Major Update to ICS Security Guide

Friday, May 16, 2014 @ 03:05 PM gHale


There is now a major update to the Guide to Industrial Control Systems (ICS) Security.

Most industrial control systems began as proprietary, stand-alone collections of hardware and software separated from the rest of the world and isolated from most external threats.

Today, widely available software applications, Internet-enabled devices, and other IT offerings have been integrated into these systems, and the data produced in ICS operations is used to support business decisions. This connectivity has delivered big benefits, but it has also increased the vulnerability of these systems to malicious attacks, equipment failures and other threats.

Downloaded more than 2.5 million times since its initial release in 2006, the National Institute of Standards and Technology (NIST) guide advises how to reduce the vulnerability of computer-controlled industrial systems used by industrial plants, public utilities and other major infrastructure operations to malicious attacks, equipment failures, errors, inadequate malware protection and other software-related threats.

The new draft, which is the second revision of the guide, includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, security architectures, and security capabilities and tools for ICS.

Due to their unique performance, reliability and safety requirements, securing industrial control systems often requires adaptations and extensions to security controls and processes commonly used in traditional IT systems.

Recognizing this, a significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, revision 4) to ICS.

SP 800-53 contains a baseline set of security controls you can tailor to specific needs according to an organization’s mission, operational environment, and the technologies used. The new draft Guide to Industrial Control Systems (ICS) Security includes an ICS overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of industrial control systems.

Click here to download the Guide to Industrial Control System (ICS) Security, Revision 2 Initial Public Draft (NIST SP 800-82).

The public comment period runs from May 14 through July 18. You may mail comments to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930; or simply email them in.


