[Project Description] Energy Sector Asset Management: For Electric Utilities, Oil & Gas Industry (Draft)

McCarthy, James; Powell, Michael; Ogunyale, Titilayo; Wiltberger, John; Wynne, Devin

White Paper (Draft)

Obsoleted on March 01, 2018 by [Project Description] Energy Sector Asset Management: For Electric Utilities, Oil & Gas Industry.

[Project Description] Energy Sector Asset Management: For Electric Utilities, Oil & Gas Industry

Documentation Topics

Date Published: January 2018
Comments Due: February 16, 2018 (public comment period is CLOSED)
Email Questions to: energy_nccoe@nist.gov

Author(s)

James McCarthy (NIST), Michael Powell (NIST), Titilayo Ogunyale (MITRE), John Wiltberger (MITRE), Devin Wynne (MITRE)

Announcement

The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to enhance the energy sector’s asset management capabilities for operational technology (OT). This project will include the development of a reference design and use commercially available technologies to develop an example solution that will help energy organizations address the security challenges of OT asset management.

Vulnerabilities in OT assets present opportunities for malicious actors to cause disruptions and power outages. To properly assess cybersecurity risk within the OT network, energy companies must be able to identify all their assets, especially the most critical.

This project will describe methods for managing, monitoring, and baselining assets and will also include information to help identify threats to these OT assets. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.

Abstract

Industrial control systems (ICS) comprise a core part of our nation’s critical infrastructure. Energy sector companies rely on ICS to generate, transmit, and distribute power. There is a wide variety of ICS assets, such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other devices (e.g., programmable logic controllers [PLCs]), that provide command and control functions on operational technology (OT) networks. These assets are primary targets of cyber attacks. Vulnerabilities within these systems and devices present opportunities for malicious actors to cause disruptions to the power grid.

Energy sector companies must monitor and manage ICS assets at all times to reduce the risk of such attacks. The NCCoE, in collaboration with members of the energy community and with cybersecurity technology providers, is planning a project to create an example solution to address this complex asset management challenge. This project will result in a freely available NIST Cybersecurity Practice Guide that includes an example solution for electric utilities and for oil and gas companies to effectively track and manage their assets.

Keywords

malicious actor; monitoring; operational technology (OT); supervisory control and data acquisition system (SCADA); industrial control system(s) (ICS); energy sector asset management (ESAM)

Control Families

None selected

Documentation

Publication:
Project Description

Supplemental Material:
Project homepage (other)

Document History:
01/16/18: White Paper (Draft)
03/01/18: White Paper (Final)

Topics

Security and Privacy
asset management; maintenance; vulnerability management

Applications
industrial control systems

Sectors
energy