Security controls for ICS/SCADA environments

Introduction 

An Industrial Control System (ICS) is any technology used to control and monitor industrial activities. Supervisory control and data acquisition systems (SCADA) are a subset of ICS. 

These systems are unique in comparison to traditional IT systems. This makes using standard security controls written with traditional systems in mind somewhat tricky. However, ICS owners do not have to make assumptions or try to secure them blindly: there are resources available to assist in securing these systems.

Both the National Institute of Standards and Technology (NIST) and the Center for Internet Security have written guides and controls specific to ICSes.

National Institute of Standards and Technology 

The Risk Management Framework (RMF) for federal systems is based on the NIST 800-53. 800-53 has controls specific to enterprise technology systems. NIST has written Special Publication 800-82 (currently on Revision 2), Guide to Industrial Control Systems (ICS) Security. 

Because ICSes have unique challenges and are often composed of older legacy systems, 800-82 was explicitly written for these system types. 800-82 identifies some of the security objectives for ICS implementation: 

  • Restricting logical access to the ICS network and network activity
  • Restricting physical access to the ICS network and devices
  • Protecting individual ICS components from exploitation
  • Restricting unauthorized modification of data
  • Detecting security events and incidents
  • Maintaining functionality during adverse conditions
  • Restoring the system after an incident

Those familiar with the RMF will recognize the security control families outlined in 800-82:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment and Authorization
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Program Management
  • Privacy Controls

Each family has a list of controls that apply to the category. These (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Tyra Appleby. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zKm5InUxQ4Y/