NIST Working on Industrial IoT Security Guide for Energy Companies
The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems.
A draft of the project was published on Monday and the NCCoE is hoping to get some feedback until June 5 that would help it “refine the challenge and scope.”
IIoT is represented by sensors, instruments and communication systems networked together in an effort to make operations more efficient in industrial organizations. In the case of the energy sector, wind turbines, solar panels and other distributed energy resources (DERs) communicate with a utility’s distribution control systems to manage energy flow.
However, NCCoE points out, the IIoT technologies involved in these information exchanges can lack security. The organization also notes that managing these DER capabilities can require a higher degree of automation, which can introduce additional cybersecurity risks.
Studies have shown that cyberattacks against the energy sector are higher than average and research into the activities of threat actors has demonstrated that the energy sector is the target of several groups.
“The National Cybersecurity Center of Excellence (NCCoE) is proposing a project that will focus on helping energy companies secure IIoT information exchanges of DERs in their operating environments. As an increasing number of DERs are connected to the grid there is a need to examine the potential cybersecurity concerns that may arise from these interconnections,” the NCCoE says.
The project focuses on five main areas of interest: information exchanges between distribution facilities and DER systems, processes and security technologies for trusted device identification and communication between devices, malware detection and prevention, ensuring the integrity of data, and data-driven cybersecurity analytics. The result will be a freely available cybersecurity practice guide.
Laurence Pitt, Global Security Strategy Director at Juniper Networks, shared some thoughts on securing IIoT in a recent SecurityWeek column.
“The security challenges SCADA and IIoT present may seem more complex at-a-glance, but actually are not all that different from the challenges that any enterprise business encounters on a daily basis: keep threats out, know what is on the network, who has access and react fast when a breach occurs,” Pitt said. “This means that the team responsible for SCADA and IIoT security can learn a lot from their co-workers securing the corporate enterprise network – in fact, by working together, these teams can ensure better security across the whole enterprise environment and that can only be good for business.”