Date Published: September 2019
Comments Due:
Email Questions to:
Author(s)
James McCarthy (NIST), Glen Joy (NIST), Lauren Acierto (MITRE), Jason Kuruvilla (MITRE), Titilayo Ogunyale (MITRE), Nikolas Urlaub (MITRE), John Wiltberger (MITRE), Devin Wynne (MITRE)
Announcement
Energy sector companies rely on operational technology (OT) in industrial control systems (ICS) to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. Given the growing complexity and critical role of these ICS environments, energy sector entities must be able to effectively identify, control, and monitor all of their OT assets to strengthen cybersecurity. We demonstrate how OT asset management practices can be enhanced by leveraging tools that may already exist in the environment or by implementing new capabilities.
This practice guide aims to help energy sector companies implement an asset management solution to monitor and manage OT assets at all times. Standards and best practices were used to deploy strong asset management solutions using commercially available technology. The guide also maps asset management capabilities to the NIST Cybersecurity Framework.
The NCCoE's practice guide NIST SP 1800-23, "Energy Sector Asset Management," can help energy sector organizations:
- Reduce cybersecurity risk and potentially reduce impact to safety and operational risk such as power disruption
- Develop and execute a strategy that provides continuous OT asset management and monitoring
- Enable faster responses to security alerts through automated cybersecurity event/attack capabilities
- Implement current cybersecurity standards and best practices while maintaining the performance of energy infrastructures
Industrial control systems (ICS) compose a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. Given the wide variety of ICS assets, such as programmable logic controllers and intelligent electronic devices, that provide command and control information on operational technology (OT) networks, it is essential to protect these devices to maintain continuity of operations. These assets must be monitored and managed to reduce the risk of a cyber attack on ICS networked environments. Having an accurate OT asset inventory is a critical component of an overall cybersecurity strategy.
The NCCoE at NIST is responding to the energy sector’s request for an automated OT asset management solution. To remain fully operational, energy sector entities should be able to effectively identify, control, and monitor their OT assets. This document provides guidance on how to enhance OT asset management practices by leveraging capabilities that may already exist in an energy organization’s operating environment as well as implementing new capabilities.
Industrial control systems (ICS) compose a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. Given the wide variety of ICS assets, such as programmable...
See full abstract
Industrial control systems (ICS) compose a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power and to drill, produce, refine, and transport oil and natural gas. Given the wide variety of ICS assets, such as programmable logic controllers and intelligent electronic devices, that provide command and control information on operational technology (OT) networks, it is essential to protect these devices to maintain continuity of operations. These assets must be monitored and managed to reduce the risk of a cyber attack on ICS networked environments. Having an accurate OT asset inventory is a critical component of an overall cybersecurity strategy.
The NCCoE at NIST is responding to the energy sector’s request for an automated OT asset management solution. To remain fully operational, energy sector entities should be able to effectively identify, control, and monitor their OT assets. This document provides guidance on how to enhance OT asset management practices by leveraging capabilities that may already exist in an energy organization’s operating environment as well as implementing new capabilities.
Hide full abstract
Keywords
energy sector asset management; ESAM; ICS; industrial control system; malicious actor; monitoring; operational technology; OT; SCADA; supervisory control and data acquisition
Control Families
Access Control; Audit and Accountability; Assessment, Authorization and Monitoring; Configuration Management; Contingency Planning; Incident Response; Maintenance; Program Management; System and Communications Protection; System and Information Integrity
