Identity and Access Management

Idaho Power Company (IPC) currently uses role-based access controls, defined in active directory along with usernames and password controls, for access to internal systems and resources. Using the existing technologies, IPC can not migrate to user based authorization and may not be able to move to zero trust enforcement in the future. Idaho Power Company aspires to implement a system which supports multi-factor authentication with multiple available options as the alternate authentication factors, including passwordless logins. Additionally, Idaho Power Company would like to have a system which offers multiple options for additional factors, and considers advanced metrics such as geolocation, geo velocity, and more before granting users authorization to systems or data. Newer, advanced authorization systems include features such as geographical location of the request, localization of login to previous login attempts, and other advanced considerations not available in the technologies currently deployed at IPC. IPC current technologies do not allow for ranking of systems based on the criticality of the data the system can access. The current authorization system has no controls to help prevent usage of passwords from others, which may have been compromised.

The current threat landscape continues to change and grow almost faster than security professionals can keep up with. Power Companies, power grids, and other utilities are referred to as critical infrastructures. These pieces of critical infrastructure are considered higher risk to usual cybersecurity threats such as malware, outsider threats, insider threats, and ransomware. In recent history power grids have come under attack from malicious software directed at their control systems. This highlights the new and emerging threats which can be specifically leveled against the IPC system.

These are not everything, this is just an overview of the threat landscape, with IPC there is more at risk. IPC is a part of Idaho’s critical infrastructure, which can be a target for Terrorists and Nation State Actors. The end goal of this project is to assess current Identity and Access Management tools and processes to propose recommendations for a pathway to a future of constant authentication and authorization for access to resources and optimum identity protection for all user, service, and shared accounts.