    New guides for industrial control systems

    The National Institute of Standards and Technology has released
    the final version of new security guidelines for government
    information technology systems used for industrial control
    processes.


    The guidelines are in a revised appendix to NIST Special Publication
    800-53, titled “Recommended Security Controls for Federal
    Information Systems.”


    SP 800-53 is routinely updated every two years. Revision 2 is an
    out-of-cycle update. The primary change in this revision is the
    complete replacement of Appendix I. The regular two-year update
    will occur as previously scheduled in December 2008.


    “This special update is required due to the urgent need to
    provide guidance on appropriate safeguards and countermeasures for
    federal industrial control systems,” NIST said.


    The new revision also updates the low security control baseline
    with the addition of security control CP-4, Contingency Plan
    Testing and Exercises, and includes an updated references section
    in Appendix A. The work was done by NIST’s Computer Security
    Division and Intelligent Systems Division, in collaboration with
    the Homeland Security Department and agencies that own, operate and
    maintain industrial control systems.


    SP 800-53 is one of seven NIST publications giving
    specifications for meeting standards defined under the Federal
    Information Security Management Act. The publications spell out how
    to implement Federal Information Processing Standard 200, Minimum
    Security Requirements for Federal Information and Information
    Systems, issued in March 2006. The controls in the guidance define
    baselines for low-, moderate- and high-impact systems, as
    categorized under FIPS 199.


    SP 800-53 includes the concept of compensating security controls
    to allow for equivalent or comparable controls that are not
    included in the publication. The latest revision addresses some of
    the compensating controls that might be required for industrial
    control systems. Because these systems are built for specific
    physical processes, their architecture, hardware and software
    platforms and configurations might fall outside the parameters of
    other IT systems within an agency’s enterprise. But because such
    systems are increasingly interconnected with enterprise networks,
    there is growing concern about the vulnerabilities in these control
    systems and how to secure them.


    NIST worked with the industrial control systems communities in
    the public and private sectors to develop guidance on applying
    security controls of 800-53 to these systems. The guidance covers
    four areas:



    • Tailoring controls to unique characteristics of control
      systems, which might require more compensating controls than
      general purpose information systems. “Compensating controls
      are not exceptions or waivers to the baseline controls; rather,
      they are alternative safeguards and countermeasures employed within
      the ICS that accomplish the intent of the original security
      controls that could not be effectively employed,” the
      guidance explains.

    • Security control enhancements that augment the original
      controls required for some control systems. These extend the
      control catalog in Appendix F for access enforcement and
      configuration control.

    • Supplements to the security control baselines for control
      systems in Appendix D for moderate- and high-impact systems.

    • Supplemental guidance providing additional information on
      applying security controls and enhancements. This provides advice
      on why some controls or enhancements might not be appropriate in
      specific environments and might be a candidate for tailoring.


