Whether you need to find application guides, white papers, training guides, or anything in between, SEL’s library can keep you up to date and fully informed about securing today’s critical infrastructures.
The following resources are available to asset owners and operators looking for additional information on security for critical infrastructure. The majority of these resources are compiled by industry professionals and government partners; these resources do not include federally mandated requirements.
AWWA created a guidance document and tool to complement the NIST Cybersecurity Framework. The guidance is based on recommendations found in the 2008 Roadmap to Security Industrial Control Systems in the Water Sector and provides actionable information for utility owners and operators based on their use of process control systems.
To assist organizations with embedding cybersecurity into their procurement process, this guide provides baseline language for all parties involved, including asset owners, operators, integrators, and suppliers. The guide complements other cybersecurity efforts by providing organizations with guidance on how to communicate cybersecurity expectations in a clear and repeatable manner. Language in the guide is specific to energy delivery systems, including programmable logic controllers, digital relays, remote terminal units, SCADA, EMS or DCS systems, electrical substations, or natural gas pumping stations; it does not attempt to specify or replace IT cybersecurity acquisition language.
The ES-C2M2 provides a tool for organizations to evaluate, prioritize, and improve their cybersecurity capabilities. It includes a core maturity evaluation mechanism as well as additional reference materials and implementation guidance specifically tailored for the electricity sector. At the end of the exercise, the organization receives an overall score determined by its risk tolerance, which it can compare with a desired score to assess areas for improvement.
The ONG-C2M2 is designed similarly to the ES-C2M2, but is modeled for organizations in the oil and natural gas sector.
This guideline was drafted by a joint public-private sector team, including DOE, NIST, NERC, and representatives from FERC, DHS, and industry. The document describes a risk management process (RMP) that is tuned to the specific needs of electricity sector organizations and is intended to address the management of cybersecurity-related risk derived from or associated with the operation and use of information technology and industrial control systems and/or the environments in which they operate.
Developed as an update to the 2006 roadmap, the document outlines a strategic framework over the next decade among industry, vendors, academia, and government stakeholders to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions. The 2011 roadmap signifies a continued effort by public and private stakeholders to identify steps to build, deploy, and improve the cyber resilience of the nation’s computer-based systems that manage operational processes in the electric, oil, and natural gas industries.
This roadmap describes a plan for voluntarily improving cybersecurity across all critical infrastructures that employ industrial control systems. Industry experts offer input concerning the state of control system cybersecurity and communicate recommended strategies for improvement. The roadmap also provides milestones to focus specific efforts and activities for achieving the goals and addressing control systems’ most urgent challenges, longer-term needs, and practices for improvement.
This standard defines the functions and features to be provided in intelligent electronic devices (IEDs) to accommodate critical infrastructure protection programs. Security regarding the access, operation, configuration, firmware revision, and data retrieval from an IED is addressed. Communications for the purpose of power system protection (teleprotection) are not addressed in this standard.
This standard defines a cryptographic protocol to provide integrity, and optional confidentiality, for cybersecurity of serial links. Specific applications or hardware implementations are not addressed, and the standard is independent of the underlying communications protocol.
This suite of eight standards provides specifications for data authentication through digital signatures, ensuring prevention of eavesdropping, authenticated access, prevention of playback and spoofing, and intrusion detection.
SEL was showcased in the National Institute of Standards and Technology (NIST) Best Practices in Cyber Supply Chain Risk Management for our exceptional supply chain risk management practices. This case study discusses SEL’s supply risk management philosophy and management best practices.
The President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013, directing NIST to work with industry stakeholders to develop a voluntary framework based on existing standards, guidelines, and best practices. The framework provides a prioritized, flexible, repeatable, and cost-effective approach for owners and operators to manage cybersecurity-related risk.
This guide was developed by the Joint Task Force Transformation Initiative Interagency Working Group. It provides a comprehensive set of security controls, three security control baselines (low-, moderate-, and high-impact), and guidance for tailoring the appropriate baseline to meet specific needs according to the organization’s missions, environments of operation, and technologies used. SP 800-53 provides the security control baselines as the starting point for the security control selection process.
The Information Technology Laboratory (ITL) and the Engineering Laboratory (EL) at NIST collaborated to develop this guide to assist organizations that operate industrial control systems (ICS). It presents an overview of the different types of ICS, including: supervisory control and data acquisition (SCADA) systems; distributed control systems (DCS); and programmable logic controllers (PLC). The components, uses, and operations of these systems are discussed, along with potential system threats and vulnerabilities.
This three-volume report presents a framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
NRECA worked with member companies to develop a set of tools that cooperatives can use to strengthen their security posture. The document was created to help electric cooperatives develop a cybersecurity plan for general business purposes, not to address any specific current or potential regulations. The target audience is the cooperative’s information technology organization and leadership team.