How NIST wants energy companies to reduce cyber risk

The National Institute of Standards and Technology is requesting comments on a draft guide to help energy companies better control who has access to their networked resources, including buildings, equipment, information technology and industrial control systems.

The National Institute of Standards and Technology released a guide that will help energy companies protect their industrial control systems, which have long been vulnerable to cyberattacks.

The draft guide focuses on identity and access management, offering an example of how utilities can securely and efficiently manage access to systems that deal with power generation, transmission and distribution.

The guide presents practice situations that often mirror real-life scenarios. In one, a utility technician with physical access to substations and remote access to control units leaves the company and needs to have credentials revoked. The guide walks readers through a few scenarios where a centralized access control system would make changing or revoking his or her privileges simple and quick.


Identity management is a big security issue when it comes to these systems. A recent report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team found that access control was tied to three of the six biggest vulnerability points in utilities’ systems during fiscal year 2014.

Both the government and energy companies are concerned about the safety of their control systems. Seventy percent of respondents to a 2013 SANS survey believed their supervisory control and data acquisition, or SCADA, systems are highly aware of the risks their systems present, while a third believe their systems have already been infiltrated.

Visit the National Cybersecurity Center of Excellence’s website for more information on the guide. Comments on the draft guide are open until Oct. 23.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
