Tuesday, February 10, 2015

NIST SP800-82 R2 (2nd Draft) Out for Comment

NIST SP800-82, Guide to Industrial Control Systems (ICS) Security, has been a key, seminal guide for those of us working in ICS security.  The original guide was published as a "final" version in June 2011.  Revision 1 to the 800-82 series went final in May 2013.  In May 2014 the Initial Public Draft of Revision 2 was promulgated for comment.  I wrote a blog about this initial public draft on May 20, 2014 and encouraged interested parties to submit their comments.

Brief History of SP800-82

A few months ago I wrote an article for SearchSecurity on the Evolution of SP 800-82.  As part of this article I researched the history of this document and its development and ultimately prepared the Visio timeline shown below.  One thing I was sure to do was to obtain Keith Stouffer's (principal author of SP800-82 series) approval on the timeline accuracy.

(Apologies for the overlay with the right margin; however, if the chart goes too small then it is hard to read.  Thanks for understanding.)

What are the Revisions?

The new document out for comment is the second revision to NIST SP800-82.  From the NIST Website, updates in this new revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management recommended practices and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines
  • New tailoring guidance for NIST SP800-53, Revision 4 security controls including the introduction of overlays, and
  • An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High Impact ICS.

When are Comments Due?

The public comment period is from February 9th to March 9th, 2015 (on month).  You can email your comments to nist800-82rev2comments@nist.gov.  You are encouraged to use a comment template form (Excel File) to collect your feedback for submittal.

Your comments are requested to make this a better, more thorough document for the industry.  Thank you!