Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Applying NIST SP 800-53 to Industrial Control Systems

Published

Author(s)

Stuart W. Katzke, Keith A. Stouffer, Marshall Abrams, David Norton, Joe Weiss

Abstract

The National Institute of Standards and Technology (NIST) has established an Industrial Control System Security Project to improve the security of public and private sector Industrial Control Systems (ICSs). A major part of the project is to research the applicability of NIST Special Publication (SP) 800-53 Recommended Security Controls for Federal Information Systems to ICSs. SP 800-53 contains specifications for information security controls that are binding on all non-national security information and information systems belonging to, or operated for, federal government agencies. SP 800-53 was developed for use with traditional IT systems; another major part of the project is to clarify and rectify problems experienced in applying SP 800-53 to ICSs. Although several organizations are working on information security standards and guidelines, at the time this research was conducted, the NERC cyber security standards, CIP 002-1 to CIP 009-1, were the only available documents addressing security controls comparable to those contained in SP 800-53. Therefore, the research focused on comparing the NERC CIP standards with SP 800-53. A careful analysis of correspondence between SP 800-53 and the NERC CIP standards concluded that an organization conforming to one of the baseline sets of security controls in SP 800-53 can also comply with the management, operational and technical security requirements of the NERC CIPs, though the converse may not be true. As an active participant in both the information security and ICS communities (government and private sector), NIST is working on harmonizing ICS information security controls within the ICS community. If successful, the results are expected to influence a major portion of the ICS community, including other types of federal ICSs, regulatory agencies, national and international voluntary standards activities, and commercial sector ICSs (e.g., manufacturing processing systems, building control systems).
Proceedings Title
ISA Expo 2006 | | | ISA
Conference Dates
October 17-19, 2006
Conference Location
Houston, TX
Conference Title
ISA EXPO 2006, Houston, TX, October 2006

Keywords

CIP, cyber security, ICS, industrial control system, information security, NERC, NIST, security control

Citation

Katzke, S. , Stouffer, K. , Abrams, M. , Norton, D. and Weiss, J. (2006), Applying NIST SP 800-53 to Industrial Control Systems, ISA Expo 2006 | | | ISA, Houston, TX (Accessed October 31, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created September 1, 2006, Updated February 19, 2017