The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 


Using PIV cards to increase security and lower CIP compliance costs

image credit:
Danny Vital's picture
Senior Cybersecurity Engineer, XTec

Hi, I've been working in IT for the past two decades. Twelve of these years have been working specifically in the area of cybersecurity. During my work in tech I've played various different roles...

  • Member since 2021
  • 14 items added with 4,803 views
  • Apr 2, 2021

In 2004, the US government committed to a new standard for identity and access management across all civilian and military agencies: PIV (Personal Identity Verification for government) and CAC (Common Access Card for military) cards. Today, almost all federal government and military personnel carry a PIV or CAC card, which authenticates their access both to physical facilities and to systems that support their work.  (In this paper we will refer to the technology as PIV for brevity.) 

In the electric power industry, this same technology can both make your organization more secure and greatly reduce the amount of time and money you spend on NERC CIP compliance. In this white paper, we will discuss the five most important ways in which PIV cards can help your organization achieve both of these goals.

Your access to Member Features is limited.


One card for physical and logical access

One of the most important features of PIV cards is that the user only has to carry one card. It authenticates both physical access to buildings and other facilities, and logical access to computers and other intelligent devices the employee uses to perform their work. Of course, this is a big convenience for the user, since they just need to carry one card and remember one simple PIN.

However, PIV cards are an even bigger convenience for the organization that implements them. There are several reasons for this:

  1. Both physical and logical access can be provisioned at once, based on the person’s role.
  2. When the person changes jobs, their previous accesses can be quickly disabled and their new accesses immediately provisioned.
  3. When the person leaves the organization, all of their physical and logical access can be removed in one step.

Having a single access management console for both physical and logical access can save your organization a lot of time in complying with the following CIP requirement parts:

  • CIP-004-6 R4.1 through R4.4: A single identity management system can authorize, provision, review, and remove an individual’s access both to systems and physical facilities. A full roles capability makes this very easy, when roles have been defined by your organization.
  • CIP-004-6 R5.1 through R5.5: Your organization can quickly remove access to the systems, physical facilities and information repositories (including those for BES Cyber System Information), to which an individual had access; this is done at a single console and with minimal delay. You can do this whether the individual was terminated, left voluntarily, or changed roles within the organization.
  • CIP-006-6 R1.2, R1.3 and R1.8: PIV cards provide multi-factor authentication and logging at all physical facilities.


Multi-factor authentication

You probably already understand the principle behind multi-factor authentication (MFA): your security is greatly enhanced if the user needs to supply more than one “factor” whenever they enter a building or logon to a computer. There are three types of factors:

  1. Something you know (a password or PIN)
  2. Something you have (a card that contains an electronic identifier, or a number provided to the user via a hard or soft security token, or a text to their cell phone)
  3. Something you are (a biometric “template” like a fingerprint)

A PIV card allows use of all three of these factors in authentication:

  1. Upon inserting their PIV card for access to a building or a system, the user is prompted to enter their simple PIN – something they know.
  2. The card contains an X.509 digital certificate, which cannot be copied or altered – something the user has.
  3. A template of the user’s fingerprint is stored on the card. Some PIV card readers have a fingerprint scanner, which compares the fingerprint of the user to the fingerprint scan template that’s stored on the card. This provides a third means of authentication – something the user is.

With PIV cards and card readers in place, you can have multi-factor authentication literally anywhere in your organization, i.e. a) for access to all devices on both your IT and OT networks, and b) for access to physical facilities including office buildings, substations, generating stations, etc. For some systems or facilities requiring a higher level of security, you can also require the fingerprint scan (or you might require it everywhere!). Conversely, in lower-security situations you can require just the card, not a PIN.

One note: If you prefer contactless single-factor authorization in some cases – e.g., doors in low-risk areas - many PIV cards also have contactless capability, as long as contactless card readers are deployed.

There are two CIP requirement parts that require MFA. If your organization uses PIV cards, you already have everything you need to comply with them:

  • CIP-003-8 R2 Attachment 1 Section 2: PIV cards allow your organization to implement multi-factor authentication at low impact NERC CIP assets, as well as medium and high impact assets.
  • CIP-005-6 R2.3: If the remote system (e.g. in an employee’s home) is protected with a PIV card reader, the employee can be multi-factor authenticated for Interactive Remote Access using their normal card and PIN.
  • CIP-006-6 R1.3: The employee’s PIV card, PIN and (optionally) fingerprint scan provide MFA for access to High impact Control Centers.


No passwords

Many cybersecurity professionals will tell you that the biggest source of cyber risk in their organization is passwords. Dragos, Inc., in their Year in Review for 2020, said “…using valid usernames and passwords is by far the top choice for hackers looking to breach a network and stay in it undetected.”[1] In other words, it is far too easy to steal or guess passwords. Dragos said they found that about half of the energy companies in their report used similar login credentials for both IT and OT networks, making it much easier for the hackers to penetrate the OT network.

