Editor's Note: This article was contributed by Ernie Hayden of Securicon LLC, an expert in industrial controls security, especially for the power utility industry.
About 6 months ago I wrote an article for this blog about the NIST Cybersecurity Framework. The article described how the framework came to be, what it is, what it is supposed to do and what you should do about it.
If you have any interest in industrial cyber security you will want to download the latest version of the framework and have it on hand for reference. If you are in one of 16 critical infrastructure industries (shown in a table in this earlier article), or if you rely on any of them for your success, your organization needs to go one step further and become familiar with its content.
In this article I am going to discuss the newly revised ICS Security Guideline – NIST 800-82 Rev. 2 – and offer some useful thoughts on it.
The U.S. government’s NIST ICS Security framework will apply to all critical infrastructure sectors, such as energy. It is also an excellent guide to SCADA security for all industrial enterprises.
Guide to ICS Security – Revision 2
Recently the National Institute of Standards and Technology (NIST) published the initial public draft of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. This particular revision to the highly popular 800-82 versions 0 and 1 is a positive step change in the volume of information contained in the document.
In summary -- and extracted from page iv of the 255-page report -- the updates to this revision include:
- Updates to ICS threats and vulnerabilities
- Updates to ICS risk management, recommended practices, and architectures
- Updates to current activities in ICS security
- Updates to security capabilities and tools for ICS
- Additional alignment with other ICS security standards and guidelines
The report also adds new tailoring guidance for NIST SP800-53, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, including the introduction of overlays of the NIST 800-82 ICS security guidelines versus the NIST 800-53 security requirements. The ICS overlay also helps delineate the NIST SP800-53, Rev 4, security controls that can be tailored for Low-, Moderate-, and High-impact ICS.
Several months ago, as a member of the Industrial Controls Security Joint Working Group (ICSJWG) Standards Committee, I had the opportunity to review chapter 3, "ICS Risk Management and Assessment," which is a new expansion from the earlier versions. This chapter alone provides some expanded views of the threats, vulnerabilities and associated risks posed to and by ICS environments.
Appendix C, "Threat Sources, Vulnerabilities and Incidents," is a useful compilation of text and tables covering such topics as ICS threat sources, vulnerabilities, predisposing conditions, and system vulnerabilities, along with a list of documented incidents.
Of note, Appendix F, "References," is an excellent list of 80 different documents and links that were not only used in developing the new revision to NIST 800-82 but are also an excellent resource for the ICS security practitioner or student. However, I am a bit surprised and disappointed that Eric Knapp's Industrial Network Security book was not included, since it is one of the best resources published on this topic.
A Valuable Industrial Cyber Security Reference Guide
First, if you are interested in Industrial Controls Security as a network designer, system integrator, controls engineer or security professional, download this new version and put it on your reference shelf for your ICS projects. It is free and provides valuable insight into the ICS arena.
Secondly, if you are an IT Security instructor, be sure to show this to your students and perhaps include ICS security as part of your curriculum. NIST 800-82 would be an excellent textbook and, again, there is no charge except for the cost to print.
Thirdly, NIST 800-82 R2 is out for public comment until July 18, 2014. If you are so inclined, please take some time to read the new document and offer your comments via email at firstname.lastname@example.org or you can mail them to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Thanks again and happy reading!