote access to the system and stopping insiders looking to sabotage the system from within.  In addition, by fulfilling the CIP requirements, energy companies can also gain greater control and visibility over their operations and use of resources, increase safeguards for confidential business and customer data, improve service levels and compete more effectively.


The NERC Mandate

As the electric reliability organization for North America, NERC’s mandate is to improve reliability and security throughout the bulk power system in the United States and Canada.  The first 83 NERC reliability standards were approved by FERC in early 2007, making them the first mandatory and legally enforceable standards for the U.S. bulk power system.  These standards cover the planning and operation of the bulk power system, that is, generation and high-voltage transmission; local distribution falls outside NERC’s scope.


Beyond trying to understand what the CIP standards require, it is equally essential for energy companies to understand what problems the standards are intended to solve.  In a report entitled “Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations,” published in March of 2007 (http://www.nerc.com/~filez/cipfiles.html), NERC and the U.S. Department of Energy identified the following as critical vulnerabilities in the energy industry:



  • Inadequate policies, procedures and culture that govern control system security;

  • Inadequately designed control system networks lacking sufficient defense-in-depth mechanisms;

  • Remote access to the control system without appropriate access control;

  • System administration mechanisms and software used in control systems are not adequately scrutinized or maintained;

  • Use of inadequately secured Wi-Fi wireless communication for control;

  • Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes;

  • Insufficient application of tools to detect and report anomalous or inappropriate activity;

  • Unauthorized or inappropriate applications or devices on control system networks;

  • Control systems command and control data not authenticated; and

  • Inadequately managed, designed, or implemented critical support infrastructure.


In the report, NERC and the U.S. Department of Energy also issued a set of recommended mitigations for these vulnerabilities, which include the following:



  • Document, implement and regularly update a cyber security policy that represents management’s commitment and ability to secure its critical infrastructure assets;

  • Ensure policies and procedures comprehensively include other parts of the enterprise, vendors, or contractors as appropriate;

  • Implement strong procedural or technical controls at the access points to the electronic security perimeter to ensure authenticity of the accessing party (e.g., restrict remote access to field devices); do not allow unauthenticated remote access to the control system;

  • Implement physical security of network access points, including access control, or electronic methods for restricting access (e.g., MAC address filtering);

  • Develop and implement policy for managing user and system access, including password policies; change all default passwords where possible;

  • Use secure communication technology when the Internet is used for sensitive communications (e.g., VPN, SSH, SSL, IPSEC);

  • External connections should be controlled and secured with an authentication method, firewall, or physical disconnection when not in use;

  • Define levels of access based on roles or work requirements.  Assign access level and unique identifiers for each operator.  Isolate user access to compartmentalized areas based on specific user needs;

  • Use multifactor authentication (e.g., two-factor, non-re-playable credentials);

  • Use proximity-based authentication technology, such as RFID tokens;

  • Revoke authorization rights and access privileges of users upon termination or transfer; automate removal of user accounts tied to badge systems or human resources upon employee termination;

  • Remove, disable or rename administrator, shared and other generic account privileges including factory default accounts where possible; and

  • Establish methods, processes and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity.


Identity Management to the Rescue

The above “to do” list may seem daunting—and to many energy companies, it probably is.  However, all of the recommended steps to compliance from NERC and the U.S. Department of Energy are based on real security technologies and policies that are in use today—and can be put into use within your company.


Given the short timeframe for complying with these regulations, and the fact that many in the energy industry have not yet started their compliance efforts, energy companies will need to look at solutions that are cost-effective, are not intrusive to the existing network or security environment, and are easy for users to work with.  These additional requirements are leading many energy companies to closely examine identity management solutions as a way to jump-start their compliance efforts and improve the overall security of their organization.


With identity management solutions, companies can establish and enforce policies to reliably verify the identity of each user accessing the company’s IT resources; they can establish policies that govern which users are permitted to gain access to which IT resources; and they can ensure that the identities of networked users, clients and servers are verified without transmitting passwords over the network.


In order to get a full view into how identity management can help, let’s take a more specific look at some of the top vulnerabilities that NERC and the U.S. Department of Energy identified and how identity management solutions can help energy companies answer the CIP standards:



  • One vulnerability was that several energy companies were operating with inadequate policies and procedures for handling control system security.  With an integrated identity management solution in place, energy companies are empowered to define, enforce and confirm (through auditing) that policies are in place, applied and enforced evenly across the organization.  A strong solution can give an energy company a comprehensive way to track user access to buildings, networks and applications, automatically generating reports that show detailed logs of user access activity for fast and effortless audits.

  • Another common problem on the list was that control system networks were inadequately designed and lacked sufficient defense in depth against misuse.  In addition, remote access was seen as a problem, because access control policies did not always extend to remote connections.  With identity management solutions, such as single sign-on, companies can implement strong procedural or technical controls at all access points to ensure that users are prevented from accessing the network or application unless they have the proper authorization credentials (which are based on their assigned role within the organization).  These rules can be put in place for both on-site and remote access.  Identity management solutions can automatically change passwords behind the scenes at regular intervals, and often can help ensure that external connections are controlled and secured when not in use.

  • To further add to the defense against unauthorized network access, several identity management technologies allow multi-factor authentication to be enabled across an organization, tying network access to tokens, smart cards or biometrics, for example.  Network access can also be correlated with physical presence in the facility, adding yet another layer of authentication and protection for critical cyber assets.  Linking the two systems is especially helpful in automating the removal of a terminated user’s access from both the facility access system and the network access system at once.

  • Another important aspect of complying with the CIP standards is ensuring that a proper notification process is put in place, so administrators are made aware of any violations or anomalies promptly.  Identity management solutions typically treat this as a must-have and include the ability to automatically generate reports and store activity logs that show that a policy was violated, by whom, and how severe the violation was.
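Several of the mitigations listed earlier (unique identifiers for each operator, renamed or disabled shared and default accounts, revocation of access on termination tied to the HR feed, multifactor authentication for remote access, and audit trails of individual account activity) can be checked mechanically once the HR feed, the account directory and the access logs are brought together, which is the reporting capability the bullets above describe.  The following Python script is an added example and is not code from the article or from Imprivata.  Its record layouts, field names and all sample data are constructed for illustration: it reconciles a constructed account directory against a constructed HR feed and flags the policy violations in a handful of constructed access-log lines, including the edge case of a terminated employee whose logins before the termination date are legitimate and must not be reported.

```python
"""Audit checks of the kind the NERC/DOE mitigation list calls for: one
account per operator, no shared or default accounts, revocation tied to
the HR feed, and authenticated remote access, run over access-log lines.

Added example, not from the article or from any Imprivata product. The
record layouts, field names and all sample data below are constructed."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR feed: employee id -> (role, termination date or None if active)
HR_FEED = {
    "E100": ("operator", None),
    "E101": ("engineer", None),
    "E102": ("operator", "2024-03-15"),  # left the company mid-March
}

# Constructed account directory: username -> employee id, or None when the
# account is not tied to an individual (factory default, shared, service).
ACCOUNTS = {
    "jsmith": "E100",
    "rlee": "E101",
    "mgarcia": "E102",
    "admin": None,          # factory default account never renamed
    "scada_shared": None,   # shared control-room login
}

# Constructed access-log lines: timestamp|user|resource|channel|auth|result
ACCESS_LOG = """\
2024-03-10T08:02:11|jsmith|ems-hmi-01|local|mfa|success
2024-03-20T22:41:07|mgarcia|ems-hmi-01|remote|password|success
2024-03-21T09:15:30|rlee|scada-hist-02|remote|password|success
2024-03-21T09:20:44|rlee|scada-hist-02|remote|mfa|success
2024-03-22T03:05:02|admin|rtu-gw-07|local|password|success
2024-03-22T11:47:19|scada_shared|ems-hmi-01|local|password|success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    resource: str
    channel: str   # "local" or "remote"
    auth: str      # "password" or "mfa"
    result: str


def parse_log(text):
    """Parse the pipe-delimited constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, channel, auth, result = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, resource, channel, auth, result))
    return events


def orphaned_accounts(accounts, hr_feed):
    """Personal accounts whose owner is terminated or unknown to HR.

    Automated de-provisioning should already have disabled these; any
    that are still enabled are an audit finding in their own right."""
    orphans = []
    for user, emp in accounts.items():
        if emp is None:
            continue  # generic accounts are handled separately
        record = hr_feed.get(emp)
        if record is None or record[1] is not None:
            orphans.append(user)
    return orphans


def generic_accounts(accounts):
    """Accounts not tied to an individual: rename, disable or remove."""
    return [user for user, emp in accounts.items() if emp is None]


def policy_violations(events, accounts, hr_feed):
    """Return (timestamp, user, reason) for each successful event that
    breaks one of the mitigations: shared/default account use, access
    after the HR termination date, or remote access without MFA."""
    orphans = set(orphaned_accounts(accounts, hr_feed))
    generics = set(generic_accounts(accounts))
    findings = []
    for e in events:
        if e.result != "success":
            continue  # failed attempts belong to a separate, rate-based check
        if e.user in generics:
            findings.append((e.ts.isoformat(), e.user, "login with shared or default account"))
        if e.user in orphans:
            term = hr_feed.get(accounts[e.user], (None, None))[1]
            # A terminated user's logins before the termination date are legitimate.
            if term is None or e.ts.date() > date.fromisoformat(term):
                findings.append((e.ts.isoformat(), e.user, "access after termination or without HR record"))
        if e.channel == "remote" and e.auth != "mfa":
            findings.append((e.ts.isoformat(), e.user, "remote access without multifactor authentication"))
    return findings


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, HR_FEED))
    print("generic: ", generic_accounts(ACCOUNTS))
    for ts, user, reason in policy_violations(parse_log(ACCESS_LOG), ACCOUNTS, HR_FEED):
        print(ts, user, reason)
```

Run against the constructed data, the reconciliation reports one orphaned personal account and two generic accounts, and the log review produces five findings: the terminated operator's post-termination login is reported twice (once for the termination and once because it was a remote password-only login), one engineer session is reported for remote access without MFA, and the two generic-account logins are each reported once.  The MFA-authenticated remote session and the active operator's local login produce nothing, which is the behaviour an auditor would expect.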


An organization that employs identity management, access management, strong authentication and regular audits is often better equipped to identify system users, govern how each user accesses IT resources, keep user identity information confidential—and prove that security policies are in place and enforced—all helping to mitigate key control system vulnerabilities and support CIP compliance.


It is vital to remember, however, that technology alone cannot achieve regulatory compliance.  The people leading the CIP compliance effort must clearly define policies and controls and follow the procedures to execute these controls.  Technology’s role is to support policies and automate processes, making it easier to establish and maintain compliance without putting an onerous burden on IT staff and users.


Meeting the CIP Challenge

With its detailed requirements, lack of best practices and looming deadlines, CIP compliance remains a formidable challenge for the entire energy industry.  However, it also represents an opportunity for energy companies to gain greater control over their critical assets and facilities, to ensure policies and procedures are in place and followed and to improve service reliability for their customers.  Identity management solutions can be essential components in achieving, maintaining and demonstrating CIP compliance—and in helping to ensure the safety and reliability of an energy company’s critical infrastructure.


About the Author

David Ting is the CTO and founder of identity and access management company Imprivata.  Named one of InfoWorld’s Top 25 CTOs of 2006, David has more than 20 years of experience in developing advanced imaging software and systems for high-security, high-availability systems.  Prior to founding Imprivata he developed biometric applications for government programs and Web-based applications for secure document exchange at companies such as Eastman Kodak, Atex System, Delphax Systems and eCopyIt.  He was also a member of the scientific staff at the BNR/INRS Labs in Montreal, a collaborative research institution jointly operated by Bell-Northern Research and the University of Quebec.  He holds six patents and has several patents pending.