NIST seeks comments on major revision to industrial control systems security guide

May 22, 2014

The National Institute of Standards and Technology (NIST) has issued for public review and comment a proposed major update to its Guide to Industrial Control Systems (ICS) Security.*

Most industrial control systems began as proprietary, stand-alone collections of hardware and software that were separated from the rest of the world and isolated from most external threats. Today, widely available, Internet-enabled devices and other IT offerings have been integrated into many systems, and the data produced in ICS operations are increasingly used to support business decisions. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems to malicious attacks, equipment failures and many other threats.

Downloaded more than 2.5 million times since its initial release in 2006, the NIST guide advises on how to reduce the vulnerability of computer-controlled industrial systems used by industrial plants, public utilities and other major infrastructure operations to equipment failures, errors, inadequate malware protection and other software-related threats.

The new draft—the second revision of the guide—includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, architectures, and security capabilities and tools for ICS.

Due to their unique performance, reliability and safety requirements, securing industrial control systems often requires adaptations and extensions to security controls and processes commonly used in traditional IT systems. Recognizing this, a significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply to ICS the security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, revision 4). SP 800-53 contains a baseline set of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used. The new draft Guide to Industrial Control Systems (ICS) Security includes an ICS overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of industrial control systems.

More information: The Guide to Industrial Control System (ICS) Security, Revision 2 Initial Public Draft (NIST SP 800-82) can be downloaded from the NIST Computer Security Resource Center at:… p800_82_r2_draft.pdf. The public comment period runs from May 14 through July 18, 2014. Comments may be submitted by mail to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930; or by email to:

*K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams and A. Hahn. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 Revision 2, Initial Public Draft. May 2014.
