[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] New guides for industrial control systems


By William Jackson

The National Institute of Standards and Technology has released the 
final version of new security guidelines for government information 
technology systems used for industrial control processes.

The guidelines are in a revised appendix to NIST Special Publication 
800-53 [1], titled Recommended Security Controls for Federal Information 

SP 800-53 is routinely updated every two years. Revision 2 is an 
out-of-cycle update. The primary change in this revision is the complete 
replacement of Appendix I. The regular two-year update will occur as 
previously scheduled in December 2008.

This special update is required due to the urgent need to provide 
guidance on appropriate safeguards and countermeasures for federal 
industrial control systems, NIST said.

The new revision also updates the low security control baseline with the 
addition of security control CP-4, Contingency Plan Testing and 
Exercises, and includes updated references section in Appendix A. The 
work was done by NISTs Computer Security Division and Intelligent 
Systems Division, in collaboration with the Homeland Security Department 
and agencies that own, operate and maintain industrial control systems.

SP 800-53 is one of seven NIST publications giving specifications for 
meeting standards defined under the Federal Information Security 
Management Act. The publications spell out how to implement Federal 
Information Processing Standard 200, Minimum Security Controls for 
Federal Information Systems, which became mandatory in December 2005. 
The controls in the guidance create baseline configurations for low-, 
moderate- and high-risk systems.

SP 800-53 includes the concept of compensating security controls to 
allow for equivalent or comparable controls that are not included in the 
publication. The latest revision addresses some of the compensating 
controls that might be required for industrial control systems. Because 
these systems are used for specific processes their architecture, 
hardware and software platforms and configurations might fall outside 
the parameters of other IT systems within an agencys enterprise. But 
because such systems are increasingly interconnected, there is growing 
concern about securing vulnerabilities in these control systems.

NIST worked with the industrial control systems communities in the 
public and private sectors to develop guidance on applying security 
controls of 800-53 to these systems. The guidance covers four areas:

    * Tailoring controls to unique characteristics of control systems, 
      which might require more compensating controls than general 
      purpose information systems. Compensating controls are not 
      exceptions or waivers to the baseline controls; rather, they are 
      alternative safeguards and countermeasures employed within the ICS 
      that accomplish the intent of the original security controls that 
      could not be effectively employed, the guidance explains.

    * Security control enhancements that augment the original controls 
      required for some control systems. These extend the control 
      catalog in Appendix F for access enforcement and configuration 

    * Supplements to the security control baselines for control systems 
      in Appendix D for moderate- and high-risk systems.

    * Supplemental guidance providing additional information on applying 
      security controls and enhancements. This provides advice on why 
      some controls or enhancements might not be appropriate in specific 
      environments and might be a candidate for tailoring.

[1] http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev2

Visit InfoSec News