Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Releases Tips & Tactics for Control System Cybersecurity

Engineering works with the tablet in the production control room.Control room of a steam Turbine,Generators of Oil refinery industry plant for monitor process, business and industry concept
Credit: Shutterstock/Mr.B-king

The impact of cybersecurity breaches on infrastructure control system owners/operators is more visible than ever before. Whether you work for an infrastructure owner/operator or are a consumer of an infrastructure service, the events of the past few months have made it clear that cybersecurity is an important factor in ensuring the safe and reliable delivery of goods and services. For infrastructure control system owners/operators, it can be challenging to address the range of cybersecurity threats, vulnerabilities and risks that can negatively impact their operations, especially with limited resources.

NIST has developed an infographic, Tips and Tactics for Control Systems Cybersecurity, with quick steps control system owners/operators can take now to get started or refreshed on their cybersecurity journey and to help manage their control system cybersecurity risks. We also coordinated with the Cybersecurity & Infrastructure Security Agency (CISA) to find out what resources they may recommend and included them below for you as well.

In addition to the infographic, there are many control systems cybersecurity resources available from both NIST and CISA to help you, including:

  • NIST:
    • Cybersecurity Framework (CSF): Voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
    • Risk Management Framework (RMF): A comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
    • CSF Manufacturing Profile: Provides CSF version 1.1 implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the CSF can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.
    • CSF Manufacturing Profile Implementation Guide: Implementation guidance to help manufacturers to select and deploy cybersecurity tools and techniques that best fit their needs while minimizing operational impacts. The Guide provides general implementation guidance (Volume 1) and two complete example proof-of-concept solutions (Volume 2 and Volume 3) demonstrating how available open-source and commercial off-the-shelf products can be implemented in manufacturing environments to satisfy the Manufacturing Profile’s requirements.
    • Guide to Industrial Control Systems (ICS) Security: Guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.
       
  • CISA:

In addition to the control systems-specific resources, NIST offers:

In addition to the control systems-specific resources, CISA offers:

The collection of NIST resources for control system cybersecurity can be found at our new website. NIST continues to conduct the research and development of an update to NIST SP 800-82 to reflect the state of practice in cybersecurity risk management approaches for control systems.  We look forward to sharing a summary and analysis of the NIST SP 800-82 stakeholder pre-draft comments received later in June and sharing a draft of the next revision for public comment in late 2021.

About the author

Keith Stouffer

Keith Stouffer is a supervisory mechanical engineer at the National Institute of Standards and Technology. He leads the Trustworthy Systems, Components, and Data for Smart Manufacturing Program and is the lead author of NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, which provides guidance on how to secure ICS while addressing their unique performance, reliability and safety requirements. Outside of work, he enjoys fishing, hunting, and hiking.

Victoria Yan Pillitteri

Victoria Yan Pillitteri is a supervisory computer scientist at the National Institute of Standards and Technology. She leads the Federal Information Security Modernization Act (FISMA) Team that develops the suite of risk management guidance used for managing information security risk in the federal government. Outside of work, she enjoys teaching group exercise classes, baking, and traveling.

Comments

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.