National Institute of Standards and Technology1
US Federal Industrial Control System (ICS) Security Standards and Guidelines
Keith Stouffer, National Institute of Standards and Technology (NIST)
June 26, 2007
US Federal ICS Security Standards and Guidelines Overview
• FISMA
• NIST SP 800-53
• NIST SP 800-53A
• NIST SP 800-82
FISMA Legislation Overview
“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
-- Federal Information Security Management Act of 2002
US Federal Standards and Guidelines
• Federal Information Processing Standards (FIPS)
• Special Publication (SP) 800 Series documents
Federal Information Processing Standards (FIPS)
• Approved by the Secretary of Commerce
• Compulsory and binding standards for federal agencies' non-national security information systems
• Voluntary adoption by federal national security community and private sector
Special Publication (SP) 800 Series Documents
• Special Publications in the 800 series are documents of general interest to the computer security community
• Established in 1990 to provide a separate identity for information technology security publications
• Reports on guidance, research, and outreach efforts in computer security, and collaborative activities with industry, government, and academic organizations
• Agencies must follow NIST 800 series guidance documents, but 800 series documents generally allow agencies some latitude in their application
Scope of Applicability
• All federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.*
• State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States on a voluntary basis, as appropriate.
* The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems.
RMF Characteristics
• The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is:
– Disciplined
– Flexible
– Extensible
– Repeatable
– Organized
– Structured
“Building information security into the infrastructure of the organization…so that critical enterprise missions and business cases will be protected.”
Managing Enterprise Risk
• Key activities in managing enterprise-level risk—risk to the enterprise and to other organizations resulting from the operation of an information system:
– Categorize the information system (criticality/sensitivity)
– Select and tailor baseline (minimum) security controls
– Supplement the security controls based on risk assessment
– Document security controls in system security plan
– Implement the security controls in the information system
– Assess the security controls for effectiveness
– Authorize information system operation based on mission risk
– Monitor security controls on a continuous basis
The Risk Management Framework
Figure: the RMF cycle, with the publication(s) guiding each step, read from the Starting Point:
– Starting Point, Security Categorization (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential impact of loss
– Security Control Selection (FIPS 200 / SP 800-53): Select minimum (baseline) security controls to protect the information system; apply tailoring guidance as appropriate
– Security Control Refinement (FIPS 200 / SP 800-53 / SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
– Security Control Documentation (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place
– Security Control Implementation (SP 800-70): Implement security controls; apply security configuration settings
– Security Control Assessment (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
– System Authorization (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
– Security Control Monitoring (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness
Security Categorization
FIPS 199 potential impact levels, applied to each security objective (confidentiality, integrity, availability):
• LOW – The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• MODERATE – The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• HIGH – The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
SP 800-60: Guidance for Mapping Types of Information and Information Systems to FIPS Publication 199 Security Categories
Example: A Pulp and Paper Control System
Example: A Pulp and Paper Control System – Minimum Security Controls for Moderate Impact Systems (FIPS 200 / SP 800-53)
Security Control Baselines
SP 800-53 ICS Master Security Control Catalog: complete set of security controls and control enhancements
• Baseline #1 – Minimum Security Controls, Low Impact Information Systems: Selection of a subset of security controls from the master catalog—consisting of basic level controls
• Baseline #2 – Minimum Security Controls, Moderate Impact Information Systems: Builds on low baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
• Baseline #3 – Minimum Security Controls, High Impact Information Systems: Builds on moderate baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
Minimum Security Controls
• Minimum security controls, or baseline controls, defined for low-impact, moderate-impact, and high-impact information systems—
• Provide a starting point for organizations in their security control selection process
• Are used in conjunction with tailoring guidance that allows the baseline controls to be adjusted for specific operational environments
• Support the organization’s risk management process
Tailoring Security Controls: Scoping, Parameterization, and Compensating Controls
Figure: each baseline (Low Baseline – Minimum Security Controls, Low Impact Information Systems; Moderate Baseline – Minimum Security Controls, Moderate Impact Information Systems; High Baseline – Minimum Security Controls, High Impact Information Systems) is tailored into Tailored Security Controls for a specific enterprise and its operational environment (Enterprise #1 / Operational Environment #1, Enterprise #2 / Operational Environment #2, Enterprise #3 / Operational Environment #3).
Cost effective, risk-based approach to achieving information security…
Categorization Issues
• Currently, categorization of Federal systems is mostly based on the information that is used within the information system, rather than the information system itself
• Categorization workshop at NIST, September 5-6, 2007 to discuss categorization methodologies for ICS
Example systems (photo slides): Low Impact System; Moderate Impact Systems; High Impact System; High Impact System !!!; More High Impact Systems
NIST SP 800-53
• NIST SP 800-53 Recommended Security Controls for Federal Information Systems, which was developed for traditional IT systems, contains mandatory information security requirements for all non-national security information and information systems that are owned, operated, or controlled by federal agencies.
• NIST SP 800-53 provides the security controls that need to be applied to secure the system. It does not specify how the controls need to be implemented.
NIST SP 800-53 ICS Structure: 17 Control Families, 171 Controls (Requirements)
• Access Control
• Awareness and Training
• Audit and Accountability
• Certification, Accreditation, and Security Assessments
• Configuration Management
• Contingency Planning
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System and Communications Protection
• System and Information Integrity
Technical Control Families (Possible Reference for Part 4)
• Access Control (20 requirements)
• Audit and Accountability (11 requirements)
• Identification and Authentication (7 requirements)
• System and Communications Protection (23 requirements)
• TOTAL (61 requirements)
Operational Control Families (Possible Reference for Part 2 and/or Part 3)
• Awareness and Training (5 requirements)
• Configuration Management (8 requirements)
• Contingency Planning (10 requirements)
• Incident Response (7 requirements)
• Maintenance (6 requirements)
• Media Protection (6 requirements)
• Physical and Environmental Protection (19 requirements)
• Personnel Security (8 requirements)
• System and Information Integrity (12 requirements)
• TOTAL (81 requirements)
Management Control Families (Possible Reference for Part 2 and/or Part 3)
• Certification, Accreditation, and Security Assessments (7 requirements)
• Planning (6 requirements)
• Risk Assessment (5 requirements)
• System and Services Acquisition (11 requirements)
• TOTAL (29 requirements)
Control Structure
• The security control structure consists of three key components:
(i) a control section
(ii) a supplemental guidance section – there may also be an ICS supplemental guidance section
(iii) a control enhancements section
Control Example: AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Supplemental Guidance: Organizations increase the level of audit monitoring and analysis activity within the information system whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information.
Control Enhancements:
(1) The organization employs automated mechanisms to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities.
(2) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that are to result in alerts].
Baseline allocation: LOW – Not Selected; MOD – AU-6 (2); HIGH – AU-6 (1) (2)
Control
• The control section provides a concise statement of the specific security capability needed to protect a particular aspect of an information system. The control statement describes specific security-related activities or actions to be carried out by the organization or by the information system. For some controls in the control catalog, a degree of flexibility is provided by allowing organizations to selectively define input values for certain parameters associated with the controls.
Supplemental Guidance
• The supplemental guidance section provides additional information related to a specific security control. Organizations should consider supplemental guidance when defining, developing, and implementing security controls.
ICS Supplemental Guidance
• ICS Supplemental Guidance provides additional guidance on how to apply the control, or provides guidance as to why the control may not be applicable in ICS environments.
Control Enhancement
• The control enhancements section provides statements of security capability to: (i) build in additional, but related, functionality to a basic control; and/or (ii) increase the strength of a basic control. In both cases, the control enhancements are used in an information system requiring greater protection due to the potential impact of loss or when organizations seek additions to a basic control’s functionality based on the results of a risk assessment. Control enhancements are numbered sequentially within each control so the enhancements can be easily identified when selected to supplement the basic control.
Baselines
• LOW Baseline - Selection of a subset of security controls from the master catalog consisting of basic level controls
• MOD Baseline - Builds on LOW baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
• HIGH Baseline - Builds on MOD baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
Question: How are the three SP 800-53 baselines and the three ISA 99 security levels related? Can these be used as a reference for 99.04?
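As an added illustration (not code from the slides, nor from NIST), the categorize, select baseline, supplement and parameterize steps described above, worked for the AU-6 allocation the slides show (LOW not selected, MOD (2), HIGH (1) (2)). The information types and impact levels for the pulp and paper control system are constructed, and the overall-impact rule (highest of the three objectives) comes from FIPS 200, which the slides do not spell out.

```python
"""FIPS 199 categorization -> SP 800-53 baseline -> control selection, for AU-6."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")          # FIPS 199 potential impact levels
OBJECTIVES = ("confidentiality", "integrity", "availability")


def max_level(levels) -> str:
    """Highest FIPS 199 impact level among `levels`."""
    return max(levels, key=LEVELS.index)


def categorize_system(information_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """SP 800-60 style aggregation: for each objective the system inherits the highest
    impact among the information types it processes (the 'categorization based on the
    information used within the system' that the Categorization Issues slide mentions)."""
    for name, levels in information_types.values() and information_types.items():
        for obj in OBJECTIVES:
            if levels.get(obj) not in LEVELS:
                raise ValueError(f"{name}/{obj}: {levels.get(obj)!r} is not a FIPS 199 level")
    return {obj: max_level(t[obj] for t in information_types.values()) for obj in OBJECTIVES}


def system_impact(category: Dict[str, str]) -> str:
    """Overall impact level = highest of the three objectives (FIPS 200 'high water
    mark' rule; assumed here since the slides only show the per-objective table)."""
    return max_level(category.values())


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    enhancements: Dict[int, str]                      # enhancement number -> text
    baselines: Dict[str, Optional[Tuple[int, ...]]]   # level -> enhancements; None = not selected


# AU-6 exactly as allocated on the slides.
AU_6 = Control(
    ident="AU-6",
    title="AUDIT MONITORING, ANALYSIS, AND REPORTING",
    enhancements={
        1: "automated mechanisms integrate audit monitoring, analysis, and reporting "
           "into an overall process for investigation and response to suspicious activities",
        2: "automated mechanisms alert security personnel of the following inappropriate "
           "or unusual activities with security implications: [Assignment]",
    },
    baselines={"LOW": None, "MODERATE": (2,), "HIGH": (1, 2)},
)


def baselines_are_cumulative(control: Control) -> bool:
    """The slides' rule that MOD builds on LOW and HIGH builds on MOD: nothing selected
    at a lower baseline may be dropped at a higher one."""
    prev: Tuple[int, ...] = ()
    for level in LEVELS:
        sel = control.baselines[level]
        if sel is None:
            if prev:                      # selected below but dropped here
                return False
            continue
        if not set(prev) <= set(sel):
            return False
        prev = sel
    return True


def select_enhancements(control: Control, level: str,
                        risk_supplement: Tuple[int, ...] = ()) -> Optional[Tuple[int, ...]]:
    """Security Control Selection plus Refinement: start from the baseline allocation for
    `level`, then add enhancements the risk assessment calls for. None means the control
    stays unselected (not in the baseline and nothing supplemented)."""
    unknown = set(risk_supplement) - set(control.enhancements)
    if unknown:
        raise ValueError(f"{control.ident} has no enhancement(s) {sorted(unknown)}")
    base = control.baselines[level]
    if base is None and not risk_supplement:
        return None
    return tuple(sorted(set(base or ()) | set(risk_supplement)))


def render_au6_2(alert_activities: Tuple[str, ...]) -> str:
    """Parameterization (tailoring): fill AU-6 (2)'s [Assignment: organization-defined
    list of inappropriate or unusual activities that are to result in alerts]."""
    if not alert_activities:
        raise ValueError("AU-6 (2) needs an organization-defined list of alert-worthy activities")
    return ("The organization employs automated mechanisms to alert security personnel of the "
            "following inappropriate or unusual activities with security implications: "
            + "; ".join(alert_activities) + ".")


# Constructed information types for the slides' pulp and paper control system example.
PULP_AND_PAPER = {
    "process setpoints and recipes": {"confidentiality": "LOW", "integrity": "MODERATE",
                                      "availability": "MODERATE"},
    "alarm and event history": {"confidentiality": "LOW", "integrity": "MODERATE",
                                "availability": "LOW"},
}

if __name__ == "__main__":
    cat = categorize_system(PULP_AND_PAPER)
    level = system_impact(cat)
    print(f"SC = {cat} -> {level} impact system")
    print(f"{AU_6.ident} at {level}: enhancements {select_enhancements(AU_6, level)}")
    print(render_au6_2(("repeated failed operator logons",
                        "configuration changes outside maintenance windows")))
```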
Key Question #1
• What security controls are needed to adequately protect an information system that supports the operations and assets of the organization?
• FIPS Pub 199, FIPS Pub 200, NIST Special Publication 800-60, and NIST Special Publication 800-53 guide actions.
• Decisions result in an agreed upon set of security controls and acceptance of any residual risk documented in the information system security plan and approved by organizational officials.
Key Question #2
• To what extent are the security controls implemented correctly, operating as intended, and producing the desired outcome with respect to meeting information security requirements?
• NIST Special Publications 800-37 and 800-53A guide actions.
• Decisions result in determination of security control effectiveness and acceptance of mission/business function risk to the organization.
Compliance (800-53A): AU-6 AUDIT MONITORING, ANALYSIS, AND REPORTING
Control: The organization regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
ASSESSMENT OBJECTIVE: Determine if: (i) the organization regularly reviews/analyzes audit records for indications of inappropriate or unusual activity; (ii) the organization investigates suspicious activity or suspected violations; (iii) the organization reports findings of inappropriate/unusual activities, suspicious behavior, or suspected violations to appropriate officials; and (iv) the organization takes necessary actions in response to the reviews/analyses of audit records.
ASSESSMENT METHODS AND OBJECTS:
Examine (DEPTH, COVERAGE): Audit and accountability policy; procedures addressing audit monitoring, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records.
Test (DEPTH, COVERAGE): Information system audit monitoring, analysis, and reporting capability.
Federal Agency Challenges
• Federal agencies required to apply NIST SP 800-53 Recommended Security Controls for Federal Information Systems (general IT security requirements) to their ICSs
• Federal agencies that own/operate electric power-related ICSs could potentially have to meet 2 standards (FIPS 200/NIST SP 800-53 and FERC standards*)
* Most mature industry candidate is the NERC CIPs
NIST Industrial Control System Security Project
• Joint MEL/ITL project, in collaboration with federal and industry stakeholders, to develop standards, guidelines and test methods to help secure these critical control systems in harmony with their demanding safety and reliability requirements.
http://csrc.nist.gov/sec-cert/ics
ICS Security Project Strategy
• Work with government and industry ICS community to foster convergence of ICS security requirements
– DHS, DoE, FERC, DoI, ICS agencies (BPA, SWPA, WAPA)
– Industry standards groups
• ISA SP99 Industrial Automation and Control System Security standard
• IEC 62443 Security for industrial process measurement and control – Network and system security standard
Federal ICS Workshops
• Workshop April 19-20, 2006 at NIST to discuss the development of security requirements and baseline security controls for federally owned/operated ICS based on NIST SP 800-53
• Workshop March 27-28, 2007 at NIST to discuss and vet draft security requirements and baseline security controls for federally owned/operated ICS based on NIST SP 800-53
• Initial public draft scheduled for release summer 2007
Federal ICS Workshops
• Attended by Federal stakeholders
– Bonneville Power Administration (BPA)
– Southwestern Power Administration (SWPA)
– Tennessee Valley Authority (TVA)
– Western Area Power Administration (WAPA)
– Federal Aviation Administration (FAA)
– Department of the Interior, Bureau of Reclamation
– Department of Energy (DOE)
– DOE Labs (Argonne, Idaho, Pacific Northwest, Sandia)
– Federal Energy Regulatory Commission (FERC)
– Department of Homeland Security (DHS)
NIST SP 800-53 ICS
• Draft NIST SP 800-53 ICS:
– http://csrc.nist.gov/sec-cert/ics/papers/AppxF_800-53-rev1-Augmented_12Jun07.pdf
• Draft NIST SP 800-53 ICS Baselines:
– http://csrc.nist.gov/sec-cert/ics/papers/ICS-Requirements-Baselines.pdf
• First Public Draft of these documents scheduled for release summer 2007
NIST Workshop on Applying NIST SP 800-53 to ICS
• NIST Workshop on Applying NIST SP 800-53 ICS, August 16 – 17, following the Control System Cyber Security Conference, Knoxville, TN
• NIST will host a workshop for representatives from national and international industrial control system (ICS) communities (e.g. electric, oil, gas, water, manufacturing) to share information, obtain direct inputs, and determine their level of interest in voluntarily adopting and using NIST’s ICS augmentation of NIST SP 800-53
SP800-53/NERC CIP Mappings
• Developed a bi-directional mapping and gap analysis between NIST SP800-53 and the NERC CIP standard to discover and propose modifications to remove any conflicts
• Generally, conforming to moderate baseline in SP 800-53 complies with the management, operational and technical security requirements of the NERC CIPs; the converse is not true.
• Full report available at: http://csrc.nist.gov/sec-cert/ics/papers/ICS-in-SP800-53_final_21Mar07.pdf
SP800-53/NERC CIP Mapping Table (Small Section of Actual Table)
Table residue, reduced to what is recoverable: the excerpt maps the SP 800-53 Rev. 1 Access Control family (rows) against the NERC CIP FINAL requirements (columns), with an "Other - Notes" column; the individual cell values and counts are not recoverable from this extraction.
NERC CIP FINAL requirement columns:
– CIP-002: R1. Critical Asset Identification; R2. Critical Asset Identification; R3. Critical Cyber Asset Identification; R4. Annual Approval
– CIP-003: R1. Cyber Security Policy; R2. Leadership; R3. Exceptions; R4. Information Protection; R5. Access Control; R6. Change Control and Configuration Management
– CIP-004: R1. Awareness; R2. Training; R3. Personnel Risk Assessment; R4. Access
– CIP-005: R1. Electronic Security Perimeter; R2. Electronic Access Controls; R3. Monitoring Electronic Access; R4. Cyber Vulnerability Assessment; R5. Documentation Review and …
– CIP-006: R1. Physical Security Plan; R2. Physical Access Controls; R3. Monitoring Physical Access; R4. Logging Physical Access; R5. Access Log Retention; R6. Maintenance and Testing
– CIP-007: R1. Test Procedures; R2. Ports and Services; R3. Security Patch Management; R4. Malicious Software Prevention; R5. Account Management; R6. Security Status Monitoring; R7. Disposal or Redeployment; R8. Cyber Vulnerability Assessment; R9. Documentation Review and …
– CIP-008: R1. Cyber Security Incident Response; R2. Cyber Security Incident …
– CIP-009: R1. Recovery Plans; R2. Exercises; R3. Change Control; R4. Backup and Restore; R5. Testing Backup Media
SP 800-53 Rev. 1 Access Control rows: AC-1 Access Control Policy and Procedures; AC-2 Account Management; AC-3 Access Enforcement; AC-4 Information Flow Enforcement; AC-5 Separation of Duties; AC-6 Least Privilege; AC-7 Unsuccessful Logon Attempts; AC-8 System Use Notification; AC-9 Previous Logon Notification; AC-10 Concurrent Session Control; AC-11 Session Lock; AC-12 Session Termination; AC-13 Supervision and Review—Access Control; AC-14 Permitted Actions without Identification or Authentication; AC-15 Automated Marking; AC-16 Automated Labeling; AC-17 Remote Access; AC-18 Wireless Access Restrictions; AC-19 Access Control for Portable and Mobile Systems; AC-20 Personally Owned Information Systems
LEGEND
High baseline (no shading)
Moderate baseline (12.5% grey shading)
Low baseline (25% grey shading)
Not in baseline (50% grey shading)
NIST SP 800-82
• Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
– Provide guidance for establishing secure SCADA and ICS, including implementation guidance for SP 800-53 ICS controls
• Content
– Overview of ICS
– ICS Characteristics, Threats and Vulnerabilities
– ICS Security Program Development and Deployment
– Network Architecture
– ICS Security Controls
– Appendixes
• Current Activities in Industrial Control System Security
• Emerging Security Capabilities
• ICS in the FISMA Paradigm
NIST SP 800-82
• Initial public draft released September 2006
– http://csrc.nist.gov/publications/drafts.html
– Downloaded over 200,000 times
• Second public draft scheduled for release summer 2007
NIST ICS Security Project Summary
• Issue ICS security guidance
– Evolve SP 800-53 Recommended Security Controls for Federal Information Systems security controls to better address ICSs
• Initial public draft scheduled for release summer 2007
– Publish SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security
• Initial public draft released September 2006
• Second public draft scheduled for release summer 2007
• Improve the security of public and private sector ICSs
– Raise the level of control system security awareness
– Work with on-going industry standards activities
• Assist in standards and guideline development
• Foster convergence
• http://csrc.nist.gov/sec-cert/ics
NIST ICS Security Project Contact Information
Project Leaders
Keith Stouffer, (301) 975-3877, [email protected]
Dr. Stu Katzke, (301) 975-4768, [email protected]
Web Pages
Federal Information Security Management Act (FISMA) Implementation Project
http://csrc.nist.gov/sec-cert
NIST ICS Security Project
http://csrc.nist.gov/sec-cert/ics