I noticed a change to the DHS-CERT Control Systems Security Program web page today. They have added a link to a new document, the Catalog of Control Systems Security: Recommendations for Standards Developers. According to the blurb on the web page this “new release includes updates based on new versions of industry standards, including revision 3 of NIST SP800-53”.
This is not a programming guide or a ‘how to’ guide in protecting a facility’s control system. Rather this is a broad set of guidelines designed to help industry bodies establish standards for protecting industrial control systems from a variety of cyber and physical attacks.
Controls Listing
The catalogue lists 250 separate controls (including 44 not listed in the current version of NIST SP800-53) that may be applicable to a wide variety of control systems in a number of different industries. The authors acknowledge that not all of these will be applicable in every situation, noting that “it will be necessary to determine the level of protection needed and only apply the guidance as appropriate” (pg 4).
The controls are grouped into 19 different categories. They include:
2.1 Security Policy
2.2 Organizational Security
2.3 Personnel Security
2.4 Physical and Environmental Security
2.5 System and Services Acquisition
2.6 Configuration Management
2.7 Strategic Planning
2.8 System and Communication Protection
2.9 Information and Document Management
2.10 System Development and Maintenance
2.11 Security Awareness and Training
2.12 Incident Response
2.13 Media Protection
2.14 System and Information Integrity
2.15 Access Control
2.16 Audit and Accountability
2.17 Monitoring and Reviewing Control System Security Policy
2.18 Risk Management and Assessment
2.19 Security Program Management
Control Example
To understand what information is provided in these proposed controls I’ll show one of the simpler ones that would be common to almost all cyber security programs: Personnel Termination. The document provides the following basic guidance:
“When an employee is terminated, the organization revokes logical and physical access to control systems and facilities and ensures all organization-owned property is returned and that organization-owned documents and data files relating to the control system that are in the employee’s possession are transferred to the new authorized owner within the organization. Complete execution of this control occurs within 24 hours for employees or contractors terminated for cause.” (pg 9)
Additional guidance provides clarification of key terms; in this instance noting that:
“Organization-owned property includes system administration manuals, keys, identification cards, building passes, computers, cell phones, and personal data assistants. Organization-owned documents include field device configuration and operational information, control system network documentation. Exit interviews ensure that individuals understand any security constraints imposed by being a former employee and that proper accountability is achieved for all system-related property.”
Each control also lists enhancements that can be applied to the control to take it to the next level. For this control the authors recommend that:
“The organization implements automated processes to revoke access permissions that are initiated by the termination.”
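As an added illustration of this control and its automated-revocation enhancement (example code written for this post, not taken from the DHS catalog; the record layout, field names and sample dates are assumptions), here is a small audit that flags access left active, for-cause revocations that missed the 24-hour window, and organization-owned property not yet returned:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added illustration of the Personnel Termination control quoted above: both
# logical and physical access must be revoked, organization-owned property
# returned, and a for-cause termination completed within 24 hours. The record
# layout below is an assumption for this example, not taken from the catalog.

FOR_CAUSE_DEADLINE = timedelta(hours=24)
REQUIRED_ACCESS = ("logical", "physical")


@dataclass
class Termination:
    person: str
    terminated_at: datetime
    for_cause: bool
    revoked: dict = field(default_factory=dict)     # access kind -> time revoked
    unreturned: list = field(default_factory=list)  # property not yet recovered


def audit_termination(t: Termination, now: datetime) -> list:
    """Return findings for one termination; an empty list means the control holds."""
    findings = []
    deadline = t.terminated_at + FOR_CAUSE_DEADLINE if t.for_cause else None
    for kind in REQUIRED_ACCESS:
        when = t.revoked.get(kind)
        if when is None:
            late = deadline is not None and now > deadline
            findings.append(f"{t.person}: {kind} access still active"
                            + (" past 24h deadline" if late else ""))
        elif deadline is not None and when > deadline:
            findings.append(f"{t.person}: {kind} access revoked "
                            f"{when - deadline} after the 24h deadline")
    for item in t.unreturned:
        findings.append(f"{t.person}: {item} not returned")
    return findings


def run_sample() -> list:
    """Constructed sample: one compliant departure and one late for-cause termination."""
    now = datetime(2009, 10, 2, 12, 0)
    records = [
        Termination("operator-a", datetime(2009, 9, 30, 9, 0), for_cause=False,
                    revoked={"logical": datetime(2009, 9, 30, 17, 0),
                             "physical": datetime(2009, 9, 30, 17, 5)}),
        Termination("contractor-b", datetime(2009, 10, 1, 8, 0), for_cause=True,
                    revoked={"logical": datetime(2009, 10, 1, 9, 0)},
                    unreturned=["field device configuration manual", "building pass"]),
    ]
    return [f for t in records for f in audit_termination(t, now)]
```

Feeding the same check from the HR system's termination event, rather than running it by hand, is what the enhancement's “automated processes” amount to in practice.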
Alternative Use for Document
While this document was designed to provide guidance to industrial standards setters, there is no reason why a sharp control systems security manager couldn’t use the information provided in this document to help develop a facility level control system security plan. It will require some picking and choosing, but the information is well organized and written in pretty near standard American-English.
Besides, if the document is used in the way that it was intended, these controls would end up in requirements developed by industrial standards setting bodies. Getting a head start on getting your facility up to these standards will make for a much easier transition.