Tuesday, May 26, 2015

New ICS Primer from ISACA

Industrial Control Systems (ICS) security continues to gain momentum and awareness in the cyber community.  ISACA has recently published its own version of ICS security awareness (cover of the document is below).

ISACA has published Industrial Control Systems: A Primer for the Rest of Us, which can be obtained for no charge (registration is required) at www.isaca.org/ics

If you are not familiar with ISACA (www.isaca.org), it has been around since 1969 and has about 115,000 constituents in 180 countries.  You may recognize ISACA as supporting COBIT and also the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications.

As you glance through the 19-page document, you will recognize that most of the graphics used either come from NIST 800-82, Guide to Industrial Control Systems (ICS) Security by Keith Stouffer, et al., or are adapted from the ICS-CERT Advisories located at: https://ics-cert.us-cert.gov/advisories-by-vendor

One graphic that I especially liked was on page 13, Figure 7, showing a mind-map of Cybersecurity Threat Agents developed by our friends at the European Union Network and Information Security Agency (ENISA).  A copy of the graphic is below and can also be located at http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

So, the good news is we have another primer to pass along to our bosses and IT managers/technicians to help them better understand what ICS security involves.  There are a few good ideas in the document, such as a list of ICS Components (pages 4-5) and other references back to the NIST 800-82 document for more details.