Tuesday, March 18, 2014

NIST-NCCoE Publish Identity Management Notice

The National Institute of Standards and Technology (NIST) published a notice in today’s Federal Register (79 FR 15100-15102) seeking organizations that are interested in working with the National Cybersecurity Center of Excellence (NCCoE) to address issues related to the physical and logical control of access to power generation, transmission and distribution facilities and equipment, including industrial control systems.

Identity and Access Management

The NCCoE is looking for organizations that might be able to provide capabilities, or that have products, that address:

• Services for authenticating and authorizing users based on identity, role, third-party affiliation (e.g., federation) or other attributes (e.g., attribute-based access control);
• Services for authenticating and authorizing devices;
• Services for whitelisting applications;
• Identity and access governance capability that translates human-readable access needs into machine-readable authorizations;
• Security incident and event management (SIEM) or log analysis software for monitoring access management events;
• ICS equipment, such as Remote Terminal Units (RTUs), programmable logic controllers (PLCs), and relays, along with associated software and communications equipment (e.g., radios, encryptors);
• Physical access control devices that use standard communication interfaces; or
• “Bump-in-the-wire” devices for augmenting Operational Technology (OT) with authentication, authorization, access control, encrypted communication and logging capabilities.

Products or processes must meet the following capability requirements:

• Compatibility with various electric utility ICS equipment and software
• Strong authentication of users, devices, and software, based on credentials or attributes, along with appropriate encryption to enable reasonably secure exchange of identity and access management information
• Compatibility with protocols and communication media commonly used by electric utilities
• Federated authorization for communication across security domains
• Ease of use (e.g., installation, configuration, maintenance, provisioning, de-provisioning, credentialing, revoking credentials)

More details can be found here.


Organizations wishing to participate in this NCCoE project must contact NIST to request a letter of interest. Completed letters of interest will be submitted to NIST no later than April 17, 2014. NCCoE will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities up to the number of participants in each category necessary to carry out this use case.

