Electric Utilities Identity Management

Identity and access management design

The National Cybersecurity Center of Excellence (NCCoE) has published an example solution architecture guide that electric utilities and enterprises can use to more securely and efficiently manage access to the networked devices and facilities on which power generation, transmission, and distribution depend. To better protect power generation, transmission, and distribution, electric utilities need to be able to control and secure access to their resources, including operation technology (OT) systems, buildings, equipment, and IT systems. Identity and access management (IdAM) systems for these assets often exist in silos, and employees who manage these systems lack methods to effectively coordinate access to devices and facilities across these silos. This inefficient process can result in security risks. The guide to Identity and Access Management can help organizations:

adopt products and capabilities on a component-by-component basis, or as a whole, thereby minimizing impact to the enterprise and existing infrastructure
reduce the risk of malicious or untrained people gaining unauthorized access to critical infrastructure components and interfering with their operation, thereby lowering the overall business risk
allow for rapid provisioning and de-provisioning of access from a converged platform, so that personnel can spend more time on other critical tasks
improve situational awareness: proper access and authorization can be confirmed through the use of a single, converged solution
improve the security posture by tracking and auditing access requests and other IdAM activity across all networks
enhance productivity of employees and speed delivery of services, and support oversight of resources

Least privilege

A foundation of cybersecurity is the principle of least privilege, defined as providing the least amount of access (to systems) necessary for the user to complete his or her job. To enforce this principle, the access-control system needs to know the appropriate privileges for each user and system. An analysis of the IdAM solution reveals two components that need to be protected from both external and internal threat actors: the central identity and authorization store and the authorization workflow management system. The authorization workflow management system is trusted to make changes to the central identity and authorization store. Therefore, any inappropriate or unauthorized use of these systems could change authorization levels for anyone in the enterprise. If that occurred, the enterprise would experience a lack of integrity of the identity and authentication stores. The central identity and authorization store is the authoritative source for the enterprise and holds the hash for each user password, as well as the authorizations associated with each user. Access to this information would enable an unauthorized user to impersonate anyone in the organization. In this situation, the enterprise would lose control over access to resources.

Modular architecture

Operationally, a lack of a converged IdAM platform can increase the risk of people gaining unauthorized access to critical infrastructure components. Once unauthorized access is gained, the risk surface increases and the opportunity for the introduction of additional threats to the environment, such as malware and denial of service. At the strategic level, consider the cost of mitigating these risks and the potential return on investment in implementing a product (or multiple products). You may also want to assess if a converged IdAM system can help enhance the productivity of employees and speed delivery of services and explore if it can help support oversight of resources, including IT, personnel, and data. The example solution addresses imminent operational security risks and incorporates strategic risk considerations. The solution is made of many commercially available parts. You might swap one of the products for a solution that is better suited for your environment. A combination of some of the components described, or a single component, can improve your identity and access/authorization functions, without requiring you to remove or replace your existing infrastructure. The guide provides both a complete end-to-end solution and options that you can implement based on your needs. IdRamp provides a lightweight agile integration fabric that will enable the enterprise to converge IdAM silos with state of the art access control, MFA orchestration within a modular solution architecture. To learn more about how IdRamp can simplify implementation and strategic IdAM planning please contact us today.

Download – the complete Identity and Access Management for Electric Utilities guide from the Cybersecurity Center of Excellence.

Review – the NCCoE abstract Identity and Access Management for Electric Utilities

Schedule a Demonstration

Contact

Cookie	Type	Duration	Description
__cfduid	1	4 weeks	The cookie is set by CloudFare. The cookie is used to identify individual clients behind a shared IP address d apply security settings on a per-client basis. It doesnot correspond to any user ID in the web application and does not store any personally identifiable information.
cookielawinfo-checkbox-advertisement	0	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	0	11 months	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	0	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-performance	0	11 months	This cookie is used to keep track of which cookies the user have approved for this site.
viewed_cookie_policy	0	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
_ga	0	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gid	0	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
GPS	0	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	1	1 year	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
is_unique	0	4 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form
is_visitor_unique	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form
sc_is_visitor_unique	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
vuid	0	2 years	The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.

Cookie	Type	Duration	Description
_gat	0	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
muxData	0	19 years	This cookie is used to enable certain video player functionalities associated with Vimeo.
PREF	0	7 months	This cookie is set by Youtube. Used to store user preferences like language or any other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	1	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	1		This cookies is set by Youtube and is used to track the views of embedded videos.