ICS Security Guide Up for Final Review

Monday, February 16, 2015 @ 11:02 AM gHale

Proposed updates are out for the Guide to Industrial Control Systems (ICS) Security.

The final draft includes revisions and additions responding to comments the National Institute of Standards and Technology (NIST) received from about 30 organizations during the initial comment review period. Comments on the latest — and final — review draft are due before March 10.

Downloaded more than 3 million times since its initial release in 2006, the ICS security guide advises on how to reduce the vulnerability of computer-controlled industrial systems to malicious attacks, equipment failures, errors, inadequate malware protection and other threats. Industrial control systems encompass the hardware and software that control equipment and the information technologies that gather and process data. They commonly see use in factories and by public utilities and other owners and operators of major infrastructure.

Most industrial control systems began as proprietary, stand-alone collections of hardware and software walled off from the rest of the world and isolated from most external threats. Today, widely available software applications, Internet-enabled devices and other nonproprietary IT offerings end up integrated into ICSes. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems. Cybersecurity threats to ICS can pose significant risks to human health and safety, the environment, and business and government operations.

The current draft — the second revision of the guide — includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, security architectures, and security capabilities and tools for ICS.

Because ICS have unique performance, reliability, and safety requirements, securing them often requires adaptations and extensions to NIST-developed security standards and guidelines for traditional IT systems.

A significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53, revision 4) to ICS. SP 800-53 contains a catalog of security controls a user can tailor to specific needs according to an organization’s mission, operational environment, and the technologies used.

The new draft of the ICS security guide includes an overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of ICS.

Click here to download the NIST SP 800-82, Guide to Industrial Control System (ICS) Security, Revision 2 Final Public Draft.

The public comment period runs from February 9 through March 9, 2015. Click here to email comments.
