The National Institute of Standards and Technology (NIST) has issued proposed updates to its Guide to Industrial Control Systems (ICS) Security (NIST Special Publication 800-82) for final public review and comment.
The final draft includes revisions and additions responding to comments that NIST received from about 30 organizations during the initial comment review period. Comments on the latest—and final—review draft are due before March 10, 2015.
Downloaded more than 3 million times since its initial release in 2006, the ICS security guide advises on how to reduce the vulnerability of computer-controlled industrial systems to malicious attacks, equipment failures, errors, inadequate malware protection and other threats. Industrial control systems encompass the hardware and software that control equipment and the information technologies that gather and process data. They are commonly used in factories and by public utilities and other owners and operators of major infrastructure.
Most industrial control systems began as proprietary, stand-alone collections of hardware and software that were walled off from the rest of the world and isolated from most external threats. Today, widely available software applications, Internet-enabled devices and other nonproprietary IT offerings have been integrated into most such systems. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems. Cybersecurity threats to ICS can pose significant risks to human health and safety, the environment, and business and government operations.
The current draft—the second revision of the guide—includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, security architectures, and security capabilities and tools for ICS.
Due to their unique performance, reliability, and safety requirements, ICS cybersecurity often requires adaptations and extensions to NIST-developed security standards and guidelines for traditional IT systems.
A significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53, revision 4) to ICS. SP 800-53 contains a catalog of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used.
The new draft of the ICS security guide includes an overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of ICS.
NIST SP 800-82, Guide to Industrial Control System (ICS) Security, Revision 2 Final Public Draft can be downloaded from the NIST Computer Security Resource Center at: http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-82-Rev.2.
The public comment period runs from February 9 through March 9, 2015. Comments may be submitted by mail to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930; or by email to: nist800-82rev2comments [at] nist.gov