NIST SPECIAL PUBLICATION 1800 -23 Energy Sector Asset Management For Electric Utilities, Oil & Gas Industry Includes E xecutive Summary (A ); Approach, Architecture, and S ecurity C haracteristics (B) ; and How -To Guides (C) James McCarthy Lauren A cierto Glen J oy Jason Kuruvilla Titilayo Ogunyale Nikolas Urlaub John Wiltberger Devin Wynne This publication is av ailable free of charge from: https: //doi.org/10.6028/NIST.SP.1800-2 3 The first d raft of t his publication is ava ilable free of ch arge from: https://www.nccoe.nist.gov/library/energy -sector -asset -management -nist-sp-1800- 23-practice- guide NIST SPECIAL PUBLICATION 1800 -23 Energy Sector Asset Management For Electric Utilities, Oil & Gas Industry I ncludes Executive Summary (A); Approach, Architecture, and Security Characteristics (B) ; and How -To Guides (C) J ames McCarthy Glen Joy National Cybersecurity Center of Excellence Information Technology Laboratory Laur en Acierto Jason Kuruvilla Titilayo Ogunyale Nikolas Urlaub John Wiltberger Devin Wynne The MITRE Corporation McLean, Virginia M ay 2020 U .S. Department of Commerce Wilbur Ross , Secretary N ational Institute of Standards and Technology Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology NIST SPECIAL PUBLICATION 1800 -23A Energy Sector Asset Management For Electric Utilities, Oil & Gas Industry Volume A : Executive Summary James McCarthy Glen J oy National C ybersecurity C enter of E xcellence Information Technology Laboratory Lauren A cierto Jason Kuruvilla Titilayo Og unyale Nikolas Urlaub John Wiltberger Devin Wynne The MITRE C orporation McLean, Virginia May 2020 This publication is av ailable free of charge from: https://doi.org/10.6028/NIST.SP.1800-2 3 The first d raft of t his publication is ava ilable free of ch arge from: https://www.nccoe.nist.gov/library/energy -sector -asset -management -nist-sp-1800- 23-practice- guide NIST SP 1800-23A : Energy Sector Asset Management 1 Executive Summary The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to demonstrate how energy organizationscan strengthen their operational technology (OT) asset management practices by leveraging capabilities that may already exist within their operating environment or by implementing newcapabilities. As electric utilities and the oil and gas industry are some of the nation’s critical infrastructures , the incapacitation or destruction of assets, systems, and networks in the energy sector couldhave serious negative effects on the economy, public health, and s afety. As industrial control systems (ICS) in the energy sector become more interconnected,vulnerabilities within OT assets and processes are target s for malicious actors. A challenge for energy organizations is maintaining an updated asset inventory. It is difficult toprotect what is not seen or is not known. Without an effective asset management solution, organizations that are unaware of assets in their infrastructure may unnecessarily exposethemselves to cybersecurity risks. This NIST Cybersecurity P ractice Guide provides detailed steps on how energy organizations can identify and manage OT assets and detect cybersecurity risks associated with them. CHALLENGE Energy organizations may be a prime target of growing and evolving cybersecurity threats , given the criticality of their infrastructure to our nation . A cyber attack that disrupts OT processes or equipment can result in safety issues and the loss of power, as well as in significant productivity costs. Currently, many ener gy organizations rely on manual processes to manage their OT assets , which makes it challenging to quickly identify and respond to potential threats . Existing asset inventories may be static, one-time , or point -in-time snapshots of auditing