Earlier this week the National Institute of Standards and Technology (NIST) published a draft of SP 1800-10, Protecting Information and System Integrity in Industrial Control System Environments. The new document provides a practical example solution to help manufacturers protect their Industrial Control Systems (ICS) from data integrity attacks. NIST is soliciting comments on this new document.
NIST is soliciting comments on the Draft of SP 1800-10. Comments should be submitted via email (manufacturing_nccoe@nist.gov) or by filling out the web form. Comments should be submitted by November 7th, 2021.
Commentary
This document provides an important look at how cybersecurity can be successfully engineered into an industrial control system. How useful that example will be for actual manufacturing systems remains to be seen. Looking at this document, it would appear that a high-level of IT knowledge will be required to implement the solutions reported in the document. Whether that level of support is readily available in small manufacturing of chemical facilities remains to be seen.
What is not clear from this document is how much work is needed to implement these tools. A description of the time needed to set up the equipment for these relatively simple control systems would be helpful, but I am not sure how well that would scale to real world control systems with hundreds of control devices and sensors. It is also not clear how much response action would be required by facilities to address the error messages and log files generated by such a system. Is a security operation center necessary or will facilities have to rely on already overstressed operators to deal with these results?
For understandable reasons, these test beds to not address process safety issues that must be taken into account when assessing security risks at a facility; even the Tennessee Eastman simulation fails to address this represents a generic chemical process without considering chemical hazards. I do wish, however, that there had been some discussion about the role process safety has in any process control system risk evaluation.
One final comment. I was really pleased to see that all of the test evaluations showed that the tested systems prevented the design criteria attacks. It shows that cybersecurity controls in a control system environment are possible. I would be surprised, however, to hear that they all did so on the first attempt. It would be helpful if initial testing-failure descriptions and a discussion of remedial actions taken were presented. It would also be helpful if NCCOE were to report on a well-funded red-team attack on the platforms tested.
For more details on the document and the systems evaluated,
see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cybersecurity-for-the-manufacturing - subscription required.
No comments:
Post a Comment