NIST addresses security for industrial controls systems
- By William Jackson
- Nov 19, 2007
The National Institute of Standards and Technology has released an initial draft of new security guidelines for government information technology systems used for industrial control processes. The guidelines are in a revised appendix
to NIST Special Publication 800-53, 'Recommended Security Controls for Federal Information Systems.'
NIST describes the draft as an out-of-cycle update. The only change between Revision 1 and Revision 2 is the complete replacement of Appendix I, so only that appendix is being released for public review.
'This special update is required due to the urgent need to provide guidance on appropriate safeguards and countermeasures for federal industrial control systems,' NIST said in announcing the release.
SP 800-53 is one of seven NIST publications giving specifications for meeting standards defined under the Federal Information Security Management Act. This guidance spells out how to implement Federal Information Processing Standard 200, Minimum Security Controls for Federal Information Systems, which became mandatory in December 2005. The controls in the guidance create baseline configurations for low-, moderate- and high-risk systems.
SP 800-53 includes the concept of compensating security controls to allow for equivalent or comparable controls not included in the publication. The latest revision addresses some of the compensating controls that might be required for industrial control systems. Because these systems are used for specific processes, their architecture, hardware and software platforms, and configurations might fall outside the parameters of IT systems in an agency's enterprise. But because such systems are increasingly interconnected with Internet-connected networks, there is increasing concern about securing vulnerabilities in these control systems.
NIST worked with the industrial control systems communities in the public and private sectors to develop guidance on applying security controls to these systems. The guidance is in four areas:
- Tailoring controls to unique characteristics of control systems, which might require more compensating controls than general-purpose information systems. 'Compensating controls are not exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures employed within the ICS that accomplish the intent of the original security controls that could not be effectively employed,' the guidance explains.
- Security control enhancements that augment the original controls required for some control systems. These extend the control catalog in Appendix F for access enforcement and configuration control.
- Supplements to the security control baselines for control systems in Appendix D for moderate- and high-risk systems.
- Supplemental guidance providing additional information on applying security controls and enhancements. This provides advice on why some controls or enhancements might not be appropriate in specific environments and might be a candidate for tailoring.
Comments can be submitted via e-mail
and will be accepted through Dec. 14. Updates will be made after the public review period for the draft of the new Appendix I, and the entire document will be published as Revision 2 in December. The normal two-year revision cycle for SP 800-53 will take place as planned in December 2008.
William Jackson is a Maryland-based freelance writer.