In September 2019, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) announced the release of a draft practice guide entitled “NIST Special Publication (SP) 1800-23: Energy Sector Asset Management.” The NCCoE spent the next two months collecting comments from the public, then used this feedback to improve upon its initial draft.

But the wait is finally over. On May 20, the NCCoE released the final version of NIST SP 1800-23. This post will provide an overview of the guide’s purpose and explain how organizations can use it to strengthen their digital security.

The Purpose Behind NIST SP 1800-23

NIST SP 1800-23 is a response to the growing digital security challenges confronting organizations with operational technology (OT) assets. The issue for these entities is that many of their industrial control systems (ICS) are becoming increasingly interconnected. This development presents an opportunity for attackers, who can abuse those connections to attack an ICS. Depending on the nature of the attack, malicious actors could undermine the functionality of an organization’s assets, systems and networks. Such damage could subsequently produce broader negative effects for society, especially if that organization plays a part in managing its host country’s critical energy infrastructure.

The NCCoE asserts that organizations can minimize the risks discussed above by maintaining an updated OT asset inventory. But that’s a challenge in itself. Energy organizations might not be able to discover all their assets using manual discovery alone, which could leave them exposed to digital security risks. These entities therefore need a better way of discovering and managing their OT assets.

How to Use NIST SP 1800-23

The key to effectively using the NCCoE Special Publication is to understand that asset management …