[ISN] NIST addresses security for industrial control systems

From: InfoSec News (alerts@private)
Date: Wed Nov 21 2007 - 00:05:55 PST


http://www.gcn.com/online/vol1_no1/45455-1.html

By William Jackson
GCN.com
11/19/07

The National Institute of Standards and Technology has released an 
initial draft of new security guidelines for government information 
technology systems used for industrial control processes. The guidelines 
are in a revised appendix to NIST Special Publication 800-53, 
“Recommended Security Controls for Federal Information Systems.”

NIST describes the draft as an out-of-cycle update. The only change 
between Revision 1 and Revision 2 is the complete replacement of 
Appendix I, so only that appendix is being released for public review.

“This special update is required due to the urgent need to provide 
guidance on appropriate safeguards and countermeasures for federal 
industrial control systems,” NIST said in announcing the release.

SP 800-53 is one of seven NIST publications giving specifications for 
meeting standards defined under the Federal Information Security 
Management Act. This guidance spells out how to implement Federal 
Information Processing Standard 200, Minimum Security Controls for 
Federal Information Systems, which became mandatory in December 2005. 
The controls in the guidance create baseline configurations for low-, 
moderate- and high-risk systems.

SP 800-53 includes the concept of compensating security controls to 
allow for equivalent or comparable controls not included in the 
publication. The latest revision addresses some of the compensating 
controls that might be required for industrial control systems. Because 
these systems are used for specific processes, their architecture, 
hardware and software platforms, and configurations might fall outside 
the parameters of IT systems in an agency’s enterprise. But because such 
systems are increasingly interconnected with Internet-connected 
networks, there is growing concern about addressing vulnerabilities in 
these control systems.

NIST worked with the industrial control systems communities in the 
public and private sectors to develop guidance on applying security 
controls to these systems. The guidance is in four areas:

    * Tailoring controls to unique characteristics of control systems, 
      which might require more compensating controls than 
      general-purpose information systems. “Compensating controls are 
      not exceptions or waivers to the baseline controls; rather, they 
      are alternative safeguards and countermeasures employed within the 
      ICS that accomplish the intent of the original security controls 
      that could not be effectively employed,” the guidance explains.

    * Security control enhancements that augment the original controls 
      required for some control systems. These extend the control 
      catalog in Appendix F for access enforcement and configuration 
      control.

    * Supplements to the security control baselines for control systems 
      in Appendix D for moderate- and high-risk systems.

    * Supplemental guidance providing additional information on applying 
      security controls and enhancements. This provides advice on why 
      some controls or enhancements might not be appropriate in specific 
      environments and might be a candidate for tailoring.

Comments can be submitted via e-mail and will be accepted through Dec. 14. 
Updates will be made after the public review period for the draft of 
the new Appendix I, and the entire document will be published as 
Revision 2 in December. The normal two-year revision cycle for SP 800-53 
will take place as planned in December 2008.


__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
