The National Institute of Standards and Technology (NIST) issued proposed updates to its Guide to Industrial Control Systems (ICS) Security for final public review and comment.
The final draft includes revisions and additions responding to comments that NIST received from about 30 organizations during the initial comment review period. Comments on the latest — and final — review draft are due before March 10.
Downloaded more than 3 million times since its initial release in 2006, NIST Special Publication 800-82, as the ICS security guide is formally known, advises on how to reduce the vulnerability of computer-controlled industrial systems to malicious attacks, equipment failures, errors, inadequate malware protection and other threats. Industrial control systems encompass the hardware and software that control equipment and the information technologies that gather and process data. They are commonly used in factories and by public utilities and other owners and operators of major infrastructure.
A significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53, revision 4) to ICS. SP 800-53 contains a catalog of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used.
The new draft of the ICS security guide includes an overlay that adapts and refines that baseline to address the specialized security needs of utilities, chemical companies, food manufacturers, automakers and other users of ICS.
NIST SP 800-82, Guide to Industrial Control System (ICS) Security, Revision 2 Final Public Draft can be downloaded from the NIST Computer Security Resource Center at: http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-82-Rev.2.
The public comment period runs through March 9. Comments may be submitted by mail to: National Institute of Standards and Technology; Attn: Computer Security Division, Information Technology Laboratory; 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930.