Applying NIST SP 800-53 to Industrial Control Systems
Stuart W. Katzke, Keith A. Stouffer, Marshall Abrams, David Norton, Joe Weiss
The National Institute of Standards and Technology (NIST) has established an Industrial Control System Security Project to improve the security of public and private sector Industrial Control Systems (ICSs). A major part of the project is to research the applicability of NIST Special Publication (SP) 800-53 Recommended Security Controls for Federal Information Systems to ICSs. SP 800-53 contains specifications for information security controls that are binding on all non-national security information and information systems belonging to, or operated for, federal government agencies. SP 800-53 was developed for use with traditional IT systems; another major part of the project is to clarify and rectify problems experienced in applying SP 800-53 to ICSs. Although several organizations are working on information security standards and guidelines, at the time this research was conducted, the NERC cyber security standards, CIP 002-1 to CIP 009-1, were the only available documents addressing security controls comparable to those contained in SP 800-53. Therefore, the research focused on comparing the NERC CIP standards with SP 800-53. A careful analysis of correspondence between SP 800-53 and the NERC CIP standards concluded that an organization conforming to one of the baseline sets of security controls in SP 800-53 can also comply with the management, operational and technical security requirements of the NERC CIPs, though the converse may not be true. As an active participant in both the information security and ICS communities (government and private sector), NIST is working on harmonizing ICS information security controls within the ICS community. If successful, the results are expected to influence a major portion of the ICS community, including other types of federal ICSs, regulatory agencies, national and international voluntary standards activities, and commercial sector ICSs (e.g., manufacturing processing systems, building control systems).
ISA Expo 2006, Houston, TX, October 17-19, 2006
Keywords: CIP, cyber security, ICS, industrial control system, information security, NERC, NIST, security control