Description:

It is critical to the integrity of the grid that only qualified individuals are allowed to make changes to any of the millions of individual pieces of equipment that make up the grid. For example, while employee A might be qualified to change a software element (or a setting which changes an asset’s actions), that same employee may be entirely unqualified to alter an immediately adjacent piece of equipment. As such, maintaining a rigorous identity management program is critical to ensuring that only qualified personnel are making changes, and that personnel only make changes to the intended equipment. Of note 1, attackers often try to steal the authenticated credentials of an approved person in order to use those credentials to enter and cause damage at will. No system protects against the use of someone using authenticated credentials.

The governance component refers to the entire, overarching process for managing these activities. Many vendors offer hardware and software that address this issue, but there are so many that an analysis of them is needed in order to identify Best Practices that can help utilities choose the one best-suited to their needs.

Educational Institution Connections:

Protect Our Power has partnered with Northeastern University to develop vendor comparisons and guidance for this Topic. Contact Erick Ford at EFord@ProtectOurPower.org for more information.