Tuesday, May 20, 2014

NIST SP800-82 Rev 2 - Guide to ICS Security -- Comments Requested

Last week the National Institute of Standards and Technology (NIST) published the initial public draft of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security.  This particular revision to the highly popular 800-82 versions 0 and 1 is a positive step change in the volume of information contained in the document.

In summary -- and extracted from page iv of the 255-page report -- the updates to this revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management, recommended practices, and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines

The report also has added new tailoring guidance for NIST SP800-53, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, security controls, including the introduction of overlays.  Also, the report has added an ICS overlay for NIST SP800-53, Rev 4, security controls that provides tailored security controls for Low, Moderate, and High impact ICS.

As a member of the Industrial Controls Security Joint Working Group (ICSJWG) Standards Committee I had the opportunity to review chapter 3, "ICS Risk Management and Assessment," which is a new expansion from the earlier versions.  This chapter alone provides some expanded views of the risks posed by ICS environments.

Appendix C, "Threat Sources, Vulnerabilities and Incidents," is a useful compilation of text and tables covering such topics as ICS Threat Sources, Vulnerabilities and Predisposing Conditions, System Vulnerabilities and a list of documented incidents.

Of note, Appendix F, "References," is an excellent list of 80 different references that were not only used in developing the document but would also be an excellent resource for the ICS security student or practitioner. However, I am a bit surprised and disappointed that Eric Knapp's Industrial Network Security book was not included since it is one of the best resources published on this topic.

Call to Action

First, if you are interested in Industrial Controls Security, download this new version and put it on your reference shelf for your ICS projects.  It is free and provides even more insight into the ICS arena.

Secondly, if you are an IT Security instructor be sure to show this to your students and perhaps include ICS security as part of your curriculum.  SP800-82 would be an excellent textbook and again it is no charge except for the cost to print.

Thirdly, SP800-82 R2 is out for public comment until July 18, 2014.  If you are so inclined take some time to read the new document and offer your comments via email at nist800-82rev2comments@nist.gov or you can mail them to:

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD  20899-8930

Thanks again and happy reading!