NIST seeks comments on major revision to industrial control systems security guide

May 22, 2014

The National Institute of Standards and Technology (NIST) has issued for public review and comment a proposed major update to its Guide to Industrial Control Systems (ICS) Security.*

Most industrial control systems began as proprietary, stand-alone collections of hardware and software that were separated from the rest of the world and isolated from most external threats. Today, widely available , Internet-enabled devices, and other IT offerings have been integrated into many systems, and the data produced in ICS operations are increasingly used to support business decisions. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems to malicious attacks, equipment failures and many other threats.

Downloaded more than 2.5 million times since its initial release in 2006, the NIST guide advises on how to reduce the vulnerability of computer-controlled industrial systems used by industrial plants, public utilities and other major infrastructure operations to , equipment failures, errors, inadequate malware protection and other software-related threats.

The new draft—the second revision of the guide—includes updates to sections on ICS threats and vulnerabilities, risk management, recommended practices, architectures, and security capabilities and tools for ICS.

Due to their unique performance, reliability and safety requirements, securing industrial control systems often requires adaptations and extensions to security controls and processes commonly used in traditional IT systems. Recognizing this, a significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, revision 4) to ICS. SP 800-53 contains a baseline set of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used. The new draft Guide to Industrial Control Systems (ICS) Security includes an ICS overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of industrial control systems.

More information: The Guide to Industrial Control System (ICS) Security, Revision 2 Initial Public Draft (NIST SP 800-82) can be downloaded from the NIST Computer Security Resource Center at: csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf. The public comment period runs from May 14 through July 18, 2014. Comments may be submitted by mail to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930; or by email to: nist800-82rev2comments@nist.gov

*K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams and A. Hahn. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82 Revision 2, Initial Public Draft. May 2014.
