NIST Seeks Comments on Major Revision to Industrial Control Systems Security Guide
By Mark Bello
Posted: May 21, 2014
The National Institute of Standards and Technology (NIST) has issued for public review and comment a proposed major update to its Guide to Industrial Control Systems (ICS) Security.*
Most industrial control systems began as proprietary, stand-alone collections of hardware and software that were separated from the rest of the world and isolated from most external threats. Today, widely available software applications, Internet-enabled devices, and other IT offerings have been integrated into many systems, and the data produced in ICS operations are increasingly used to support business decisions. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems to malicious attacks, equipment failures and many other threats.
Downloaded more than 2.5 million times since its initial release in 2006, the NIST guide advises on how to reduce the vulnerability of computer-controlled industrial systems used by industrial plants, public utilities and other major infrastructure operations to malicious attacks, equipment failures, errors, inadequate malware protection and other software-related threats.
The new draft—the second revision of the guide—includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, security architectures, and security capabilities and tools for ICS.
Due to their unique performance, reliability and safety requirements, securing industrial control systems often requires adaptations and extensions to security controls and processes commonly used in traditional IT systems. Recognizing this, a significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, revision 4) to ICS. SP 800-53 contains a baseline set of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used. The new draft Guide to Industrial Control Systems (ICS) Security includes an ICS overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of industrial control systems.
The Guide to Industrial Control System (ICS) Security, Revision2 Initial Public Draft (NIST SP 800-82) can be downloaded from the NIST Computer Security Resource Center at: http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf. The public comment period runs from May 14 through July 18, 2014. Comments may be submitted by mail to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930; or by email to: nist800-82rev2comments@nist.gov
*K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams and A. Hahn. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 Revision 2, Initial Public Draft. May 2014.
For more information: