Saturday, January 05, 2008
New guides for industrial control systems

http://www.gcn.com/online/vol1_no1/45597-1.html

By William Jackson
GCN.com
01/02/08

The National Institute of Standards and Technology has released the
final version of new security guidelines for government information
technology systems used for industrial control processes.

The guidelines are in a revised appendix to NIST Special Publication
800-53 [1], titled Recommended Security Controls for Federal Information
Systems.

SP 800-53 is routinely updated every two years. Revision 2 is an
out-of-cycle update. The primary change in this revision is the complete
replacement of Appendix I. The regular two-year update will occur as
previously scheduled in December 2008.

This special update is required due to the urgent need to provide
guidance on appropriate safeguards and countermeasures for federal
industrial control systems, NIST said.

The new revision also updates the low security control baseline with the
addition of security control CP-4, Contingency Plan Testing and
Exercises, and includes an updated references section in Appendix A. The
work was done by NIST's Computer Security Division and Intelligent
Systems Division, in collaboration with the Homeland Security Department
and agencies that own, operate and maintain industrial control systems.

SP 800-53 is one of seven NIST publications giving specifications for
meeting standards defined under the Federal Information Security
Management Act. The publications spell out how to implement Federal
Information Processing Standard 200, Minimum Security Controls for
Federal Information Systems, which became mandatory in December 2005.
The controls in the guidance create baseline configurations for low-,
moderate- and high-risk systems.

SP 800-53 includes the concept of compensating security controls to
allow for equivalent or comparable controls that are not included in the
publication. The latest revision addresses some of the compensating
controls that might be required for industrial control systems. Because
these systems are used for specific processes, their architecture,
hardware and software platforms and configurations might fall outside
the parameters of other IT systems within an agency's enterprise. But
because such systems are increasingly interconnected, there is growing
concern about addressing vulnerabilities in these control systems.

NIST worked with the industrial control systems communities in the
public and private sectors to develop guidance on applying security
controls of 800-53 to these systems. The guidance covers four areas:

    * Tailoring controls to unique characteristics of control systems,
      which might require more compensating controls than general
      purpose information systems. Compensating controls are not
      exceptions or waivers to the baseline controls; rather, they are
      alternative safeguards and countermeasures employed within the ICS
      that accomplish the intent of the original security controls that
      could not be effectively employed, the guidance explains.

    * Security control enhancements that augment the original controls
      required for some control systems. These extend the control
      catalog in Appendix F for access enforcement and configuration
      control.

    * Supplements to the security control baselines for control systems
      in Appendix D for moderate- and high-risk systems.

    * Supplemental guidance providing additional information on applying
      security controls and enhancements. This provides advice on why
      some controls or enhancements might not be appropriate in specific
      environments and might be a candidate for tailoring.

[1] http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev2
