http://www.gcn.com/online/vol1_no1/45455-1.html
By William Jackson
GCN.com
11/19/07
The National Institute of Standards and Technology has released an
initial draft of new security guidelines for government information
technology systems used for industrial control processes. The guidelines
are in a revised appendix to NIST Special Publication 800-53,
“Recommended Security Controls for Federal Information Systems.”
NIST describes the draft as an out-of-cycle update. The only change
between Revision 1 and Revision 2 is the complete replacement of
Appendix I, so only that appendix is being released for public review.
“This special update is required due to the urgent need to provide
guidance on appropriate safeguards and countermeasures for federal
industrial control systems,” NIST said in announcing the release.
SP 800-53 is one of seven NIST publications giving specifications for
meeting standards defined under the Federal Information Security
Management Act. This guidance spells out how to implement Federal
Information Processing Standard 200, Minimum Security Controls for
Federal Information Systems, which became mandatory in December 2005.
The controls in the guidance create baseline configurations for low-,
moderate- and high-risk systems.
SP 800-53 includes the concept of compensating security controls to
allow for equivalent or comparable controls not included in the
publication. The latest revision addresses some of the compensating
controls that might be required for industrial control systems. Because
these systems are used for specific processes, their architecture,
hardware and software platforms, and configurations might fall outside
the parameters of IT systems in an agency’s enterprise. But because such
systems are increasingly interconnected with Internet-connected
networks, there is increasing concern about securing vulnerabilities in
these control systems.
NIST worked with the industrial control systems communities in the
public and private sectors to develop guidance on applying security
controls to these systems. The guidance is in four areas:
* Tailoring controls to unique characteristics of control systems,
which might require more compensating controls than
general-purpose information systems. “Compensating controls are
not exceptions or waivers to the baseline controls; rather, they
are alternative safeguards and countermeasures employed within the
ICS that accomplish the intent of the original security controls
that could not be effectively employed,” the guidance explains.
* Security control enhancements that augment the original controls
required for some control systems. These extend the control
catalog in Appendix F for access enforcement and configuration
control.
* Supplements to the security control baselines for control systems
in Appendix D for moderate- and high-risk systems.
* Supplemental guidance providing additional information on applying
security controls and enhancements. This provides advice on why
some controls or enhancements might not be appropriate in specific
environments and might be a candidate for tailoring.
Comments can be submitted via e-mail and will be accepted through Dec.
14. Updates will be made after the public review period for the draft of
the new Appendix I, and the entire document will be published as
Revision 2 in December. The normal two-year revision cycle for SP 800-53
will take place as planned in December 2008.
__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Wed Nov 21 2007 - 00:12:53 PST