Passwords present a fundamental problem: They need to be as complex as possible in order to be secure, but they also need to be as simple to remember as possible so that users don’t write them down, use the same password across systems and on the internet, etc. In the electric power industry, passwords are often shared, because of the need for multiple people to be able to quickly access the same systems at different times (for example in substations or Control Centers).

While there are some commercial solutions available to partially address this problem, wouldn’t it be great if you could deploy the ultimate solution: eliminate passwords altogether? With PIV cards, you can do that! PIV cards contain a digital certificate that is unique to the individual and can’t be copied or altered. This, along with a simple PIN entered by the user, provides a higher level of security than even the most complex password. And you can always require a fingerprint scan as well, when you believe the highest level of security is required.

There are many NERC CIP requirements that are based on passwords; PIV cards can help you comply with all of these, probably at a much lower cost in staff time and money than you are incurring now. Here are some of the most important examples:

  • CIP-004-6 R5.5 and CIP-007-6 R5.3 both apply to shared accounts. If your organization deploys PIV cards to employees (and contractors, if needed), there will no longer be any need for shared accounts. This is because the user will only need their card and an easy-to-remember PIN. In fact, you will always be able to require a fingerprint scan as well, for the highest level of security.
  • CIP-007-6 R5.4 requires changing default passwords. If a system is protected with a PIV card reader, any default password that might be on the system is irrelevant; there is no pathway to access the system, even if a user knows the default password.
  • CIP-007-6 R5.5 and R5.6 require controls on password length and complexity as well as password changes, but they only apply to systems with “password-only authentication”. Any system with a PIV card reader is out of scope for both of these requirements!
  • CIP-007-6 R5.7 requires limitation on the number of unsuccessful authentication attempts. When users are authenticated using PIV cards, there is no password for an attacker to guess. Any attempt to use an invalid PIV card even once will be blocked and an alert generated, as will repeated attempts to enter an invalid PIN with a valid card.


Storing PRA and training renewal dates on the PIV card

Beside the digital certificate and fingerprint scan template, other information (for example, certifications) can be stored on the card and read by the card reader to control access. Four very important pieces of information for NERC entities are whether a user – who has been granted electronic and/or unescorted physical access to BES Cyber Systems - has had a personnel risk assessment and CIP training after being hired, and when each of those was last conducted. The PRA needs to be renewed in seven years and the training needs to be renewed at least every 15 months.

Specifically, there are three CIP requirement parts involved:

CIP-004-6 R2.2: If the user has not yet completed their CIP training, a new employee can be prevented from accessing High and Medium impact BCS, EACMS and PACS, or having unescorted physical access to assets like Medium impact substations or High impact Control Centers.

CIP-004-6 R2.3: If the employee has not renewed their training before the renewal date, they can be prevented from accessing High and Medium impact systems and facilities until they have renewed it. Access will be automatically blocked starting the day after their training expires.

CIP-004-6 R3.5: If a new employee has not completed their Personnel Risk Assessment, or if an existing employee has not renewed their PRA in the last seven years, they can be prevented from accessing High and Medium impact systems and facilities until they have had a new PRA.


Emergency response

When one electric utility has experienced a natural disaster, other utilities will often provide skilled workers to help the impacted utility recover. When this happens, it is usually quite hard for the impacted utility to follow all of the personnel security requirements in CIP-004-6, at the same time as they’re authorizing and authenticating emergency workers.

While a declaration of CIP Exceptional Circumstances will normally protect the utility against any CIP violations being assessed as a result of not strictly following the CIP-004-6 requirements, the fact remains that emergency response situations open up a security hole that might be exploited by a resourceful adversary.

One PIV solutions vendor has worked with federal agencies, primarily FEMA, to develop capabilities based on PIV cards, that can mitigate much of the security risk associated with emergency response situations. These include:

  1. Mobile enrollment and authentication facilities;
  2. Capability to accept PIV cards issued by other organizations (government agencies, other utilities, and vendors);
  3. Capability to create a “derived credential” on a smartphone, laptop, tablet or other mobile device; and
  4. Capability to document exactly who had access to which facility at what time, even at the height of the crisis.

For more information on these topics, see these three white papers:

  1. Enhancing your organization’s security using PIV cards:
  2. 33 ways that PIV cards can help your organization save time and money in NERC CIP compliance:
  3. Use of PIV cards when Mutual Aid is required during natural disasters:


Want to learn more?  Attend our upcoming Energy Central PowerSession: How to Improve Security and Reduce NERC CIP Compliance Costs Using Smart Identification Scheduled for Thursday, April 15th at 2:00 pm EDT.  For more information and to register, follow this link.   

[1] From article in E&E News, February 25, 2021: “Russia-linked grid hackers threaten U.S. — report”. Used with permission.


No discussions yet. Start a discussion below.

Danny Vital's picture
Thank Danny for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »