The National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) have released a draft cybersecurity guide for energy sector asset management. NCCoE is seeking comments on the draft through Nov. 25.
The guide is intended to help energy organizations “strengthen their operational technology (OT) asset management practices by leveraging capabilities that may already exist within their operating environment or by implementing new capabilities.”
As part of its effort to create the guide, NCCoE built a laboratory environment at NIST to develop capabilities that energy companies can use to identify and manage OT assets and detect cybersecurity risks associated with them.
NCCoE worked with energy sector leaders and private sector technology vendors to develop the guide, though it noted that the guide “does not endorse [any] particular products, nor does it guarantee compliance with any regulatory initiatives.” Specifically, the guide provides solutions that will enable energy companies to manage, monitor, and establish a baseline for OT assets to reduce the risk of cybersecurity incidents.
For the guide, NCCoE sought existing technology solutions that provide the following capabilities:
- OT/industrial control systems (ICS) asset inventory;
- High-speed communication mechanisms for remote asset management;
- Reliable/secure/encrypted communications;
- Continuous asset monitoring;
- Log analysis and correlation;
- Cybersecurity event/attack detection;
- Patch-level information; and
- Vulnerability awareness.
In addition to providing feedback by the Nov. 25 deadline, NCCoE urged organizations to “share [their] experience and advice with us. We recognize that technical solutions alone will not fully enable the benefits of our solution, so we encourage organizations to share lessons learned and best practices for transforming the processes associated with implementing this guide.”