Peter A Clarke

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce.  It is enormously influential in setting standards, worldwide, in the cyber security sphere.  That is relevant in privacy protections as well.  Overnight the NIST released a guideline for comment, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.

It is a very topical release and deals with a difficult area of cyber security.  The industrial internet of things involves multiple devices.

The goals of the guide are:

• remotely monitor and control utility-owned and customer-managed DER assets
• protect and trust data and communications traffic of grid-edge devices and networks
• capture an immutable record of control actions across DERs
• support secure edge-to-cloud data flows, visualization, and continuous intelligence

The guide is aimed to have companies develop the following capabilities:

• communications and data integrityto ensure that information is not modified in transit
• authentication and access control to ensure that only known, authorized systems can exchange  information
• command register that maintains an independent, immutable record of information exchanges  between distribution grid and DER operators
• malware detection to monitor information exchanges and processing to identify potential  malware infections
• behavioral monitoring to detect deviations from operational norms
• analysis and visualization processes to monitor data, identify anomalies, and alert operators

The key factor is that IoT devices within DERs can communicate and exchange information across the open internet.  Unless there is a  private communications network this expand the attack surface of traditional  energy generation and distribution networks and the assets that connect to them. The guide develops as risk-based approach to cybersecurity and proactive cybersecurity defense.  That provides some assurance that  information exchanges between and among DERs = can be monitored, secured, and trusted.

What is often not considered clearly is what is meant by risk.  The NIST defines risk generally as:

 “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:

(i) the adverse impacts that would arise if the circumstance or event occurs; and

(ii) the likelihood of  occurrence.”

The guide defines risk assessment as

“the process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”

A vulnerability is defined as:

“weakness in an information system, system security procedures,  internal controls, or implementation that could be exploited or triggered by a threat source.”

The NIST recommends consistent and comprehensive checking of vulnerabilities which fall into the following categories:

• policy and procedure–incomplete, inappropriate, or nonexistent security policy, including its documentation, implementation guides (e.g., procedures), and enforcement
• architecture and design–design flaws, development flaws, poor administration, and connections with other systems and networks
• configuration and maintenance–misconfiguration and poor maintenance
• physical–lack of or improper physical access control, malfunctioning equipment
• software development–improper data validation, security capabilities not enabled, inadequate authentication privileges
• communication and network–nonexistent authentication, insecure protocols, improper firewall  configuration

The guide sets out in detail tables and processes to deal with the risk and implement processes to protect devices using the industrial Internet of Things.

I find the structure set out in NIST guidelines and standards very useful when advising clients on the best way to approach their cyber security issues, when reviewing their systems and when dealing with data breaches.