NIST guide aims to make industrial control systems more resilient

Tools

Industrial control systems, such as those used by utilities and manufacturing, are integrating new capabilities that promote connectivity and remote access, but also necessitate unique security solutions, says the National Institute of Standards and Technology in an updated special publication issued May 15.

"These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems," write the authors of NIST Special Publication 800-82, revision 1 (.pdf). While most are privately-owned, government does manage ICS in areas such as air traffic control.

However, threats from hostile governments, terrorist groups, disgruntled employees, malicious intruders, accidents and natural disasters put these critical systems at risk.

NIST SP 800-82, rev. 1 addresses ways to improve ICS security with the systems' unique performance, reliability and safety requirements in mind. NIST recommends organizations running ICS stand up a cross-functional cyber security team consisting of--at a minimum--a member of the information technology staff, control engineer, control system operator, network and system security expert, a member of the management staff and a member of the physical security department.

The team should consult with system vendors and integrators, and report to the chief information officer. The CIO should take complete responsibility and accountability for the cyber security of the ICS, says NIST.

The cross-functional cybersecurity team should develop security policies, procedures training and educational material--all of which adjusts with heightened security postures as the Homeland Security Advisory System Threat Level increases, says NIST.

The team should also apply a network topology--examples of topologies are provided in the document--with layers of security and the most critical communications executed at the most secure layer. Operators should separate corporate and ICS networks and prevent direct traffic between the two, as well as ensure systems are redundant and fault tolerant, says NIST.

Publication authors suggest disabling unused ports and services on ICS devices, restricting physical access and user privileges, and controlling access through a separate ICS authentication mechanism and smart cards identity management.

General IT best practices apply to ICS as well. NIST recommends operators implement security controls such as intrusion detection and antivirus software, employ encryption or cryptographic techniques for ICS storage and communications, regularly patch systems, and monitor audit trails on critical areas of the ICS.

A NIST statement says the agency expects revision 2 of the document to be released in spring 2014. NIST says the first draft is planned for late summer 2013 and a final draft is planned for winter 2013.

The agency says revision 2 will include an update on threats and vulnerabilities, risk management practices and architectures, and alignment with other security standards, among other things.

For more:
- download the report, SP 800-82 revision 1 (.pdf)

Related Articles:
NIST releases 4th version of security control catalog SP 800-53
Q&A: NIST's Ron Ross on the fourth revision of SP 800-53