A recent article published in a widely circulated technical publication has spurred a much-needed online discussion. The article’s focus was on the management of consumer password credentials. Naturally, this spurred the question of what NISC is doing to protect the information of our Members and their end-consumers/customers.
At NISC, the security of our Members’ information is of utmost importance. We’ve instilled a culture of cybersecurity, one where we work to continuously improve, and where we seek input from experts across the country.
Below is an outline of our current password management practices for SmartHub, NISC’s online billing and payment tool that allows end-consumers to manage their accounts, pay bills, monitor electric use and report issues. We’ve also elaborated on other efforts under way to protect and safeguard our Members.
NISC’s password management practices and commitment to cybersecurity
Key SmartHub password security practices
SmartHub is NISC’s online billing and payment tool that allows end-consumers to manage their accounts, pay bills, monitor electric use and report issues.
- All SmartHub passwords stored in our iVUE database are currently encrypted, not in plain text.
- While NISC strongly advises against it, a Member may configure our iVUE software solution to allow Customer Service Representatives with special security permissions to see a password under special circumstances. Update since our discussion: We are gathering a list of our Members who currently enable this option, and plan to directly contact their CEO/general managers, advising them of this and strongly encouraging them to consider disabling this option.
- Today if a customer forgets the SmartHub password, he or she is required to answer a series of validation questions before being able to enter a new password.
- Password lengths and requirements are controlled by the Member.
Ongoing efforts to move credentials to the cloud, increase end-consumer security
NISC is currently working on a project to revamp security for our utility end-consumers. The primary push of the project is to migrate passwords away from reversible symmetric encryption to storing password hashes derived with the PBKDF2 algorithm recommended by the National Institute of Standards and Technology. The project will continue past the initial password storage improvements to include two-factor authentication support as well.
Migration of existing Customers is expected to begin in the second half of 2019.
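To illustrate what the move from symmetric encryption to PBKDF2 changes in practice, here is an added example (not NISC's code, and not the iVUE implementation): each password gets its own random salt, the stored record holds only the derived key and its parameters, and a login can be checked without ever recovering the password. The work factor, hash function and record format below are assumptions chosen for illustration; the page does not state NISC's actual parameters.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example; raise ITERATIONS over time as hardware improves.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2$<hash>$<iterations>$<salt_b64>$<key_b64>."""
    salt = os.urandom(SALT_BYTES)  # unique per password, so identical passwords differ at rest
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return "$".join(["pbkdf2", HASH_NAME, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "pbkdf2":
        return False
    _, hash_name, iterations, salt_b64, key_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                                    int(iterations), len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than current policy (older hash or lower cost)."""
    _, hash_name, iterations, _, _ = record.split("$")
    return hash_name != HASH_NAME or int(iterations) < ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify a login; on success, upgrade an out-of-policy record while the password is in hand."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record
```

Because the record cannot be turned back into the password, the "let a CSR view the password" option described above has no equivalent once passwords are stored this way; the upgrade-on-login path in `login` is one common way to move a population of accounts to stronger parameters without a separate batch job.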
Culture of Cybersecurity
NISC is committed to ongoing cybersecurity education and best practices, outlined through our Member-Employee online learning community. We offer a series of webinars, blog posts, cyber tips and trainings.
Bug Bounty program
Our commitment to continual security improvement has resulted in our participation in a private vulnerability disclosure program through HackerOne. This program establishes a formal process for NISC to accept and address reports of software vulnerabilities and to pay bounties to participants in the program who report vulnerabilities. The program includes response targets for time-to-response and time-to-resolution based on the criticality of the report submitted. The program is currently private, available to white-hat hackers that HackerOne has vetted for program eligibility. This is intended to be the first step toward eventually establishing a public vulnerability disclosure program. NISC includes all internet-facing applications in the scope of this application security bug bounty program.
This past October, NISC released the “CyberSense Educational Kit,” a downloadable kit containing a series of customer-facing tips designed to help customers protect their identity and strengthen their cybersecurity practices. Offered free of charge to any organization requesting the material, the kit will continue to be updated with relevant information.